A PRACTICAL GUIDE TO USING ENCRYPTION FOR REDUCING HIPAA DATA BREACH RISK


Chris Apgar and Andy Nieto, 2015

■ How to get started – assessing your risk
■ What your options are – how to protect PHI
■ What’s the budget
■ Balancing the need to encrypt with getting work done
■ Maintaining ease of use and efficient workflow
■ Mobile devices and encryption
■ Q&A

HOW TO GET STARTED – ASSESSING YOUR RISK

■ Encryption decision making starts with knowing your risk aversion level
■ Risk determinations are not made in a vacuum – you need to look at the whole environment
■ Risk analysis is a great place to start
■ Remember that Meaningful Use (MU) Stage 2 requires assessing risks to data at rest (stored data)

■ Yes – the HIPAA Security Rule lists encryption (at rest and in transit) as addressable implementation specifications
■ On the other hand – OCR is fining entities for lost unencrypted laptops, and OCR emphasized the need for encryption in the 2014 HIPAA/CLIA Rule
■ Don’t just focus on compliance/regulatory risks
■ It is important to know where data is and where it’s going

■ Start with a sound infrastructure including:
  » Policies and procedures
  » Role based access control
  » Workforce training
  » Audit controls
  » Incident response planning (including breach)
  » Contingency planning
  » And so forth…

■ Make a detailed compliance project/risk assessment plan
■ Don’t assume you know where your data is
■ Key risks – how can data walk out the front door?
■ Do you know who your vendors are – are they an even bigger risk?

■ A good place to start – your desktops and mobile devices
■ Mobile devices and portable media represent one of the highest risks to healthcare organizations today
■ Risk to reputation, risk of lost business, risk of legal action and risk of a visit from OCR

■ Next place to look – transmission of PHI and other sensitive data
■ Unencrypted email may result in interception and breach
■ Unsecure “secure” websites may lead to unauthorized access
■ Use of secure transport is a must for HIPAA transactions, large files that can’t be emailed and so forth
■ Just password protecting does not work

WHAT YOUR OPTIONS ARE – HOW TO PROTECT PHI

■ When looking for a vendor, keep in mind the NIST encryption standards
■ Secure email solutions are affordable and effective
■ Some support large file transfer solutions
■ Costs range from less than $100 per user per year to well over $100,000 to implement
■ Assess the solution that works for you and implement!

■ Mobile device and portable media encryption:
  » Pre-boot encryption for laptops
  » Encrypted USB drives
  » Tablets and smartphones:
    » Apple – natively encrypted but need a strong passcode
    » Android – need to turn on encryption
    » Windows – need to turn on encryption

■ Large file transfer
■ Dedicated transmission of HIPAA covered transactions
■ Secure file transfer protocol (SFTP)
■ Use cloud vendors for data sharing (e.g., Box®, ShareFile®, etc.)
■ Direct project – HIEs and secure transmission between EHRs

■ Secure web portals including patient portals
■ Most secure websites use secure socket layers (SSL) for encryption
■ SSL is no longer an accepted NIST standard
■ Where feasible, use transport layer security (TLS)
■ Keep in mind that many websites do not support TLS
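The SSL-versus-TLS point above is one a practitioner can enforce and verify in code rather than take from a vendor brochure. The following Python example is added here and is not part of the presentation; the names `hardened_client_context`, `unverified_client_context`, `audit_context` and `negotiated_protocol` are chosen for the example. It builds a client context that only negotiates TLS 1.2 or newer and verifies the server certificate, shows the weak "encrypted but unverified" configuration beside it, and can report which protocol a portal actually negotiates.

```python
import socket
import ssl

# Added example, not from the slide deck. Function names are assumptions.


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses SSLv3 and TLS 1.0/1.1 and verifies certificates."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no legacy SSL/TLS negotiation
    return ctx


def unverified_client_context() -> ssl.SSLContext:
    """The 'unsecure secure website' pattern: traffic is encrypted, but the peer is never checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report the settings a risk assessment would look at for a TLS client."""
    return {
        "tls12_or_newer_only": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


def is_acceptable(ctx: ssl.SSLContext) -> bool:
    """True only when every audited setting is in its safe state."""
    return all(audit_context(ctx).values())


def negotiated_protocol(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect with the hardened context and return the protocol actually negotiated
    (e.g. 'TLSv1.3'). Raises ssl.SSLError if the server only offers legacy SSL/TLS or
    presents an untrusted certificate. Needs network access; not exercised offline."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    import sys
    for label, ctx in (("hardened", hardened_client_context()),
                       ("unverified", unverified_client_context())):
        print(label, audit_context(ctx))
    if len(sys.argv) > 1:                         # optional: python tls_check.py portal.example
        print(sys.argv[1], "negotiated", negotiated_protocol(sys.argv[1]))
```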

■ Does it always need to be encrypted – not necessarily
■ Determine what compensating security controls are present
■ If data is stored in a secure data center or other secure facility, it may not need to be encrypted
■ Balance response time with security of data

For Discussion Today

■ What’s the budget

What’s the budget

(Infographic slides; images not reproduced. Source: Infographic from Shred-it. Data from Ponemon Institute 2010 Benchmark Study on Patient Privacy and Data Security)

Role of budgeting security

■ Prevention
■ Vigilance
■ Training

(Diagram: balancing Ease of Use, Security, Cost and Functionality)

Using encryption appropriately

■ Engaging in the workflow is imperative.
■ If you don’t use it, it does not matter.


Using encryption appropriately

■ Look for opportunities to increase security and efficiency
  » Replacing fax machines with Direct
  » Replacing couriers with encrypted email
  » Get actionable data, not a picture of the data
■ Leverage technology to improve workflow and ensure privacy and security

Efficient workflow in action – using Direct (diagram slide; image not reproduced)

Using encryption appropriately

■ Protecting PHI is not the end game

■ Protecting information, efficient information flow, and getting actionable information is the goal


MAINTAINING EASE OF USE AND EFFICIENT WORKFLOW

■ If it’s not easy, it won’t get used
■ Select tools that support your organization’s work environment
■ Know your data transfer points – where data enters and leaves your organization
■ Look for solutions that are in your budget, secure those transfer points and will actually be used by your workforce

■ Ask the question – will the solution work within the current work environment (e.g., within your EHR, within Microsoft Outlook, etc.)?
■ Training is crucial – if they don’t know how to use it, or even know it’s there, it won’t happen
■ You need to enforce it – proper sanctions need to be realistic, or can your solution support policy enforcement?

MOBILE DEVICES AND ENCRYPTION

■ In 2014 Concentra agreed to pay OCR $1,725,220 following the theft of an unencrypted laptop
■ Also in 2014 QCA agreed to pay $250,000 for the same reason
■ In February 2014 the HIPAA/Clinical Laboratory Improvements Amendments (CLIA) rule was finalized
■ The preamble to the rule included an edict – you need to encrypt

■ The myth – encrypting laptops will slow everything down
■ It all depends on the solution…
■ Tablets and smart phones are easy to encrypt, may come encrypted, and encryption is included at no cost (not necessarily true for older mobile devices)
■ If it can be easily carried out the door, it should be encrypted

Mobile devices – some stats

■ 64% of physicians use email on a smartphone [1]
■ 30% of physicians email patients [1]
■ 80% of physicians use smartphones for work [1]
■ 93% of adults would choose a doctor who will email them [2]
■ 85% of hospitals allow clinicians and staff to connect personal devices to the hospital network [3]
■ 69% view patient info on mobile [3]
■ 96% of physicians use a smartphone as the primary device to support clinical communications [4]

1. Kantar Media Sources & Interactions Study, September 2014, Medical/Surgical edition
2. Catalyst Healthcare Research Study, May 2014, “What’s Reasonable?”

Mobile Devices and Encryption

■ Communication on mobile devices is here and growing
■ BYOD policy is a must have
■ Encrypt data in motion
  » Email
  » Text messaging

Questions?

Andy Nieto, Health IT Strategist, DataMotion, 973-532-5718, AndyN@datamotion.com
Chris Apgar, CISSP, CEO & President, Apgar & Associates, capgar@apgarandassoc.com
