COMPLIANCE COUNSELOR

Secure data transmission methods


Chris Apgar
01.17.2006


A significant issue facing security professionals, especially in healthcare organizations, is the secure transmission of confidential and proprietary information, and protected health information (PHI). When many organizations think of secure transmission, the conversation generally turns to encryption and encrypted e-mail. While this tip touches on e-mail security, you can find more in-depth information in E-mail Security School. The main purpose of this tip is to explore secure data transmission options that are available to help meet regulatory and legal requirements.

The HIPAA Security Rule references secure transmission and the use of encryption. Although the Rule does not require the use of encryption, it is included as an "addressable" implementation specification. In other words, a healthcare organization covered under HIPAA has three choices: implement the specification as it appears in the Rule, implement an alternative that is equivalent to the specification, or document why the specification is not applicable and therefore is not implemented.

Given the availability and affordability of encryption technology today, it is difficult for a healthcare organization to justify not using some form of it when transmitting PHI. A number of vendors offer a variety of reasonably priced encryption hardware and software, as well as outsourcing options. Now we'll review the options in more detail.

E-mail encryption
A number of vendors offer products that encrypt e-mail messages, are easy to use and provide the ability to send private data, including e-mail attachments, securely. The recipient can respond using the same encryption method. Many of these products are Web-based. They work by sending a link to the recipient, who then clicks on it and logs on to a secure e-mail server, which the organization either owns or outsources to an appropriate vendor. The recipient is then able to read the e-mail and any attachments securely, and send a secure response including attachments if needed.

There is also non-Web-based technology that allows transportation of secure messages from one person or organization to another, the most common of which is public key infrastructure (PKI). PKI requires an exchange of keys used to unlock the encrypted file. For example, Bob wants to send a secure e-mail to Sue, so he gives her a copy of his public key to open his encrypted message. Bob retains the private key he used to encrypt the message or file, which he can also use, especially with a digital signature, to authenticate himself as the sender. A digital signature is a small electronic file that is unique to each sender and specifically authenticates his or her identity. In many states, a digital signature can be used and is enforceable to the same extent as an original signature on a contract or other legal document.

There haven't been any large PKI deployments as yet, mainly because it is cumbersome and keys are difficult to administer and manage. However, PKI has been successful in small deployments and is frequently used for sending large files between organizations such as health plans and healthcare clearinghouses.

One method of secure data transmission often used in conjunction with PKI to encrypt and authenticate large data files is secure file transfer protocol (FTP). However, it is not used for transmission between individuals. The technology is readily available and recommended for organizations transmitting large amounts of data, such as claims transactions and electronic remittance advices through clearinghouses.

Web site encryption
Organizations that use the Web to collect and transmit sensitive data to customers or other organizations need to secure their Web site. The general standard is the use of Secure Sockets Layer (SSL), which encrypts data transmitted via a Web site. Upon opening an Internet browser, an open or closed lock appears in the lower right-hand corner of the Web site. If the lock is closed, it means the data transmitted over the Web site is secure, generally by SSL. This allows the transmission and collection of private data over a Web site without worrying about a hacker accessing it. There is no such thing as security without risks, but the use of SSL and secure Web sites when transmitting data significantly reduces the risk of it being inappropriately intercepted. Secure Web sites can be established by using internal Web analysts/programmers or by working with a vendor who has expertise in creating an appealing and secure Web presence.

Application encryption
Some organizations transmit data between applications, such as an electronic health record. It is wise to view such transmissions, if the data travels outside an organization, like any message sent over the Internet, meaning it's subject to interception and, unless properly protected, misuse. When transmitting sensitive data between applications, it is sound security practice to evaluate the encryption capabilities of the application(s) and implement an encryption solution beforehand. An organization can obtain this technology from the vendor that manufactures the application or from a custom-programmed product that accommodates application functionality while protecting the data as it travels from one point to another.

Remote user communication
Remote users present an additional security risk, because they are often communicating between their home and an organization. This means they not only need to be aware of secure data transmission requirements, but also other information security risks associated with remote access to confidential information. To secure communication with remote users, install a virtual private network (VPN), which encrypts all the data sent between its users. This technology is readily available on the market, and it is advisable that organizations with remote users install it. If a VPN is not established and a modem is not in use (which is generally not an efficient method of accessing a company network), all data transmitted over the Internet is subject to interception and inappropriate use.

Laptops and PDAs
These portable devices can be easily lost or stolen. Therefore, it is wise for organizations using these devices to transport confidential information to encrypt the data stored on those devices. This protects the organization against inappropriate data disclosure if the portable device is lost or stolen. Encryption programs are available for portable devices and the cost of such software is reasonable and affordable, even for smaller organizations.

Wireless networks
Wireless threats are on the rise, and unsecured wireless networks are significant points of vulnerability that open up organizations to easy hacker access. Therefore, it's becoming increasingly important to prevent access by anyone not authorized to use the network. Also, encrypt all data transmitted between wireless devices to prevent inappropriate disclosure of confidential information. Laptops connected to wireless networks are becoming more common, especially in hospital emergency rooms where medical and health insurance information is collected. These laptops communicate with the organization's wireless server and update applications, health records, etc. This data is generally sensitive and needs the extra layer of protection that encryption provides.

About the author
Chris Apgar, CISSP, is president of Apgar & Associates, LLC and former HIPAA Compliance officer for Providence Health Plans in Oregon and SW Washington. He is a nationally recognized data security, privacy, transaction and code sets, regulatory and HIPAA expert. He is a member of the HIPAA Compliance Insider Advisory Board, the Security Compliance Insider Advisory Board, the URAC Privacy Advisory Committee, and chairs the Oregon and SW Washington Healthcare, Privacy & Security Forum and the Forum's Transaction & Code Set Workgroup. Mr. Apgar now operates an independent consulting firm specializing in security, privacy, HIPAA, global and detailed business process review, information systems project development, and lobbyist activity.
