Encryption of ePHI and HIPAA – Remember to Protect Data on Desktops and Servers
Although most HIPAA compliance training underscores that e-mailing unencrypted ePHI is a violation of the HIPAA Security Rule, most training materials I have come across do not go far enough in emphasizing the importance of encrypting ePHI at rest, not only on laptops but on desktops and servers as well. Unfortunately, as an office in San Antonio just learned the hard way, the lack of full-disk encryption can make the difference between a computer theft that is little more than an inconvenience plus the cost of replacing a few relatively inexpensive computers, and a breach that puts patients at risk of medical identity theft. Such a breach can potentially cost millions of dollars: it requires publication of the occurrence and reporting of it to HHS, results in high legal costs, exposes the organization to the possibility of large fines, and carries the cost of providing credit protection services for years to the thousands of patients whose information was put at risk.
It is important to note, however, that although the cost of encryption technology that allows a theft such as the one described above to fall under the HIPAA encryption safe harbor provisions (thus protecting the ePHI and not triggering reporting requirements) can be modest, the details of the encryption solution implemented are critical to easily determining whether the safe harbor applies (in other words, simply encrypting is not enough). Most modern business-class desktops and laptops offer, at minimum, support for hard disk passwords or encrypted drive management (which can be combined with hardware-encrypted drives), but not all self-encrypting disks contain cryptographic modules that hold the stringent NIST certifications (such as FIPS 140-2) that support their usefulness for meeting safe harbor requirements. It is critical to confirm with the drive manufacturer or NIST that the specific hard drives under consideration have encryption modules with the appropriate FIPS certification. Happily, FIPS 140-2 certified full-disk encrypted notebook drives (such as the 500GB Seagate ST9500422AS) are available starting at only a little over $100 at this time, so cost should certainly be no barrier to adoption. In a future post, we’ll offer some tips regarding the protection of data at rest on servers (the news is good when it comes to keeping costs reasonable) and look at options for managing full-disk encryption on laptops and workstations if your organization has a lot of systems to protect.
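Before the cost question even comes up, an organization needs to know which of its desktops and servers actually have their data volumes encrypted. The following audit script is an added example, not code from the original post; it assumes a Linux host whose at-rest encryption is provided by dm-crypt/LUKS and parses the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` emits, flagging every mounted filesystem that has no `crypt` device anywhere beneath it in the block-device tree. The embedded lsblk output is constructed for the demonstration. Note what it does not check: whether the encryption module is FIPS 140-2 validated. That question is answered only by the vendor documentation or NIST's validated-module listings the post refers to, not by anything the operating system reports.

```python
"""Audit which mounted filesystems sit on top of an encrypted (dm-crypt/LUKS) device.

Parses the JSON produced by `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` and reports
each mountpoint together with the leaf device and whether a 'crypt' device appears
between it and the physical disk. A constructed sample of lsblk output is embedded
so the audit can be exercised offline; live_lsblk() reads the real tree instead.
"""
import json
import subprocess

# Constructed sample: the OS volume is LUKS-encrypted, the EFI partition is not
# (expected), and a second disk holding patient records is mounted unencrypted.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
      {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
        {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "fstype": "ext4", "mountpoint": "/srv/records"}
    ]}
  ]
}
"""

# Mountpoints that are normally, and acceptably, left in the clear.
DEFAULT_IGNORE = ("/boot", "/boot/efi")


def _walk(devices, under_crypt=False):
    """Yield (mountpoint, device name, encrypted?) for every mounted leaf in the tree.

    'encrypted' is true when this device or any ancestor is a dm-crypt target.
    """
    for dev in devices:
        encrypted = under_crypt or dev.get("type") == "crypt"
        mountpoint = dev.get("mountpoint")
        if mountpoint:
            yield mountpoint, dev["name"], encrypted
        yield from _walk(dev.get("children", []), encrypted)


def audit(lsblk_json):
    """Return {mountpoint: {"device": name, "encrypted": bool}} for the given lsblk JSON."""
    tree = json.loads(lsblk_json)
    return {
        mountpoint: {"device": name, "encrypted": encrypted}
        for mountpoint, name, encrypted in _walk(tree["blockdevices"])
    }


def unencrypted_mounts(lsblk_json, ignore=DEFAULT_IGNORE):
    """Return the sorted list of mountpoints that hold data in the clear."""
    return sorted(
        mountpoint
        for mountpoint, info in audit(lsblk_json).items()
        if not info["encrypted"] and mountpoint not in ignore
    )


def live_lsblk():
    """Run lsblk on this host and return its JSON output (Linux only)."""
    result = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Swap SAMPLE_LSBLK_JSON for live_lsblk() to audit the machine the script runs on.
    for mountpoint, info in sorted(audit(SAMPLE_LSBLK_JSON).items()):
        state = "encrypted" if info["encrypted"] else "CLEAR"
        print(f"{mountpoint:<15} {info['device']:<12} {state}")
    exposed = unencrypted_mounts(SAMPLE_LSBLK_JSON)
    if exposed:
        print("Unencrypted data volumes:", ", ".join(exposed))
```

Run across a fleet (for example via your configuration management tool), the `unencrypted_mounts` list is the inventory of systems that would not qualify for the safe harbor if stolen; the sample above correctly singles out `/srv/records` while accepting the encrypted root volume and the EFI system partition. Self-encrypting drives managed in hardware do not appear as `crypt` devices to lsblk, so hosts relying on them need a separate check against the drive's own management tooling.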