How Unvalidated Encryption Threatens Patient Data Security

July 1, 2016 •Ray Potter

HealthcareGraphic2 Originally posted in its entirety at HealthITSecurity.com.

Proper healthcare encryption methods can be greatly beneficial to organizations as they work to improve patient data security.

Technology vendors building solutions for deployment in healthcare love to talk about encryption and how it can help patient data security. It’s the silver bullet that allows physicians and patients alike to embrace new apps and tools. Symptoms may include increased confidence, decreased stress, and a hearty belief in the power of technology.

But what if that encryption was creating a false sense of security? What if the technology wasn’t providing a shield for ePHI at all?

Say goodbye to privacy, say goodbye to HIPAA compliance… and say hello to breach notifications and financial penalties.

Safe Harbor, as outlined by the HITECH Act, provides for the good faith determination of whether ePHI has indeed been exposed when a device with access has been stolen or misplaced.

It is based on the concept that strong encryption, properly deployed, would thwart even a determined attacker with physical access to an authorized device. Thus, even when a laptop or mobile device or external hard drive is lost, the data is considered to be intact and uncompromised inside the device if the data was properly encrypted.

This is a key distinction, and it is the difference between a breach notification (causing a significant hit to the brand and future revenues as well as serious financial penalties) and Safe Harbor (causing a large exhale of relief and a flurry of high-fives).

Click to Tweet: #FIPS140 #encryption: the difference between breach notification & Safe Harbor #HIPAA #Healthcare #Privacy

Here’s the rub – how is strong encryption differentiated from weak encryption for the purposes of HIPAA compliance?

Keep reading at HealthITSecurity.com!

Ray Potter

Ray Potter is the Founder of SafeLogic, which was spun off from his previous venture, the Apex Assurance Group consulting firm. He brings over 20 years of security and compliance experience, including leading teams at Cisco and Ernst & Young, to the operations team at SafeLogic. Ray loves playing guitar and flying airplanes.

CryptoComply• FIPS validation• physician• HITECH Act• PHI• ePHI• HIMSS• Dual EC DRBG• healthIT• health IT• cryptographic module• CMVP• lab• HIPAA• compatible• HHS• health• cryptography• EHR• compliance• doctor• algorithm• HITECH• OCR• CAVP• Safe Harbor• Ray Potter• privacy• FIPS 140• patient• NIST• RapidCert• testing• RSA• Encryption• healthcare• Cybersecurity• federal• SafeLogic

Back to posts

The SafeLogic Blog