Achieving Safe Harbor in Healthcare - Episode 3

Welcome back! If you need to catch up, please see Episode 1 and Episode 2.

Yesterday, we established that our interest in the HITECH Breach Notification for Unsecured Protected Health Information; Interim Final Rule was limited to part (a), which refers to the cryptographic protection of actively-accessed PHI. We discarded part (b) for our purposes, because it only covers devices that have been decommissioned. For your reference, here is the passage again:

Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies:

(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by ‘‘the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key’’ and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.

(i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800–111, Guide to Storage Encryption Technologies for End User Devices.

(ii) Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800–52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800– 77, Guide to IPsec VPNs; or 800–113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140–2 validated.

Moving forward! Within part (a), the Interim Final Rule refers to NIST for judgment and testing in two categories: data at rest and data in motion.

First, part (i) for data at rest, refers to NIST Special Publication 800–111, Guide to Storage Encryption Technologies for End User Devices. Yes, NIST governs this category (spoiler alert - they govern them all!) so expect more cross-referencing. In this case, to another Special Publication.

Organizations should select and deploy the necessary controls based on FIPS 199’s categories for the potential impact of a security breach involving a particular system and NIST Special Publication 800-53’s recommendations for minimum management, operational, and technical security controls.

FIPS Publication 199 dates back to 2004, but is still widely used. It's a relatively short document and is a reference guide provided by NIST to assist with control classifications. 800-111 explains further.

Organizations should select and deploy the necessary security controls based on existing guidelines. Federal Information Processing Standards (FIPS) 199 establishes three security categories - low, moderate, and high - based on the potential impact of a security breach involving a particular system. NIST SP 800-53 provides recommendations for minimum management, operational, and technical security controls for information systems based on the FIPS 199 impact categories. The recommendations in NIST SP 800-53 should be helpful to organizations in identifying controls that are needed to protect end user devices, which should be used in addition to the specific recommendations for storage encryption listed in this document.

So depending on the FIPS 199 classifications, you should consult NIST Special Publication 800-53 and act accordingly.  This is even more confusing, because 800-53 is a catalog-style document used to map controls from a variety of other Special Publications, so it does not have breadcrumbs to lead us directly from Interim Final Rule to Safe Harbor. Luckily, SafeLogic's whitepaper on HIPAA security controls covers this exact topic. Rest assured, NIST connects every encryption requirement back to their own standard which they certify - FIPS 140-2. Go ahead and download the whitepaper and review at your leisure. Regardless of the FIPS 199 classification, SP 800-53 is satisfied by deploying FIPS 140-2 encryption. In the interest of space and time, I will not rehash all of the controls, but it's all in the whitepaper.

Part (ii) is for data in motion and is subdivided into four categories as applicable: TLS, IPsec VPN, SSL VPN, or else the catch-all "others", which goes straight to - yes, you guessed it - FIPS 140-2. Have I already mentioned that NIST wants everyone to use FIPS 140-2 validated encryption? It's almost like NIST is promoting the use of their own standard...

These categories will be covered tomorrow, with excerpts from the referenced NIST Special Publications, in the final episode. Kudos if you're still with me!