Protecting PHI – Business & Technical Challenges

How To Protect PHI?
Loss of Brand Equity

The US Health insurance Portability and Accountability Act or (HIPAA) was passed in 1996 and Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in 2009 as part of American Recovery and Reinvestment Act(ARRA). The HIPAA legislation requires that covered entities implement technical safeguards to protect all electronic Personal Healthcare Information or PHI whereas the HITECH Act mandates that a successful breach of “unprotected” ePHI must be publicly disclosed. Furthermore, the HIPAA Omnibus Rule holds business associates liable for non-compliance. Here are some of the main challenges associated with protecting PHI.

Business Challenges

How to protect PHI against cyber threats and insider attacks?
According to recent reports over $1B in revenue is attributable to ransomware in 2016. 25% of healthcare entities utilizing the public cloud are not encrypting their data. 38% of those surveyed have data spread across multi-cloud environments. Approximately 50% of enterprises have experienced at least 1 breach while exchanging files with their partner in last 2 years. At the same time the HIPAA Act requires covered entities to provide a public notification upon discovery of a breach of their unsecured electronic Patient Health Information involving more than 500 records. Loss of PHI can result in significant erosion in brand equity. Given these dire consequences of a successful breach covered entities are faced with a fundamental question when it comes data security – how to protect regulated data and how to regulate access to it. Even if you are using a HIPAA compliant cloud provider the ultimate responsibility of securing your PHI lies with you.

How to meet security and compliance requirements?
The HIPAA Security Rule applies to electronic Protected Health Information (PHI). The covered entity is defined as an entity who creates or receives or manages or transmits PHI and is responsible for maintaining privacy. The loss of PHI can result in fines and may expose the covered entity to litigation. However, just protecting PHI is not enough. You also have to prove that your PHI is in fact protected which is a much harder problem to solve.

How to avoid cloud vendor lock-in?
When a customer decides to use their cloud vendor’s data-at-rest encryption offering then it becomes virtually impossible for the customer to switch their cloud vendor without spending a significant amount of time and effort. It is because the encrypted PHI must be decrypted first. Let’s look at some of the challenges associated with a move:

Is your disk partition large enough to decrypt your data set before the move?

Where will you store your PHI during transition?

How will you secure your PHI during transition?

Will you be violating your business partner agreement?

Does data-at-rest encryption offered by the new vendor require you to make changes to your application, process or procedures?

How long will it take to encrypt your PHI again?

How will the change impact your cost?

Technical Challenges

From a technical perspective, you are faced with a daunting task since you know that your data is everywhere—in the cloud, in a virtual environment, and sometimes in your partner’s data center thousands of miles away. Here are the top three technical challenges when it comes protecting PHI

How to encrypt data and control access?
Encryption is a good way to protect your data, however, you will have to figure what method to use to encrypt your data; should you encrypt it within your application, at the volume level, or at the file system layer? How to ensure that data will remain available after it has been encrypted? How to stop a malicious or compromised “root” user from accessing the protected data sets?

How to technically satisfy audit requirements?
How will you prove to your auditors that you are in compliance? How will you generate tamper-resistant access trail?

How to deploy a single data encryption solution across multiple clouds and data centers?
Before you roll out a data-at-rest encryption solution you would want to make sure that the same data-at-rest solution can be used for all of your machines no matter where they are located – within your own data center or on different cloud platforms. Unfortunately the data-at-rest encryption solutions offered by most cloud vendors can only be used within their own cloud.

Server General is a data encryption and key management service that protects the sensitive information stored in a file server or a database server deployed anywhere. Contact us if you need additional information – Contact Us