New HIPAA rule draws attention to encryption regulation
A surprising number of healthcare organizations are putting patients’ electronic health records (EHR) at risk by failing to meet HIPAA’s security requirements.
According to TechTarget, the recently released omnibus amendment to HIPAA requires healthcare providers to abide by a new set of data protection regulations, which will push IT departments to look for stronger security strategies. The omnibus rule takes effect March 26, and organizations have until September 22 to reach compliance.
Some patients prefer to receive email unencrypted, and when a patient makes that choice, providers covered under the new rule are not held responsible for unauthorized access to that message while it is in transit. Now more than ever, though, mobile device encryption will be a critical security measure, because more healthcare organizations are granting mobile access to EHRs. According to Mack Baniameri, CEO of Health BI, most organizations do not fully understand what proper encryption entails, and every email sent with confidential patient data can leave copies for attackers to find. He explained that cyber-criminals can readily compromise mobile devices to recover copies of these emails, so the security of these exchanges depends directly on how the server infrastructure is built.
Encryption compliance requires that the infrastructure be built to block all unauthorized external access to the server. Baniameri is adamant that no trace of the data should remain on employee devices, and that encryption keys must be at least 128 bits (AES-128 or stronger for symmetric encryption). Even authorized users should reach email and other messaging platforms only through strictly enforced username and password authentication. The system should also be able to audit all network activity logs automatically in order to detect breach attempts. Lastly, it should be able to retrieve that audit information quickly and impose automated time-outs on accounts whose use of the server is abnormal.
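The last two requirements above (automated audit of activity logs and automated time-outs for abnormal use) are the ones a practitioner has to turn into concrete rules. The following Python script is an added example written for this page; it is not code from Health BI or from the article. The log format, the sample lines and the thresholds (five failed logins within two minutes, more than fifty record reads within five minutes) are assumptions chosen for illustration.

```python
"""Audit a constructed server activity log for abnormal use and decide which
accounts should be timed out. Added example; the log format is an assumption:
ISO timestamp, source IP, account, event, outcome."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample log lines, not taken from any real system."""
    lines = [
        "2013-03-26T09:00:01Z 10.0.0.5 jsmith LOGIN OK",
        "2013-03-26T09:00:10Z 10.0.0.5 jsmith READ_RECORD OK",
    ]
    # A burst of failed logins against nurse1 from an external address,
    # followed by a successful login (a password-guessing pattern).
    for i in range(5):
        lines.append(f"2013-03-26T09:01:{i * 3:02d}Z 203.0.113.7 nurse1 LOGIN FAIL")
    lines.append("2013-03-26T09:01:20Z 203.0.113.7 nurse1 LOGIN OK")
    # billing2 pulls 60 patient records in under three minutes at 02:10.
    lines.append("2013-03-26T02:10:00Z 10.0.0.9 billing2 LOGIN OK")
    for i in range(60):
        lines.append(
            f"2013-03-26T02:{10 + i // 20:02d}:{(i % 20) * 3:02d}Z "
            f"10.0.0.9 billing2 READ_RECORD OK"
        )
    return "\n".join(lines)


def parse(log_text):
    """Parse log lines into (timestamp, ip, account, event, outcome) tuples,
    sorted by time so that sliding windows can be applied in order."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, event, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, event, outcome))
    events.sort(key=lambda e: e[0])
    return events


def _within_window(queue, ts, window):
    """Push ts onto the per-account queue, drop entries older than window,
    and return how many events remain inside the window."""
    queue.append(ts)
    while queue and ts - queue[0] > window:
        queue.popleft()
    return len(queue)


def audit(log_text, fail_threshold=5, fail_window=timedelta(minutes=2),
          read_threshold=50, read_window=timedelta(minutes=5)):
    """Return (findings, timed_out): findings is a time-ordered list of
    (account, kind, detail, timestamp); timed_out is the set of accounts
    whose sessions should be terminated."""
    findings = []
    timed_out = set()
    fails = defaultdict(deque)   # account -> recent LOGIN FAIL timestamps
    reads = defaultdict(deque)   # account -> recent READ_RECORD timestamps
    for ts, ip, account, event, outcome in parse(log_text):
        if account in timed_out:
            # A live system would reject these; a retrospective audit only
            # needs the first finding per account.
            continue
        if event == "LOGIN" and outcome == "FAIL":
            n = _within_window(fails[account], ts, fail_window)
            if n >= fail_threshold:
                findings.append((account, "BRUTE_FORCE",
                                 f"{n} failed logins within {fail_window} from {ip}", ts))
                timed_out.add(account)
        elif event == "READ_RECORD" and outcome == "OK":
            n = _within_window(reads[account], ts, read_window)
            if n > read_threshold:
                findings.append((account, "BULK_READ",
                                 f"{n} record reads within {read_window}", ts))
                timed_out.add(account)
    return findings, timed_out


if __name__ == "__main__":
    found, locked = audit(build_sample_log())
    for account, kind, detail, ts in found:
        print(f"{ts.isoformat()} {account} {kind}: {detail}")
    print("time out:", sorted(locked))
```

Run against the constructed log, the script flags billing2 for bulk record reads and nurse1 for the failed-login burst, while jsmith’s ordinary activity produces no finding; the thresholds are parameters so a deployment can tune them to its own baseline rather than the illustrative values used here.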
A truly secure system for HIPAA compliant file transfer will use current, well-vetted encryption technologies so that no residual copies of the data are left behind.
A steady rise in breaches involving unencrypted devices suggests that many organizations still aren’t taking the necessary steps to protect their data.
Greenville Online reported that following the devastating October breach of the state Revenue Department’s database, which exposed 3.3 million bank account numbers and 3.8 million Social Security numbers, the agency still had not deployed encryption. Mandiant, the cyber security firm that investigated the attack, listed encryption of all servers, applications and devices as a primary preventive recommendation. The agency’s chief information officer, Dale Brown, and deputy director, Harry Cooper, said the department was still researching and evaluating encryption options. Bruce Bannister, a state representative from Greenville, told the news source that he was surprised by the department’s failure to adopt encryption for data security.
“I thought they were already in the process of dealing with encryption and I thought they were finished with dual authentication,” he said. “It appears the agencies in general have taken a more relaxed view of data security. I don’t think they appreciate the threat they are under now.”
Kevin Bryant of Anderson, chair of the subcommittee examining the breach, told Greenville Online that a mandate requiring full encryption might be necessary to create urgency around the department’s security efforts.
Growing regulatory pressure to encrypt data has required firms to invest more heavily in supporting technologies. CRN contributor Kevin Percy asserted that encryption should be integral to every company’s overall security strategy, especially because human error is a primary cause of data breaches. Percy explained that while some enterprises worry these methods will hurt operational efficiency, encryption can run invisibly in the background. Because files are encrypted once and each user holds a unique key, it is unlikely that an employee would be wrongly locked out of systems they are authorized to view.
It’s imperative that businesses implement a thorough, fully functioning encryption solution because, as Percy pointed out, a poor product could ultimately cost the enterprise more to replace. Greenville Online reported that while adopting encryption technology was expected to cost the department between $4 million and $12 million, the state had already spent $20 million on recovery from the recent breach.
Data security regulations concerning the protection of highly sensitive information will only become more strict with time. In order to ensure compliance and avoid costly consequences, organizations will need to seek the most advanced encryption technologies.
After the HIPAA omnibus privacy and security rule was recently finalized, healthcare professionals have been forced to re-assess whether investments in data protection are sufficient.
According to a HIMSS survey taken at the end of 2012, more medical organizations are beginning to factor these regulations into their security budgets. More than half of HIMSS respondents agreed that federal initiatives have led to an increase in IT security spending. Secure methods for delivering patient information remain a topic of debate: the survey found that 60 percent of healthcare providers use a CD to transfer records, while 39 percent use web portals and 34 percent use encrypted e-mail. Of the respondents using web portals, an overwhelming 98 percent stated that at least one security control was in place, whereas the previous year only 21 percent cited any access controls.
The survey’s findings imply that rising breaches and stricter enforcement of federal regulations have caused healthcare organizations to reconsider how confidential patient information is handled. Government Health IT reported that Lisa Gallagher, director of privacy and security for HIMSS, was pleased to find an increase in the number of organizations conducting risk assessments. Gallagher explained that it has been a challenge for the healthcare industry to take responsibility for patient data protection because, on the whole, its members are not trained in security.
“Doctors are trained to take care of patients, not to take care of data, but we need them to take care of data,” she said.
Gallagher’s hope is that as institutions witness the significant costs that result from security breaches, there will be more of an effort to encrypt data at rest in addition to secure protocols for data in transit.
Because security professionals are almost non-existent in the healthcare community, many organizations are unaware that data loss prevention measures are inadequate. IT experts suggest that medical providers seek technological support to ensure secure data protection and file transfer.
Increasingly, enterprises are experiencing detrimental data breaches not only from external attacks, but also as a result of internal risky behavior.
While Giga Om reported that a majority of organizations have experienced a malware attack at some point, data loss prevention (DLP) most often fails because IT security teams skip risk assessments and neglect basic safeguards.
As the bring-your-own-device (BYOD) trend has brought more employee devices into the workplace and more sensitive data into cloud services, protecting information has become a continual challenge for businesses. Giga Om explained that while many firms have sought DLP solutions, many of these products are designed to minimize the damage from a database attack rather than prevent one in the first place. Further, most DLP products are on-site solutions that are costly and complicated to install and maintain. This not only makes companies reluctant to adopt DLP but also means that deployed solutions are rarely updated with current capabilities for monitoring server activity and detecting anomalies.
Giga Om reported that according to Edward Ferrara, principal research analyst for security and risk professionals for Forrester Research, only by implementing software-as-a-service (SaaS) DLP technologies can enterprises keep up with new risk factors that are constantly emerging. Firms often avoid SaaS security solutions, fearing they are too expensive, but the cloud has made these services both scalable and affordable to enterprises of all sizes. Many companies still aren’t leveraging cloud-based technologies for DLP, however, despite the fact that off-site solutions are typically far more affordable. Giga Om explained that DLP services in the cloud are estimated to cost anywhere from $250,000 to $600,000 less a year than on-premise approaches.
Kaspersky Lab chief product officer Petr Merkulov told Giga Om that enterprise security depends on an approach that addresses all potential threats.
“A corporate security solution must protect against both external and internal threats using the right tools for the job: Anti-malware technologies, corporate security policies, data leakage prevention methods, and so on,” he explained.
As organizations face an ever-growing array of threats to data protection, security professionals will seek technologies that detect potential internal threats while also obstructing external offenses.