• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer
  • location_onContact
  • (330) 673-9500

Ickes \ Holt LLC

Information Security. Corporate Law. Litigation

  • Home
  • Attorneys
    • James Ickes, Esq., HCISPP, GLEG
    • Joel A. Holt, Esq., CIPP/US
  • Practice Areas
    • INFORMATION SECURITY & PRIVACY
      • A Call to Action
      • Data Breach Lawsuits
    • MEDICAL CANNABIS
    • LITIGATION
    • CORPORATE LAW
    • TRANSACTIONAL LAW
  • Insights
  • Our Philosophy
  • Payment Portal
  • Search

Sep 06, 2016 Leave a Comment

Encryption Prescription

himss study encryption A recent study[i] by the Chicago based Healthcare Information and Management Systems Society (HIMSS)  found that a significant number of hospitals and “non-acute providers”[ii] are not encrypting data in transit or at rest (the “HIMSS Study”).[iii]   Studies such as the HIMSS Study have become commonplace due to an explosion in cybersecurity awareness. Law firms, security consultants, trade organizations, and researchers continually produce surveys, studies, and reports reciting the epic failures of organizations to adequately protect information assets.  Some pundits have counseled restraint regarding these studies, citing bias, ulterior motives, sketchy data gathering, and even fear-mongering.[iv]

Regardless of the actual legitimacy of the HIMSS Study, it raises an important discussion point regarding encryption. So, with due respect to the pundits advocating caution, I will presume it to be reliable.  When viewed as reliable, the HIMSS Study presents compelling statistics with immediate impact to the healthcare industry.

The Numbers Regarding Encryption.

According to the HIMMS Study, approximately 32% of hospitals and 52% of non-acute providers do not encrypt data in transit.  Further, 39% of acute providers and 52% of non-acute providers do not encrypt data at rest.   The overarching gist of the HIMMS Study is that a significant percentage of healthcare organizations (“HCOs”) do not encrypt data, either at rest or in transit.  But, what’s the big deal?

The Rules Regarding Encryption.

HIPAA does not necessarily require encryption.  However, encryption is an addressable implementation specification.  See 45 CFR 164.312(a)(2)(iv).   Importantly, “addressable” does not mean “optional.”  Instead, “addressable” means that a covered entity must “[i]mplement the implementation specification if reasonable and appropriate” under the circumstances for that covered entity.  See 45 CFR 164.306(d)(3).  If a covered entity determines that an addressable item is not reasonable and appropriate, it must document why and implement an equivalent measure, if the substitute measure is reasonable and appropriate.  Clearly, if encryption is reasonable and appropriate for a covered entity, failure to implement encryption violates HIPAA’s Security Rule.  Thus, the operative question is whether encryption is reasonable and appropriate.

In 2016, encryption tools are readily available and there is no excuse for failing to encrypt data at rest.   For example, Windows OS includes BitLocker Drive Encryption onboard.  Further, there are numerous affordable encryption options for Windows.[v]   Mac offers FireVault 2 encryption standard with OS X.  Firevault 2 encrypts not only the hard drive, but removable drives as well.  FireVault is a respectably robust encryption tool, especially for individuals or small business.  Mac users also have additional options for encryption.[vi]

Data in transit is a bit more technical.  I do not claim to be a CISSP – my knowledge base is in the law, not hardware and software.  So, for purposes of this article, let’s just consider that “data in transit” entails methods with which we are all familiar – email, fax, and text.  All of these transmissions may be encrypted by employing various programs, services, and technology, many of which are readily available and affordable.

People will undoubtedly argue about the viability of, and protection afforded by, these encryption tools.  For example, you can Google numerous articles discussing the security flaws in Firevault 2 and BitLocker.  Encryption options for faxing and texting usually fare no better.

The good news is that HIPAA does not demand that the encryption WORK – but only that covered entities “[i]mplement a mechanism to encrypt and decrypt” ePHI.  See 45 CFR 164.312(a)(2)(iv).   HIPAA defines encryption as “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.”  See 45 CFR 164.304.  So, the mere fact that a covered entity implements encryption methods meeting technical requirements[vii] satisfies HIPAA’s basic requirement.  Of course, covered entities must also keep safeguards up to date and monitor overall effectiveness in protecting information assets.

Finally, it should be stated that encrypting data relieves a covered entity from data breach notification requirements in many states, including Ohio.  In Ohio, data breaches exposing “personal information” must, under certain circumstances, be reported to the individuals.  See R.C. 1349.19(B)(1).  Information is only “personal information” “when the data elements are not encrypted, redacted, or altered by any method or technology[.]”  R.C. 1349.19(A)(7)(a).

