![]() A more efficient way to determine which programs are appropriate is to consult online sites that review encryption software for a variety of different devices. Simple internet searches will turn up dozens-if not hundreds- of those programs. Once you determine which devices need protection, you are then in a position to explore the range of programs and applications that are available for professionals and consumers. Do you have protected health information on your computer at the office? A laptop or tablet? On your smartphone? On a home device? Please note that even portable devices that only have client names or contact information are subject to the HIPAA Privacy, Security and Breach Notification rules in the same way as is more detailed information on computers or tablets. The first step is to consider which devices you are using for professional purposes. Thus, when professionals are seeking to employ encryption, they should look for assurances that this standard has been met. The standard for encryption of protected health information has been set by HIPAA’s BNR (128 bit encryption is the minimum). Though it is not a perfect solution1, it is an increasingly widely accepted method for the protection of digital information. ![]() ![]() Encryption, however, makes the information almost impossible to comprehend even if the password is bypassed. Though passwords can limit access to information by unsophisticated users, hackers can easily get around those passwords and gain access to the information in a device. ![]() It offers a much higher level of protection than passwords. Only recently has it become more publicly available, and in a form that is significantly easier to use. It has been used for thousands of years to protect trade, military, and other secrets (Schneier, 1996). Only people who have a key-usually a string of alphanumeric symbols that permit the coded information to be translated back into meaningful form-can read the document (Taube 2013). In other words, encryption translates meaningful information into a hidden form or code. Encryption is the ‘scrambling’ or camouflaging of information-such as progress notes or names and diagnoses-by changing it into a form that cannot be understood by others. Defining encryptionīefore we make those recommendations, though, a brief explanation of encryption is useful. As you will see below, we have some suggestions for professionals who previously used Truecrypt, or who are seeking to begin using encryption software for the first time. Although there is some disagreement about how quickly users should transition away from Truecrypt, we recommend that Truecrypt users transition as soon as it is feasible to do so. As a result, we no longer recommend its use. Truecrypt’s website (2014), however, announced that its security may have been compromised, and the program is no longer being supported. In the past, we suggested using Truecrypt for encrypting hard drives and other computer devices (such as external drives, and flash, thumb, and key drives). This is one of the main reasons that The Trust Risk Management Team had recommended the use of encryption over the past few years. The reason is that encryption, when used correctly, can offer a fairly high level of protection for protected health information. Put another way, if professionals adequately encrypt their protected health information on digital devices, and those devices get lost, stolen, or hacked, professionals are not required under the BNR to notify clients or report to the U.S. Though these regulations do not require such use, it exempts protected healthcare information that is encrypted, at a sufficient level, from its requirements for notification of breaches. The BNR is structured in such a way as to strongly encourage healthcare professionals to use encryption. One response to these breaches in the healthcare arena has been the addition of the Breach Notification Rule (BNR DHHS, 2013 HITECH Act, 2009) as a component of HIPAA (2003, 2013). Unofficial reports of breaches of private healthcare, financial, and business information have reached over 11.5 billion records in the past 14 years (Privacy Rights Clearinghouse, 2019). The Breach Notification Rule and Encryption
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |