Armour has written a guide book: “HIPAA compliance & risk management, A PROACTIVE APPROACH TO DATA SECURITY”. I strongly recommend that you grab yourself a copy. In the meantime, over the next two days, I will be highlighting excerpts from the book for you.

First they ask:

“As long as data is encrypted, it won’t be compromised, right?”
That statement is not entirely correct, and it is a dangerous assumption to make, since not all forms of encryption are equally strong. Many healthcare organizations treat encryption as optional. Under HIPAA’s Security Rule it is an “addressable” implementation specification, which does not mean optional: a covered entity must either implement it or document why an equivalent alternative safeguard is reasonable and appropriate. Either way, the Security Rule requires safeguards that ensure the integrity and confidentiality of ePHI.
It is essential that your security strategy include finding a service that understands HIPAA’s encryption expectations. Some encryption schemes are stronger than others; weak or obsolete algorithms, short keys and home-grown schemes can be broken by attackers with the right tools.
Confusion tends to enter the picture when deciding which type of encryption is most effective for a given scenario and when ensuring that the encryption keys are managed properly.
Full-disk encryption (FDE, also known as whole-disk encryption) is often used on laptops because it is effective against physical theft. With FDE, a device’s entire drive is protected only while the machine is in its pre-boot state: either powered off, or powered on but not yet unlocked with the user’s authentication credentials.

After a successful boot and unlock, the data on that machine is readable to any process or user on it, so FDE alone no longer protects it. Consequently, FDE is not sufficient for servers or any device that is powered on most (if not all) of the time. Logical (or role-based) encryption, applied at the file, database or application layer and tied to who is allowed to decrypt, is more effective for securing data that resides on always-running servers.

Further complicating matters, the biggest challenge may not lie in implementing encryption (which can be difficult on legacy systems) but in managing the encryption keys and keeping them safe. Keys should always be stored in a separate location from the encrypted data, without sacrificing convenience for the end user.
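The two points above, encrypting data that lives on an always-on server and keeping the keys away from the data, are usually combined in practice as envelope encryption: each record is encrypted under its own data-encryption key (DEK), and the DEK is stored with the record only after being wrapped under a key-encryption key (KEK) that lives elsewhere (an HSM or KMS). The Go program below is an added example written for this page, not code from the book or from Armour; the record layout, field names and the sample patient data are constructed for illustration. It shows that a copy of the stored records is unreadable without the KEK, and that tampering with the patient identifier is detected because it is bound to the ciphertext as associated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what is stored on the always-on server: the patient identifier in
// the clear (used as associated data to bind the ciphertext to this record),
// the ePHI field encrypted under a per-record DEK, and that DEK wrapped under
// a KEK that is never written next to the data. Layout is hypothetical.
type Record struct {
	PatientID  string
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, ePHI, aad=PatientID)
}

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// sealGCM encrypts and authenticates plaintext (and aad) under key and returns
// nonce || ciphertext || tag, so the blob carries everything except the key.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to key, nonce, ciphertext or aad fails.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// EncryptRecord makes a DEK for this record, encrypts the ePHI under it with the
// patient ID as associated data, then wraps the DEK under the KEK.
func EncryptRecord(kek []byte, patientID string, phi []byte) (*Record, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, phi, []byte(patientID))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(kek, dek, nil)
	if err != nil {
		return nil, err
	}
	return &Record{PatientID: patientID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then opens the ePHI field.
func DecryptRecord(kek []byte, r *Record) ([]byte, error) {
	dek, err := openGCM(kek, r.WrappedDEK, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, r.Ciphertext, []byte(r.PatientID))
}

func main() {
	// Constructed demo. In production the KEK stays in an HSM/KMS and only the
	// wrap/unwrap operations cross to it.
	kek, _ := NewKey()
	rec, _ := EncryptRecord(kek, "MRN-000123", []byte("Dx: type 2 diabetes"))
	pt, err := DecryptRecord(kek, rec)
	fmt.Printf("holder of KEK reads: %q (err=%v)\n", pt, err)
	stolenCopyKey, _ := NewKey() // attacker has the records but not the KEK
	_, err = DecryptRecord(stolenCopyKey, rec)
	fmt.Println("without KEK:", err)
}
```

The design choice worth noting is that the wrapped DEK travels with the record, so rotating or revoking the KEK (or revoking one role’s access to the unwrap operation) immediately changes who can read every record, without re-encrypting the data itself; that is the property the “logical” or role-based encryption above relies on.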
A trustworthy vendor will be able to deliver an encryption solution that works across a variety of environments and over any transport, and that provides reliable security. A critical thing to look for when evaluating encryption is certification, which signals that a company is professional and experienced enough to be a trusted partner for your organization.

Validation under the FIPS 140 program run by the National Institute of Standards and Technology (NIST) is an established best practice and delivers a form of encryption that cybercriminals will not be able to break easily.

If a covered entity (CE) needs more incentive to take the proper precautions and encrypt data, that incentive can be found in Safe Harbor, a provision under HIPAA’s Final Breach Notification Rule. Safe Harbor frees an organization from the obligation to announce a breach as long as that organization can show it took the appropriate steps to render the data “unusable, unreadable or indecipherable to unauthorized individuals,” in HIPAA’s words. The organization must also be able to show that the encryption keys were protected; encrypted data whose keys were exposed alongside it does not qualify.

Business associates must also achieve HIPAA compliance

For the healthcare industry, a “business associate” (BA) is a person or organization that has access to patient records or handles patient data as part of the services it provides. The term is often applied to a cloud storage provider that helps guide compliance efforts, but a BA is any third-party vendor that supplies a product or service involving PHI to a CE, and it must be held to the same HIPAA standards as the CE it works for.

Any data storage a cloud provider performs is vulnerable to unauthorized access or encryption weaknesses unless proper security measures are in place and compliance standards are met. To protect an organization and the data it outsources for storage, HIPAA requires a business associate agreement. The OCR has established the minimum requirements that a business associate agreement must contain, and not having one in place is considered neglect, leading to fines that can total in the tens of thousands. As with any third-party IT service, a service provider has to be chosen wisely, since both your operations and your reputation will take a massive hit if a data breach occurs.

Even when a contract with a BA comes to an end, steps must be taken to cover how deletion of the data is handled so that no breach occurs afterward. A BA simply agreeing to delete the information is not good enough. It must securely delete the files to remove any threat of exposure and then provide a certificate of destruction confirming that the data is completely gone.

A BA can be an excellent ally in your compliance efforts and a helpful resource for allowing your organization’s operations to work efficiently. The process for choosing a BA can be
compared to choosing a bank; before opening an account, you want to know that the bank employs security guards and utilizes vaults to keep your money safe.

In the same way, a business associate must prove it has safeguards in place. There’s no better way for a BA to do that than to achieve HITRUST certification.
“Nobody else can say you’re HIPAA-certified,” says Hicks. “To achieve this certification, you must have far more controls in
place than you do to satisfy the HIPAA requirement.”

Check out the post tomorrow, where we will continue with this valuable information.