Going beyond ‘addressable’ with HIPAA and doing what’s right with data encryption
Many Health Insurance Portability and Accountability Act (HIPAA) covered entities, such as insurance companies, hospitals, and clinics, along with their business associates and subcontractors, have taken steps to address information security risk. Some have a formal information security program with well-established policies, procedures, and technologies that meet HIPAA's requirements. Many others have a less structured security environment that leaves clear and tangible information risks unaddressed. Regardless of where your organization falls on the security maturity spectrum, there's always more to do: more opportunities to lock down protected health information (PHI), improve network visibility, and so on. One aspect of HIPAA where large improvements can be made is the 'addressable' implementation specifications attached to the Security Rule's 18 security standards.
Understanding 'addressable' in the Security Rule
The HIPAA Security Rule is not very prescriptive to begin with. Things become more challenging when a standard's implementation specifications are 'addressable' rather than 'required'. An addressable specification does not have to be implemented as written, as long as the standard it supports is still met and the decision is documented. The specific wording from the HIPAA Security Rule is as follows:
“In meeting standards that contain addressable implementation specifications, a covered entity will ultimately do one of the following: (a) Implement one or more of the addressable implementation specifications; (b) implement one or more alternative security measures; (c) implement a combination of both; or (d) not implement either an addressable implementation specification or an alternative security measure. In all cases, the covered entity must meet the standards…”
Encryption is one of these addressable implementation specifications. It appears under the Access Control standard (encryption and decryption of stored PHI) and again under the Transmission Security standard (encryption of PHI in transit), and there's a lot to be gained from it in terms of security and risk mitigation. Yet many organizations do what they can to avoid it, usually because they incorrectly assume the performance impact will be too great or that it will be too difficult to implement or manage. The two common ways of leaving encryption 'addressed but not implemented' are a) incorrectly concluding that the PHI is not at risk, or b) relying on compensating controls such as physical security, network segmentation, and strong passwords to protect it. Both approaches can create more security challenges than they solve.
When it comes to PHI, details matter
In many cases, when PHI is deemed safe and secure, that simply means the risk assessor hasn't looked hard enough. Perhaps they didn't properly evaluate the threats. Maybe they didn't use good security testing tools to uncover vulnerabilities. Tunnel vision can also lead IT and security pros to assume PHI is not at risk because they're not looking at the bigger picture: all the moving parts and complexities of their operations. The outcome is a finding that PHI is not at risk and therefore that controls such as encryption are unnecessary. This internal justification is a shortsighted view that has gotten many healthcare businesses into a lot of trouble. What must be considered are the risks to PHI that arise when someone finds a loophole or an existing security control fails, including threats and vulnerabilities you're not yet aware of or prepared for. Encryption is not only a strong security control up front; it's also the fallback that still protects the data when everything in front of it has failed.
Where organizations implement compensating controls to avoid having to use encryption, those controls are often inadequate for two main reasons:
- They are often not enforced consistently across the environment, from mobile to cloud and everything in between. This is especially true for password, storage, and endpoint-related controls.
- They can add network and security complexity that ends up negating whatever benefit the compensating controls provide. Any time you take on something new, something else must give, so there are diminishing returns to piling on additional controls. They look good on paper and will, no doubt, keep you busy. But at what cost?
The best path forward
A layered security model is certainly needed for protecting PHI. That means not just protecting it at the login prompt, at the network communication layer, or wherever it happens to be convenient to add a compensating control. It means protecting PHI at every layer: in transit and at rest, across every reasonable mechanism and workflow in the organization. Encryption is a vital component of this approach, and properly done it means authenticated encryption with keys managed separately from the data, so that a copied database file, a lost laptop, or a stolen backup yields nothing usable.
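What 'protecting PHI at rest' looks like at the data layer, as an added example that is not code from the original article or from Thales: each sensitive field is encrypted with AES-256-GCM using the record ID and field name as additional authenticated data (so a ciphertext cannot be silently moved to another patient or field, and any tampering is detected on decrypt), and the per-record data encryption key (DEK) is itself wrapped by a key encryption key (KEK), i.e. envelope encryption. The patient record, identifiers and key material are constructed for the example; the in-memory KEK stands in for a key held in an HSM or cloud KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// gcmSeal encrypts plaintext with AES-256-GCM under key, binding it to aad.
// Output layout is nonce || ciphertext || tag, so it can be stored as one blob.
func gcmSeal(key, aad, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per ciphertext
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal. A modified nonce, ciphertext, tag or AAD yields an
// error, never silently wrong plaintext.
func gcmOpen(key, aad, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// newKey returns a random 256-bit key (a DEK, or the stand-in KEK used below).
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// fieldAAD ties a ciphertext to exactly one record and one field name.
func fieldAAD(recordID, field string) []byte {
	return []byte(recordID + "/" + field)
}

// encryptField protects one PHI field of one record with the record's DEK.
func encryptField(dek []byte, recordID, field string, plaintext []byte) ([]byte, error) {
	return gcmSeal(dek, fieldAAD(recordID, field), plaintext)
}

// decryptField recovers a field; it fails if the blob came from another
// record or field, or was altered at rest.
func decryptField(dek []byte, recordID, field string, sealed []byte) ([]byte, error) {
	return gcmOpen(dek, fieldAAD(recordID, field), sealed)
}

// wrapDEK / unwrapDEK implement the envelope: the DEK is stored beside the
// record only in wrapped form, and the KEK never touches the data store.
func wrapDEK(kek, dek []byte, recordID string) ([]byte, error) {
	return gcmSeal(kek, []byte("dek/"+recordID), dek)
}

func unwrapDEK(kek, wrapped []byte, recordID string) ([]byte, error) {
	return gcmOpen(kek, []byte("dek/"+recordID), wrapped)
}

func main() {
	kek, _ := newKey() // assumption: in production this lives in an HSM/KMS
	dek, _ := newKey()
	const recordID = "pt-1001" // constructed sample patient record
	ssn := []byte("123-45-6789")

	wrapped, _ := wrapDEK(kek, dek, recordID)
	ct, _ := encryptField(dek, recordID, "ssn", ssn)

	unwrapped, _ := unwrapDEK(kek, wrapped, recordID)
	pt, err := decryptField(unwrapped, recordID, "ssn", ct)
	fmt.Printf("legitimate read: %q err=%v\n", pt, err)

	_, err = decryptField(unwrapped, "pt-1002", "ssn", ct) // ciphertext moved to another patient
	fmt.Println("swapped record:", err)

	ct[len(ct)-1] ^= 0x01 // one bit flipped in storage
	_, err = decryptField(unwrapped, recordID, "ssn", ct)
	fmt.Println("tampered blob:", err)
}
```

The AAD is what turns 'the column is encrypted' into a real control: without it, an attacker with write access to the database can copy one patient's encrypted field over another's and the application will happily decrypt it. The wrapped DEK can sit in the same row as the data, because it is useless without the KEK, and rotating the KEK means re-wrapping DEKs rather than re-encrypting every field.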
Encryption also has large compliance payoffs, both in keeping your organization off the regulators' radar and in staying in their good graces when a PHI-related incident does occur. It can minimize your response effort and cost as well: under the Breach Notification Rule, PHI that has been encrypted in line with HHS guidance is not 'unsecured' PHI, so losing a device or backup that holds only properly encrypted data generally does not trigger breach notification. Just because you're not required to implement a particular addressable specification doesn't mean you shouldn't. Nor does it mean that the tangible risks it would have addressed have gone away.
Ultimately, every security decision is a business decision. You not only have to do what's right in the eyes of the law, you also have to do what's best for your business. Determine how your PHI is at risk and whether you need the security benefits encryption provides. Odds are that you do.
Need more information about how to reduce your security risks and protect PHI? Thales has you covered.
About Kevin Beaver
Kevin Beaver is an independent information security consultant, writer, professional speaker, and expert witness with Atlanta-based Principle Logic, LLC. With over 28 years of experience in the industry, Kevin specializes in performing independent security assessments to help his clients uncheck the boxes that keep creating a false sense of security. He has authored or co-authored 12 books on information security, including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he's the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go. Kevin can be reached through his website at www.principlelogic.com, and you can follow him on Twitter at @kevinbeaver.