
Ask the expert: Encryption is key for a HIPAA covered entity

David Reis, CISO at Lahey Hospital & Medical Center, discusses important steps a healthcare organization, as a HIPAA covered entity, should take to remain compliant.

In this Ask the Expert, David Reis, vice president of information services and CISO at Lahey Hospital & Medical Center in Burlington, Mass., discusses the two vital steps a HIPAA covered entity needs to take in order to better ensure compliance.

In your opinion, what do you think are the main issues in terms of healthcare organizations not being HIPAA compliant? What can healthcare organizations do to ensure they remain a compliant HIPAA covered entity?

David Reis: There's a range of things; they kind of go up a complexity scale, starting with lacking data-at-rest encryption. Data-at-rest encryption is just the single biggest thing that any healthcare organization can do to help prevent breaches and help ensure compliance with HIPAA. On laptops, encrypt the drives; use encrypted USB storage devices; enable encryption on mobile devices that interact with email; and then be very sensitive about backup tapes, because they can get lost. We can see from CMS data that lost backup tapes contribute to a lot of breaches of HIPAA-covered data. These things, at a very foundational level, are enormously important to helping prevent breaches and to being compliant with HIPAA.

Over and above that, capability level two ... make sure that HIPAA covered entities have a thorough, complete, and accurate inventory of applications and devices that store patient data, and that they do a National Institute of Standards and Technology (NIST) SP 800-30 based risk assessment.

These two things -- do a NIST-based risk assessment with a thorough and complete inventory of applications and devices that store patient data and use encryption -- are huge in remaining compliant with HIPAA.
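The two steps Reis describes, an asset inventory of everything that stores patient data and a NIST SP 800-30 style risk assessment driven by whether data at rest is encrypted, fit together naturally in a small risk-register script. The following is an added example, not code from the article or from Lahey Hospital: the inventory rows, record counts, asset kinds and the three-level likelihood/impact scales are all constructed for illustration, and the scoring rules (portable media that is unencrypted rates high likelihood; the 500-individual HHS breach-reporting threshold drives high impact) are assumptions chosen to reflect the reasoning in the interview, not SP 800-30's own tables.

```python
"""Added example (not from the article): rate PHI-storing assets with a
NIST SP 800-30 style likelihood x impact matrix and flag encryption gaps.
All assets, counts and scale thresholds below are constructed."""
from dataclasses import dataclass

LEVEL = {"low": 1, "moderate": 2, "high": 3}
# Media that routinely leaves the building; loss or theft is the dominant threat event.
PORTABLE = {"laptop", "usb", "mobile", "backup-tape"}


@dataclass
class Asset:
    name: str
    kind: str               # laptop, usb, mobile, backup-tape, server, app
    stores_phi: bool        # from the inventory: does it hold patient data?
    encrypted_at_rest: bool # full-disk / device / tape encryption enabled?
    records: int            # patient records held (constructed figures)


def likelihood(a: Asset) -> str:
    """Likelihood that a loss or theft event exposes readable PHI."""
    if not a.stores_phi:
        return "low"
    if a.kind in PORTABLE:
        # Losing portable media is frequent; encryption turns the event into
        # ciphertext exposure only, so the likelihood of readable PHI loss drops.
        return "low" if a.encrypted_at_rest else "high"
    return "low" if a.encrypted_at_rest else "moderate"


def impact(a: Asset) -> str:
    """Impact scale keyed to record count (assumption: 500 = HHS reporting threshold)."""
    if not a.stores_phi or a.records == 0:
        return "low"
    return "high" if a.records >= 500 else "moderate"


def risk_level(like: str, imp: str) -> str:
    """Collapse the 3x3 likelihood/impact product to a qualitative level."""
    score = LEVEL[like] * LEVEL[imp]
    if score >= 6:
        return "high"
    if score >= 3:
        return "moderate"
    return "low"


def assess(inventory: list[Asset]) -> list[dict]:
    """Return one finding per asset, highest risk first (stable sort keeps inventory order within a level)."""
    findings = []
    for a in inventory:
        like, imp = likelihood(a), impact(a)
        action = ("encrypt at rest" if a.stores_phi and not a.encrypted_at_rest
                  else "maintain existing controls")
        findings.append({"asset": a.name, "likelihood": like, "impact": imp,
                         "risk": risk_level(like, imp), "action": action})
    findings.sort(key=lambda f: LEVEL[f["risk"]], reverse=True)
    return findings


def unencrypted_phi(inventory: list[Asset]) -> list[str]:
    """Names of PHI-storing assets with no data-at-rest encryption: the first remediation list."""
    return [a.name for a in inventory if a.stores_phi and not a.encrypted_at_rest]


# Constructed inventory, the kind of list the interview says every covered entity needs.
INVENTORY = [
    Asset("clinic-laptop-07", "laptop", True, False, 1200),
    Asset("offsite-backup-tape-set", "backup-tape", True, False, 250000),
    Asset("nurse-phone-21", "mobile", True, True, 40),
    Asset("ehr-db-primary", "server", True, True, 400000),
    Asset("cafeteria-pos", "server", False, False, 0),
]

if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"{f['risk']:<9} {f['asset']:<25} L={f['likelihood']:<9} "
              f"I={f['impact']:<9} -> {f['action']}")
    print("unencrypted PHI assets:", unencrypted_phi(INVENTORY))
```

With this inventory the unencrypted laptop and the backup tape set sort to the top as high risk, while the encrypted EHR database, despite holding the most records, rates only moderate; that ordering is the point of pairing the inventory with the encryption attribute rather than ranking by record count alone.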

Let us know what you think about the story and any tips you have for a HIPAA covered entity to remain compliant; email Kristen Lee, news writer, or find her on Twitter @Kristen_Lee_34.
