Secure Data in Transit

HIPAA requires different things of encryption software depending on whether it’s ‘at rest’ or ‘in transit’.

At rest: data is inactive, stored in a hard drive or SSD, or on a device like a tablet. Data should be protected by advanced cryptography, full-disk/virtual disk security, and mobile device encryption (where applicable).

In transit: actively moving between a sender and destination, such as via email, transmitting to cloud, or between a server and a mobile device.

HIPAA compliance is made possible by measures such as AES-256, nearly impossible to brute force and approved for confidential data handling by the US government. TLS (Transport Layer Security) is another protocol for secure data transmission, such as HTTPS, email, or IMs. It also uses AES-256, combined with other security measures. OpenPGP (Pretty Good Privacy) and S/MIME also comply with HIPAA but have public key management requirements that many find laborious to use in comparison to AES-256 and TLS 1.2.

The common recommendation is that secure systems use AES-256 encryption for data at rest, and TLS for data-in-transit. However, this is not the be-all and end-all of your security measures. It is important to identify and mitigate weaknesses in your HIPAA-compliant security.

• Staff & training (social engineering): it’s clichéd because it’s true– humans are the weakest link in cybersecurity, and it’s no different in the healthcare industry
• Lost or stolen devices: as previously mentioned, lost laptops, flash drives, phones, or other devices containing ePHI can necessitate seven-figure payouts
• Third-party partners: any third-party cloud or IT vendor handling ePHI must have the same dedication to technical security standards as the healthcare provider or service they work with
• Unsecured email systems/servers: if anyone in your organization still uses unsecured email clients or servers, shut them down
• Weak encryption: breakthroughs in computer technology, especially quantum computing, mean that old encryption standards long-thought sufficiently secure may in fact be dangerously porous to modern cybercriminals
• Stagnating encryption keys and certificates: encryption keys that are used beyond the lifespan recommended by NIST, or after a data breach, can open organizations up to compromise

HIPAA’s technical safeguards can be confusing because the encryption requirements are called ‘addressable’. The wording for encryption of PHI is vague: “…entities should implement a mechanism to encrypt PHI whenever deemed appropriate”.

In this context, ‘addressable’ means a safeguard or equivalent alternative should be implemented, or else a justifiable reason for why the safeguard was not employed must be documented. For example, internal comms via an internal server protected by a firewall may present no risk to PHI integrity from outside sources. However, communication containing ePHI that leaves an entity protected by firewalls must now be dealt with using an addressable safeguard.

Entities can only transmit ePHI via email over open networks if that information is adequately protected. A risk analysis should be taken to find the risks to the confidentiality, integrity, and availability of ePHI, so that a risk management plan can be devised to reduce those risks to an appropriate level.

Universal encryption for messages is a common method of risk management, though levels of protection that are equivalent can be used in place of encryption.

As well as lost or stolen laptops and flash drives, personal mobile devices in the workplace can undermine PHI integrity. Around 4 in 5 healthcare professionals use a tablet for workflow management. Forbidding the use of unencrypted devices in healthcare organizations would cause massive disruption to communication and other aspects of the healthcare industry besides.

Secure messaging platforms offer a possible solution to this problem, as they comply with HIPAA encryption requirements by encrypting PHI both at rest and in transit. Communications containing PHI are undecipherable if intercepted or accessed unauthorized. Secure messaging solutions not only meet HIPAA email encryption requirements, but also requirements for access control, audit controls, integrity controls, and ID authentication. This solution is much more useful than pagers, allowing medical information (including images) to be shared securely.

As technology marches on and cybercrime grows more sophisticated, the need for regulatory compliance with HIPAA and other legislation to protect patients’ protected health information in transit will only become more stark.

#KingstonIsWithYou