Encrypting PCs, laptops and peripheral devices is a vital step toward protecting personal health information (PHI) and avoiding hefty fines for data breaches. Hardware shouldn't be the only focal point of a PHI encryption strategy, however.
Many health care CIOs don't worry about PHI breaches when a server is in a secured data center. But it can happen -- and it can be expensive. A server obviously will contain significantly more PHI than a PC or laptop, and data breach fines are based in part on the number of patients whose PHI data has been compromised.
It's important to remember these three levels of encryption on any servers containing PHI:
- Software encryption. Many software encryption systems for PCs and laptops cannot be used on servers. When you purchase a software encryption product, verify how it can be implemented. Consider "on-the-fly encryption" for servers. In this process, data is encrypted or decrypted automatically before it is loaded or saved, invisible to the user. PHI stored on an encrypted volume can be accessed only if the user has the correct password or encryption keys. The PHI at rest on the server's disk is completely encrypted. If a hacker obtains unauthorized access, the data is unreadable.
- Network encryption. To prevent unauthorized server access, a health care institution should encrypt its entire network, both wired and wireless. Network encryption ensures that hackers attempting "sniffing attacks" will not see any PHI in transmission.
- Database encryption. Database encryption is by far the most overlooked encryption strategy in health IT. The major database vendors sell a transparent data encryption (TDE) product, and most have offered it since 2005: Oracle Corp. with Oracle 10g, InterSystems Corp. with Caché, and Microsoft with SQL Server 2005 and SQL Server 2008. If you have purchased an electronic health record (EHR) system that uses one of these listed databases, verify that TDE is in fact enabled within the application -- just because the database is capable of TDE doesn't mean the vendor automatically uses it. Finally, remember that for TDE in databases, it is an encryption best practice to make sure that the encryption keys are kept on a different server from the one where the database resides.
Encryption strategy mustn't forget backup tapes
In 2008, the University of Utah reported that a container of backup tapes with the billing records of some 1.7 million patients was stolen from the vehicle of a courier from the university's off-site storage vendor. These tapes contained the names, demographic information and Social Security numbers of patients of the University of Utah Health Care Hospitals & Clinics.
Health care CIOs must be aware of the risks associated with unencrypted backup media. If tapes are encrypted, anyone who steals them will have useless media -- there will be no breach of medical information; and there will be no fines, penalties or restitution requirements. If tapes are not encrypted, however, the Health Information Technology for Economic and Clinical Health, or HITECH, Act's data breach compliance requirements kick in. An organization could pay millions in federal fines, on top of the millions that must be spent on breach notification, consumer credit monitoring and other fees.
For backup media encryption, here are a few tips to keep in mind:
- Hardware-encrypted tapes are the best media to use. They do not use CPU cycles to encrypt while they are backing up data, and they can encrypt at hardware speed. Many of the newest hardware-encrypted backup storage offerings on the market also are the fastest to provide backup services.
- Don't lose the encryption keys. Otherwise, you can't retrieve the data.
- Store the keys separately from the tapes. Storing the keys with the tapes is like printing the combination of the office safe on the safe's front door.
- Use the highest level of tape encryption available. It's worth the money.
Encryption strategy help from the PRC
The Privacy Rights Clearinghouse (PRC) is a nonprofit organization that assists consumers with privacy issues related to banking, credit, debt collecting, background checks, identity theft and now, medical information privacy. Since 1992 it has represented the interests and rights of individuals regarding consumer information and consumer advocacy.
One of the PRC's primary goals is to raise consumer awareness of how technology affects personal privacy. Most consumers pay attention only to banking, credit and debt-collecting privacy issues -- but the amount of medical information being stolen has risen significantly.
The PRC website includes several pages that every health care CIO should read. For example, I consider the Checklist of Responsible Information-Handling Practices, which is available on the organization's Fact Sheets page, a best-practice guideline to securing any data, including health care information. The checklist covers data transactions ranging from faxes to voicemail messages to wireless communications, and it provides advice for developing security policies related to internal communications.
Network encryption also a key strategy
Many health care CIOs forget about wired and wireless network encryption. This is an important encryption strategy that should not be overlooked -- there are so many ways that the bad guys can sniff a network and pull the data as it goes by.
In February 2010, the Federal Trade Commission (FTC) notified more than 90 organizations that personal information had been taken from their computer networks. The primary method used in the data breach was peer-to-peer (P2P) file sharing.
"[W]e found health-related information, financial records, and driver's license and Social Security numbers -- the kind of information that could lead to identity theft," FTC Chairman Jon Leibowitz said in a statement. "Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs, and that authorized programs are properly configured and secure."
The following network encryption basics will help you protect data:
- Be sure the routing works before you try to do encryption. A remote peer may not have a route for the interface, which means you will not be able to have an encryption session with that peer.
- Encrypt your network at the endpoints. Encrypting routers redundantly (decrypting and re-encrypting all traffic) really just wastes CPU cycles.
- Pay attention to network bottlenecks. Low-end routers should not be used in main network cores. You will get a "CPU hog"-type message, because the volume of traffic uses all the router's CPU cycles to encrypt the traffic.
- If you need to encrypt traffic other than IP, use a tunnel.
- Network encryption encrypts only the data in transmission. The data does not stay encrypted when it lands at the destination. If the destination server is breached, that data gets stolen, and all the work to encrypt the transmission is for naught.
- Guard against P2P network applications. If they are allowed to run on your health care network, EHR data will be compromised.
Overall, infrastructure encryption is worth the investment. Though it can never be considered the "silver bullet" for medical record security, it is a best practice for securing EHR data if it's used appropriately and at multiple hardware levels.
About the author:
Al Gallant is the director of technical services at Dartmouth-Hitchcock Medical Center in Lebanon, N.H. Let us know what you think about the story; email firstname.lastname@example.org.