In closing, it is arguable that encryption is currently reasonable and appropriate for 100% of covered entities.  Under that postulation, then, according to the HIMSS Study, between 32% to 52% of HCOs are violating HIPAA and perhaps do not even realize they are doing so.  While HIPAA’s Privacy and Security Rules go far beyond encryption, perhaps it is a good, objective starting point for covered entities.  Stakeholders in covered entities (and business associates) should ask:

  • Do we store data? If so, do we encrypt that data?
  • Do we transmit data? If so, how?  Email, fax, or text?
  • Do we encrypt the data we transmit? How?
  • Is encryption reasonable and appropriate for our organization?
  • If not, do we have the justifications documented?

Based on this self-analysis, covered entities should contact an information security lawyer to help them: (1) conduct a thorough and confidential analysis of existing information security policies and procedures; and (2) develop and implement an information security regimen tailored to foster an organizational culture of security.

 

[i] http://www.itworld.com/article/3110506/healthcare-it/many-hospitals-transmit-your-health-records-unencrypted.html

[ii] outpatient clinics, rehabilitation facilities and physicians’ offices.  See note iv, infra.

[iii] 2016 HIMSS Cybersecurity Survey, available at: http://www.himss.org/sites/himssorg/files/2016-cybersecurity-report.pdf

[iv] For example, the HIMSS Study was sponsored by FairWarning.  FairWarning is a provider of information security services and has a considerable market in … you guessed it … the healthcare industry.  Sure, it seem convenient that a study exposing a lack of information security in healthcare is sponsored by a seller of information security to healthcare. In fact, the lawyer in me demands the injection of a healthy dose of skepticism.

However, in fairness, as an information security attorney, I could be accused of the same sort of fear-mongering designed to scare people into hiring me.  But, I know this to be patently untrue.  No reasonable person would consider identification of critical issues and application of sound legal advice to mitigate those issues as “fear mongering.”  It is no different that advising a business owner to incorporate to avoid the risk of exposing personal assets to creditors.  So, because I know my motives are pure, I am inclined to extend the benefit of doubt to others.

[v] http://www.toptenreviews.com/software/security/best-encryption-software/

[vi] http://www.toptenreviews.com/software/security/best-mac-encryption-software/

[vii] HHS has issued guidance on encryption standards, namely referring to NIST guidelines.  For example, encryption for data at rest must be consistent with NIST Special Publication 800-111.  Encryption for data in transit must comply with other specifications, including NIST Special Publications 800-52,

 

Categories: Cybersecurity, Data Breach, Data Security, Encryption, HIPAA, Information Governance, Information Security, Privacy

Reader Interactions

Leave a Comment Cancel

Primary Sidebar

Articles & News

Dec 10

Co-Parenting through Covid

Apr 09

TELEHEALTH RESTRICTIONS LIFTED

Mar 24

Guidance from HHS to First Responders Related to COVID-19

Categories

Our Reviews

Dianna Hendrickson
Dianna Hendrickson

5 out of 5 stars

posted 3 months ago

We were very happy with the service provided us. Joel was keen on details and doing things right the first time. We truly appreciated his looking out for us on what some lawyers might have passed off as an insignificant matter.

Heather Richmond
Heather Richmond

5 out of 5 stars

posted 5 months ago

I have been working with Jim Ickes at Ickes & Holt for the last three years. He has literally helped me to navigate my business legally and strategically. Even in California were I have resided I avoided going with the firms out here in Los Angeles. With Jim and his team I appreciated there midwest values and there approach to working with clients. Not only would I recommend him and his firm to everyone I work with I will continue to seek this wise counsel and the work the really do care about. I really feel he has sincerely cared about helping my business grow, Thank you Jim and Ickes and Holt!!

Danielle Kuestner
Danielle Kuestner

5 out of 5 stars

posted 1 week ago

I'm a college kid who Mr. Holt assisted. I also have a lot of anxiety and Mr. Holt helped ease the process of what I was going through legally, always reached out, and communicated with me about my case and the progress of it.

Read All 44 Reviews

Footer

Let’s Talk

Recent News

REGARDING PRIVACY OHIO SETS A HIGH BAR FOR MEDICAL MARIJUANA

Over the last few years, agencies such as the Federal Trade Commission have fostered a movement to encourage industry to implement the concept of privacy-by-design.  The idea behind privacy-by-design ... Read More

NFL and Players May Join Forces on Medical Marijuana

The National Football League generated $13 billion in revenue in 2016.[i]  The next closest professional sports league was Major League Baseball at $9.5 billion.  In comparison, the Premier League and ... Read More

Social Media

FacebookLinkedin

4301 Darrow Road, Suite 1100 | Stow, OH 44224
(330) 673-9500 p

© 2021 Ickes Holt | a full-service law firm