Protect ePHI, Maintain HIPAA/HITECH Compliance
Encryption and Administrative Controls are Key
HIPAA, the Health Insurance Portability and Accountability Act, and the follow-on HITECH (Health Information Technology for Economic and Clinical Health) Act are, broadly speaking, a set of rules designed to protect the confidentiality and integrity of ePHI, electronic protected health information. Any covered entity (CE: insurance companies, healthcare providers, etc.) is required to take a number of security, administrative and technical steps to protect this patient data.
Non-compliance can result in civil or criminal penalties that can reach $1.5M per incident per year. In addition to fines, organizations also face the onerous task of notifying the public in the event of a serious data breach, and the loss of reputation that follows.
The loss of a large number of ePHI records in a single incident is the biggest risk healthcare providers face. When data is held within major clinical applications, the controls of the application itself usually offer sufficient protection from mass data exfiltration. However, ePHI is commonly exported to, or available in, other systems with far less protection, and that is where the risk of large-scale data loss is significant.
Fortunately, the Safe Harbor provision of the HHS HIPAA rules allows covered entities to avoid breach notification if the data is encrypted to an acceptable standard. Using encryption also means that the data cannot be misused if it gets into the wrong hands.
HyTrust DataControl is a transparent data-at-rest encryption solution that satisfies the Safe Harbor provision. With support for virtual machines running Linux or Windows and centralized key management, DataControl is a simple but effective way to drastically lower the risk of a bulk ePHI data breach.
HyTrust also meets HIPAA/HITECH control requirements on virtual infrastructure. As more and more applications are virtualized, the virtual infrastructure supporting those applications also becomes in scope for HIPAA, and a source of risk. The native controls in solutions such as VMware vSphere are not sufficient to meet HIPAA/HITECH; HyTrust CloudControl provides the most comprehensive audit solution available for the VMware platform:
- Comprehensive vSphere/vCenter administration controls: two-factor authentication, authorization with segmentation of duties, and audit-quality activity and exception reporting;
- Configuration hardening for vSphere/ESXi, including a pre-defined template for HIPAA compliance.
Finally, a word from the government on encryption:
“…If a covered entity chooses to encrypt protected health information to comply with the Security Rule, does so pursuant to this guidance, and subsequently discovers a breach of that encrypted information, the covered entity will not be required to provide breach notification because the information is not considered ‘unsecured protected health information’ as it has been rendered unusable, unreadable, or indecipherable to unauthorized individuals.”
Breach Notification Interim Final Regulation (74 FR 42740) – August 2009