Data Encryption 101 for Medical Practices

April 3, 2013

What you need to know about encryption, and why you should care.

Like many practices, staff at the Hospice of Northern Idaho (HONI) didn't intend to have a laptop containing easily accessible protected health information stolen. But when it happened, the small medical organization was asked to pay a $50,000 settlement fee - even though only 441 of its patients had protected health information exposed.

In addition to blasting out a press release in December that called HONI's payment "the first settlement involving a breach of unsecured electronic protected health information affecting fewer than 500 individuals," HHS Office for Civil Rights Director Leon Rodriguez had another message for small practices: Encrypt your data to make it unreadable, and you'll be in line with key HIPAA privacy and security regulations.

"There are a whole lot of breaches being reported in small and large practices," says Sharona Hoffman, professor of law and bioethics and co-director of the Law-Medicine Center at Case Western Reserve University School of Law in Cleveland. "If you're seeing more media coverage, it's because the government is being more aggressive about enforcement."

The problem: Most docs don't have an IT degree, and don't know the first thing about encryption, though it will become more important in the scheme of things.

Here's what your practice needs to know about encryption, in layman's terms, why it's important, and how to go about encrypting data.

Encryption: The basics

Encryption is the conversion of data into a form, often called ciphertext, which cannot be understood by another party - man or machine - without being decrypted first. There are many types of encryption available that offer different levels of protection. The process of encryption is typically done by software programs that apply algorithms to the original data to scramble it into a new form.

Because algorithms are changed frequently, you need not only the algorithms themselves but also a "key" that tells you which algorithm to use and how to use it to decrypt your data. So if someone "cracked" the encryption software yesterday, it may not help them today because today's algorithm has a different key, notes Marion Jenkins, executive vice president of Denver, Colo.-based IT firm 3t Systems.

Keys come in many forms: They can be tangible (a key fob that generates new algorithms at specific time intervals), or intangible (residing in an internal software program that is accessible via a password-protected interface).

And while the category of healthcare IT security is laced with big ideas and complex vocabulary, encryption is important because the HIPAA Security Rule is pretty specific about using it to make data unreadable, and thus keep it protected.

In January, HHS moved forward to strengthen the privacy and security protections for health information established under the 1996 HIPAA law.

The final omnibus rule, based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, greatly enhances a patient's privacy protections, provides individuals new rights to their health information, and strengthens the government's ability to enforce the law. Under the rule, electronic protected health information (ePHI), whether at rest (e.g., on a server) or in transit (e.g., through e-mail), must be encrypted. If it is, even in the event of a security breach, a covered entity will not have to notify patients of the breach nor pay up to $1.5 million in fines.

And while encryption is not 100 percent fool-proof (nothing is), it strongly decreases the likelihood of patient data being sabotaged, says Jenkins.

"There are many layers and systems to protect data, including physical, technical, and operational," says Jenkins, who has worked with hundreds of practices to meet federal healthcare IT requirements. "A firewall protects data from outside/hacker access. Software and hardware systems like RAID, replication, DR or disaster recovery, archiving, and other things can protect data from hardware failure and power outages. Strong password policies protect data from unauthorized user access. Generally those core systems are encrypted as a matter of course. Additional encryption comes into play if or when all those methods fail, or the data is taken outside of the realm of those systems, such as a user making a local copy to a laptop or USB drive, and then the data gets into the hands of someone who shouldn't have it. If the data is not encrypted, the unauthorized user is able to access it easily."

Practices at risk

The greatest risk to patient data isn't a lone hacker sitting in a basement targeting medical practices from afar. Rather, it's negligent physician practices that don't take the threat of theft seriously.

"People don't hack into EHRs, that's not the problem," says Jenkins. "Almost all HIPAA breaches are the result of physicians or other users doing something called 'sneaker net,' making a copy of the data and sending it to themselves via e-mail or putting it on a portable USB drive, and those systems generally have no encryption."

The scenario usually plays out at medical practices when a user copies EHR data (which is internally protected by encryption) onto his desktop screen, intending to analyze or manipulate it with a program such as Excel, and then his laptop is stolen.

"If you're taking data out of your EHR, you're playing with fire," says Jenkins.

And with the growing proliferation of mobile devices into the medical workforce, the threat of data breach looms larger. Smartphones and tablets are smaller and easier to snatch than larger laptops, a reality that has prompted HHS to issue detailed guidance on securing mobile devices (see http://bit.ly/managemobile_health).

Data that resides on an on-premises server or in-house computer is also at risk, especially if the secret key to decrypt the information is stored on the computer's desktop, says Andy Podgurski, a computer science professor at Case Western Reserve University who coauthored the study "E-Health Hazards: Provider Liability and Electronic Health Record Systems" with Hoffman, his wife.

"Someone could find that key and use it to decrypt information," says Podgurski, adding that there's a downside of being super cautious. "If you had to enter a key every time you want to access data, that's incredibly tedious."

Yet in spite of these risks, a late 2011 HIMSS survey of 329 healthcare organizations revealed only 44 percent of respondents encrypt their mobile devices. Only 29 percent said that all of their data on laptops is encrypted, while 42 percent said none of their desktop data is encrypted. About one out of four respondents (23 percent) said none of their e-mails is encrypted, though a growing number of physicians are using patient portals to send secure, HIPAA-compliant messages.

Encrypting and protecting data

Ready to take encryption and data seriously? Here's how to beef up security and stay HIPAA compliant:

Encrypt data between uses. If you're working on sensitive data that isn't protected within the firewalls of a program such as an EHR, consider encrypting it before you log off. "If you encrypt medical data between uses of the computer, and then decrypt it when you start using it, that ensures that, as long as you use a secure key, if the laptop is stolen or lost, no one can understand that data without the secret key," says Podgurski. Not sure how to do this? Consult your in-house IT staff or hire an IT security contractor.

Avoid regular e-mail. While sending e-mail can be more convenient than making a call (not to mention, physician e-mailing has been linked with better outcomes in those patients with diabetes and other chronic diagnoses), practices have gotten in trouble for sending unencrypted e-mails full of patient information. Sending encrypted e-mails or using a secure patient portal offers some protection for practices and removes them from liability.

Get IT help. As physicians become increasingly digital, technology is becoming much easier to use. "No software a physician should get for their private practice should require them to be knowledgeable about encryption," says Podgurski. Still, you might want to enlist the help of a professional to make sure your practice provides staff secure ways to access data when they are off premises. Jenkins works with practices to establish a VPN or thin client-based system for accessing data off premises.

Be careful with gadgets. Taking a device off-site? Make sure to encrypt protected health data that resides on the device's interface. Or, better yet, don't touch data unless it's accessed through a secure remote desktop application or password-protected Internet interface. "Don't take data out of your system, don't put it on portable media," warns Jenkins. "You should only access it over a secure network, never download it to or use it on a local device."
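For IT staff, here is one way to carry out the "encrypt data between uses" advice while avoiding the key-on-the-desktop risk Podgurski describes. This is an added example, not part of the original article. It assumes the third-party Python `cryptography` package is installed; the function names, file name, passphrase and sample record are constructed for illustration.

```python
import base64, os, tempfile
from pathlib import Path
from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt

SALT_LEN = 16

def _key(passphrase: str, salt: bytes) -> bytes:
    # The key is derived from a passphrase the user types each session;
    # no key file is ever written next to the data.
    kdf = Scrypt(salt=salt, length=32, n=2**15, r=8, p=1)
    return base64.urlsafe_b64encode(kdf.derive(passphrase.encode()))

def lock(path: Path, passphrase: str) -> Path:
    """Encrypt `path` to `<name>.enc` and remove the readable copy."""
    salt = os.urandom(SALT_LEN)
    token = Fernet(_key(passphrase, salt)).encrypt(path.read_bytes())
    out = path.with_name(path.name + ".enc")
    out.write_bytes(salt + token)  # the salt is not secret; kept as a header
    path.unlink()                  # ordinary delete, not a secure wipe
    return out

def unlock(enc_path: Path, passphrase: str) -> bytes:
    """Return the decrypted bytes. Raises InvalidToken if the passphrase
    is wrong or the encrypted file was altered."""
    blob = enc_path.read_bytes()
    salt, token = blob[:SALT_LEN], blob[SALT_LEN:]
    return Fernet(_key(passphrase, salt)).decrypt(token)

def demo() -> dict:
    # Constructed sample standing in for a spreadsheet exported from an EHR.
    sample = b"patient_id,name,diagnosis\n0001,Test Patient,example\n"
    with tempfile.TemporaryDirectory() as d:
        src = Path(d) / "export.csv"
        src.write_bytes(sample)
        enc = lock(src, "correct horse battery staple")
        result = {
            "plaintext_gone": not src.exists(),
            "readable_on_disk": b"Test Patient" in enc.read_bytes(),
            "roundtrip_ok": unlock(enc, "correct horse battery staple") == sample,
        }
        try:
            unlock(enc, "guess")
            result["wrong_passphrase_rejected"] = False
        except InvalidToken:
            result["wrong_passphrase_rejected"] = True
        return result

if __name__ == "__main__":
    print(demo())
```

Because the file is only as safe as the passphrase, a short or reused passphrase undoes the protection; whole-disk encryption on the laptop remains the complementary control for anything this per-file step misses.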

Marisa Torrieri is an associate editor for Physicians Practice. She can be reached at marisa.torrieri@ubm.com.

This article originally appeared in the April 2013 issue of Physicians Practice.