Encryption- or the lack of it- has been at the center of security concerns both within and outside of the tech world for years. But it was the recent debate between Apple and the FBI brought the encryption conversation to a public stage. Although opinions differ on the topic of encryption, there is a big obstacle to this conversation: many people don’t truly understand encryption, or how it impacts them on both a personal and professional level. With each new app or product developed, there comes added security threats and more opportunities for hackers to steal personal information from unexpecting end users.
Before understanding the benefits of encryption it’s important to first take a closer look at what encryption means, and understand that “encryption” has differentiated forms. Let’s take a closer look at what encryption is and what the most advanced encryption standards offer today.
What is encryption?
Encryption is essentially technology that scrambles data- such as a simple message or image- into an undecipherable, “encrypted” format. After the data is encrypted, the only people who can make sense of the data and decrypt it are those that know the specific key to unlock it.
The most popular standard for encryption today is AES, the advanced encryption standard. Encryptions under the AES have keys of 128, 192, and 256 bits in length, and the longer the bit length is, the harder the encryption key is to crack. It is for this reason that currently 256-bit encryption is the most advanced key out there, and it is so hard to crack that it would take even a modern supercomputer hundreds of billions of years to get the code through brute force.
Encryption of Healthcare Data
HIPAA encryption “requirements” were addressed with the updated HIPAA Security Rule in 2013, but they refer to encryption as an addressable, not required, standard which leads to confusion. They note recommendations for patient data in motion and at rest with the following,
“The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. For example, a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.”
Essentially, this means that if a healthcare organization are facing a HIPAA audit and have chosen not to implement advanced encryption for some reason, they will need an incredibly thorough explanation to justify the decision not to encrypt the data. With the increasing number of attacks on healthcare organizations, reasons not to implement will become increasingly hard to cite.
That is why healthcare organizations need to make sure that they are being proactive about their encryption decisions. Electronic patient health information (ePHI) is some of the most private and sought after information for hackers, it needs to be protected by the highest encryption levels. Organizations that ignore this necessity are not only putting their patients confidential information at a high risk, but they also creating future obstacles for themselves in the event of a HIPAA audit.
The important conclusion for healthcare organizations, and any organization that deals with confidential information, is that encryption is critical. They must take measures to ensure both their own programs, and any other apps and softwares being utilized by employees, are encrypted. The potential risks imposed by hackers will only increase, and it is the responsibility of company leaders, and the SaaS programs they depend on, to be proactive about encryption policies before it’s too late.
To ensure security and HIPAA compliance Lua keeps data protected and fully encrypted at all stages, . Read our recent blog, 4 Ways to Ensure Patient Privacy, to learn more ways to keep your patients and your staff safe and compliant.