Add another layer of security to your organization’s PHI with encryption.
Did you know that only 63% of healthcare organizations encrypt PHI on their work devices? Yet encryption is an essential aspect of data security. Without it, your data is more vulnerable to hackers.
See also: Snapshot of HIPAA and Healthcare Data Security
HIPAA's Security Rule lists encryption of electronic PHI, both at rest and in transit, as an addressable implementation specification: you must encrypt wherever it is reasonable and appropriate, or document why it is not and put an equivalent safeguard in place. In practice that means ePHI that is created, stored, or transmitted on work devices should be encrypted. There is a concrete payoff: under the Breach Notification Rule, lost or stolen ePHI that was encrypted in line with HHS guidance is not "unsecured" PHI and is not a reportable breach.
If an attacker breaks into or walks off with a work device, every file on it is theirs to read. If the data is encrypted, it is worthless to them unless they also obtain the key. That makes the key the thing to protect: it must not sit on the same device in the clear (for example, in a configuration file next to the database it unlocks), and it should be held by the operating system keystore, a key management service, or a hardware security module that releases it only to an authenticated user or process. Encryption is an extra layer of security that keeps stolen data from being usable.
Many confuse encryption with masking. Masking hides part of a value from view (showing only the last four digits of a Social Security number, for instance); it has no key, the visible part is real data, and the hidden part cannot be recovered by anyone. Encryption runs the whole value through an algorithm that makes it indecipherable without the key, and fully recoverable with it. Masking limits what a screen or report shows; it does not protect stored or transmitted data the way encryption does.
HIPAA does not name specific algorithms; HHS's breach-notification guidance instead points to NIST standards. In practice that means AES (128-bit keys or longer, with AES-256 the common choice) in an authenticated mode such as GCM for data at rest, and TLS 1.2 or later for data in transit. Avoid legacy ciphers such as DES, 3DES, and RC4, and unauthenticated modes such as ECB, which leak patterns in the plaintext and let an attacker modify ciphertext undetected.
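To make the difference between masking and encryption concrete, here is an added example in Go using only the standard library; it is not code from the original article or from SecurityMetrics. It seals a constructed sample record with AES-256-GCM, shows that a wrong key or a single flipped bit is rejected outright rather than yielding garbage, and contrasts that with masking an SSN. The sample record, the record ID used as associated data, and the passphrase-derived demo keys are all assumptions made for the demo; in production the key comes from a KMS, HSM, or OS keystore, never from a passphrase hashed in code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Encrypt seals plaintext with AES-256-GCM. key must be 32 bytes.
// A fresh random 12-byte nonce is prepended to the output; Seal appends the
// 16-byte authentication tag. aad is authenticated but not encrypted, so a
// record ID passed here cannot be swapped onto another patient's ciphertext.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt. A wrong key, a modified ciphertext, or mismatched
// aad all fail the tag check, so the caller never receives corrupted PHI.
func Decrypt(key, sealed, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// MaskSSN hides all but the last four characters. This is display masking,
// not encryption: there is no key and the hidden digits are gone for good.
func MaskSSN(ssn string) string {
	if len(ssn) <= 4 {
		return strings.Repeat("*", len(ssn))
	}
	return strings.Repeat("*", len(ssn)-4) + ssn[len(ssn)-4:]
}

func main() {
	// Constructed sample record for the demo; not real patient data.
	record := []byte(`{"patient":"Jane Doe","ssn":"123-45-6789","dx":"E11.9"}`)
	recordID := []byte("rec-0001") // hypothetical record identifier used as AAD

	// Demo-only keys derived from fixed strings so the run is reproducible.
	// Never do this in production: fetch keys from a KMS/HSM or OS keystore.
	goodKey := sha256.Sum256([]byte("demo-key-material"))
	wrongKey := sha256.Sum256([]byte("attacker-guess"))

	sealed, err := Encrypt(goodKey[:], record, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Println("ciphertext:", hex.EncodeToString(sealed))

	if _, err := Decrypt(wrongKey[:], sealed, recordID); err != nil {
		fmt.Println("wrong key rejected:", err)
	}
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the tag
	if _, err := Decrypt(goodKey[:], sealed, recordID); err != nil {
		fmt.Println("tampered ciphertext rejected:", err)
	}
	sealed[len(sealed)-1] ^= 0x01 // restore it
	plain, _ := Decrypt(goodKey[:], sealed, recordID)
	fmt.Println("decrypted:", string(plain))
	fmt.Println("masked SSN:", MaskSSN("123-45-6789"))
}
```

Two points the code makes that the paragraph cannot: GCM's authentication tag is what turns "worthless to the attacker" into "rejected by the system", and a random 96-bit nonce must never be reused under the same key, which in practice means rotating keys well before the message count approaches 2^32.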
To encrypt your PHI, you need to know where it is. Keeping track of where your PHI is created, stored, and transmitted is the first step to properly securing your data. Make a diagram to find out where PHI enters, leaves, and resides in your organization. You should focus on entry, transmission, and storage.
Where is your PHI entering your entity? Is it only at the reception desk, or does it arrive through other parts of your organization as well? Identify every channel through which patient information reaches you and who sends it. Here are some possible points of entry.
Just as you need to document where PHI enters your environment, you need to know where it leaves. PHI in transit is exposed unless it is encrypted on the wire, so every exit path needs a secured channel. Some points of exit to consider are:
See also: How to Permanently Delete Files with Sensitive Data
See also: SecurityMetrics HIPAA Guide
Storage
You should know where PHI is being stored. Is it copied and handed directly to a department, or is it stored automatically in your EHR system? You also need to inventory every piece of hardware, every application, and every removable medium (backup drives, USB sticks, copier hard disks) that stores or can reach PHI.
Here are some common places where PHI is stored:
Mobile devices are a weaker link than you might expect. Modern phones and tablets encrypt their storage by default, but the storage key is protected by the device passcode, so a four-digit PIN leaves the data only ten thousand guesses away from anyone who can image the device or bypass its guess-rate limiting. The best security practice with mobile devices is setting up policies and procedures, such as:
See also: 5 Tips to HIPAA Compliant Mobile Devices
If you can, avoid storing PHI on mobile devices at all; a device that holds no PHI cannot lose it, and it drops out of your breach surface entirely.
See also: 5 Ways Your Mobile Device Can Get Malware
According to the HHS Breach Portal, more than 100 organizations have reported PHI stolen through unsecured email since 2009. Any email that carries PHI needs to be encrypted.
Since email is difficult to secure properly, it’s best to avoid sending PHI through email whenever possible. Experts recommend a patient portal for sending information to patients and secure file transfers to send files to other covered entities.
If you must use an internet-based email service, make sure the provider signs a business associate agreement (BAA) with you. A BAA obligates the provider to safeguard the data, but you remain responsible for it. Also confirm how the service encrypts: transport encryption (TLS) protects a message between mail servers but not once it sits in a mailbox, so PHI in the body or attachments should be encrypted end to end or replaced with a link to a secure portal. Make sure that all PHI in the emails you send is encrypted.
See also: How to Send a HIPAA Compliant Email
You need to encrypt sensitive data in your organization, not only for your sake, but for your patients' sake as well.
It is one more layer of security that can keep you from having a costly breach on your hands.
Want to learn more about encryption? Read our white paper Medical Data Encryption 101.