“Could encrypting everything result in a more simplified strategy for security technology, saving costs and improving security posture now and in the future?” – Dave Shackleford, IANS Faculty Member and SANS Analyst
Under HIPAA regulations, organizations that create, receive, maintain or transmit electronic protected health information (ePHI) are required to protect the privacy and security of this data. Both covered entities and their business associates must remain in compliance with HIPAA regulations—and although protecting your assets requires extra technology and processes, it’s a necessary “evil”.
Businesses that fall under HIPAA are searching for cost-effective solutions to help protect ePHI and adhere to federal regulations. To meet market demands and solve these business and IT concerns, OnRamp recently added Vormetric’s data security platform to its suite of solutions to enhance security for data at rest within our data centers and local networks.
Understand ePHI Requirements in HIPAA & HITECH Regulations
Current regulations governing healthcare information security and data privacy do not require encryption as a mandatory form of data protection, but they do require businesses to take reasonable measures to protect ePHI. Specifically, HIPAA charges organizations with the responsibility of choosing reasonable privacy and security solutions for sensitive information, and the HIPAA Security Rule provides examples of regulation-compliant encryption methods.
The language within HIPAA is purposefully vague to allow for reasonable advances in technology. It does not mean ePHI encryption or alternative protections are optional (noted below as addressable). Every organization that stores, transmits, or manages ePHI must enact some form of protection for data in use and data at rest.
Encryption solutions provide efficient and relatively simple security within the cybersecurity marketplace today. Section 13407 of the HITECH Act (Health Information Technology for Economic and Clinical Health) and the HIPAA Breach Notification Rule both require that covered entities and their business associates report an unsecured ePHI breach.
Figure 1: Detailed HIPAA/HITECH Compliance Requirements
Recognize the Need to Protect Data at Rest
Data at rest faces the same vulnerabilities as data in motion. In the field of healthcare, organizations must use the same degree of care when handling both types of data, because both include ePHI. While businesses rely on secure pathways to protect data in motion, they must use a different method to protect data at rest.
Encrypting the data allows businesses to control access to and transmission of all data at rest within a storage system. Strong data encryption solutions enable organizations to maintain data privacy with multiple encryption levels, including file/volume encryption and field/column encryption.
In the wake of several healthcare data breaches in 2015, including the Anthem breach in February that involved 78.8 million patient records, consumers, technology firms, and healthcare organizations saw the gravity of data privacy and security. Businesses must protect all data in a way that limits access, both to maintain compliance and to avoid reputational damage and future lawsuits. If a cybercriminal gains access to the network after an unsuspecting employee clicks on an email link, encryption at the point of data storage significantly minimizes the amount of information the attacker can read.
Secure All Data with an Enterprise Class, HIPAA-Compliant Security Platform
With regard to regulatory compliance solutions and their standardization, companies cite system performance and lack of time or money as their main concerns. Compliance requirements aside, businesses must consider the risks associated with data breaches. In addition to the financial cost of disaster recovery, healthcare data breaches cost data management providers their reputations.
Client trust means everything in the world of healthcare technology. Every business that touches HIPAA and HITECH protected health data should recognize the value of investing in a scalable, enterprise-class data security platform.
Get to Know OnRamp’s Encryption Service for HIPAA
The Encryption Service powered by Vormetric enables companies to maintain ePHI compliance in a transparent way without interfering with end users’ workflows. The solution provides comprehensive health data protections:
- Encryption offers more control. HIPAA-compliant encryption capabilities offer multilevel encryption to provide organizations with better control over individual files and large data sets.
- Access control limits for data at rest. Only pre-approved users and programs can access data protected within the data security platform. Using the encryption solution, businesses can limit the amount of data at rest a cybercriminal might access from a user’s unlocked phone or during a data breach.
- Monitor access with encryption key management. Multiple, distinct encryption keys combined with strong access control policies enable organizations to manage and monitor data access, giving security monitoring tools better visibility.
- Platform improves security intelligence. The platform provides automated access logs and alerts key personnel to potential threats. The platform seamlessly integrates with existing security information and event management (SIEM) systems for improved security intelligence across all data-related activities.
As a compliance tool, the platform provides clear information without interrupting application and system performance. In addition to improving your organization’s ability to protect ePHI, the platform’s security intelligence logs simplify the audit trails that your business must maintain. Using the system and any SIEM system in place, you can identify potential threats and provide evidence of access control compliance.
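The three properties the sections above rely on (distinct keys per field or column, a policy that decides which principal may decrypt which field, and an access log every decision lands in) can be shown together in a small store. The following is an added example written for this page; it is not OnRamp’s or Vormetric’s code and makes no claim about how their platform is built. The field names, principals, patient values and keys are constructed for the demonstration. To stay standard-library-only it uses an HMAC-SHA256 keystream with an encrypt-then-MAC tag as a stand-in for a vetted AEAD such as AES-GCM, which is what a real deployment would use.

```python
import hashlib
import hmac
import json
import os

# Added example (not OnRamp's or Vormetric's code): per-field encryption at
# rest, a principal-based read policy, and a JSON-lines audit log of the kind a
# SIEM would ingest. The cipher is a stand-in for AES-GCM so the example runs
# with only the standard library.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one field key.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_field(key: bytes, plaintext: bytes) -> dict:
    """Encrypt one field value; returns nonce, ciphertext and integrity tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_field(key: bytes, blob: dict) -> bytes:
    """Verify the tag first (encrypt-then-MAC), then decrypt."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("integrity check failed: ciphertext or tag was modified")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class EncryptedStore:
    """Records are stored field-by-field under distinct keys; reads are policed and logged."""

    def __init__(self, field_keys: dict, policy: dict):
        self.field_keys = field_keys   # field name -> its own key
        self.policy = policy           # principal -> set of fields it may read
        self.records = {}
        self.audit_log = []            # one dict per access attempt, allowed or not

    def put(self, record_id: str, fields: dict) -> None:
        self.records[record_id] = {
            name: encrypt_field(self.field_keys[name], value.encode())
            for name, value in fields.items()
        }

    def get(self, principal: str, record_id: str, field: str) -> str:
        allowed = field in self.policy.get(principal, set())
        # Every decision is logged before data is released, so denied attempts
        # are visible to the SIEM as well as successful reads.
        self.audit_log.append({
            "principal": principal, "record": record_id,
            "field": field, "outcome": "allowed" if allowed else "denied",
        })
        if not allowed:
            raise PermissionError(f"{principal} may not read {field}")
        return decrypt_field(self.field_keys[field], self.records[record_id][field]).decode()

    def audit_jsonl(self) -> str:
        """Audit trail as JSON lines, the shape most SIEM collectors accept."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.audit_log)


def build_demo_store() -> EncryptedStore:
    """Constructed sample data: two fields, two principals, one patient record."""
    field_keys = {"diagnosis": os.urandom(32), "ssn": os.urandom(32)}
    policy = {"clinician": {"diagnosis"}, "billing_app": {"ssn"}}
    store = EncryptedStore(field_keys, policy)
    store.put("pt-001", {"diagnosis": "hypertension", "ssn": "123-45-6789"})
    return store


def demo() -> list:
    """Run one allowed and one denied read; return the audit log entries."""
    store = build_demo_store()
    store.get("clinician", "pt-001", "diagnosis")
    try:
        store.get("clinician", "pt-001", "ssn")
    except PermissionError:
        pass
    return store.audit_log


if __name__ == "__main__":
    for entry in demo():
        print(json.dumps(entry, sort_keys=True))
```

The point of keeping a separate key per field is that a policy decision translates directly into which key a principal's request is allowed to use, and the log line for a denied request is as valuable to the audit trail as the line for an allowed one.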