Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud
Contents
The Obligation to Protect Patient Data in the Cloud
Complying with the HIPAA Security Rule in the Cloud
Using Porticor to Address the Technical Safeguards
HIPAA Safeguard: Access Control
HIPAA Safeguard: Audit Controls
HIPAA Safeguard: Integrity Controls
HIPAA Safeguard: Transmission Security
How Porticor Helps to Achieve Safe Harbor
The Obligation to Protect Patient Data in the Cloud
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) defined guidelines for protecting the privacy and security of electronic patient information. HIPAA applies to both “covered entities” – health care providers, plans and clearinghouses – and their “business associates.” Business associates include any organization that is engaged by a covered entity to help it carry out its health care activities and functions, such as claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, practice management, and re-pricing. In January 2013, HHS (the Department of Health and Human Services) updated the HIPAA requirements with the publication of the HIPAA Final Omnibus Rule. The Final Rule extends all requirements to business associates, which have been responsible for some of the largest breaches. Penalties for non-compliance were also increased.
For organizations that store data in the cloud, the Security Rule is of particular concern. While the cloud offers many benefits in terms of cost, scale, and business agility, it poses new challenges in terms of security and compliance. This paper takes a look at the HIPAA Security Rule and its Technical Safeguards, and at how data encryption can be used to comply with the Rule and achieve a safe harbor.
Complying with the HIPAA Security Rule in the Cloud
The Security Rule protects all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (e-PHI). It is designed to protect information privacy while still allowing organizations to adopt new technologies, such as the cloud, that have the potential to improve the quality and efficiency of patient care. It also builds in flexibility to enable very diverse organizations to implement safeguards that are appropriate to their size, technical operation, risk exposure, etc.
In case of data exposure, HIPAA reporting requirements are stringent and resource-intensive. Significant fines may ensue, as well as damage to reputation. To enable organizations to minimize the risk of both data loss and the need to report, the HIPAA guidelines specify technologies that render data unreadable and unusable. If those technologies are implemented, the organization can usually claim to have achieved a “safe harbor.”
Data encryption is one of the key technologies that enable you to achieve safe harbor status. If it can be proven that the lost or stolen data was encrypted, and that the encryption keys were well protected, Safe Harbor may usually be claimed.
HIPAA includes two main rules for protecting patient data: the Privacy Rule and the Security Rule (described above).
The Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates, and gives patients an array of rights with respect to that information.
All of these guidelines must be considered whether you have an on-premises data center or use the cloud, but HIPAA allows some flexibility in terms of how you address them. Since many of the physical controls (such as walls, doors and locks) that are available in physical data centers do not exist for Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) clouds, there is wide consensus that encryption is a best practice for ePHI. Many experts believe that in the near future, encryption will become a required standard.
Porticor Virtual Private Data is a cloud encryption and key management solution that enables you to comply with HIPAA and achieve safe harbor. It is a complete solution that combines state of the art encryption with patented cloud key management. Porticor Virtual Private Data encrypts the entire data layer including virtual disks, databases, files, object storage and more. It also addresses the processes necessary for managing your encryption environment and encryption keys. It provides the strong security needed for compliance in a convenient, cost-effective, fully cloud-based solution.
Porticor’s key management solution is the first of its kind. Like a Swiss banker offering a traditional safe deposit box, Porticor requires two keys to encrypt or decrypt an object. In addition, each key is itself encrypted, using patent-pending homomorphic key management technology, to protect it while it is resident in your cloud account.
With Porticor, you hold a Master Key which is never present in the cloud in a plain, unencrypted form. Therefore, you retain control of your encrypted data without having to install and maintain expensive key management servers on premises. Porticor Virtual Private Data is the only pure cloud solution where you – and only you – hold the key to your data.
Using Porticor to Address the Technical Safeguards
The Security Rule provides a list of technical safeguards that address four areas: Access Control, Audit Controls, Integrity Controls, and Transmission Security.
HIPAA Safeguard: Access Control
“Covered entities and Business Associates must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).”
Porticor Capabilities
Porticor automates the key management process so that administrators cannot access or see key values used for encrypting e-PHI data. Keys are managed by name, not value.
Porticor requires a different User ID and password for each administrator, and each administrator is assigned only to the projects that he or she may administer.
Specific administrators may be assigned the rights to add, delete and change other users. Users can be temporarily disabled or entirely deleted by an administrator at any time. API access uses separately managed API keys.
Passwords are stored using a salted one-way hash, which cannot be reversed to recover the password.
Porticor allows customers to assign encryption keys to end-users at different levels: individual, role or group. This allows combinations of access-based and strong cryptographic isolation of user data.
Porticor allows a full range of granular controls. Fine-grained control can be at the level of an individual database field, column, row or table, and coarser controls can be at the level of files or even complete disks.
Any remote access by Porticor personnel requires explicit permission from a customer administrator.
HIPAA Safeguard: Audit Controls
“Covered entities and business associates must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.”
Porticor Capabilities
Porticor provides the ability to create a secure audit log entry for access to data down to the field level.
Audit log entries are generated for all configuration changes.
An audit log entry is created for all user logons and logoffs and for invalid access attempts. Each Porticor audit log entry contains the User ID, the type of message, the date and time, the Porticor subsystem name and the detailed message.
Audit logs located on the Porticor hardened appliance are protected from access and modification.
HIPAA Safeguard: Integrity Controls
“Covered entities and business associates must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.”
Porticor Capabilities
HIPAA Safeguard: Transmission Security
“Covered entities and business associates must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.”
Porticor Capabilities
Secure key distribution is provided by default. Split-key encryption and homomorphic key management are always enabled, and distribution of keys to the correct project environments is managed from the Porticor Virtual Key Management system. All key transport protocols are encrypted and authenticated.
All communications within the Porticor system are always encrypted. SSL/TLS is always enabled and cannot be switched off.
How Porticor Helps to Achieve Safe Harbor
For both covered entities and business associates, a breach of e-PHI is a serious incident that requires risk assessment and reporting processes, as well as possible fines, penalties and damage to reputation. To enable organizations to both protect e-PHI and avoid these procedures, the Secretary of Health and Human Services published guidance on “technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.” The guidance emphasizes that data encryption is not only a best practice for protecting privacy and security – it also provides a safe harbor to the organization in case of data loss.
“We encourage covered entities and business associates to take advantage of the safe harbor provision of the breach notification rule by encrypting limited data sets and other protected health information pursuant to the [Guidance]. If protected health information is encrypted pursuant to this guidance, then no breach notification is required following an impermissible use or disclosure of the information.” [78 Federal Register 5644]
In the cloud, the need for encryption is all the more evident. However, experts understand that the biggest challenge is not encrypting the data, but managing the keys. Keeping the keys secure, without sacrificing the convenience and cost-effectiveness of cloud key management, is essential to HIPAA compliance.
Porticor has published exact mathematical descriptions and proofs of strength of its protocols. Porticor implements unique mechanisms to ensure that its virtual appliance is continuously provisioned with the entropy required for generating cryptographic keys. Porticor supports by default AES 256 and RSA public keys from 1024 to 4096 bits, and secure storage of keys of all major crypto systems of any length.
Porticor Virtual Private Data is the first and only solution to offer cloud-based key management without sacrificing trust. Porticor requires two parts of a split key to access every disk – a master key and a project key. Each part of the key is encrypted, using patent-pending homomorphic key encryption technology, to protect it while it is resident in your cloud account. With the Master Key, you retain control of your encrypted data, without having to install and maintain key management servers on premises.
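As an added illustration of the split-key idea described above (and of the tamper detection that the Integrity Controls safeguard asks for), the following Python is not Porticor's code and does not implement its patented homomorphic key management: it shows a plain 2-of-2 key split, where the cloud-resident project share is useless without the customer-held master share, combined with an authenticated cipher built from HMAC-SHA256 standing in for AES-256. The sample record, key sizes and function names are constructed for this example.

```python
import hashlib, hmac, secrets

def split_key(data_key: bytes) -> tuple[bytes, bytes]:
    # 2-of-2 split: the project share is uniformly random, so by itself it
    # reveals nothing about data_key; master share = data_key XOR project share.
    project = secrets.token_bytes(len(data_key))
    return bytes(a ^ b for a, b in zip(data_key, project)), project

def combine_key(master: bytes, project: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(master, project))  # both shares required

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode: an illustrative stream cipher (a production system uses AES-256).
    blocks = (_prf(enc_key, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc, mac = _prf(key, b"enc"), _prf(key, b"mac")  # separate encryption and MAC subkeys
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + _prf(mac, nonce + ct)          # encrypt-then-MAC tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    # Raises ValueError when the key is wrong or the record was altered in storage.
    enc, mac = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(_prf(mac, nonce + ct), tag):
        raise ValueError("integrity check failed: wrong key or altered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))

def can_decrypt(key: bytes, blob: bytes) -> bool:
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False

def demo() -> dict:
    record = b"mrn=000123;dx=J45.909"       # constructed sample e-PHI record
    master, project = split_key(secrets.token_bytes(32))  # master stays with the customer
    full = combine_key(master, project)
    blob = encrypt(full, record)           # this blob is what rests in the cloud
    tampered = blob[:20] + bytes([blob[20] ^ 1]) + blob[21:]  # flip one ciphertext bit
    return {"roundtrip": decrypt(full, blob) == record,
            "project_share_alone": can_decrypt(project, blob),
            "tamper_detected": not can_decrypt(full, tampered)}
```

If only the cloud-resident project share (or the encrypted blob) is lost, the record stays unreadable, which is the condition the safe harbor guidance relies on; the failed integrity check on the altered blob is the electronic measure the Integrity Controls safeguard calls for.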
Contact us to learn more about HIPAA cloud compliance with Porticor.
An effective data encryption solution must include: Robust, fast, yet easy to use data encryption