Security Risk Analysis & Drive Encryption

Lately, there’s been confusion about hard drive encryption requirements for medical practices. So, it’s important to understand the difference between “addressable” and “required” as it pertains to your Security Risk Assessment.
Shortly after the dawn of the Affordable Care Act in 2010, “addressable” was widely taken to describe a vulnerability that could be fixed at some point in the future. After September 23rd, 2013, all covered entities became subject to stricter standards and maximum fines. These fines skyrocketed from thousands to $1.5 million per year for willful neglect, whether corrected or uncorrected. Willful neglect is the conscious, intentional failure, or reckless indifference, to fulfill the obligation to comply with HIPAA and to implement “required” technology such as hard drive encryption.
CMS Defines “Addressable” and “Required”
“In your Meaningful Use Security Risk Analysis, if an implementation specification is “required,” the specification must be implemented. The concept of “addressable implementation specifications” was developed to provide covered entities additional flexibility on compliance with the security standards. In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification:
(a) implement the addressable implementation specification;
(b) implement one or more alternative security measures to accomplish the same purpose; or
(c) not implement either an addressable implementation specification or an alternative.
The covered entity must document their choice. The covered entity must also decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. For example, a covered entity must implement an addressable implementation specification if it is sensible and necessary to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative. This decision will depend on a variety of factors, such as the entity’s risk analysis, risk mitigation strategy, what security measures are already in place and the cost of implementation. Covered entities must document decisions regarding addressable specifications. The written documentation should include the factors considered as well as the results of the risk assessment.”
What About Disk Drive Encryption?
The fact is, every HIPAA compliance scanning tool, including those used by auditors, will flag unencrypted storage media as non-compliant. Make no mistake: encryption is required, and it is a safe way to protect your practice from CMS audits, stolen workstations, and improperly disposed-of hard drives.
For New Jersey Healthcare Providers, Encryption is the Law.
Starting July 2015, PHI Data and Hard Drive Encryption Are Mandatory in the State of New Jersey
New Jersey Governor Chris Christie signed a new law in January that extends the reach of HIPAA, calling for New Jersey healthcare providers to make greater efforts to keep patients’ electronic health records secure. The new law goes into effect in July 2015 and requires all covered entities to use data encryption software on all electronic devices that contain Protected Health Information.
HIPAA and Encryption
HIPAA does not require encryption of all health data. That’s because HIPAA only states that “health care must address data encryption.” The new New Jersey law takes this one step further and mandates encryption. When the law comes into effect in the summer, all end-user computer systems and smartphones that hold PHI will be required to encrypt it.
The New Law States
“Health insurance carriers shall not compile digital personal information unless encrypted. Other methods can be used to render the information unreadable, undecipherable, or unusable by an unauthorized person.”
Encrypted Data Includes
- First and last name
- Identifiable health information
- Social Security numbers
- Driver’s license numbers
- ID card numbers
- Home addresses
The newly introduced law comes in the wake of a number of major HIPAA breaches that have plagued the state’s healthcare providers. According to the U.S. Department of Health and Human Services, these breaches have exposed the health data of over 1 million N.J. residents since 2009.
Blue Cross Blue Shield was one of New Jersey’s major offenders, exposing the data of 840,000 residents in late 2013. Newark Beth Israel Medical Center has suffered three data breaches since 2010, and Vineland’s Inspira Medical Center also experienced a major HIPAA breach in 2014.
HIPAA sets a minimum standard that all states must follow, but tougher state laws can further protect residents’ health data. Starting in July 2015, New Jersey will have some of the strictest laws in the country covering data privacy and security. As a result, these laws should drastically reduce the volume of data breaches.
Our Solution
Encrypting every workstation hard drive at your medical practice is a necessity: not only because it’s the law but, more importantly, because encrypted workstations won’t expose patient health information if they are lost or stolen. That’s why we always recommend and install Symantec Desktop Encryption on every notebook and computer connected to our clients’ networks.
About Innovative Computer Systems
Innovative Computer Systems is a Managed Services Provider specializing in Healthcare Information Technology (HIT) and Corporate Business Technology. We work closely with our clients to understand their daily workflow requirements. Some of our clients include leaders in Ophthalmology, Facility Maintenance, Pediatrics, Law, Urology, Dermatology, Commercial Real Estate, Internal Medicine and Ambulatory Surgery.