by Stephanie Gallagher, JD
Chris Apgar – CEO at Apgar & Associates, LLC
Andy Nieto – Health IT Strategist at DataMotion
Data security has certainly been a hot topic in recent months, especially in the healthcare industry. In today’s HCCA webinar, Chris Apgar and Andy Nieto discuss the need for data encryption, and where some of the industry’s key risks lie.
The first, and sometimes most daunting, question is where to start when deciding how to protect your organization from data breaches. One of the most important steps in this process is to assess the risk. When assessing your organization’s risk, keep in mind that, in the event of a breach, encryption is typically considered a reasonable safeguard. In other words, you’ve got to do it! In the past, ORC has fined entities for lost, unencrypted laptops, and has emphasized the need for encryption in 2014 HIPAA/CLIA Rule.
A second point that was brought up during the session is the importance of investigating where the organization stores its data. Mr. Apgar told an interesting anecdote about conducting an assessment for a healthcare provider that insisted none of its patient data was stored on workstations. However, upon investigation, it was found that around 75% of the workstations stored PHI. Investigating where patient data is stored is definitely something that should not be overlooked when assessing an organization’s risk and deciding on an encryption policy.
A third consideration is whether vendors are inadvertently putting your organization at risk. When employing key vendors, a best practice is to be sure to inquire about their security policies and processes on a routine basis. At times, vendors can unintentionally be putting your organization at risk, no matter how well your own internal security and encryption policies are implemented.
A fourth point of emphasis is the importance of having and maintaining a “bring your own device” (BYOD) policy. The mobile nature of the world we live in opens an organization up to a whole host of data breach risks, especially when employees are using personal devices to access PHI. A study was presented that shows about 96% of physicians use a smartphone as their primary device to support clinical communications. Encryption of patient data is especially important in these situations.
As our world becomes more mobile, the policies must change to accommodate new technology and practices. When designing and updating policies, it is important not to overlook the data that is “in motion” and be sure to account for encryption and security protocols in those situations as well. Training on such policies is crucial. OCR reminds us to employ a “culture of compliance” and be sure that employees are aware of the organization’s policies, and that the policies are enforced. Having a policy that is not enforced puts the organization at risk as much as not having a policy at all.
Finally, there are budgetary considerations. An informal study has shown that the average cost of a breach is around $201 per compromised document. This is not taking into account any potential fines that may follow for HIPAA violations. Given the fact that a data breach can be costly, not only to an organization’s budget, but to its reputation and customer base, it is important to carefully weigh these factors when choosing encryption and policy implementation strategies.
The key is to find the encryption solution that works best for an organization’s culture, and of course – implement.
A few thoughts to pass along. Chris’ statement that “you’ve got to do it[encryption}!” should not be read to mean that encryption is required by the regulations. In both instances where encryption is listed within the HIPAA Security Rule it appears in implementation specifications that are identified as “addressable”. Now I am not going to go into detail here on what addressable versus required means and how one differs from the other (I have posted a short video on HCCAnet that does that)…BUT…I do want to point out the following.
When the addressable implementation specification of encryption is assessed by a covered entity or business associate, often as part of its security risk analysis, the covered entity or business associate must first answer the question…is the safeguard reasonable and appropriate….STOP!
I believe than when making this assessment, I would find it very difficult if not borderline impossible for someone to come to the conclusion that the use of encryption is not reasonable and appropriate. This is basically the simple pathway that if one follows the regulations to include assessing addressable implementations…leads most if not all people to the final position of implementing encryption.
Now of course if anyone has come up with a reason why encryption is not reasonable and appropriate when it comes to PHI…believe me…I am happy to be the first person in line to hear what you have to say, because like Chris, I cannot imagine that there are very many, if any, situations where the use of encryption as a safeguard of the security of PHI would not be reasonable and appropriate and therefore the end result would be that encryption is used as a technical safeguard.
Comments are closed.