Archive for March, 2012
Q. Please explain the level of encryption necessary for email to be considered secure, as required by the interim final breach notification rule.
A. All ePHI, including email, is considered secure if it is secured at a level consistent with National Institute of Standards and Technology (NIST) standards. Most documents that meet these standards are not easily decipherable to nontechnical individuals.
Several different standards may be used to encrypt data transmitted via email. One common approved standard is the Advanced Encryption Standard (AES).
A second, usually used for website encryption and webmail encryption, is Secure Socket Layers (SSL). Encrypting email with AES, SSL, or another NIST approved standard is a good place to start.
Determining the strength of the mathematical algorithm used to protect or “scramble” your data is the next step. If the algorithm is less than 128-bit, your data is not secure. The larger the number of bits, the stronger the algorithm is. Some vendors and healthcare entities are transitioning to 256-bit encryption.
This exceeds the NIST standard, but it is worth considering because it provides better protection for any PHI you transmit via the Internet.
The specific NIST standards that address PHI transmitted via email are NIST 800-52, NIST 800-57, and Federal Information Processing Standards 140-2.
The OCR explains the necessary protections for ePHI transmitted via the Internet or email in an FAQ at http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2006.html.
Editor's note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question, which first appeared in the April Briefings on HIPAA. Apgar has more than 17 years of experience in information technology; he specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.
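The answer above names AES as an approved standard and treats anything below a 128-bit key as insecure, with 256-bit keys as the stronger option. The following Go program is an added example, not code from the original column or from Apgar & Associates; it encrypts a constructed email body with AES-256-GCM (an authenticated mode, so tampering is detected), enforces the 128-bit minimum from the answer, and the patient text it encrypts is made up for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// MinKeyBits is the minimum key size the answer above treats as secure.
const MinKeyBits = 128

// ErrWeakKey is returned for any key shorter than MinKeyBits.
var ErrWeakKey = errors.New("key shorter than 128 bits is not considered secure")

// checkKey enforces the key-length rule. AES itself only accepts 16-, 24- or
// 32-byte keys (128/192/256 bits), so the explicit check mainly gives a clear
// error instead of a generic "invalid key size".
func checkKey(key []byte) error {
	if len(key)*8 < MinKeyBits {
		return ErrWeakKey
	}
	switch len(key) {
	case 16, 24, 32:
		return nil
	}
	return fmt.Errorf("invalid AES key length: %d bytes", len(key))
}

// EncryptMessage seals plaintext with AES-GCM under key. The result is laid
// out as nonce || ciphertext || tag so the receiver can recover the nonce.
func EncryptMessage(key, plaintext []byte) ([]byte, error) {
	if err := checkKey(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptMessage reverses EncryptMessage. GCM's authentication tag makes it
// fail if a single bit of the sealed message was altered in transit.
func DecryptMessage(key, sealed []byte) ([]byte, error) {
	if err := checkKey(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed message too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

func main() {
	// 32 random bytes = a 256-bit key, the stronger option the answer mentions.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample body; not real patient data.
	body := []byte("Patient J. Doe: follow-up visit scheduled 2012-04-03")
	sealed, err := EncryptMessage(key, body)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptMessage(key, sealed)
	fmt.Printf("decrypted ok: %v, matches: %v\n", err == nil, string(plain) == string(body))

	// An 8-byte (64-bit) key is rejected before any encryption happens.
	_, err = EncryptMessage(make([]byte, 8), body)
	fmt.Println("64-bit key rejected:", errors.Is(err, ErrWeakKey))
}
```

Key management (how the 256-bit key reaches the recipient) is outside this snippet; in practice that is handled by S/MIME, PGP, or a TLS-protected mail gateway rather than by hand.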
HIPAA Summit nuggets from William R. Braithwaite, MD, PhD, “Doctor HIPAA”; Chief Medical Officer, Equifax; Former Senior Advisor on Health Information Policy, HHS, Washington, DC (Co-chair):
- Dr. HIPAA: “You all owe your jobs to me,” Braithwaite said (he helped craft the rules and regulations of HIPAA).
- The Privacy Rule: Don’t surprise the patient with a use or disclosure they don’t expect; “it’s that simple,” Braithwaite says.
- HIPAA says you must get your health record when you ask for it; but some providers still think they don’t have to give it to them on occasion
- 50,000 comments on first proposed HIPAA rule
- If you don’t encrypt a mobile device you are in violation because you have to put in reasonable protections; and encryption is the only protection for mobile devices
- Take reasonable and appropriate steps to reduce risk; those terms are used throughout all pages of the privacy and security rule
- Don’t just train once, “as some of you have done,” Braithwaite said, widening his eyes at the audience. Do it at least annually and have training material reflect what you found in your risk assessment
- Username and password alone are not satisfactory protections for logging in from a home computer
HIPAA Summit nuggets from Phyllis A. Patrick, MBA, FACHE, CHC, president, Phyllis A. Patrick & Associates LLC, Purchase, NY:
- Often, we see providers with extensive lists of “business associates,” but often some of them are not actually BAs. Most organizations can shorten that list. First thing is look at your list to make sure you have all BAs on the list. Most lists are 20 percent too long.
- Someone has to be the focal point of managing business associate contracts and relationships. It does take time, but if you haven’t done it already, you need to step back and take a look at the BA agreement in a “new light” and see what you can do with it. It has to be on your risk profile.
- Have you prioritized your BAs? Higher risk companies might be billing services, record management, IT vendors, etc. And have you identified where your PHI resides?
- May be a good idea to survey your BAs. What kinds of privacy and security policies and procedures do they have in place?
HIPAA Summit nuggets from Sharon D. Nelson, Esq., president, Sensei Enterprises, Inc., Fairfax, VA; and John W. Simek, vice president, Sensei Enterprises, Inc., Fairfax, VA:
- You may have a great security plan, but it’s only as good as your incident response plan for breaches
- Where did attacks on your organization originate: is it internal or external? You may have to do forensic investigation and preservation.
- Containing a breach? Just because you block a certain IP address, if they’re already in, it doesn’t matter. You have to block them out.
- No. 1 failure we see on breach response? Failure to patch things.
- If you’re running something like Windows 98, you may want to update that. Turn things on like failed log-in detection. It may not be a default feature.
- Physical security is a concern; a server is right behind a receptionist in a doctor’s office — not good
- Any eight-character password can be broken in two hours. You need 12 characters these days; it takes 17 years to hack a 12-character password. “Eight-character passwords are dead,” Nelson said.
- Have an exit/termination checklist. Did you get all keys, tokens, passwords, log-ins, disable remote access, when an employee is no longer with a company?
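Nelson and Simek's point about turning on failed log-in detection is the kind of check that a small practice can run over its own authentication logs. The program below is an added example written for this page, not the speakers' or Sensei Enterprises' code: it reads constructed log lines in a made-up format (timestamp, LOGIN_FAILED or LOGIN_OK, user, source address), and reports every user/source pair that hit a threshold of failures inside a sliding time window, with a successful login clearing that pair's count.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

type loginEvent struct {
	at   time.Time
	user string
	src  string
	ok   bool
}

// parseLine understands the constructed format used in this example:
// "<RFC3339 timestamp> LOGIN_FAILED|LOGIN_OK user=<name> src=<ip>".
// Lines that do not fit are skipped rather than treated as failures.
func parseLine(line string) (loginEvent, bool) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return loginEvent{}, false
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return loginEvent{}, false
	}
	ev := loginEvent{at: at}
	switch f[1] {
	case "LOGIN_FAILED":
		ev.ok = false
	case "LOGIN_OK":
		ev.ok = true
	default:
		return loginEvent{}, false
	}
	ev.user = strings.TrimPrefix(f[2], "user=")
	ev.src = strings.TrimPrefix(f[3], "src=")
	return ev, true
}

// FlagRepeatedFailures returns, sorted, each "user from src" pair that logged
// at least threshold failed logins within any span of length window. Lines
// are assumed to be in time order, as they would be in a log file.
func FlagRepeatedFailures(lines []string, threshold int, window time.Duration) []string {
	recent := map[string][]time.Time{} // failure timestamps still inside the window
	flagged := map[string]bool{}
	for _, line := range lines {
		ev, ok := parseLine(line)
		if !ok {
			continue
		}
		key := ev.user + " from " + ev.src
		if ev.ok {
			delete(recent, key) // a successful login resets the streak
			continue
		}
		ts := append(recent[key], ev.at)
		// Drop failures that fell out of the window relative to this one.
		i := 0
		for i < len(ts) && ev.at.Sub(ts[i]) > window {
			i++
		}
		ts = ts[i:]
		recent[key] = ts
		if len(ts) >= threshold {
			flagged[key] = true
		}
	}
	out := make([]string, 0, len(flagged))
	for k := range flagged {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// SampleLog is a constructed excerpt, not a capture from any real system.
var SampleLog = []string{
	"2012-03-14T09:00:00Z LOGIN_FAILED user=jsmith src=10.0.0.5",
	"2012-03-14T09:00:20Z LOGIN_FAILED user=jsmith src=10.0.0.5",
	"2012-03-14T09:00:40Z LOGIN_FAILED user=mjones src=10.0.0.9",
	"2012-03-14T09:01:00Z LOGIN_FAILED user=jsmith src=10.0.0.5",
	"2012-03-14T09:01:05Z LOGIN_OK user=mjones src=10.0.0.9",
	"2012-03-14T09:01:20Z LOGIN_FAILED user=jsmith src=10.0.0.5",
	"2012-03-14T09:01:40Z LOGIN_FAILED user=jsmith src=10.0.0.5",
	"this line is not in the expected format",
}

func main() {
	for _, k := range FlagRepeatedFailures(SampleLog, 5, 5*time.Minute) {
		fmt.Println("repeated failed logins:", k)
	}
}
```

The threshold and window are the two knobs to tune: too low and ordinary typos page someone at night, too high and a slow, patient guessing attempt never trips it. Whatever values are chosen, the finding should feed the incident response plan the speakers mention rather than just a log line nobody reads.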
HIPAA Summit nuggets from J. David Kirby, president, Kirby Information Management Consulting LLC; Former Director, Information Security Office, Duke University Health System, Durham, NC:
- 39% of privacy breach incidents on the OCR “Wall of Shame” (the website listing breaches of 500 or more) have occurred on a laptop or mobile device
- 88% of exposed records are mobile-media related
- Ponemon study says 60% of breaches have a strong malicious component
- Business associates involved in half of breaches