Security Encryption Software Can Prevent HIPAA Breaches

As the year draws to a close, many people in the healthcare industry will be breathing a sigh of relief and will be glad to see the back of ‘the year of data breaches’. However, as bad as this year was for HIPAA breaches, many of these security incidents could have been prevented with the use of security encryption software.

There is often a public outcry following a large-scale data breach. Patients want to know how a multiple-hospital healthcare system storing millions of records can avoid using data encryption, especially at a time when hordes of hackers are focused on obtaining that data by any means possible.

However, under the Health Insurance Portability and Accountability Act, Covered Entities (CEs) are not required to use data encryption to protect PHI. Data encryption is not a requirement; it is merely addressable. Storing unencrypted data will not result in a HIPAA violation, provided other security measures are in place that offer a comparable level of protection.

This may be an area of HIPAA legislation that the Department of Health and Human Services may wish to address in the near future, especially considering the volume of data breaches that have been reported this year. Experts are already predicting that the worst is yet to come.

Security Encryption Software Can Prevent HIPAA Breaches

Encryption is often seen as the ultimate in data security. Data is rendered unreadable and undecipherable without the use of a unique security key. If a laptop computer containing encrypted data is stolen, it would not be a HIPAA breach and would therefore not need to be reported to the Office for Civil Rights. That data would be unreadable, so there would be no disclosure of PHI.

…But Not Always

Unfortunately, data encryption is not an infallible system that will guarantee that PHI cannot be accessed by unauthorized personnel. The data may be indecipherable without a security key, but with that key there is no protection at all.

A doctor from Boston’s Brigham and Women’s Hospital (BBW) was recently robbed at knifepoint. The attacker obtained his laptop, but that was not all the thief wanted. The doctor was tied to a tree and threatened until he disclosed the passwords and security key. Such situations may not be common, but security keys can be divulged.

The theft of an encrypted device containing PHI will result in a HIPAA breach if the device is stolen together with its security key, as the protection will be rendered useless. This can be tackled as a training issue, but some members of staff do store security keys with laptops in spite of the risk.

In many cases where servers have been compromised by hackers, data encryption would protect the PHI. However, this depends on how the hackers gain access. Security encryption software will similarly be rendered useless if hackers are able to obtain the keys or login credentials from employees. Phishing schemes and malware often try to trick users into revealing these details.

The Best Solution as Part of a Multi-Layered Security Strategy

It may not be 100% effective, but encrypting data is one of the best ways to avoid HIPAA violations. As part of a multi-layered security strategy, data encryption, along with other technical safeguards and staff training, can go a long way toward preventing HIPAA breaches.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news