Chris Apgar and Andy Nieto, 2015
A PRACTICAL GUIDE TO
USING ENCRYPTION FOR
REDUCING HIPAA DATA
BREACH RISK
How to get started – assessing your risk
What your options are – how to protect PHI
What's the budget
Balancing the need to encrypt with getting work done
Maintaining ease of use and efficient workflow
Mobile devices and encryption
Q&A
Encryption decision making starts with knowing your risk aversion level
Risk determinations not made in a vacuum – need to look at whole environment
Risk analysis is a great place to start
Remember Meaningful Use (MU) Stage 2 requires assessing risks to data at rest (stored data), including the encryption/security of data stored in certified EHR technology
HOW TO GET STARTED –
ASSESSING YOUR RISK
Yes – the HIPAA Security Rule lists encryption (at rest and in transit) as addressable implementation specifications
Addressable does not mean optional – if you decide not to encrypt, you must document why and put an equivalent alternative control in place
On the other hand – OCR is fining entities for lost unencrypted laptops, and OCR emphasized the need for encryption in the 2014 HIPAA/CLIA Rule
Don't just focus on compliance/regulatory risks
Important to know where data is and where it’s going
Start with a sound infrastructure including:
Policies and procedures
Role based access control
Workforce training
Audit controls
Incident response planning (including breach)
Contingency planning
And so forth…
Make a detailed compliance project/risk assessment plan
Don't assume you know where your data is
Key risks – how can data walk out the front door?
Do you know who your vendors are – are they an even bigger risk?
A good place to start – your desktops and mobile devices
Mobile devices and portable media represent one of the highest risks to healthcare
organizations today
Risk to reputation, risk of lost business, risk of legal action and risk of a visit from OCR
Next place to look – transmission of PHI and other sensitive data
Unencrypted email may result in interception and breach
Unsecure “secure” websites may lead to unauthorized access
Use of secure transport a must for HIPAA transactions, large files that can’t be emailed and so forth
Just password protecting a file or device is not the same as encrypting it – on its own it does not work
When looking for a vendor, keep in mind the NIST encryption standards – HHS breach-notification guidance points to NIST SP 800-111 for data at rest, NIST SP 800-52 (TLS) for data in transit, and FIPS 140-2 validated cryptographic modules
Secure email solutions are affordable and effective
Some support large file transfer solutions
Costs range from less than $100 per user per year to well over $100,000 to implement
Assess the solution that works for you and implement!
WHAT YOUR OPTIONS ARE – HOW
TO PROTECT PHI
Mobile device and portable media encryption:
Pre-boot encryption for laptops
Encrypted USB drives
Tablets and smartphones:
Apple – natively encrypted, but the data protection keys are derived from the passcode, so a strong passcode is required
Android – need to turn on encryption (and set a lock screen PIN or password)
Windows – need to turn on encryption
Large file transfer
Dedicated transmission of HIPAA covered transactions
Secure file transfer protocol (SFTP)
Use cloud vendors for data sharing (e.g., Box®, ShareFile®, etc.) – only under a signed business associate agreement (BAA), since the vendor stores PHI on your behalf
Direct project – HIEs and secure transmission between EHRs (Direct messages are S/MIME-encrypted and signed)
Secure web portals including patient portals
Most secure websites use Secure Sockets Layer (SSL) for encryption
SSL is no longer an accepted NIST standard – NIST SP 800-52 Rev. 1 (2014) prohibits SSL 2.0 and 3.0 and requires at least TLS 1.1 (TLS 1.2 recommended); the 2014 POODLE attack is why SSL 3.0 has to go
Where feasible use transport layer security (TLS)
Keep in mind many websites still accept SSL rather than requiring TLS – check what your portal and your vendors' portals actually negotiate
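As an added example (not code from the presenters or from DataMotion), here is what the "SSL vs. TLS" check above looks like in practice for a Python-based portal: a hardened server context beside a legacy one, and an audit function that reports the protocol floor, whether TLS compression is enabled, and which weak cipher suites are offered. The TLS 1.2 floor, the cipher string and the weak-cipher name tags are this example's assumptions, not something from the slides; it uses only the standard library and needs no network or certificate to run.

```python
import ssl

# Assumption for this example: TLS 1.2 is the floor we audit against.
# (NIST SP 800-52 Rev. 1, 2014, set TLS 1.1 as the minimum and recommended 1.2.)
MIN_VERSION = ssl.TLSVersion.TLSv1_2

# Forward-secret AEAD suites only; the cipher string is this example's choice.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!3DES:!RC4"

# Substrings that mark cipher suites a patient portal should no longer offer.
WEAK_CIPHER_TAGS = ("RC4", "DES", "NULL", "MD5", "EXPORT")

# Oldest protocol this OpenSSL build still knows; used to build the "before" context.
LEGACY_FLOOR = (ssl.TLSVersion.TLSv1 if ssl.HAS_TLSv1
                else ssl.TLSVersion.TLSv1_1 if ssl.HAS_TLSv1_1 else None)


def hardened_server_context(certfile=None, keyfile=None):
    """Server context for a patient portal: TLS 1.2+, no compression, AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION
    ctx.options |= ssl.OP_NO_COMPRESSION   # TLS compression enables the CRIME attack
    ctx.set_ciphers(HARDENED_CIPHERS)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def legacy_server_context():
    """The 'before' picture: a context constructed here to still accept old
    protocol versions and TLS compression, so the audit has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if LEGACY_FLOOR is not None:
        ctx.minimum_version = LEGACY_FLOOR
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    return ctx


def audit_context(ctx):
    """Return the protocol floor, the weak suites offered, and a list of findings."""
    findings = []
    floor = ctx.minimum_version
    if floor < MIN_VERSION:
        findings.append(f"minimum protocol version is {floor.name}, below {MIN_VERSION.name}")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled")
    # get_ciphers() lists every suite the context would offer, TLS 1.3 suites included
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(tag in c["name"] for tag in WEAK_CIPHER_TAGS)})
    if weak:
        findings.append("weak cipher suites offered: " + ", ".join(weak))
    return {"floor": floor.name, "weak_ciphers": weak, "findings": findings}


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_server_context()),
                       ("hardened", hardened_server_context())):
        report = audit_context(ctx)
        print(f"{label}: floor={report['floor']}")
        for finding in report["findings"] or ["no findings"]:
            print("  -", finding)
```

The same audit can be pointed at a context loaded from a real portal's configuration; the point is that "we use SSL" is not a finding you can close until the minimum negotiated version and the offered suites have actually been read back from the server configuration.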
Does it always need to be encrypted – not necessarily
Determine what compensating security controls are present
If data stored in secure data center or other secure facility, it may not need to be
encrypted
Balance response time with security of data
For Discussion Today
■ What's the budget
What's the budget
[Infographic slides] Source: Infographic from Shred-it. Data from Ponemon Institute 2010 Benchmark Study on Patient Privacy and Data Security
Role of budgeting security
■ Prevention
■ Vigilance
■ Training
Balancing: ease of use, security, cost, functionality
Using encryption appropriately
■ Engaging in the workflow is imperative.
■ If you don't use it, it does not matter.
Using encryption appropriately
■ Look for opportunities to increase security and efficiency
» Replacing fax machines with Direct
» Replacing couriers with encrypted email
» Get actionable data, not a picture of the data
■ Leverage technology to improve workflow and ensure privacy and security
Efficient workflow in action – using Direct
Using encryption appropriately
■ Protecting PHI is not the end game
■ Protecting information, efficient information flow, and getting actionable information is the goal
If it’s not easy, it won’t get used
Select tools that support your organization’s work environment
Know your data transfer points – where data enters and leaves your organization
Look for solutions that are in your budget, secure those transfer points and will actually be used by your workforce
MAINTAINING EASE OF USE AND
EFFICIENT WORKFLOW
Ask the question – will the solution work within the current work environment (e.g., within your EHR, within Microsoft Outlook, etc.)
Training is crucial – if staff don't know how to use it, or don't even know it's there, it won't happen
You need to enforce it – sanctions need to be realistic, and ask whether your solution can enforce the policy technically rather than relying on each user to remember
In 2014 Concentra agreed to pay OCR $1,725,220 following the theft of an unencrypted laptop
Also in 2014 QCA Health Plan agreed to a $250,000 settlement for the same reason
In February 2014 the HIPAA/Clinical Laboratory Improvements Amendments (CLIA) rule was finalized
The preamble to the rule included an edict – you need to encrypt
MOBILE DEVICES AND
ENCRYPTION
The myth – encrypting laptops will slow everything down
It all depends on the solution…
Tablets and smart phones are easy to encrypt, may come encrypted, and encryption is included at no cost (not necessarily true for older mobile devices)
If it can be easily carried out the door, it should be encrypted
Mobile devices – some stats
■ 64% of physicians use email on a smartphone1
■ 30% of physicians email patients1
■ 80% of physicians use smartphones for work1
■ 93% of adults would choose a doctor who will email them2
■ 85% of hospitals allow clinicians and staff to connect personal devices to hospital network3
■ 69% view patient info on mobile3
■ 96% physicians use smartphone as primary device to support clinical communications4
1. Kantar Media Sources & Interactions Study, September 2014 – Medical/Surgical edition
2. Catalyst Healthcare Research Study, May 2014, "What's Reasonable?"
Mobile Devices and Encryption
■ Communication on mobile devices is here and growing
■ BYOD policy is a must have
■ Encrypt data in motion
» Text messaging
Questions?
Andy Nieto
Health IT Strategist, DataMotion
973-532-5718
AndyN@datamotion.com
Chris Apgar, CISSP
CEO & President, Apgar & Associates
capgar@apgarandassoc.com