A recent study[i] by the Chicago-based Healthcare Information and Management Systems Society (HIMSS) found that a significant number of hospitals and “non-acute providers”[ii] are not encrypting data in transit or at rest (the “HIMSS Study”).[iii] Studies such as the HIMSS Study have become commonplace due to an explosion in cybersecurity awareness. Law firms, security consultants, trade organizations, and researchers continually produce surveys, studies, and reports reciting the epic failures of organizations to adequately protect information assets. Some pundits have counseled restraint regarding these studies, citing bias, ulterior motives, sketchy data gathering, and even fear-mongering.[iv]
Regardless of the actual legitimacy of the HIMSS Study, it raises an important discussion point regarding encryption. So, with due respect to the pundits advocating caution, I will presume it to be reliable. When viewed as reliable, the HIMSS Study presents compelling statistics with immediate impact to the healthcare industry.
The Numbers Regarding Encryption.
According to the HIMSS Study, approximately 32% of hospitals and 52% of non-acute providers do not encrypt data in transit. Further, 39% of acute providers and 52% of non-acute providers do not encrypt data at rest. The overarching gist of the HIMSS Study is that a significant percentage of healthcare organizations (“HCOs”) do not encrypt data, either at rest or in transit. But, what’s the big deal?
The Rules Regarding Encryption.
HIPAA does not necessarily require encryption. However, encryption is an addressable implementation specification. See 45 CFR 164.312(a)(2)(iv). Importantly, “addressable” does not mean “optional.” Instead, “addressable” means that a covered entity must “[i]mplement the implementation specification if reasonable and appropriate” under the circumstances for that covered entity. See 45 CFR 164.306(d)(3). If a covered entity determines that an addressable item is not reasonable and appropriate, it must document why and implement an equivalent measure, if the substitute measure is reasonable and appropriate. Clearly, if encryption is reasonable and appropriate for a covered entity, failure to implement encryption violates HIPAA’s Security Rule. Thus, the operative question is whether encryption is reasonable and appropriate.
In 2016, encryption tools are readily available and there is no excuse for failing to encrypt data at rest. For example, Windows OS includes BitLocker Drive Encryption onboard. Further, there are numerous affordable encryption options for Windows.[v] Mac offers FileVault 2 encryption standard with OS X. FileVault 2 encrypts not only the hard drive, but removable drives as well. FileVault is a respectably robust encryption tool, especially for individuals or small businesses. Mac users also have additional options for encryption.[vi]
Data in transit is a bit more technical. I do not claim to be a CISSP – my knowledge base is in the law, not hardware and software. So, for purposes of this article, let’s just consider that “data in transit” entails methods with which we are all familiar – email, fax, and text. All of these transmissions may be encrypted by employing various programs, services, and technology, many of which are readily available and affordable.
People will undoubtedly argue about the viability of, and protection afforded by, these encryption tools. For example, you can Google numerous articles discussing the security flaws in FileVault 2 and BitLocker. Encryption options for faxing and texting usually fare no better.
The good news is that HIPAA does not demand that the encryption WORK – but only that covered entities “[i]mplement a mechanism to encrypt and decrypt” ePHI. See 45 CFR 164.312(a)(2)(iv). HIPAA defines encryption as “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.” See 45 CFR 164.304. So, the mere fact that a covered entity implements encryption methods meeting technical requirements[vii] satisfies HIPAA’s basic requirement. Of course, covered entities must also keep safeguards up to date and monitor overall effectiveness in protecting information assets.
Finally, it should be stated that encrypting data relieves a covered entity from data breach notification requirements in many states, including Ohio. In Ohio, data breaches exposing “personal information” must, under certain circumstances, be reported to the individuals. See R.C. 1349.19(B)(1). Information is only “personal information” “when the data elements are not encrypted, redacted, or altered by any method or technology[.]” R.C. 1349.19(A)(7)(a).
In closing, it is arguable that encryption is currently reasonable and appropriate for 100% of covered entities. Under that postulation, then, according to the HIMSS Study, between 32% and 52% of HCOs are violating HIPAA and perhaps do not even realize they are doing so. While HIPAA’s Privacy and Security Rules go far beyond encryption, perhaps it is a good, objective starting point for covered entities. Stakeholders in covered entities (and business associates) should ask:
- Do we store data? If so, do we encrypt that data?
- Do we transmit data? If so, how? Email, fax, or text?
- Do we encrypt the data we transmit? How?
- Is encryption reasonable and appropriate for our organization?
- If not, do we have the justifications documented?
Based on this self-analysis, covered entities should contact an information security lawyer to help them: (1) conduct a thorough and confidential analysis of existing information security policies and procedures; and (2) develop and implement an information security regimen tailored to foster an organizational culture of security.
[ii] Outpatient clinics, rehabilitation facilities and physicians’ offices. See note iv, infra.
[iii] 2016 HIMSS Cybersecurity Survey, available at: http://www.himss.org/sites/himssorg/files/2016-cybersecurity-report.pdf
[iv] For example, the HIMSS Study was sponsored by FairWarning. FairWarning is a provider of information security services and has a considerable market in … you guessed it … the healthcare industry. Sure, it seems convenient that a study exposing a lack of information security in healthcare is sponsored by a seller of information security to healthcare. In fact, the lawyer in me demands the injection of a healthy dose of skepticism.
However, in fairness, as an information security attorney, I could be accused of the same sort of fear-mongering designed to scare people into hiring me. But, I know this to be patently untrue. No reasonable person would consider identification of critical issues and application of sound legal advice to mitigate those issues as “fear-mongering.” It is no different than advising a business owner to incorporate to avoid the risk of exposing personal assets to creditors. So, because I know my motives are pure, I am inclined to extend the benefit of the doubt to others.
[vii] HHS has issued guidance on encryption standards, namely referring to NIST guidelines. For example, encryption for data at rest must be consistent with NIST Special Publication 800-111. Encryption for data in transit must comply with other specifications, including NIST Special Publications 800-52,