Part of the proposed requirements for Meaningful Use Stage 2 addresses encrypting data at rest. Let's take a look at the exact wording:
conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process.
Many of you may read that statement and have no idea what it actually means. Don't feel bad; I am sure you are not alone. Let's dive into that paragraph and shine more light on the subject.
By now HIPAA and encryption are synonymous. One of the best ways to protect patient information is to encrypt the data. According to Wikipedia:
In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext). The reverse process, i.e., to make the encrypted information readable again, is referred to as decryption (i.e., to make it unencrypted).
So data that is encrypted cannot be read without the encryption key or password. Even better, encrypted data is a safe harbor under the HIPAA regulations: encrypted data is not subject to the breach notification requirements that apply to unencrypted data.
Now that we have cleared up any confusion over data encryption, let's look at what data at rest means. Simply put, data at rest is data that is not in motion. Data in motion (data that is not at rest) is data that is being transmitted. That includes uploading to or downloading from a website, sending data by email, transferring data with protocols such as FTP, and so on.
Data at rest is data that is not being transmitted, so it includes data sitting on a file server, data stored in a spreadsheet on a desktop or laptop, ultrasound images on the hard drive of the ultrasound machine, and files or images on an iPad, tablet or smartphone. You may be saying to yourself that data at rest includes almost all patient data, and you would be correct.
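Because almost every drive in a practice holds data at rest, the first practical step is an inventory of which mounted volumes are actually sitting on an encrypted container and which are not. The following script is an added example written for this post (it is not code from the original article or from any encryption vendor). It parses the key="value" output of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` on a Linux machine and reports every mounted volume that has no dm-crypt/LUKS layer anywhere beneath it. The sample `lsblk` output embedded below is constructed for the demonstration, and the function names are my own.

```python
import shlex
import subprocess

# Constructed sample of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME`
# output: an encrypted root on LUKS, a plain EFI partition, and an
# unencrypted NTFS volume holding images. Not captured from a real host.
SAMPLE_LSBLK = """\
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="sda2"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" FSTYPE="ntfs" MOUNTPOINT="/mnt/ultrasound images" PKNAME="sdb"
NAME="sdb2" TYPE="part" FSTYPE="swap" MOUNTPOINT="[SWAP]" PKNAME="sdb"
"""

LSBLK_COLUMNS = "NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME"


def parse_lsblk_pairs(output):
    """Turn `lsblk -P` output (one KEY="value" record per line) into dicts.

    shlex handles the double quotes, so mount points with spaces survive.
    """
    records = []
    for line in output.splitlines():
        if not line.strip():
            continue
        fields = {}
        for token in shlex.split(line):
            key, _, value = token.partition("=")
            fields[key] = value
        records.append(fields)
    return records


def unencrypted_mounts(output, ignore_mountpoints=("[SWAP]",)):
    """Return sorted (device, mountpoint) pairs for mounted volumes that do
    not sit on a dm-crypt ("crypt") device or a LUKS container.

    A volume counts as encrypted if it, or any ancestor reached through
    PKNAME, is a crypt device or carries the crypto_LUKS signature.
    """
    records = parse_lsblk_pairs(output)
    by_name = {r["NAME"]: r for r in records}

    def is_encrypted(rec):
        seen = set()  # guard against malformed parent chains
        while rec is not None and rec["NAME"] not in seen:
            seen.add(rec["NAME"])
            if rec.get("TYPE") == "crypt" or rec.get("FSTYPE") == "crypto_LUKS":
                return True
            rec = by_name.get(rec.get("PKNAME", ""))
        return False

    findings = []
    for rec in records:
        mountpoint = rec.get("MOUNTPOINT", "")
        if not mountpoint or mountpoint in ignore_mountpoints:
            continue
        if not is_encrypted(rec):
            findings.append((rec["NAME"], mountpoint))
    return sorted(findings)


def collect_lsblk():
    """Run lsblk on this host; fall back to the constructed sample if the
    command is unavailable (for example on a non-Linux machine)."""
    try:
        result = subprocess.run(
            ["lsblk", "-P", "-o", LSBLK_COLUMNS],
            capture_output=True, text=True, check=True,
        )
        return result.stdout
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_LSBLK


if __name__ == "__main__":
    for device, mountpoint in unencrypted_mounts(collect_lsblk()):
        print(f"UNENCRYPTED: {device} mounted at {mountpoint}")
```

On the sample data the script flags `sda1` (`/boot/efi`) and `sdb1` (`/mnt/ultrasound images`) and accepts the root filesystem, because `cryptroot` is a `crypt` device stacked on the LUKS partition `sda2`. The EFI partition is expected to be unencrypted and normally holds no patient data, so a real audit would add it to an allow list; the point of the check is the image volume, which is exactly the kind of data at rest the post describes. This covers Linux only; the equivalent questions on Windows and macOS are answered by `manage-bde -status` and `fdesetup status` respectively.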
There are many software packages and services to encrypt data. Some of the packages are free, others cost around $5/month per machine, and others cost a lot more. The free encryption packages usually require IT skills to set up and install. Some of the other encryption packages are provided via a monthly subscription and are installed on your hardware (desktops, laptops, servers, tablets and smartphones) remotely. If you have 20 desktops and 5 laptops and the encryption service costs $5 per machine per month, then you are looking at $125/month to encrypt the data at rest on your desktops and laptops. As you can see, encrypting data at rest is not only affordable but it is the right thing to do to protect patient information. And if you are not ready to encrypt all your desktops, then focus on the higher-risk laptops, which can easily be lost or stolen. Encrypting 5 laptops would cost $25/month.
Encrypting data at rest could save you money, regulatory fines and lost patients. And if you are responsible for protecting patient information, it may just save your job.