Health 2.0

HIPAA Compliance: Cloud Encryption Options

A complete security risk assessment is the sensible starting point for HIPAA compliance

Data is arguably the most prolific and most valuable of resources. As such, it needs to be protected both as a company asset and in keeping with data privacy laws. Data protection is most acute in healthcare, which is something of a latecomer to fast-evolving heterogeneous electronic environments in the cloud. Indeed, healthcare had to “fast forward” to meet a rush of legislation and new working methodologies. In the blink of an eye, the playing field has changed dramatically. It continues to evolve as medical practitioners bring their own devices into hospitals and surgeries, patients consult with their physicians over Skype and online chat, and Electronic Health Records transit between healthcare Business Associates and government and reimbursement agencies.

A complete security risk assessment is the sensible starting point for HIPAA compliance, one which reviews cloud, mobile, users, access controls, legacy systems, and the entire data operation. When it comes to cloud computing in the age of HIPAA Compliance, encryption has become the accepted best practice for ensuring privacy and control of patient data.

The U.S. Department of Health and Human Services (HHS), its Office for Civil Rights, and the National Institute of Standards and Technology (NIST) have all published lengthy guidelines on how organizations can ensure compliance. The goal, however, is short and clear: electronic Patient Health Information (ePHI) must be made unusable, unreadable, and/or indecipherable to unauthorized users.

The HIPAA Security Rule incorporates two encryption implementation standards: 164.312(a)(2)(iv), which sets out the method for encrypting and decrypting ePHI; and 164.312(e)(2)(ii), which dictates how to implement a mechanism for encrypting ePHI “whenever deemed appropriate.” The good news is that if you implement encryption correctly, especially the management of encryption keys, the HHS guidance enables you to claim safe harbor. This means that even in the case of a breach, no patient data would be exposed since it was all encrypted in the first place.

Proper management of encryption keys has to do with ownership. To reach safe harbor status, you should be able to show that you kept the encryption keys to yourself and that the “master keys” were not in the cloud when (or if) a breach occurred. Take a look at technologies like split-key encryption or homomorphic key management to see how this can be achieved.
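To make the ownership point concrete, here is an added Go example (not Porticor's code and not from the original post) of the simplest split-key scheme: the AES-256 data key is the XOR of a customer-held share and a cloud-held share, so the share a breached cloud could expose is useless on its own and records stay protected. The 32-byte shares, XOR splitting and AES-GCM are assumptions of this example, not details taken from the post.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

// NewKeyShares draws two independent 32-byte shares from the OS CSPRNG (from Go 1.24
// crypto/rand.Read is guaranteed not to return an error). Their XOR is the AES-256 data
// key, so the share the cloud stores is statistically independent of the key and useless
// alone; the customer share is the "master key" that never leaves the customer's custody.
func NewKeyShares() (customerShare, cloudShare []byte) {
	customerShare, cloudShare = make([]byte, 32), make([]byte, 32)
	rand.Read(customerShare)
	rand.Read(cloudShare)
	return customerShare, cloudShare
}

// CombineShares XORs both halves back into the data key and wraps it in AES-256-GCM,
// so a wrong key or a tampered record is rejected rather than decrypted to garbage.
func CombineShares(customerShare, cloudShare []byte) (cipher.AEAD, error) {
	if len(customerShare) != 32 || len(cloudShare) != 32 {
		return nil, errors.New("both shares must be 32 bytes")
	}
	key := make([]byte, 32)
	subtle.XORBytes(key, customerShare, cloudShare)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one ePHI record; a fresh random nonce is prepended to the ciphertext.
func Seal(gcm cipher.AEAD, plaintext []byte) []byte {
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// Open decrypts a sealed record; with any key other than the combined one the GCM
// authentication tag fails and no plaintext is returned.
func Open(gcm cipher.AEAD, sealed []byte) ([]byte, error) {
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
```

In a real deployment the customer share would live in an on-premises HSM or key manager and be combined with the cloud share only inside the customer-controlled process that handles the records.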

Ultimately, whatever type of cloud you use for processing your data, not to mention the apps or services you source from the cloud, the rule of thumb holds true: your data is secure and enjoys HIPAA “safe harbor” when it’s encrypted. And encryption only makes sense if you hold onto the encryption keys.

The post HIPAA Compliance: Cloud Encryption Options appeared first on Porticor Cloud Security.

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor, is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business), contributing to several SAP products and reaching more than 8 million users. Recently he created a consumer Cloud at G.ho.st, a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.