Decoding the Importance of Data Encryption in Healthcare 

Executive Summary 

The need to encrypt patient data has become more important than ever as more practices use EMR systems and mobile devices and transmit patient health information by email. It is therefore imperative that healthcare providers understand their responsibilities regarding encryption in order to reduce the risk of a HIPAA cybersecurity violation.

Recommended Actions  
  • Ensure that your healthcare practice has an up-to-date cybersecurity breach policy that addresses encryption of patient data. 
  • Regularly conduct self-audits of your cybersecurity systems, specifically looking for unaddressed vulnerabilities and missing patches.
  • Ensure that patients are signing an informed consent document before exchanging any emails with them. 

Electronic communication with patients creates liability in two main ways: failing to protect confidential information and failing to transmit essential information. The first gets more discussion, but the second causes greater harm. MagMutual sees many claims — some of the more serious ones — regarding vital messages that did not reach the people who needed them. When in doubt, err on the side of communicating.

Messaging is either synchronous (real-time, with no storage) or asynchronous (the content is held somewhere for later retrieval). A phone conversation is synchronous. A fax is asynchronous. Emerging standards demand protection for electronic messages both in transit and at rest. Keep in mind that static data (documentation, result reporting, etc.) faces different risks while in transit than it does at rest.

Your cybersecurity breach plan should describe how you protect all sensitive data that leaves your devices.

Encrypting data is very important in healthcare, not only for HIPAA compliance, but also for protecting your patients’ health data from potential cyber threats. As a physician, it remains your responsibility to protect your patients’ data from cyber security risks. Many physicians, however, are not entirely clear on what encryption does or how it makes a difference in their security efforts. 

By definition, encrypting data makes it unreadable. When encrypted, data is converted into a form called ciphertext that cannot be understood by another party without the key. If data is encrypted, it remains unreadable even if it has been stolen. Encryption is achieved through software that applies algorithms to the original data, scrambling it into a new, unreadable form. These algorithms change frequently, making the data even more difficult to decrypt without authorization, while the key lets you decrypt your own data when you need it.

The HIPAA Security Rule is very specific about encrypting patient data, whether at rest or in transit. If your patient data remains unencrypted in either of these states, the Department of Health and Human Services could fine your practice. If unencrypted data is stolen from your practice, not only will you likely experience a large financial loss, but you will also have to notify all of your patients, which could damage your practice’s reputation. If encrypted data is stolen, you will not be charged a fine, nor do you have to notify patients; this protection depends on the key itself not being exposed along with the data, which is why the key must never be stored alongside it.

In addition to properly encrypting and protecting your patients’ data, it’s important to be aware of actions that put it at additional risk. Taking data out of your EHR by emailing it to yourself or pasting it into documents for easier review exposes it further. Data that resides on an on-premises or in-house server could also be at risk — especially if the secret used for decryption is stored on the desktop. Here are a few tips for avoiding these additional risks:

  • Encrypt data between uses. 
  • Avoid regular email; only use encrypted emails. 
  • Get IT help. Having someone with the right expertise help you could make all the difference in keeping data secure. 
  • Be careful with the use of mobile devices. Any device that is or can be taken off site should be encrypted. 

Though taking the necessary steps to ensure that your patients’ data is encrypted may be a hassle, in the long run it will protect your patients’ data as well as you and your reputation from financial and personal damage.

Finally, the convenience of asynchronous messaging can itself become a barrier to communication. As our inboxes swell with notices, results and requests, the likelihood of missing, deleting or mishandling critical content grows. Simply firing off an email does not guarantee that it will be received, understood or acted on.

When patients are injured by dropped tasks, both the sender and the receiver can be blamed. The “inbox problem” is a serious issue for patient safety. 

Lessons Learned 
  • Conduct annual HIPAA cybersecurity training for all employees and maintain documentation of this training.  
  • Share all vital information with patients via two methods of communication (e.g., a secure email and a phone call) to ensure that they receive the information in a timely manner.
  • Document all communications with patients, in whatever form, and place a copy of the documentation in the patient’s medical record.

Potential Damages

Healthcare practices that do not adequately encrypt their patient data could face a HIPAA violation and the associated fines and financial penalties. Although such violations are relatively infrequent, the fines can quickly add up.


1. Patient data must only be encrypted when it is in transit.
2. There are no additional cybersecurity breach risks by emailing patient data.
3. Patient data that resides in an on-premise server or in-house server is not at risk of a cybersecurity breach.


The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.