Decoding the Importance of Encryption: Why it’s essential for any cyber security strategy

January 26, 2015

Encrypting data is very important in healthcare, not only for HIPAA compliance, but also for protecting your patients’ health data from potential cyber threats. As a physician it remains your responsibility to protect your patients’ data from cyber risks. Many physicians, however, are not entirely clear on what encryption does or how it makes a difference in their security efforts.

By definition, encrypting data makes it unreadable. Encryption converts data into a form, usually called ciphertext, that cannot be understood by another party without the key[1]. Encrypted data therefore stays unreadable even if it is stolen. Encryption is carried out by software that applies an algorithm to the original data, scrambling it into a new, unreadable form. These algorithms change frequently, which makes the data even more difficult to unencrypt, but the key lets you decrypt your own data.

The HIPAA Security Rule is very specific about encrypting patient data, whether at rest or in transit. If your patient data remains unencrypted in either of these states, the Department of Health and Human Services will fine you. If unencrypted data is stolen from your practice, not only will you suffer a large financial loss, you will also have to notify all of your patients, possibly damaging your reputation[2]. If encrypted data is stolen, you will not be fined, nor do you have to notify patients.

In addition to properly encrypting and protecting your patients’ data, it is important to be aware of the practices that put it at additional risk. Taking data out of your EHR, for example by e-mailing it to yourself or pasting it into documents for easier review, exposes it further. Data that resides on an on-premises or in-house server can also be at risk, especially if the decryption key is stored on the desktop. Here are a few tips for avoiding these additional risks[3]:

  • Encrypt data between uses
  • Avoid regular e-mail; use only encrypted e-mail
  • Get IT help – having someone with the right expertise help you could make all the difference in keeping data secure
  • Be careful with gadgets – any device that is, or can be, taken off site should be encrypted

Though going through the necessary steps to ensure your patients’ data is encrypted may be a hassle, in the long run it protects your patients’ data, and it protects you and your reputation from financial and personal damage. Overall, encryption is an essential part of your practice’s or hospital’s cyber security strategy.


[1] Torrieri, Marisa. Data Encryption 101 for Medical Practices. http://www.mckessonpracticesolutions.com/resources/editorials/data-encryption

[2] Maliyill, Tim. 2014, July 31. Why encryption is crucial to your organization. http://www.healthcareitnews.com/blog/why-encryption-crucial-your-organization

[3] Rose, Rachel V., JD, MBA. 2014, May 8. The Importance of Encrypting Protected Health Information. http://www.physicianspractice.com/blog/importance-encrypting-protected-health-information

Disclaimer

The information presented in this Advisory is intended as general information of interest to physicians and other healthcare professionals. The recommendations and advice published herein do not reflect or establish a standard of care and do not establish rules for the practice of medicine. The publication of this information is not intended as an offer to insure such conditions or exposures, or to indicate that MAG Mutual Insurance Company will underwrite such risks for the reader. Our liability is limited to the specific written terms and conditions of actual insurance policies issued.