Deploying a HIPAA Compliant Encryption Policy

HIPAA, or the Health Insurance Portability and Accountability Act, presents a fairly robust set of standards and rules that any organization within the United States handling PHI (Personal Health Information) is compelled by law to address.

On the surface, many of HIPAA’s rules appear straightforward, but as I quickly learned while performing a recent AT601 Compliance Attestation, things are not always as they seem.

For example, Section 164.312(a)(2)(iv) Encryption and decryption (Addressable), states:

“Implement a mechanism to encrypt and decrypt electronic protected health information.”

Considering the requirement as stated above, which of the following controls concerning encryption meet HIPAA standards for devices containing ePHI?

  1. All laptops are encrypted using the Operating System’s AES-256 bit native encryption (e.g. Microsoft BitLocker, Apple FileVault).
  2. Remote office file servers are encrypted using TrueCrypt AES-256 bit encryption. A comprehensive EKCM is in place for the safeguarding of all keys and certificates.
  3. All external drives and flash drives employ hardware encryption using AES 256-bit encryption with secure, local key management.

It might surprise you to find out that none of them do!

A Breakdown of HIPAA Encryption Standards

There are several legal reasons why all three of these options fail despite all three being perfectly secure methods of protecting data. Let’s explore each control in further detail.

  • All laptops are encrypted using the Operating System’s AES-256 bit native encryption (e.g. Microsoft BitLocker, Apple FileVault).

This control does not meet HIPAA standards due to the use of native encryption (i.e. encryption that is not centrally managed by a solution such as Active Directory or McAfee ePO). Without a centralized solution, an organization may have difficulty proving that a device containing ePHI was encrypted after it was lost or stolen.

  • Remote office file servers are encrypted using TrueCrypt AES-256 bit encryption. A comprehensive EKCM is in place for the safeguarding of all keys and certificates.

This control fails to meet HIPAA standards due to the use of an encryption product that is out of support. While TrueCrypt is still widely trusted, it does not meet NIST or FIPS requirements due to being out of support.

  • All external drives and flash drives employ hardware encryption using AES 256-bit encryption with secure, local key management.

This control fails to meet HIPAA standards because there is no way to decrypt the device if the key/passcode is lost, since the key only exists locally on the device. The organization could, however, prove the device was encrypted in the event it was lost or stolen, thanks to the use of hardware encryption.

HIPAA Encryption Requirements in Short

In order to avoid a Breach (in the legal sense), an organization must do more than simply encrypt drives and media that contain ePHI. It must also meet certain requirements as directed by HITECH, the HIPAA Omnibus Rule, HHS Safe Harbor Rules and even a NIST and FIPS standard.

In short, an organization’s encryption policy must:

  • Require a strong encryption algorithm
  • Make use of strong passwords (if applicable)
  • Provide for proof of encryption after the device is missing
  • Allow for emergency access to the ePHI.
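As an added example (not code from the original post), the following PowerShell audits one BitLocker volume against the policy points above: a strong cipher, proof of encryption status recorded centrally, and emergency access via a recovery password escrowed to Active Directory. It assumes a domain-joined Windows host with the BitLocker module and an AD DS schema set up to store BitLocker recovery information; the "strong password" point is left to the operating system's PIN policy and is not checked here.

```powershell
# Added example, not from the original post. Assumes a domain-joined Windows host
# with the BitLocker module and AD DS configured for BitLocker recovery escrow.
function Test-EphiVolumeEncryption {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $findings = @()

    # Strong algorithm: the policy above calls for AES-256; 128-bit modes fail.
    if ($vol.EncryptionMethod -notin @('Aes256', 'XtsAes256')) {
        $findings += "Weak or unknown cipher: $($vol.EncryptionMethod)"
    }

    # Encryption must be complete and protection switched on, not merely configured.
    if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
        $findings += "Volume not fully protected: $($vol.VolumeStatus) / $($vol.ProtectionStatus)"
    }

    # Emergency access: a recovery password protector must exist and be escrowed
    # centrally; a key that lives only on the device is the flaw in control 3.
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        $findings += 'No recovery password protector (add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector)'
    } else {
        foreach ($kp in $recovery) {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
    }

    # Proof of encryption after loss: emit a dated record for the central inventory
    # so status can be shown for a device that later goes missing (control 1's flaw).
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        MountPoint   = $MountPoint
        Cipher       = $vol.EncryptionMethod
        Protection   = $vol.ProtectionStatus
        Compliant    = ($findings.Count -eq 0)
        Findings     = ($findings -join '; ')
        CheckedAt    = (Get-Date).ToUniversalTime().ToString('o')
    }
}

# Usage from a scheduled management job; the share path is a placeholder.
Test-EphiVolumeEncryption -MountPoint 'C:' |
    Export-Csv -Path '\\SERVER\share\bitlocker-audit.csv' -Append -NoTypeInformation
```

A volume that reports Compliant = False in the inventory is the signal to remediate before the device ever leaves the building, since the record is what an investigator will ask for after a loss.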

2 thoughts on “Deploying a HIPAA Compliant Encryption Policy”

  • Shane,
    Back when I was doing HIPAA projects, I always heard the best way to manage many HIPAA requirements was to segregate servers that dealt with credit cards and the resulting transactions on a separate network.

    I have never seen a Fortune 500 company segment servers like that, and never smaller companies. It is one of those things that creates as many challenges as it solves. Good to do when you first start taking credit cards.

    Does encrypting a server have the same effect? I can’t imagine that it does….

    • Mack,
      In my opinion and experience you’re right- always segregate networks with any kind of sensitive info (ePHI, PCI, PII, etc). This way you can scope down the extra safeguards needed to secure the network and more closely control logical access.

      I think hard disk (or full disk) encryption of the systems that contain sensitive info is mitigating a different risk: the risk of losing files or databases to an outsider. It doesn’t help if the threat is already within the network and gained access.
