Medical Data Encryption: Keeping Your PHI Secure

Encryption is another layer of security to your organization’s PHI. 

Did you know that only 63% of healthcare organizations encrypt PHI on their work devices? Yet encryption is an essential aspect of data security. Without it, your data is more vulnerable to hackers.

SEE ALSO: Snapshot of HIPAA and Healthcare Data Security

Why encrypt? 

HIPAA requires that all electronic PHI that’s created, stored, or transmitted in all work devices must be encrypted.

If a hacker is able to break into a work device, any data on that device is now available to him. But if the data is encrypted, it makes the data worthless to the hacker, unless he has the encryption key. Encryption is an extra layer of security that prevents stolen data from being used by hackers.

What type of encryption should I use? 

Many confuse encryption with masking. Masking only hides part of the data from view, while encryption runs the data through an algorithm that makes it indecipherable without a key. Masking doesn’t protect your data like encryption does.

While HIPAA doesn’t specify what types of encryption to use, it’s best to use AES-128 Triple DES, AES-256, or better.

Finding PHI

To encrypt your PHI, you need to know where it is. Keeping track of where your PHI is created, stored, and transmitted is the first step to properly securing your data. Make a diagram to find out where PHI enters, leaves, and resides in your organization. You should focus on entry, transmission, and storage.

Entry
Where is your PHI entering your entity? Is it just at the reception desks or are you getting information from other areas of your organization? Figure out where you are getting your patient information and from where. Here are some possible points of entry.

• Reception desks
• Emails
• Texts
• Business associates

Transmission
Just like you need to document where PHI is entering your environment, you need to know where it’s leaving your environment. PHI exiting your organization can be vulnerable to hackers. Some points of exit to consider are:

• Business associates: are you sending information through encrypted transmissions?
• Email: is your email secure? Are you encrypting PHI? 
• Flash drives: what happens if one is stolen? Have policies in place. 
• Trash bins on computers: how often are these cleared out? 

SEE ALSO: How to Permanently Delete Files with Sensitive Data

Storage
You should know where PHI is being stored. Is it copied and transferred directly to a department, or is it stored automatically in your EHR system? You also need to record all hardware and software devices, and other data storage mediums that can access PHI.

Here are some common places where PHI is stored:

• EHR/EMR systems
• Mobile devices
• Email
• Servers
• Laptops/computers
• Wireless medical devices
• Applications
• Encryption software

Need help managing your PHI? Talk to one of our experts! 

Encrypting mobile devices

Most mobile encryption isn’t as secure as other devices. Mobile technology is only as secure as the device’s passcode. The best security practice with mobile devices is setting up policies and procedures, such as:

• Procedures for storing sensitive data, 
• Stolen/lost device policies
• Mobile password length requirements

SEE ALSO: 5 Tips to HIPAA Compliant Mobile Devices

If you can, avoid storing sensitive information on mobile devices to eliminate the threat of a data breach altogether.
SEE ALSO: 5 Ways Your Mobile Device Can Get Malware

Encrypting Email

According to the HHS Breach Portal, over 100 organizations since 2009 have had PHI stolen through insecure emails. It’s crucial to secure your emails through encryption.

Since email is difficult to secure properly, it’s best to avoid sending PHI through email whenever possible. Experts recommend a patient portal for sending information to patients and secure file transfers to send files to other covered entities.

If you have to use an internet-based service, make sure the service signs a business associate agreement with you. This still makes you ultimately responsible for protecting data, but it gives you extra protection. Make sure that all PHI in the emails you send are encrypted.

SEE ALSO: How to Send a HIPAA Compliant Email

You need to encrypt sensitive data in your organization, not only for your sake, but for your patients' sake as well.

Tweet

It’s just another layer of security than can keep you from having a costly breach on your hands.

Want to learn more about encryption? Read our white paper Medical Data Encryption 101.