In an era of electronic health records, encryption can minimize your exposure in the event of a breach.
Today?s providers are challenged with matching up document imaging technology with data encryption needs, which is being driving by HIPAA and other compliances. Encryption is rapidly changing from a ?best practice? into an impending requirement for many industries, especially health care. Hospitals, imaging centers, and other health care facilities need to understand the current opportunities associated with implementing encryption and how to leverage it as a risk reduction technique for confidential data.
In today?s Information Age, organizations that have a lot of written records?and diagnostic images, too?have moved to a paperless system using some document imaging and management system. This is most predominant in the health industry where it is difficult to find any health record that has not been scanned. While this may have simply been about ease of access to the original record, it has quickly evolved to include varying levels of technology that convert the document into text for further indexing of the original document. Essentially, we are no longer dealing with a ?bunch of images? but now an entire warehouse including text. However, this rapid growth has not been parallel with the need for security around this data?especially with respect to encryption. With the current compliances, we need to better understand the need to encrypt data and the steps that should be taken.
Matthew T. Davis,
CISSP, CISA
Often we think of data as the digital text. Data also includes information and other sources like document images, paper documents, and even voice/video. Most document imaging and management systems can scan areas of the document, convert them to text, index that text information, and database the document information that references the document image. When it comes to security, we have the basic premise that we are simply trying to protect data based on its value. We typically see the ?why? expressed as confidentiality, integrity, and availability. We see the ?how? using administrative controls, physical controls, and logical controls. Given that most data today is electronic, there is an emphasis on logical security controls.
When it comes to security, some say, ?No one does security unless they have to.? This is the very reason we have regulations and standards with which we must comply. Simply put, the average organization isn?t doing enough. The major security compliance efforts that organizations need to be concerned with each have their own requirements. Many organizations have incorporated most of the common security compliance areas, eg, policies, firewalls, logging, and password controls. However, most have not addressed the area of encryption that is now more prevalent. For example, PCI requires encryption of all cardholder data at rest while HIPAA requires consideration of encryption as a control. In many other regulations, such as state laws, encryption can be leveraged such that breach notification may not be required if the data was encrypted properly at the time.
Encryption has become the ultimate confidentiality control. Encryption has become an increasingly common best practice that is part of any good security architecture. Given the focus of medical documents imaging and management, an organization should be aware that the new HIPAA HITECH provision in the ARRA stipulates that encrypted information is considered ?rendered useless.?
Encryption is more involved than selecting a trusted algorithm. The key to encryption is the keys themselves, which may be passwords. For it to work properly, the keys need to be split so that at least two people know part of it and at least two people manage it. Also, the location of where the keys are stored needs maximum protection. From an organizational perspective, encryption needs to be considered from a life cycle approach, for example, when it first enters the organization is ideal and decryption occurs only when absolutely needed. With respect to imaged documents, we must identify solutions to encrypt both images and the extracted text. Today, most of the document imaging vendors have not identified how this can be done with their products or third-party products.
Today?s hospitals and imaging centers are dealing with massive amounts of sensitive patient information. The fact is that you are stuck with security and likely stuck with encryption. Unfortunately, most organizations don?t know how to deal with it?nor do many vendors. Health care facilities need to start evaluating what sort of compliance or other business drivers they have that may lead to encryption. It is simply a matter of ?when? and not ?if? you will need enterprise encryption architecture.
Matthew T. Davis, CISSP, CISA, is a principal at SecureState. As the practice lead for Audit and Compliance, Davis handles the business side of security, conducting interviews and reviewing policies and procedures.
