Use encryption to avoid health care data breaches

The recently released 2014 California Data Breach Report, published by the Office of the Attorney General, reports that 70 percent of health care sector data breaches in 2012 and 2013 were the result of lost or stolen hardware or portable media containing unencrypted data.

More than half of the health care breaches in the report involved Social Security numbers, which can be abused in many ways, and against some of those abuses consumers, including patients, have no effective defense.

Rami J. Zreikat, an experienced information privacy and security compliance vendor, says many dentists need to take the necessary steps to protect their patients' information.

"Most people are worried about credit card theft and its financial implications, but identity theft continues to be on the rise. Dental practices can be a target because they store health data, which has more information than the financial data of a credit card and the essential components for hackers to build an identity theft profile," Zreikat said. "Social Security numbers, date of birth, address — it's all in health data."

The question becomes, how do dentists protect their patients' information, and their practice from fines and penalties? The Attorney General's report states, "The need to use encryption is a lesson that must be learned by the health care industry and we recommend that it be applied not only to laptops and portable media, but also to many computers in offices."

Encryption can be applied to everything from the practice's server and email to mobile devices (laptops, phones and tablets) and USB drives. If done correctly and efficiently, encrypting stored data can be a "get out of jail" card for a practice in the eyes of the state and the U.S. Department of Health and Human Services should a computer, laptop, mobile device, hard drive, flash drive or any mobile media with patient information be stolen or lost. Breach notification requirements apply when patient information is lost or stolen. An exception to the requirement is allowed for an entity that can successfully demonstrate that the stolen or lost media was encrypted and that the encryption key is not known to any unauthorized entity.

Encryption takes readable data and obscures (garbles) it so that someone who steals the data can't read it. Dentists can encrypt both "data in motion" (data that is in transit either through the Internet, email or being sent to a printer, etc.) and "data at rest" (data stored on a hard disk, external USB stick/flash drive or on an external drive).

A practice can seek encryption software from several companies. Newer data storage devices include encryption. Zreikat recommends dentists consult with an IT professional and ask the right questions to ensure the encryption process causes minimal disruption.

Full disk encryption is yet another area of concern that dentists should evaluate for their practice. "This technology protects your media (e.g. mobile devices, servers, etc.) when they are powered off. When a server is stolen, the power is disconnected and the data is automatically encrypted," Zreikat said. When dealing with disk encryption, Zreikat recommends dentists work closely with their IT advisor and their practice management software company to ensure that their system can handle full disk encryption. Together, the IT advisor and the software company can look for the following components when selecting an appropriate disk encryption product and advise the dentist accordingly:

  • Operating system support.
  • Authentication methods.
  • Support for Intel AES-NI instructions.
  • FIPS-140 compliant encryption methods.
  • Key management systems/recovery updates.
  • Information technology support and knowledge.
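Before a practice relies on the encryption exception to breach notification described above, someone has to confirm that every drive actually is fully encrypted with an approved method and that a recovery key has been escrowed. The following PowerShell audit is an added example, not code from the article or from any vendor; it assumes Windows workstations with the built-in BitLocker module and an elevated session, and the list of acceptable encryption methods is an assumed policy you should align with your own IT advisor's guidance.

```powershell
# Added example: audit BitLocker on a Windows practice workstation.
# Assumes the BitLocker module (Windows 8 / Server 2012 and later) and an elevated session.
Import-Module BitLocker -ErrorAction Stop

# Assumed policy: only the AES modes BitLocker offers count as acceptable.
# 'None' or an empty method means the volume is not really encrypted.
$AcceptableMethods = @('XtsAes256', 'XtsAes128', 'Aes256', 'Aes128')

$report = foreach ($vol in Get-BitLockerVolume) {
    $findings = @()

    # Protection must be switched on, not merely configured or suspended.
    if ($vol.ProtectionStatus -ne 'On') { $findings += 'protection is off or suspended' }

    # A volume still encrypting (or decrypting) offers no safe-harbor argument yet.
    if ($vol.VolumeStatus -ne 'FullyEncrypted') { $findings += "volume status is $($vol.VolumeStatus)" }

    # Check the cipher against the assumed policy list.
    if ($vol.EncryptionMethod -notin $AcceptableMethods) { $findings += "method is $($vol.EncryptionMethod)" }

    # Key management: a recovery password should exist and be escrowed somewhere
    # other than the device itself, so a lost laptop does not also lose its key.
    $hasRecovery = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if (-not $hasRecovery) { $findings += 'no recovery password protector' }

    [pscustomobject]@{
        Drive     = $vol.MountPoint
        Method    = $vol.EncryptionMethod
        Protected = $vol.ProtectionStatus
        Findings  = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'OK' }
    }
}

# One row per volume; any row other than 'OK' needs attention before the
# device could be described as encrypted in a breach assessment.
$report | Format-Table -AutoSize
```

Run it on each workstation and laptop and keep the output with the practice's risk assessment records; the recovery passwords themselves belong in a separate, access-controlled store, never on the device being audited.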

HIPAA allows covered entities to transmit patient information electronically, provided they apply reasonable safeguards when doing so. Zreikat said certain precautions should be taken when using email to avoid unintentional disclosures, such as checking the email address for accuracy before sending and sending an email alert to the patient for address confirmation prior to sending the message.

"There are several services available to ensure secure transmission of patient information," Zreikat said. "It is much cheaper to simply purchase a service for encrypting emails and attachments and many service providers offer such services at a very low cost nowadays."

While encryption is the focus of this article, the dental practice must look at the HIPAA Security Rule to understand the security controls that are required for its practice. "Remember that the first step is to conduct a risk assessment and understand what your existing security controls are and the gaps you need to close" Zreikat said.

Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to simplify, and thereby reduce the cost of, the administration of health care. HIPAA does this by encouraging the use of electronic transactions between health care providers and payers, thereby reducing paperwork. Congress deemed that if the electronic transmission of patient health information was to be encouraged by the legislation, there needed to be means to protect the confidentiality of that information, and thus, the HIPAA Security Rule was created. A Security Rule risk analysis as required by HIPAA is a good baseline for a practice to establish protection.

The U.S. Department of Health and Human Services (HHS) outlines a risk analysis as follows: "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the covered entity."

The HIPAA Security Rule: A Summary can be found on cda.org. HHS has on its website, Guidance on Risk Analysis.

Information technology security with regard to HIPAA requirements is the subject of several guides and reports produced by the National Institute of Standards and Technology (NIST), a federal agency that sets computer security standards for the federal government. One guide, for example, looks at Secure Sockets Layer (SSL) virtual private networks (VPN), and another one reviews transport layer security implementations. A list of its publications is available at hhs.gov.

For more information on HIPAA compliance, visit cda.org/privacy-HIPAA.