Secure Data in Transit

If you are involved in data security for healthcare organizations, one thing you may be wondering is why regulations and legal liability play such an important role in influencing the data-in-transit technologies your organization opts for. One of the biggest stress factors around IT for the healthcare sector is the importance of compliance with data security regulations such as the Healthcare Insurance Portability and Accountability Act (better known as HIPAA).

This stress is not unfounded: healthcare data breaches are generally the most expensive and damaging in terms of revenue and organizational reputation by far. The average cost of a data breach in the healthcare sector grew from US$7.13m in 2020 to $9.23m in 2021, compared to the global average of $3.86m in 2020 and $4.24m in 2021.

Even potential HIPAA violations are punished, such is the severity of the regulation. In 2019, an unencrypted laptop and flash drive were stolen from The University of Rochester Medical Center. This event, and URMC’s handling of it, required a US$3m payout to the Office for Civil Rights in a settlement for potential HIPAA violations.

HIPAA rules and security requirements

HIPAA has three foundational rules to protect patients and their information:

  • Privacy Rule: protected health information and documentation
  • Breach Notification Rule: how organizations report security breaches to authorities and patients
  • Security Rule: establishes security standards for protected health information (PHI) storage and transmission

These rules ensure that organizations bear responsibility for the confidentiality and security of ePHI (electronic PHI), as well as for anticipating and protecting against threats to that data. However, they do not specify a particular protocol, technology, or standard for doing so. This is because as cybersecurity threats evolve, so too must HIPAA security technologies. Rather than specify which encryption protocols were necessary, a step which would have undermined the efficacy of the law by tying it to specific technologies, the legislation simply stipulated the strength and reliability of security standards when used to protect ePHI. This was done under the advice of NIST (the National Institute of Science and Technology), so as to render the law more future-proof. Entities can choose the most appropriate solution for their circumstances and apply it to their system.

HIPAA requires different things of encryption software depending on whether the data is ‘at rest’ or ‘in transit’.

At rest: data is inactive, stored in a hard drive or SSD, or on a device like a tablet. Data should be protected by advanced cryptography, full-disk/virtual disk security, and mobile device encryption (where applicable).

In transit: data is actively moving between a sender and destination, such as via email, transmission to the cloud, or between a server and a mobile device.

HIPAA compliance is made possible by measures such as AES-256, which is nearly impossible to brute force and approved for confidential data handling by the US government. TLS (Transport Layer Security) is another measure: a protocol for secure data transmission over channels such as HTTPS, email, or IMs. It also uses AES-256, combined with other security measures. OpenPGP (Pretty Good Privacy) and S/MIME also comply with HIPAA but have public key management requirements that many find laborious in comparison to AES-256 and TLS 1.2.

The common recommendation is that secure systems use AES-256 encryption for data at rest, and TLS for data-in-transit. However, this is not the be-all and end-all of your security measures. It is important to identify and mitigate weaknesses in your HIPAA-compliant security.

  • Staff & training (social engineering): it’s clichéd because it’s true: humans are the weakest link in cybersecurity, and it’s no different in the healthcare industry
  • Lost or stolen devices: as previously mentioned, lost laptops, flash drives, phones, or other devices containing ePHI can necessitate seven-figure payouts
  • Third-party partners: any third-party cloud or IT vendor handling ePHI must have the same dedication to technical security standards as the healthcare provider or service they work with
  • Unsecured email systems/servers: if anyone in your organization still uses unsecured email clients or servers, shut them down
  • Weak encryption: breakthroughs in computer technology, especially quantum computing, mean that old encryption standards long-thought sufficiently secure may in fact be dangerously porous to modern cybercriminals
  • Stagnating encryption keys and certificates: encryption keys that are used beyond the lifespan recommended by NIST, or after a data breach, can open organizations up to compromise
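
The recommendation above (TLS for data in transit, AES-256 as the cipher) and the "weak encryption" item can be checked in configuration. The following is an added example, not code from Kingston or from the original article: it builds a Python client TLS context that enforces a TLS 1.2 floor with AES-256-GCM suites, and audits any context against that policy. The function names and the constructed "legacy" configuration are assumptions made for illustration.

```python
import ssl

MIN_VERSION = ssl.TLSVersion.TLSv1_2  # floor taken from the article's TLS 1.2 mention


def build_transit_context():
    """Client context for sending ePHI: verified peer, TLS 1.2+, AES-256-GCM."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking on
    ctx.minimum_version = MIN_VERSION
    # set_ciphers() governs TLS 1.2 and older suites only; TLS 1.3 suites are
    # managed separately by OpenSSL and are all AEAD.
    ctx.set_ciphers("ECDHE+AES256+AESGCM")
    return ctx


def audit_context(ctx):
    """Return findings for settings that fall below the policy above."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname checking disabled")
    if ctx.minimum_version < MIN_VERSION:
        findings.append("protocols older than TLS 1.2 allowed")
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue  # not controlled by set_ciphers(); see comment above
        if suite["strength_bits"] < 256 or not suite["aead"]:
            findings.append("weak TLS 1.2 suite: " + suite["name"])
    return findings


def legacy_context():
    """Constructed 'before' configuration: no peer verification, AES-128 allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ECDHE+AESGCM")     # admits AES-128-GCM alongside AES-256-GCM
    return ctx


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()),
                       ("hardened", build_transit_context())):
        print(label, audit_context(ctx) or "no findings")
```

The audit inspects only local configuration, so it can run in CI against whatever context an application constructs before that application is allowed to carry ePHI.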

HIPAA’s technical safeguards can be confusing because the encryption requirements are called ‘addressable’. The wording for encryption of PHI is vague: “…entities should implement a mechanism to encrypt PHI whenever deemed appropriate”.

In this context, ‘addressable’ means a safeguard or equivalent alternative should be implemented, or else a justifiable reason for why the safeguard was not employed must be documented. For example, internal comms via an internal server protected by a firewall may present no risk to PHI integrity from outside sources. However, communication containing ePHI that leaves an entity protected by firewalls must now be dealt with using an addressable safeguard.

Entities can only transmit ePHI via email over open networks if that information is adequately protected. A risk analysis should be carried out to find the risks to the confidentiality, integrity, and availability of ePHI, so that a risk management plan can be devised to reduce those risks to an appropriate level.

Universal encryption for messages is a common method of risk management, though levels of protection that are equivalent can be used in place of encryption.

As well as lost or stolen laptops and flash drives, personal mobile devices in the workplace can undermine PHI integrity. Around 4 in 5 healthcare professionals use a tablet for workflow management. Forbidding the use of unencrypted devices in healthcare organizations would cause massive disruption to communication and other aspects of the healthcare industry besides.

Secure messaging platforms offer a possible solution to this problem, as they comply with HIPAA encryption requirements by encrypting PHI both at rest and in transit. Communications containing PHI are undecipherable if intercepted or accessed without authorization. Secure messaging solutions not only meet HIPAA email encryption requirements, but also requirements for access control, audit controls, integrity controls, and ID authentication. This solution is much more useful than pagers, allowing medical information (including images) to be shared securely.

As technology marches on and cybercrime grows more sophisticated, the need for regulatory compliance with HIPAA and other legislation to protect patients’ protected health information in transit will only become more stark.
