The Security Scrutinizer with Howard Anderson

Using Incentives to Boost Encryption

Final HITECH Rules Highlight Importance of Data Protection

The two final rules for Stage 2 of the HITECH Act electronic health record incentive program, which were released Aug. 23, don't include firm data encryption mandates (see: HITECH Stage 2 Rules Unveiled). But they come very close indeed, and that's an important step forward.

If encryption were more widely used in healthcare, far less patient information would be breached. A majority of the breaches listed on the federal "wall of shame" tally stem from lost or stolen unencrypted devices or storage media. That means a majority of breaches would have been fairly easy to prevent with encryption, or by not storing patient information on so many devices in the first place.

As I've said earlier, some sort of encryption mandate, at least for mobile devices that store patient information, is merited. But modifying the HIPAA Security Rule to include such a mandate might require pressure from Congress, or so it seems.

In the meantime, it's great to see the value of encryption highlighted in rules for how to qualify for federal financial incentives in Stage 2 of the HITECH program. After all, if the federal government is going to invest billions in electronic health records, it needs to make sure those records are adequately protected.

What the Rules Say

The Stage 2 software certification rule, which sets standards for EHRs that qualify for the incentive program, requires that the software be designed to encrypt, by default, electronic health information stored locally on end-user devices.

The rule points out that an EHR vendor would not have to demonstrate this encryption capability "if the EHR technology is designed to prevent electronic health information from being locally stored on end-user devices after use of EHR technology on those devices stops."

This comes pretty close to an encryption mandate for those hospitals and physician groups using EHR applications certified for the incentive program, and that's welcome news. One practical caveat: encryption of locally stored data only protects a lost or stolen device if the decryption key is not itself recoverable from the device, for example because it is derived from a user passphrase or held in protected hardware and the device was locked or powered off when it went missing. Certification of the software is a necessary step, but providers still have to deploy it with that in mind.

The Stage 2 meaningful use rule, which spells out the steps hospitals and physician groups must take to qualify for further incentives, requires them to conduct a risk assessment - as was required for Stage 1. But the Stage 2 rule specifically requires that the analysis address the encryption/security of data stored in electronic health records.

"We did not propose to change the HIPAA Security Rule requirements, or require any more than is required under HIPAA," an explanation within the rule states. Instead, the rule is designed to emphasize the importance of including in a security risk analysis "an assessment of the reasonable[ness] and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure."

That is essentially what the HIPAA Security Rule already requires: encryption of electronic protected health information is an "addressable" implementation specification, meaning an organization must assess whether it is reasonable and appropriate, and document an equivalent alternative if it decides not to encrypt. But it's worth re-emphasizing, given that so many healthcare organizations apparently aren't compliant.

Modifications to HIPAA are still pending in a long-overdue omnibus package of regulations. But based on what was included in the proposed rule, we don't expect to see an encryption mandate in the final HIPAA modifications rule. So it's good to see regulators point out in the HITECH rule the need to carefully consider encryption of data at rest.

More Action Needed

Because a large number of hospitals and physician groups won't be applying for the HITECH incentives, these new rules won't apply to them. That's why we'd still like to see beefed-up requirements within HIPAA, which applies to all providers.

Meanwhile, it's good to see federal authorities making progress in releasing overdue rules. In addition to releasing the HITECH rules last week, federal authorities published a final rule firming up plans to delay the deadline for the shift to ICD-10 codes for hospital claims by a full year, until Oct. 1, 2014.

We're hopeful the omnibus package, containing HIPAA modifications and a final version of the HIPAA breach notification rule, also is released soon. That's because once all the rules and deadlines are in place, healthcare organizations will be much better prepared to complete detailed compliance plans.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
