Following the recent Tricare breach, our CIO would like us to provide validation that we’ve sufficiently encrypted our company’s customer data. In the event of a breach, we want to avoid making a disclosure in accordance with HIPAA’s breach notification mandate that is necessary when data isn’t sufficiently encrypted. However, it seems like there is some gray area regarding what’s considered sufficient encryption. Can you boil down exactly what HIPAA demands with respect to data encryption, so an enterprise may avoid a breach disclosure?
However, this document is three years old and rather long (117 pages). Two points need to be covered first: what information must be encrypted, known as ePHI, and what counts as sufficient encryption. According to the Department of Health and Human Services, electronic protected health information (ePHI) is any protected health information (PHI) subject to the federal HIPAA regulation. It refers to any information that identifies an individual, usually a patient, and relates to at least one of the following:
- The individual's past, present or future physical or mental health;
- The provision of health care to the individual;
- Past, present, or future payment for health care.
That definition is fairly straightforward, but this information is constantly being stored, processed or transmitted within a myriad of IT systems across most organizations. The challenge, therefore, is identifying all of those systems.
Encryption, on the other hand, is also straightforward: it is simply the process of transforming data into an unreadable format by means of an algorithm. The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data that is now widely used, so enterprise security pros will find it readily available in many tools and utilities that offer encryption. It is now clear what to encrypt and how to encrypt; where to encrypt is the issue, because IT systems holding ePHI seem to be everywhere. Applying the following encryption measures should prove sufficient to meet HIPAA encryption requirements.
- Encrypt all websites with SSL certificates, so that they are served over HTTPS. In short, any website owned or operated by your entity that is associated with ePHI needs to be encrypted.
- Encrypt all databases that have ePHI data "at rest." Data at rest is data stored in a repository, usually in files within a given database. Thus, using column or file-level protection for ePHI data would suffice for HIPAA requirements.
- Encrypt all emails that contain ePHI, and always use secured connections, such as IPsec VPN tunnels, when accessing ePHI over untrusted networks.
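The column-level protection from the second bullet, as an added example that is not from the original answer: a Go routine using the standard library's AES-256-GCM that encrypts a single ePHI field before it is written to the database, binds the row's patient identifier so a ciphertext cannot be silently swapped between rows, and refuses to decrypt tampered values. The key, the patient ID and the diagnosis value are constructed for the demo; in production the key is held in a KMS or HSM, separate from the database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) { // key: 16, 24 or 32 bytes (32 = AES-256)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one ePHI column value as nonce || ciphertext || tag. The row's
// patient ID is bound as associated data, so the value cannot be moved to another row.
func EncryptField(key []byte, patientID, plaintext string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every stored value
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), []byte(patientID)), nil
}

func DecryptField(key []byte, patientID string, stored []byte) (string, error) { // fails closed on tamper or ID mismatch
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(stored) < gcm.NonceSize() {
		return "", fmt.Errorf("stored value too short")
	}
	pt, err := gcm.Open(nil, stored[:gcm.NonceSize()], stored[gcm.NonceSize():], []byte(patientID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() { // constructed demo key below; production keys belong in a KMS or HSM
	ct, _ := EncryptField([]byte("0123456789abcdef0123456789abcdef"), "P-1001", "Type 2 diabetes")
	fmt.Println(len(ct), "ciphertext bytes stored for constructed patient row P-1001")
}
```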
In short, the meaning of encryption is straightforward, as is what to encrypt. Your challenge is finding and identifying all systems that potentially store or transmit ePHI.
This was first published in December 2011