HIPAA’s Safe Harbor provision is well-known: If PHI is encrypted so that it's unusable, unreadable, or indecipherable to unauthorized individuals, breach notifications aren’t required. However, the U.S. government considers that encryption not validated by NIST to FIPS 140-2 standards is the equal of plaintext. In other words, healthcare providers are rarely in full compliance with the federal benchmark. While governing bodies have been overlooking this incongruity, it is inevitable that the FIPS 140-2 cryptographic standard will be imposed on healthcare providers in the near future. This presentation will prepare attendees for this major hurdle.

1. Unsafe Harbor
Will Your Encryption Weather the Storm?
Ray Potter
CEO, SafeLogic

2. Safe Harbor
• Eliminates the requirement to notify
affected parties and the federal
government of an ePHI data breach
• ePHI data must be in a format that is
unusable, unreadable, or indecipherable
to unauthorized individuals
2

3. HIPAA
• Establishes the national set of standards
for the handling of ePHI in electronic form
• Security Standards for the Protection of
ePHI
• Privacy expectations for covered entities
3

4. HIPAA Security Rule
• General Rules
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards
• Organizational Requirements
• Policies / Procedures and Documentation
Requirements
4

5. NIST SP 800-66
• Introductory resource guide for Implementing
the HIPAA Security Rule
• Voluntary guideline and best practices for
implementation of HIPAA security rule
• State / local government
• Private industry
• Links NIST Risk Management Framework to HIPAA
Security Rule 5

6. Risk Management Framework
6

7. What's at Risk?
• Personal health info
• Device compromise
• Health
• Life
• How does HIPAA / Safe Harbor help?
7

8. Access Control
• Access Enforcement
• The organization encrypts or stores off-
line in a secure location
• Media Access
• The system uses cryptographic
mechanisms to protect and restrict
access to information on portable digital
media 8

9. Identification & Authentication
• Device Identification and Authentication
• Authenticates devices before
establishing remote, wireless network,
and network connections using
bidirectional authentication between
devices that is cryptographically based
9

10. • Cryptographic Module Authentication
• Implement role-based or identity-based
• Use of Cryptography
• System should use FIPS 140-2 validated
modules
Encryption
10

11. Data at Rest / Transmission
• Media Storage
• Media Transport
• Transmission Integrity
• Transmission Confidentiality
• Maintain confidentiality and integrity
11

12. FIPS
140
• Federal
Information
Processing
Standard
140
• Specifies
requirements
for
cryptographic
hardware
and
software
modules
• Published
by
US
(NIST)
and
Canadian
Governments
• Offers
4
levels
of
validation
12

13. Sections of Requirements
• Module Description
• Interfaces
• Roles, Services, and Authentication
• Finite State Model
• Physical Security
• Operating Environment
• Key Management
• EMI/EMC
• Self Tests
• Design Assurance
• Mitigation of Attacks 13

14. Value
• Standardized algorithms
• Algorithm testing
• Documented processes
• Documented code
14

15. Why Compliance?
• Vendors need to be able to sell products
to the regulated industries
• Vendors need to remain competitive
• End users need security assurance
15

16. Let’s Connect
• @SafeLogic
• @SafeLogic_Ray
• www.safelogic.com
16