Protect ePHI, Maintain HIPAA/HITECH Compliance

Encryption and Administrative Controls are Key

HIPAA, the Health Insurance Portability and Accountability Act, and the follow-on HITECH (Health Information Technology for Economic and Clinical Health) Act are, broadly speaking, a set of rules designed to protect the confidentiality and integrity of ePHI, electronic protected health information. Any covered entity (CE: insurance companies, healthcare providers, etc.) is required to take a number of administrative, technical and security measures to protect this important patient data.

Non-compliance can result in civil or criminal penalties that can reach $1.5M per incident per year. In addition to fines, organizations also face the onerous task of notifying the public in the event of a serious data breach and the resulting loss of reputation.

The loss of a large number of ePHI records in a single incident is the biggest risk healthcare providers face. When data is held within major clinical applications, the controls of the application itself usually offer sufficient protection from mass data exfiltration. However, ePHI is commonly exported to, or available in, other systems with far less protection, and that is where the risk of large-scale data loss is significant.

Fortunately, the Safe Harbor provision of the HHS HIPAA rules allows covered entities to avoid breach notification if the data is encrypted to an acceptable standard. Encrypting the data also means it cannot be misused if it gets into the wrong hands.

HyTrust DataControl is a transparent data-at-rest encryption solution that satisfies the Safe Harbor provision. With support for virtual machines running Linux or Windows and centralized key management, DataControl is a simple but effective way to drastically lower the risk of a bulk ePHI data breach.

HyTrust also meets HIPAA/HITECH control requirements on virtual infrastructure. As more and more applications are virtualized, the virtual infrastructure supporting those applications also becomes in scope for HIPAA, and a source of risk. The native controls in solutions such as VMware vSphere are not sufficient to meet HIPAA/HITECH; HyTrust CloudControl provides the most comprehensive audit solution available for the VMware platform:

  • Comprehensive vSphere/vCenter administration controls: two-factor authentication, authorization with segregation of duties, and audit-quality activity and exception reporting;
  • Configuration hardening for vSphere/ESXi, including a pre-defined template for HIPAA compliance.

Finally, a word from the government on encryption:

“…If a covered entity chooses to encrypt protected health information to comply with the Security Rule, does so pursuant to this guidance, and subsequently discovers a breach of that encrypted information, the covered entity will not be required to provide breach notification because the information is not considered ‘unsecured protected health information’ as it has been rendered unusable, unreadable, or indecipherable to unauthorized individuals.”
Breach Notification Interim Final Regulation (74 FR 42740) – August 2009

Solution Briefs

Can You Be HIPAA/HITECH Compliant in the Cloud?

As more organizations virtualize their clinical and ePHI applications, their virtual servers must also be brought into compliance with HIPAA/HITECH. The native capabilities in virtualization platforms such as VMware vSphere are not sufficient to meet all HIPAA/HITECH control requirements.


White Papers

A Practical Guide to HIPAA Compliant Virtualization

Healthcare enterprises have achieved major cost savings, operational benefits, and great ROI from virtualizing lower tier workloads. However, many of these organizations are finding that further data center transformation presents new and daunting challenges.


Presentations

HyTrust Heals Healthcare

Employee negligence, use of public cloud services, malicious insiders, and process failures are the things that keep healthcare CIOs up at night; all of them can be mitigated with strong, auditable user access controls.


Webinar

HIPAA/HITECH Compliance in the Virtual Data Center

Compliance requirements, including HIPAA and HITECH, need not get in the way of virtualization. We explore this further in this informative webinar.
