A PRACTICAL GUIDE TO USING ENCRYPTION FOR REDUCING HIPAA DATA BREACH RISK




Chris Apgar and Andy Nieto, 2015

OVERVIEW
- How to get started assessing your risk
- What your options are: how to protect PHI
- What's the budget?
- Balancing the need to encrypt with getting work done
- Maintaining ease of use and efficient workflow
- Mobile devices and encryption
- Q&A

HOW TO GET STARTED ASSESSING YOUR RISK
- Encryption decision making starts with knowing your risk aversion level
- Risk determinations are not made in a vacuum; you need to look at the whole environment
- A risk analysis is a great place to start
- Remember that Meaningful Use (MU) Stage 2 requires assessing risks to data at rest (stored data)

HOW TO GET STARTED ASSESSING YOUR RISK
- Yes, the HIPAA Security Rule lists encryption (at rest and in transit) as an addressable implementation specification
- On the other hand, OCR is fining entities for lost unencrypted laptops, and OCR emphasized the need for encryption in the 2014 HIPAA/CLIA Rule
- Don't just focus on compliance/regulatory risks
- It is important to know where data is and where it's going

HOW TO GET STARTED ASSESSING YOUR RISK
- Start with a sound infrastructure, including:
  » Policies and procedures
  » Role-based access control
  » Workforce training
  » Audit controls
  » Incident response planning (including breach response)
  » Contingency planning
  » And so forth

HOW TO GET STARTED ASSESSING YOUR RISK
- Make a detailed compliance project/risk assessment plan
- Don't assume you know where your data is
- Key risks: how can data walk out the front door?
- Do you know who your vendors are? Are they an even bigger risk?

HOW TO GET STARTED ASSESSING YOUR RISK
- A good place to start: your desktops and mobile devices
- Mobile devices and portable media represent one of the highest risks to healthcare organizations today
- Risk to reputation, risk of lost business, risk of legal action and risk of a visit from OCR

HOW TO GET STARTED ASSESSING YOUR RISK
- Next place to look: transmission of PHI and other sensitive data
- Unencrypted email may result in interception and breach
- Poorly secured "secure" websites may lead to unauthorized access
- Use of secure transport is a must for HIPAA transactions, large files that can't be emailed and so forth
- Just password protecting does not work

WHAT YOUR OPTIONS ARE: HOW TO PROTECT PHI
- When looking for a vendor, keep in mind the NIST encryption standards
- Secure email solutions are affordable and effective
- Some support large file transfer solutions
- Costs range from less than $100 per user per year to well over $100,000 to implement
- Assess the solution that works for you and implement it!

WHAT YOUR OPTIONS ARE: HOW TO PROTECT PHI
- Mobile device and portable media encryption:
  » Pre-boot encryption for laptops
  » Encrypted USB drives
  » Tablets and smartphones: Apple devices are natively encrypted but need a strong passcode; on Android and Windows you need to turn on encryption
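One way to verify the laptop item above on a Windows fleet, added here as an example and not part of the original presentation: a PowerShell inventory of BitLocker state that flags volumes that are not fully encrypted, have protection suspended, use a weaker cipher than the assumed policy, or (for the operating-system volume) lack a pre-boot authentication protector. It assumes the BitLocker PowerShell module is present and the session is elevated; the 'XtsAes256' minimum is a constructed policy value, not something from the slides.

```powershell
# Added example: inventory BitLocker state on a Windows laptop and flag gaps.
# Run in an elevated PowerShell session on a machine with the BitLocker module.
# The required cipher below is an assumed organisational policy, not from the slides.
$RequiredMethod = 'XtsAes256'

$findings = @()
foreach ($vol in Get-BitLockerVolume) {
    $mp = $vol.MountPoint
    $protectors = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "${mp}: not fully encrypted ($($vol.VolumeStatus), $($vol.EncryptionPercentage)%)"
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "${mp}: protection is $($vol.ProtectionStatus) (suspended or never enabled)"
    }
    if ($vol.VolumeStatus -eq 'FullyEncrypted' -and "$($vol.EncryptionMethod)" -ne $RequiredMethod) {
        $findings += "${mp}: encryption method $($vol.EncryptionMethod) is below required $RequiredMethod"
    }
    # Pre-boot authentication: the OS volume should need a PIN or startup key,
    # not unlock silently with the TPM alone (a stolen laptop boots straight to login).
    $preBoot = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    if ("$($vol.VolumeType)" -eq 'OperatingSystem' -and
        -not ($protectors | Where-Object { $preBoot -contains $_ })) {
        $findings += "${mp}: no pre-boot authentication protector (found: $($protectors -join ', '))"
    }
    # A recovery password protector is what allows escrow (AD/Azure AD) and recovery.
    if (-not ($protectors -contains 'RecoveryPassword')) {
        $findings += "${mp}: no recovery password protector; key escrow and recovery not possible"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'All BitLocker volumes meet the assumed policy.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from a management tool or logon script and collect the FINDING lines centrally so that "it should be encrypted" becomes a measured state rather than an assumption.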

WHAT YOUR OPTIONS ARE: HOW TO PROTECT PHI
- Large file transfer
- Dedicated transmission of HIPAA covered transactions
- Secure file transfer protocol (SFTP)
- Use cloud vendors for data sharing (e.g., Box, ShareFile, etc.)
- Direct project, HIEs and secure transmission between EHRs

WHAT YOUR OPTIONS ARE: HOW TO PROTECT PHI
- Secure web portals, including patient portals
- Most secure websites use Secure Sockets Layer (SSL) for encryption
- SSL is no longer an accepted NIST standard
- Where feasible, use Transport Layer Security (TLS)
- Keep in mind that many websites do not support TLS

WHAT YOUR OPTIONS ARE: HOW TO PROTECT PHI
- Does it always need to be encrypted? Not necessarily
- Determine what compensating security controls are present
- If data is stored in a secure data center or other secure facility, it may not need to be encrypted
- Balance response time with security of data

For Discussion Today
- What's the budget?
- Using encryption appropriately

What's the budget
(Infographic slides. Source: Infographic from Shred-it. Data from Ponemon Institute 2010 Benchmark Study on Patient Privacy and Data Security)

Role of budgeting security
(Diagram slide balancing Prevention, Vigilance and Training against Ease of Use, Cost, Security and Functionality)

Using encryption appropriately
- Engaging in the workflow is imperative. If you don't use it, it does not matter.

Using encryption appropriately
- Look for opportunities to increase security and efficiency
  » Replacing fax machines with Direct
  » Replacing couriers with encrypted email
  » Get actionable data, not a picture of the data
- Leverage technology to improve workflow and ensure privacy and security

Efficient workflow in action using Direct
(Diagram slide)

Using encryption appropriately
- Protecting PHI is not the end game
- Protecting information, efficient information flow and getting actionable information is the goal

MAINTAINING EASE OF USE AND EFFICIENT WORKFLOW
- If it's not easy, it won't get used
- Select tools that support your organization's work environment
- Know your data transfer points: where data enters and leaves your organization
- Look for solutions that are in your budget, secure those transfer points and will actually be used by your workforce

MAINTAINING EASE OF USE AND EFFICIENT WORKFLOW
- Ask the question: will the solution work within the current work environment (e.g., within your EHR, within Microsoft Outlook, etc.)?
- Training is crucial: if they don't know how to use it, or even know it's there, it won't happen
- You need to enforce it: proper sanctions need to be realistic, or can your solution support policy enforcement?

MOBILE DEVICES AND ENCRYPTION
- In 2014 Concentra agreed to pay OCR $1,725,220 following the theft of an unencrypted laptop
- Also in 2014 QCA agreed to a $250,000 settlement for the same reason
- In February 2014 the HIPAA/Clinical Laboratory Improvements Amendments (CLIA) rule was finalized
- The preamble to the rule included an edict: you need to encrypt

MOBILE DEVICES AND ENCRYPTION
- The myth: encrypting laptops will slow everything down. It all depends on the solution
- Tablets and smartphones are easy to encrypt, may come encrypted, and encryption is included at no cost (not necessarily true for older mobile devices)
- If it can be easily carried out the door, it should be encrypted

Mobile devices: some stats
- 64% of physicians use email on a smartphone [1]
- 30% of physicians email patients [1]
- 80% of physicians use smartphones for work [1]
- 93% of adults would choose a doctor who will email them [2]
- 85% of hospitals allow clinicians and staff to connect personal devices to the hospital network [3]
- 69% view patient info on mobile [3]
- 96% of physicians use a smartphone as the primary device to support clinical communications [4]

Sources:
1. Kantar Media Sources & Interactions Study, September 2014, Medical/Surgical edition
2. Catalyst Healthcare Research Study, May 2014, "What's Reasonable?"
3. Caradigm Infographic, http://www.caradigm.com/en-us/resources/#privacybreachesthreatenhealthcareorganizations
4. Point of Care Communications for Physicians 2014, Spyglass Consulting Group

Mobile Devices and Encryption
- Communication on mobile devices is here and growing
- A BYOD policy is a must-have
- Encrypt data in motion
  » Email
  » Text messaging

Questions?
Andy Nieto, Health IT Strategist, DataMotion, 973-532-5718, AndyN@datamotion.com
Chris Apgar, CISSP, CEO & President, Apgar & Associates, capgar@apgarandassoc.com, 503-384-2538