HITECH Gives Encryption a Boost
How the technology makes compliance easier (Part one)
For years, healthcare organizations have faced federal requirements to comply with HIPAA privacy and security rules. But those rules had no teeth because they were rarely enforced.
Last year's passage of the HITECH Act toughened the rules, mandated ramped-up enforcement and stiffened penalties for violations. And that means hospitals, physician group practices, health insurers and even their business partners are scrambling to make sure they comply.
Taking action
As a result of the new law, healthcare organizations are:
The ramped-up enforcement of security regulations at both the federal and state levels is proving to be a powerful catalyst for action. The Office of Civil Rights within the U.S. Department of Health and Human Services will start enforcing the breach notification requirements Feb. 22 (See Part 4 in this series).
Part of stimulus package
The Health Information Technology for Economic and Clinical Health Act was included as Title XIII of the American Recovery and Reinvestment Act, which is best known as the federal economic stimulus package.
The HITECH Act toughens the standards originally included in the Health Insurance Portability and Accountability Act of 1996. Most notably, it requires healthcare organizations to notify patients affected by a data security breach within 60 days. They also must notify the Department of Health and Human Services and local news media if the breach involves more than 500 individuals.
Emphasis on encryption
Under the HITECH Act, hospitals, physician group practices, health plans and others that appropriately encrypt electronic health records and other personal healthcare information will not have to report breaches, because the data is presumed to be secure and unreadable. The encryption, however, must meet NIST's Federal Information Processing Standard (FIPS) 140-2.
Security consultant Kate Borten, president of the Marblehead (Mass.) Group, says that more healthcare organizations are beginning to follow the best practice of encrypting all confidential information transmitted over the Internet or wireless networks, as well as encrypting data at rest on portable devices.
But encrypting internal databases, while desirable, remains relatively rare, she says, because of the cost involved as well as perceptions that it can affect the performance of the applications involved.
In fact, a recent survey by the Healthcare Information and Management Systems Society found that only 44 percent of hospitals encrypt data "at rest," that is, data stored in internal databases, notes Lisa Gallagher, senior director for privacy and security at Chicago-based HIMSS.
Vendor inaction
Many healthcare software companies that sell clinical applications do not yet routinely offer encryption of their databases, says Tom Walsh, president of Tom Walsh Consulting LLC, an Overland Park, Kan.-based firm specializing in healthcare data security issues. As a result, many users have to add encryption on their own if they want it.
Some vendors argue that their databases' "proprietary formats" render them secure, the consultant adds. But information stored in those proprietary formats is considered unsecured under the HITECH Act, Walsh stresses.
Encrypting these databases, Walsh argues, is a small price to pay to help ensure security, especially relative to the cost of reporting a security breach.
For example, under HITECH, a hospital has to send out a first-class letter to any patients who might have been affected by a breach. And if 10 of those letters are returned for a bad address, the hospital must then post notification of the breach on its home page and offer a toll-free breach information number for 90 days. "And none of that is cheap," Walsh says.
Encryption strategy
Johns Hopkins Medicine, a Baltimore-based, four-hospital academic medical center, is making widespread use of encryption. But, at least for now, it's stopping short of encrypting all of its large clinical databases, says Stephanie Reel, vice president of information services.
The medical center uses secure e-mail and encrypts mobile devices and USB drives, she notes. "For databases that reside within our secure data center, we have invested less in encryption," she adds. Johns Hopkins, however, is in the early stages of encrypting its most critical databases.
Southwest Washington Medical Center in Vancouver, Wash., is taking most of those same steps and is now assessing whether to encrypt hardware housing its databases, says Christopher Paidhrin, security compliance officer. "The costs are coming down and the performance is going up for this hardware encryption," he notes. "It could be our next layer."
Related regulations
Two other recently released federal regulations also call attention to the value of encryption.
In a separate interim final rule issued late last year, federal regulators spell out standards for certified EHR software. To earn EHR incentive payments from Medicare or Medicaid, hospitals and physicians must implement certified software. The software certification standards require, among other criteria, that the software include encryption capability and offer access controls.
In another proposed rule, federal regulators spelled out requirements for demonstrating "meaningful use" of EHRs to qualify for the incentives. Those requirements include conducting a risk assessment of the software, which could point to the need for encryption.
More than technology
Although encryption can play a key role in keeping data secure, experts stress that technology is just one of many components to a successful data security strategy.
"Make sure your security activities move beyond just compliance to really implementing an active risk management process," says Gallagher of HIMSS.
Part two of this series takes a look at security planning issues.