HIPAA Encryption: Requirements, Best Practices & Software
Wondering if HIPAA requires encryption? We are going to cover when encryption is required, what type is best and software to maintain compliance.
Does HIPAA require encryption? Not in so many words. The HIPAA Security Rule lists encryption of electronic protected health information (ePHI) as an "addressable" implementation specification, both for data at rest (45 CFR 164.312(a)(2)(iv)) and for data in transit (45 CFR 164.312(e)(2)(ii)). "Addressable" does not mean optional: a covered entity or business associate must implement encryption wherever it is reasonable and appropriate, and where it is not, must document why and put an equivalent alternative safeguard in place. In practice, because ePHI that is encrypted to the HHS standard (and whose key has not been compromised) is exempt from breach notification, encryption is treated as the baseline for any ePHI that can leave the building on a laptop, a USB drive, or a network connection.
The Necessity of Encrypting Patient Health Information and Modern Threats
In November 2019, the University of Rochester Medical Center (URMC) agreed to pay $3 million to the HHS Office for Civil Rights (OCR) to settle potential violations of the HIPAA Security Rule after an unencrypted flash drive and an unencrypted laptop containing ePHI were lost or stolen.
While the loss of PHI is problematic enough, the OCR investigation revealed a breakdown in security implementation across the organization: URMC had not conducted an enterprise-wide risk analysis (and so had not reduced the risks and vulnerabilities such an analysis would have found), and it had allowed unencrypted mobile devices to remain in use even though it had itself identified the lack of encryption as a high risk, and OCR had flagged the same problem after a similar lost-flash-drive incident nine years earlier.
In a world of electronic data transfers and mobile devices, there are dozens of ways that security can break down and lead to HIPAA non-compliance, and all of them point back to the same need: safeguards that are actually implemented, not just written into policy.
What are HIPAA Encryption Requirements for Electronic Patient Health Information?
HIPAA establishes three foundational rules for protecting patients and their information:
- The Privacy Rule, which defines protected health information (PHI) and sets the conditions under which it may be used and disclosed.
- The Breach Notification Rule, which defines how and when your organization must notify affected individuals, HHS, and in some cases the media after a breach of unsecured PHI.
- The Security Rule, which establishes administrative, physical, and technical safeguards for ePHI in storage and in transmission.
The Security Rule's general requirements oblige you to ensure the confidentiality, integrity, and availability of all ePHI you create, receive, maintain, or transmit; to protect against reasonably anticipated threats to its security or integrity; and to protect against reasonably anticipated uses or disclosures that the Privacy Rule does not permit.
While these general requirements drive more specific standards for administrative, physical, and technical safeguards, the Security Rule is deliberately technology-neutral: it names no particular protocol, product, or algorithm. It does require covered entities and business associates to implement reasonable and appropriate safeguards for ePHI wherever it resides, or to document why a given addressable specification is not reasonable for them and what they do instead. The point is that as technology scales and threats evolve, the controls (including the security software) you rely on must evolve with them.
So, the short answer is that the Security Rule does not spell out an encryption algorithm or protocol, which can seem confusing at first. What counts as adequate encryption comes instead from guidance the Department of Health and Human Services (HHS) issued under the HITECH Act, which specifies the technologies and methodologies that render PHI "unusable, unreadable, or indecipherable" to unauthorized persons by pointing to publications of the National Institute of Standards and Technology (NIST). PHI encrypted to that standard is "secured" PHI: if it is lost or stolen and the key has not also been compromised, the Breach Notification Rule does not require notification.
The guidance distinguishes by the state the information is in, at rest or in transit:
When data is “at rest”, it is inactive and stored in a digital medium such as a server hard drive or SSD. This can also mean that the data is sitting on a mobile device like a tablet or phone.
For data at rest, the HHS guidance points to NIST Special Publication 800-111, "Guide to Storage Encryption Technologies for End User Devices". That publication covers full-disk encryption, volume and virtual-disk encryption, and file or folder encryption, and how to choose among them for laptops, removable media, and mobile devices.
When data is “in transit”, it is actively moving between a sender and a destination. This can include sharing PHI between two health care providers via email or other software, transmitting to cloud storage, or transmitting between central servers and mobile devices.
For data in transit, the guidance cites NIST Special Publications 800-52, "Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations", and 800-77, "Guide to IPsec VPNs" (it also lists SP 800-113 on SSL VPNs, and accepts other methods that are FIPS 140 validated). These publications describe how to configure and operate those protocols so that data is actually protected, not just nominally encrypted.
Through these guidelines, providers can make reasonable decisions about what kinds of security they should use.
What are HIPAA Encryption Protocols, and Why Are They Important to Protect ePHI?
Maintaining strong encryption for data at rest across all computers and devices in your network, alongside strong protection for in-transit information, will help keep ePHI private while demonstrating to the Department of Health and Human Services that you are using reasonable and appropriate safeguards across the whole life of the data.
Several technologies can support HIPAA compliance. The Advanced Encryption Standard (AES), specified in FIPS 197, is a symmetric block cipher: the same key encrypts and decrypts. With a 256-bit key (AES-256), exhaustive key search is out of reach for any foreseeable computing capability, and AES is approved by the U.S. government for protecting classified information. On its own AES provides confidentiality only; for stored ePHI, use it in an authenticated mode such as AES-GCM so that tampering with ciphertext is detected, and protect the key with at least the care you give the data, because a key stored next to the ciphertext protects nothing.
Transport Layer Security (TLS) protects data in transit over the web via HTTPS, between mail servers via STARTTLS, and in messaging and API traffic. It authenticates the server with a certificate, negotiates a fresh session key with an ephemeral key exchange, and then protects the stream with an authenticated cipher, typically AES-GCM or ChaCha20-Poly1305. Which cipher and key length are used depends on how both ends are configured, so AES-256 is not guaranteed just because TLS is in use. NIST SP 800-52 Rev. 2 requires TLS 1.2 as the minimum and support for TLS 1.3; SSL 3.0, TLS 1.0, and TLS 1.1 should be disabled.
OpenPGP and S/MIME both provide end-to-end encrypted email and both are acceptable under the guidance, but each requires every sender and recipient to hold a key pair and to obtain and validate the other party's public key. That key management is clunky and too time consuming for most clinics and their patients, which is why Kiteworks relies on AES-256 for stored content and TLS 1.2 or later for transport rather than on either of them.
Key management is not their only limitation. With either one, a message to a recipient whose key you do not have goes out in the clear unless the mail system blocks it, and message headers, including the subject line, are never encrypted, so PHI typed into a subject line is exposed regardless.
As a rule, a secure system should use AES-256 for data at rest and TLS for data in transit. To avoid requiring public-key encryption for email, Kiteworks stores the content on its own servers and sends recipients a link: rather than sending the protected data through email directly, the recipient follows the link to a secure site, authenticates, and views the information there. For that pattern to hold, the notification email itself must carry no PHI in its subject or body, the link must be useless until the recipient has authenticated, and it should expire.
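As an added example, not Kiteworks code and not from the original article, the following Go program shows what the SP 800-52 floor from the in-transit discussion above looks like in a server configuration: TLS 1.2 as the minimum, only ephemeral-ECDH AEAD suites for TLS 1.2, and TLS 1.3 allowed. It uses only Go's standard library, generates a throwaway self-signed certificate for the made-up hostname ehr.example, runs two handshakes over loopback TCP, and shows that a current client negotiates TLS 1.2 or 1.3 with an AEAD suite while a client that can only speak TLS 1.0 is refused before any data flows. The hostname, the certificate, and the loopback setup are assumptions for the demo only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

const demoHost = "ehr.example" // made-up hostname, used only so certificate and client agree

// hardenedServerConfig follows the SP 800-52 Rev. 2 floor: TLS 1.2 or newer, and for
// TLS 1.2 only ephemeral-ECDH suites with AEAD ciphers. Go's TLS 1.3 suites are fixed and
// all AEAD, so they need no listing. The weak setting this replaces would be
// MinVersion: tls.VersionTLS10 with the default suite list.
func hardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
}

// clientConfig builds a client that trusts the example root and speaks only the given
// version range (maxVer 0 means no cap). A TLS 1.0-only range stands in for an
// unpatched legacy device.
func clientConfig(roots *x509.CertPool, minVer, maxVer uint16) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: demoHost, MinVersion: minVer, MaxVersion: maxVer}
}

// selfSignedCert issues a throwaway ECDSA P-256 certificate for demoHost so the
// example runs offline; a real deployment would use an internal or public CA.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{demoHost},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, roots, nil
}

// handshake runs one TLS handshake over loopback TCP and returns the state the client saw.
func handshake(serverCfg, clientCfg *tls.Config) (tls.ConnectionState, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = conn.(*tls.Conn).Handshake()
		}
		serverErr <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), clientCfg) // Dial completes the handshake
	if err != nil {
		return tls.ConnectionState{}, fmt.Errorf("client: %w", err)
	}
	defer cli.Close()
	if err := <-serverErr; err != nil {
		return tls.ConnectionState{}, fmt.Errorf("server: %w", err)
	}
	return cli.ConnectionState(), nil
}

func main() {
	cert, roots, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	st, err := handshake(hardenedServerConfig(cert), clientConfig(roots, tls.VersionTLS12, 0))
	fmt.Printf("current client: version 0x%04x suite %s err=%v\n", st.Version, tls.CipherSuiteName(st.CipherSuite), err)
	_, err = handshake(hardenedServerConfig(cert), clientConfig(roots, tls.VersionTLS10, tls.VersionTLS10))
	fmt.Printf("TLS 1.0-only client: err=%v\n", err) // refused with a protocol_version alert
}
```

The same tls.Config can be assigned to an http.Server's TLSConfig. Note that the configuration only governs what your server will negotiate; SP 800-52 also expects the client to validate the server certificate, which is why the client configs set RootCAs instead of InsecureSkipVerify, and why a legacy device that cannot reach the hardened server is the correct outcome rather than a reason to lower MinVersion.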
Where Are the Biggest Cracks in Your HIPAA Encryption Armor and How Can Encryption Safeguard that Data?
Encryption is the first step toward HIPAA compliance, not the last. Several factors can undermine that protection, opening up non-compliance issues and exposing patient data:
- Unsecured email systems and servers. Your employees will inevitably send PHI in emails or as attachments; when they refer a patient to a specialist, for example, they need to send records full of PHI to that specialist's clinic. Leading secure email products can protect all your employees' email and attachments. Choose one that is as simple to use as ordinary email, does not require users to manage keys, and handles huge diagnostic files, so users are not tempted to bypass it in an emergency. Be sure patients, colleagues, and insurance carriers can receive and reply securely without special software.
- Lost and stolen devices. More healthcare staff are using laptops, tablets, and mobile phones to do their work, which means handling ePHI on those devices every day. A stolen laptop with an unencrypted drive is both a serious security risk and a reportable breach; an encrypted one whose key was not compromised is not a reportable breach. Likewise, an app that syncs ePHI to an unprotected consumer cloud or caches it unencrypted exposes the data even when the device's own storage is encrypted. Providers like Kiteworks offer secure mobile apps that can meet HIPAA encryption standards.
- Staff and training. Weak or reused passwords, phishing, malware downloaded onto company devices, and poor browsing habits can open the door for attackers to grab PHI regardless of what encryption your organization uses. Encryption at rest protects a device that is powered off or locked; it does nothing once a user has unlocked it, or when an attacker holds the user's credentials or the key.
- Static encryption keys and certificates. The best encryption in the world cannot stop someone who holds the key. Rotate keys and certificates on a schedule, re-encrypt stored data under the new key, and retire the old one, so that a key that leaks has a bounded blast radius, and keep a tested procedure for revoking and replacing a compromised certificate immediately.
- Third-party partners. Vendors, subcontractors, and cloud providers that create, receive, maintain, or transmit ePHI on your behalf are business associates, and you must have a Business Associate Agreement (BAA) with each of them. The BAA makes the business associate directly responsible for its own HIPAA obligations, but it does not transfer yours: you remain accountable for choosing vendors with due diligence and for your own safeguards. Kiteworks has a standing BAA that it enters into with any partner in the healthcare industry to maintain HIPAA compliance and protect both organizations and patients.
- Weak encryption. Legacy computers, servers, and devices may lack modern encryption entirely or still rely on deprecated algorithms and protocols such as DES, 3DES, RC4, SSL 3.0, and TLS 1.0/1.1. Whether such systems hold ePHI in production or only as backups, they expose that data and your organization to non-compliance.
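The AES-256 discussion earlier leaves open how the key is handled, and the key-rotation item above says to rotate but not how stored records survive a rotation. As an added example, not Kiteworks code and not from the original article, the following Go program uses AES-256-GCM from the standard library with a versioned key ring: every record carries the version of the key that sealed it, Rotate adds a new active key without orphaning old records, a record is rekeyed by opening it under its old version and sealing it again under the new one, and Retire removes the old key once that is done. The record format, the Keyring type, and the sample record are assumptions made for this demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Record layout: 4-byte key version | 12-byte nonce | AES-256-GCM ciphertext and tag.
const versionLen, nonceLen, keyLen = 4, 12, 32

// Keyring holds the active data-encryption key plus older versions still needed to
// read records that have not yet been re-encrypted.
type Keyring struct {
	active uint32
	keys   map[uint32][]byte
}

// NewKeyring starts with one random AES-256 key as version 1.
func NewKeyring() (*Keyring, error) {
	k := &Keyring{keys: map[uint32][]byte{}}
	_, err := k.Rotate()
	return k, err
}

// Rotate generates a fresh key and makes it active. Older keys stay in the ring so
// existing records remain readable until they are rekeyed (Open, then Seal again).
func (k *Keyring) Rotate() (uint32, error) {
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		return 0, err
	}
	k.active++
	k.keys[k.active] = key
	return k.active, nil
}

// Retire drops a key version; records still sealed under it become unreadable, by design.
func (k *Keyring) Retire(version uint32) { delete(k.keys, version) }

func (k *Keyring) aead(version uint32) (cipher.AEAD, error) {
	key, ok := k.keys[version]
	if !ok {
		return nil, fmt.Errorf("key version %d is not available", version)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under the active key. The version header is bound as
// additional authenticated data, so a record cannot be re-labelled with another
// version without failing authentication.
func (k *Keyring) Seal(plaintext []byte) ([]byte, error) {
	gcm, err := k.aead(k.active)
	if err != nil {
		return nil, err
	}
	// Random 96-bit nonce; SP 800-38D caps this at 2^32 messages per key, one more reason to rotate.
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := binary.BigEndian.AppendUint32(nil, k.active)
	return gcm.Seal(append(header, nonce...), nonce, plaintext, header), nil
}

// Open authenticates and decrypts a record with whatever key version it names.
func (k *Keyring) Open(record []byte) ([]byte, error) {
	if len(record) < versionLen+nonceLen {
		return nil, errors.New("record too short")
	}
	hdr, nonce, ct := record[:versionLen], record[versionLen:versionLen+nonceLen], record[versionLen+nonceLen:]
	gcm, err := k.aead(binary.BigEndian.Uint32(hdr))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, hdr)
}

func main() {
	phi := []byte(`{"mrn":"00012345","dx":"E11.9"}`) // constructed sample, not real patient data
	kr, err := NewKeyring()
	if err != nil {
		panic(err)
	}
	rec, _ := kr.Seal(phi) // sealed under v1
	kr.Rotate()            // v2 active; v1 kept so rec stays readable
	pt, _ := kr.Open(rec)  // rekey: read under v1 ...
	rec2, _ := kr.Seal(pt) // ... and write back under v2
	kr.Retire(1)           // v1 gone: rec is now unreadable, rec2 is not
	_, oldErr := kr.Open(rec)
	fmt.Printf("rec2 key version %d; opening rec: %v\n", binary.BigEndian.Uint32(rec2[:versionLen]), oldErr)
}
```

In production the key material would live in an HSM or a cloud KMS and the ring would hold key identifiers rather than raw bytes, but the record format and the rotate, rekey, retire sequence are the same. Note what AES alone would not give you: without the GCM tag and the version bound as associated data, a flipped bit or a swapped version header would decrypt to garbage silently instead of failing.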
Meet HIPAA Encryption Requirements for Your ePHI with Kiteworks
Healthcare organizations must have the right technical security standards in place to protect ePHI. Encrypting data on servers and during transmission is a necessary part of HIPAA compliance, and that necessity also carries over to third-party cloud and IT vendors that they work with.
Kiteworks provides enterprise-grade managed file transfer and security services for healthcare organizations and their partners. Kiteworks follows HIPAA requirements so that data stored in or transported through its systems is protected, whether via file transfer, email, or cloud storage, with HIPAA-compliant services and technologies including secure mobile apps, secure managed file transfer, and content firewall software.
That means that when you enter into a BAA with us, you can trust that the patient data you move through Kiteworks is protected as the Security Rule requires, taking one significant piece of your compliance burden off your plate.
To learn how Kiteworks can help keep you HIPAA compliant, schedule a custom demo of Kiteworks today.