Why DD Organizations Must Encrypt Their Data & Devices

In 2018 the Department of Health and Human Services’ Office for Civil Rights announced a HIPAA financial penalty of $4.34 million. This civil monetary penalty is the fourth largest HIPAA penalty ever issued. This was all because the covered entity didn’t encrypt their devices and data.

What Is The Risk Of Not Encrypting?

The University of Texas MD Anderson Cancer Center (MD Anderson) had 3 data breaches that resulted in the exposure of 34,883 patients’ electronic protected health information (ePHI).

  1. A laptop computer was stolen from the home of a physician. The laptop wasn’t encrypted or protected with a password and contained the ePHI of 29,021 individuals.
  2. A summer intern lost a zip drive that contained ePHI of 2,264 patients. Once again, the device wasn’t encrypted nor was it protected with a password.
  3. A visiting researcher lost an unencrypted and non-password protected zip drive containing the ePHI of 3,598 patients.

On a number of occasions, MD Anderson identified the risk to their ePHI, yet failed to implement encryption on all of their devices. OCR investigated the breaches and determined that MD Anderson had failed to comply with multiple HIPAA requirements.

If I Don’t Encrypt, Could I Violate HIPAA Security Rules?

While encryption isn’t mandatory, if you don’t encrypt ePHI, you’re setting up your Developmental Disabilities Organization for a HIPAA violation. The penalty of a HIPAA violation is a minimum of $1,000 per violation and up to a maximum of $1.5 million per calendar year.

The HIPAA Security Rule offers a framework to protect ePHI. HIPAA regulations mandate that any personal identifiers in written, verbal or electronic form be protected.

The Security Rule was written to be flexible so that it applies to healthcare organizations of all kinds and sizes. Its specifications fall under two categories: Required and Addressable. The Addressable category is sometimes mistaken for optional – it’s not.

The US Department of Health & Human Services says:

“a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.”

For your DD Organization to achieve HIPAA compliance, you must comply with everything in the Security Rule, including the way you handle electronic health information. This means adhering to its rule for Transmission Security – guarding against unauthorized ePHI access when data is transmitted over an electronic communications network or when it’s stored.

If I Don’t Encrypt, Could Both My Data and Devices Violate HIPAA Requirements?

There are many DD Organizations in Ohio that aren’t 100 percent compliant. Because HIPAA classifies encryption as “addressable” (meaning you must implement it if doing so is reasonable and appropriate), some believe it isn’t required – it is. Encrypting your data is both reasonable and appropriate.

Ask your IT Service Provider about the best ways to encrypt your data. You must encrypt it both in transit and at rest. Encryption is an effective way to protect your data and emails from intruders: it uses a cryptographic algorithm and a key to transform information so that only someone holding the key can read it.

Cloud storage encryption ensures that documents are stored safely so that only authorized users can decrypt them. And when your IT provider encrypts your devices, intruders won’t be able to access your ePHI without the key. Even if your data or device is intercepted by cyber thieves, they won’t be able to read it. By practicing secure encryption key management, your IT service company can ensure that only authorized users have access to your sensitive data.

If you don’t encrypt and you lose a laptop that contains ePHI, or one is stolen, you’ll be out of compliance. If the data AND device are encrypted and they’re lost, you won’t have to report this to the authorities or to your clients. And remember that your IT provider can deploy Mobile Device Management to wipe the data from a lost device. They can also direct you to new laptops that automatically self-encrypt when you turn them off or close the lid.

Don’t Want To Take Chances? Encrypt Your Data & Devices

Contact GO Concepts for advice and help to encrypt your data and devices.

For Microsoft Windows computers, we use BitLocker, a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista.

BitLocker protects data by providing encryption for entire volumes. By default, it uses the AES encryption algorithm in cipher block chaining (CBC) or XTS mode with a 128-bit or 256-bit key. It provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.

For Mac OS computers, we use FileVault. FileVault full-disk encryption (FileVault 2) uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk.

We will encrypt all of your supported hardware, both desktops and laptops, and we monitor to ensure it is implemented. Encryption is often deployed only on laptops, but our standard practice is to deploy encryption wherever we can. The deployment has minimal impact on your workflows and provides additional layers of protection. There’s no reason not to implement encryption on all of your devices.
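As an added example (not GO Concepts’ own tooling), the PowerShell check below reports whether each BitLocker volume on a Windows machine matches the posture described in the BitLocker paragraph above: fully encrypted with protection on, an AES-CBC or XTS-AES cipher with a 128- or 256-bit key, and a TPM of version 1.2 or later sealing the operating-system volume. The requirement for an escrowed recovery password is an added assumption; run it from an elevated prompt, since the TPM WMI class needs administrator rights.

```powershell
# Added example: monitoring check for the BitLocker posture described in the article.
# Requires the BitLocker PowerShell module and an elevated prompt.
function Get-BitLockerPosture {
    [CmdletBinding()]
    param()

    # TPM 1.2 or later is what the article calls for. Win32_Tpm.SpecVersion is a
    # string such as "2.0, 0, 1.38"; the first field is the specification family.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = 0.0
    if ($tpm -and $tpm.SpecVersion) {
        $tpmSpec = [double](($tpm.SpecVersion -split ',')[0].Trim())
    }
    $tpmOk = [bool]$tpm -and $tpm.IsEnabled_InitialValue -and ($tpmSpec -ge 1.2)

    # Ciphers named in the article: AES in CBC or XTS mode, 128- or 256-bit key.
    $acceptedCiphers = 'Aes128', 'Aes256', 'XtsAes128', 'XtsAes256'

    # Attached removable (BitLocker To Go) volumes are reported as well.
    foreach ($vol in Get-BitLockerVolume) {
        $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $encrypted  = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')
        $cipherOk   = $acceptedCiphers -contains $vol.EncryptionMethod.ToString()
        # The OS volume should be sealed to the TPM (Tpm, TpmPin, TpmStartupKey, ...);
        # data volumes are normally auto-unlocked from the OS volume instead.
        $tpmBound   = ($vol.VolumeType -ne 'OperatingSystem') -or [bool]($protectors -match '^Tpm')
        # Assumption added here: a recovery password must exist so a lost PIN is not lost data.
        $hasRecovery = $protectors -contains 'RecoveryPassword'

        [pscustomobject]@{
            Volume     = $vol.MountPoint
            Type       = $vol.VolumeType.ToString()
            Encrypted  = $encrypted
            Cipher     = $vol.EncryptionMethod.ToString()
            CipherOk   = $cipherOk
            Protectors = ($protectors -join ',')
            TpmOk      = $tpmOk
            Compliant  = $encrypted -and $cipherOk -and $tpmBound -and $hasRecovery -and $tpmOk
        }
    }
}

# One row per volume; a $false in the Compliant column is what monitoring should alert on.
Get-BitLockerPosture | Format-Table -AutoSize
```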

GO Concepts has been providing managed information technology services for Ohio County Boards of Developmental Disabilities since 2013 and consulting to numerous other governmental subdivisions since 1997.

You can reach us at: (513) 934-2800 OPTION 3, sales@ITforDD.com or on the Web.