Regulation of Medicine
Decoding the Importance of Encryption: Why it’s essential for any cyber security strategy
January 26, 2015
Encrypting data is very important in healthcare, not only for HIPAA compliance, but also for protecting your patients’ health data from potential cyber threats. As a physician it remains your responsibility to protect your patients’ data from cyber risks. Many physicians, however, are not entirely clear on what encryption does or how it makes a difference in their security efforts.
By definition, encrypting data makes it unreadable. When encrypted, data is converted into a form often called ciphertext that cannot be understood by another party without the key. If data is encrypted, even if it has been stolen, the data can still remain unreadable. Encryption is achieved through software programs that apply algorithms to the original data. This scrambles it into a new, unreadable, form. These algorithms change frequently making it even more difficult to unencrypt, but a key will help you decrypt your data.
The HIPAA security rule is very specific about encrypting patient data whether at rest or in transit. If your patient data remains unencrypted in either of these states the Department of Health and Human Services will fine you. If unencrypted data is stolen from your practice, not only will you experience a huge financial loss, you’ll have to notify all your patients, possibly damaging your reputation. If encrypted data is stolen you will not be charged a fine nor do you have to notify patients.
In addition to properly encrypting and protecting your patient’s data, it’s important to be aware of the things that put it at additional risk. Taking data out of your EHR by e-mailing it to yourself, pasting it into documents for easier review, etc. puts it at further risk. Data that resides in an on-premise server or in-house server could also be at risk—especially if the secret to decryption is stored on the desktop. Here are a few tips for avoiding these additional risks:
- Encrypt data between uses
- Avoid regular email, only use encrypted emails
- Get IT help – having someone with the right expertise help you could make all the difference in keeping data secure
- Be careful with Gadgets – any device that is or can be taken off site should be encrypted
Though going through the necessary steps to ensure your patients’ data is encrypted may be a hassle, in the long run it will help protect you and your reputation from financial and personal damage, as well as your patients’ data. Overall, encryption is an essential part of your practice’s or hospital’s cyber security strategy.
 Torrieri, Marisa. Data Encryption 101 for Medical Practices. http://www.mckessonpracticesolutions.com/resources/editorials/data-encryption
 Maliyill, Tim. 2014, July 31. Why encryption is crucial to your organization. http://www.healthcareitnews.com/blog/why-encryption-crucial-your-organization
 Rose, JD, MBA, Rachel V. 2014, May 8. The Importance of Encrypting Protected Health Information. http://www.physicianspractice.com/blog/importance-encrypting-protected-health-information
The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.