[BreachExchange] How Evolving Cyber Threats Affect Health Data Encryption

Audrey McNeil audrey at riskbasedsecurity.com
Mon Dec 12 18:41:25 EST 2016


http://healthitsecurity.com/news/how-evolving-cyber-threats-affect-health-data-encryption

Data encryption options are quickly becoming a top security choice for
healthcare organizations that are looking to remain innovative but still
keep patient data out of the wrong hands. With a recent survey showing the
quick growth of the global encryption software market, covered entities
should ensure they understand how data encryption could be implemented at
their organization.

By 2024, the global encryption software market is expected to reach $8.4
million, according to Grand View Research, Inc. A combination of data loss
and new governance and compliance regulations is expected to drive the
need for data encryption, the report found.

“Organizational best practices point towards data encryption as a key
solution for data privacy,” read a press release discussing the findings.
“However, the lack of budget is the key reason cited by organizations for
being unable to make extensive investments in encryption solutions and this
is presumed to challenge the industry demand.”

The study also found that last year, the on-premise deployment segment
accounted for over 60 percent of the market share, and is only expected to
continue to grow. This growth is fueled by the increasing need for
organizations to minimize the scope of compliance audits and to avoid
public disclosures following data breaches.

Data encryption can be especially beneficial in the healthcare industry, as
more organizations connect to HIEs, implement EHRs, and continue the push
toward nationwide interoperability. With healthcare data encryption,
organizations make health data unreadable without the applicable key or
code to decrypt it.

CEs and BAs can then convert the original form of the information into
encoded text, helping entities ensure that unauthorized individuals are not
able to “translate” the data for their own use.

While HIPAA rules state that encrypting health data is “addressable” rather
than “required,” organizations should not ignore health data encryption or
automatically assume that it does not apply to their operations.

The National Institute of Standards and Technology (NIST) also published
guidance to help healthcare entities better understand this gray area in
data protection. Titled, “An Introductory Resource Guide for Implementing
the HIPAA Security Rule,” the guidance was meant to provide more depth and
insight by mapping HIPAA security controls to a standard security controls
framework.

Earlier this year, NIST also released the final draft describing the
channels for establishing cryptographic standards and guidelines. NIST
addressed the importance of encrypting sensitive data by transforming it
into an incomprehensible format until a recipient with a key can unlock the
information.

“While our primary stakeholder is the federal government, our work has
global reach across the public and private sectors,” NIST’s Chief
Cybersecurity Advisor and Associate Director for the Information Technology
Laboratory Donna Dodson said in a statement. “We want a process that
results in standards and guidelines that can be used to secure information
systems worldwide.”

NIST also reiterated the need for collaborations between all stakeholders,
such as security professionals, researchers, standard developing
organizations, and users, to establish strong encryption standards and
processes.

Data encryption in healthcare is no longer a topic that providers can
ignore, especially as healthcare cybersecurity threats continue to evolve.
For example, ransomware attacks can be devastating to a covered entity, as
they could potentially disrupt patient care. However, if patient data is
kept secure, it will be more difficult for unauthorized third parties to
capture the information and attempt to sell it on black markets or the deep
web.

By taking advantage of available tools and guidance, healthcare
organizations can ensure they are taking necessary steps in data security.
Whether that includes implementing a new encryption option or another
tool, covered entities should understand how multiple pieces of
legislation and security frameworks apply.

The Office for Civil Rights (OCR) released a crosswalk in February 2016,
explaining the “mappings” between the HIPAA Security Rule and NIST
Cybersecurity Framework. While covered entities may have aligned their
security program to one or both approaches, the crosswalk can help identify
any potential gaps.

“Although the Security Rule does not require use of the NIST Cybersecurity
Framework, and use of the Framework does not guarantee HIPAA compliance,
the crosswalk provides an informative tool for entities to use to help them
more comprehensively manage security risks in their environments,” the
crosswalk explained.