News Feature | August 25, 2015

When Encryption Isn't Enough: Going Beyond HIPAA To Protect Your IT Clients

By Megan Williams, contributing writer


Many of your clients believe, at least at an applied level, that complying with Health Insurance Portability and Accountability Act (HIPAA) standards of encryption keeps them sufficiently safe from data breaches. As this article from mHealth News addresses, however, there are situations in which it does not. Those include:

  • Data thieves gaining passwords to get around encryption (read about the Partners Health example here)
  • Devices being stolen while running with an authorized and authenticated user account already active
  • Formerly authorized users becoming unauthorized, but still having access

To address issues like these and other emerging threats around cybersecurity and mHealth, both you and your clients will need to look to the future of encryption.

Jeremy Weiss, principal security architect at CDW Healthcare, provides insights:

What do you see in the future of encryption in healthcare as it moves beyond HIPAA requirements?

The need for encryption is a fundamental requirement for any data containing electronic protected health information (ePHI). As HIPAA/HITECH continues to become the standard for healthcare as a practice, having tools in place that ensure patient security is key.

Encrypting data at rest — for example, file shares, local disks and removable media — and data in motion, such as email and other online methods, addresses only part of the issue. Mobile access to data allows staff to be more efficient via tablets and smartphones, and combined with the increasing trend toward bring your own device (BYOD), there are more possibilities of data breaches than ever before. Having the proper policies in place to monitor access to data and audit against these policies is critical for any organization that has access to ePHI.

Not only are these policies important for compliance, but they also help protect the patient experience, which is good for both patient outcomes as well as the bottom line. Encryption is an important tool for protecting data, but having controls in place regarding access to the data is just as critical. HIPAA/HITECH guidelines label email encryption as “addressable,” not “required”; however, this does not mean it should be taken as an optional step when considering patient security.

How can organizations best engage their employees in being active participants as part of an organization-wide security team?

Communication is key when building an organization-wide security team. Ensuring that employees understand what policies are in place to protect patient data is the first step. Next, training employees on what information they are sending, as well as how the experience works for both the sender and recipient, will allow for a much better overall result.

Most people are aware of the news on recent data breaches targeting the healthcare industry, or have been in the situation of having their information potentially compromised. Referencing these incidents as an example often encourages employees to adhere to the policies and regulations in place. Security shouldn’t be thought of as an inconvenience, but rather as a protective measure.

What measures would you recommend to organizations that want to find a balance between employee productivity and optimizing security through encryption processes?

Several solutions allow for hosted/hybrid encryption, reduced sign on and automated tools that control and audit content going out, such as data loss prevention, user provisioning and unstructured data analysis solutions. These solutions offer IT more visibility into operations, as well as the ability to be effective in the enforcement of compliance — while still allowing the staff to perform efficiently.

Organizations with few IT resources may experience difficulty managing a comprehensive security strategy; however, a trusted IT partner can help organizations mitigate those concerns and optimize security measures.