Protected Health Information (PHI) is the glue that holds a healthcare system together. Electronic health records include insurance information, proper dosage amounts for medicine, and other personal information. The digital age of healthcare allows for easy access to this information to provide more efficient care. With data of this level of importance being utilized in everyday healthcare operations, why would any health organization not have some level of encryption?
What is Encryption?
Encryption falls under the category of cryptography and is the process of encoding data so that it can only be deciphered with the proper key. This prevents unauthorized access and keeps sensitive information secure: without the key, anyone who reaches the data sees only scrambled characters, not the legitimate data.
There are two types of encryption, the first being software-based, and the other being hardware-based. Software encryption is cheap and easy to implement, but its protection rests on a single password. If a hacker or other cybercriminal can crack that one password, your system is immediately unsecured.
Hardware encryption is much more secure because the encryption process is separate from the rest of the device. It has a dedicated processor to make the process faster, reducing lag time on the device and ensuring greater security through biometric authentication or PIN authentication on a keypad.
Security Requirements in Healthcare
According to a white paper from Stanford University, medical data grows by an estimated 48% each year. This includes private information about patients, their health status and their insurance providers that circulates in a hospital or doctor’s office. This sensitive information needs high levels of security to protect the patients.
That is why the HIPAA Security Rule was enacted to protect electronic personal health information that is created, received, used, or maintained by a covered entity. These entities include covered health care providers, health plans, health care clearinghouses, and Medicare prescription drug card sponsors.
Safeguards under the Security Rule include the following categories:
- Administrative: Assigning security responsibility to an individual and implementing security training.
- Physical: Protecting electronic systems and the data they hold by restricting access to EPHI and using off-site backups.
- Technical: Automated processes like authentication controls and encrypting data during transfer.
Consequences of Not Utilizing Encryption
While the Security Rule establishes some guidelines for the protection of patient information, encryption is not technically required under HIPAA rules. However, it is still considered an “addressable” implementation specification. The Rule’s requirements state that covered entities should implement encryption for PHI whenever it is deemed appropriate.
There have been several data breaches in recent years that involved data storage devices that were lost or stolen and were unencrypted. In cases involving organizations such as the University of Rochester NY Medical Center and the University of Texas MD Anderson Cancer Center, the fines for PHI leaks were in the millions.
The MD Anderson Cancer Center was fined $1.3 million for failing to encrypt devices with electronic health records. This was only a portion of its total fine of over $4 million. While the organization argued in court that encryption was not required under HIPAA, the court ruled that it was still an “addressable implementation.” The court therefore deemed the fine reasonable because the organization failed to implement encryption, an additional safeguard that is commercially available.
Real-Life Applications in the Healthcare Field
Mical Cayton, the CIO at Community Medical Centers states that his organization uses encryption particularly for the mobile environment “where providers are communicating with one another about a case or a series of cases that they may encounter with patients that have a set of opportunities, challenges and conditions. You want that data very secure.”
Western Reserve Hospital uses our SecureUSB BT storage devices in their daily operations for medical presentations and any other electronic data. Their IT Director has commented on the convenience and easy setup of these devices. One of the features the director liked was the ability to remotely wipe the drive from anywhere in the world in the event it becomes lost or stolen.
Our SecureDrive and SecureUSB BT are hardware-encrypted storage devices that are both FIPS 140-2 Level 3 Validated and HIPAA Compliant for the highest levels of security, more than meeting the addressable encryption specification in the healthcare industry. The devices work across all systems with a USB port, and device access can be managed through the paired mobile app. Users can authenticate with facial recognition or fingerprints and can set step-away and inactivity auto-lock on the drives to protect data from unauthorized users.
PHI includes insurance information, medical records, and social security numbers. Healthcare organizations shouldn’t run the risk of exposing this data due to a lack of encryption. SecureDrive products are HIPAA compliant and can easily be added to existing healthcare operations. Let us help you protect your PHI with our hardware-encrypted products.