AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


Data Encryption Software: Does HIPAA Or HITECH Require It? No, But Strong Encryption Is Required If Used

The answer is "no," as I've often pointed out. But there is a very strong reason to use laptop encryption software and other cryptographic solutions like AlertBoot when protecting and securing protected health information (PHI). Namely, safe harbor from the breach notification requirement is granted when breached electronic PHI was encrypted.

If Using Encryption, Use Strong Encryption

Eagle-eyed readers may have noticed I used the expression "when PHI is breached" and not "if PHI is breached." Call me a pessimist, call me a realist, call me a fear-monger: what history tells us is that data breaches involving PHI are a matter of "when" and not "if." When it comes to protecting electronic PHI, the use of encryption software is a no-brainer if you're serious about protecting patient information.

The fact that safe harbor is granted from the HIPAA/HITECH breach notification rule is the cherry on top.

There is a caveat to the use of encryption, however: you have to use an encryption package that lives up to the standards. In other words, you have to use strong encryption. Something the 16-year-old computer whiz next door cooked up doesn't count.

NIST: National Institute of Standards and Technology

What is strong encryption?  Well, it's essentially any encryption package that has passed NIST's testing for strong encryption.  I've covered this before, but I thought I'd provide an outside link that provides the same information in a different way.

In a nutshell, as of 2011, you're looking for anything that uses AES-128 or equivalent (or stronger).
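To make the "AES-128 or stronger" bar concrete, here is an added example (my own illustration, not AlertBoot's product code) that encrypts a constructed PHI record with AES-256 in GCM mode, refuses any key shorter than 128 bits, and shows that a tampered ciphertext fails to decrypt. The key handling, the choice of GCM, and the sample record are assumptions for the demo; a key-length check in code is also not the same thing as NIST validation of the implementation, which is what the post refers to.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// MinKeyBits is the floor described in the post: AES-128 or stronger.
const MinKeyBits = 128

// ErrWeakKey is returned for any key that falls below the AES-128 floor.
var ErrWeakKey = errors.New("key shorter than AES-128: not strong encryption")

// newAEAD builds an AES-GCM cipher, rejecting keys below the AES-128 floor.
// AES itself only accepts 16-, 24- or 32-byte keys, so other lengths fail too.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key)*8 < MinKeyBits {
		return nil, ErrWeakKey
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record with AES-GCM. Output layout: nonce || ciphertext || tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Prepend the nonce so the decrypting side can recover it.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts and authenticates. Any modification of the sealed bytes fails.
func Open(key, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	key := make([]byte, 32) // 256-bit key, i.e. AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte("patient: Jane Doe, MRN 000123 (constructed sample record)")

	sealed, err := Seal(key, record)
	if err != nil {
		panic(err)
	}
	back, err := Open(key, sealed)
	fmt.Printf("roundtrip ok: %v\n", err == nil && string(back) == string(record))

	// Flip one bit of the tag: GCM reports an authentication failure.
	sealed[len(sealed)-1] ^= 0x01
	_, err = Open(key, sealed)
	fmt.Printf("tampered ciphertext rejected: %v\n", err != nil)

	// A 64-bit key never reaches AES at all; it is rejected as too weak.
	_, err = Seal([]byte("8bytekey"), record)
	fmt.Printf("weak key rejected: %v\n", errors.Is(err, ErrWeakKey))
}
```

The point of the two negative cases is the one the post makes: the ciphertext is only as good as the algorithm and key size behind it, and an authenticated mode also tells you when someone has altered the data rather than silently returning garbage.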

I Sometimes Forget About This Caveat

The world is littered with attempts to create the latest and greatest encryption algorithm: the creators believe the encryption to be secure and release it into the wild, only to receive notice that someone found a vulnerability that can be exploited.

It's also littered with the remains of once-strong encryption algorithms: while they may have provided good protection in their heyday, advances in technology and science mean that they cannot be relied on to protect information.  Hence the requirement that strong encryption be used if you are actually using encryption as a security tool.

I sometimes forget about this, no doubt because AlertBoot keeps on top of the security landscape.  For example, right now the encryption algorithm used in AlertBoot is AES-256, stronger than AES-128, although the latter is deemed adequate for most uses that don't require "top secret" status (a doubtful classification for medical records).

I was reminded of the caveat, though, by this post at phiprivacy.net, which mentions why a HIPAA-covered entity might notify the HHS of a data breach even if the laptop was encrypted. If you follow this link, you'll see that I ruminated on that same issue just two days ago:

Regardless, encryption was used and that's what matters.  In fact, one wonders why OrthoMontana decided to send notification letters.  Not only is their customer information safe, HIPAA-covered entities are given safe harbor from the Notification Rule when PHI is encrypted. [my emphasis]

While your average thief might take a look at the contents of a stolen laptop, just to see if there's any information of value that he can use, it's quite improbable that the thief will engage in cracking a weak encryption algorithm.

But that doesn't mean such a risk ought to be tolerated. After all, there is a reason why the experts insist on the use of encryption over the ubiquitous password protection (better security), and there's no viable reason why anyone should insist otherwise when it comes to encryption itself.

(Looking back on the OrthoMontana issue, it looks like I may have lowered my guard on a couple of other issues as well.  For example, I had taken them at their word that encryption had been used, whereas an updated account of the situation seems to imply that perhaps they hadn't.  What can I say?  Sometimes I don't feel as cynical as I ought to be.)


Related Articles and Sites:
http://information-security-resources.com/2009/08/12/lack-of-encryption-and-the-hitech-act/

 
<Previous Next>

Disk Encryption: Health Net Has Second Gargantuan Data Breach

HIPAA Data Breach Cost: Health Net Being Probed For Second Data Breach

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.