Are Organizations Really Protecting Cloud Data?

HIPAA’s unclear stance on Data Encryption

October 1, 2017

For the past few years, cloud security has become a topic of increasing attention and relevance as consumers find themselves concerned over the safety of their personal information. Recently, HyTrust Inc., a leading security firm, announced the results of a survey conducted to analyze how healthcare and biotech organizations protect the data they store in the cloud.

If the security of cloud data is a top concern, why aren't all organizations taking initiatives towards proper storage?

HIPAA regulations dictate that health information stored electronically must be protected, meaning it cannot be linked to a specific individual. Protected health information falls into three categories:

HIPAA Protected Health Information guidance isn't clearly addressing the issue of encryption.

Any information of this type becomes electronic protected health information (ePHI) if it carries an identifier that ties it back to an individual. There are 18 types of identifiers: some are obvious, such as name, address, or social security number; some less so, like a health plan beneficiary number, a vehicle serial number, the identifiers of your electronic devices, even a voice print.

In October 2016, the Department of Health and Human Services released updated HIPAA cloud computing guidance. In doing so, their goal was to help covered entities, business associates, and cloud service providers understand their HIPAA obligation to protect ePHI.

The guidance provides a complex Q & A including

  • the relationship of cloud service providers to covered entities and business associates
  • storage protocols
  • encryption/decryption practices
  • reporting of security incidents
  • the use of mobile devices to access ePHI

HIPAA regulations do not specifically require data encryption for ePHI; instead, encryption is classified as an "addressable" aspect of ensuring that ePHI is protected. However, encryption is clearly integral to compliance with HIPAA’s Security Rule, which states that ePHI must not be available to those unauthorized to have it.

The HHS guidance states that while encryption alone “cannot adequately safeguard the confidentiality, integrity, and availability of ePHI as required by the Security Rule,” it does protect ePHI by “significantly reducing the risk of the information being viewed by unauthorized persons.”

As a best practice, healthcare organizations should regularly review their safeguards and procedures to ensure that ePHI is secure and that encryption is in place.

Written By:

Imran Deshmukh
Chief Technology Officer
