How Health Care Data Encryption Fits Into Your Security Strategy

Hospitals, government health agencies and other health care entities have a growing need to securely store and transfer personal data, both from patient to provider and with relevant agencies, insurers and regulators. Considering the exponential rise in cyberattacks, it has never been more crucial for health care organizations to take the risk out of data portability for personally identifiable information (PII) and protected health information (PHI).

Patient and enterprise-wide data security is a multifaceted challenge that extends across data at rest and data in transit. It is a challenge complicated by heightened patient sensitivity to how their data is accessed and used. A 2022 survey by the American Medical Association (AMA) found that more than 92% of patients believe privacy is a right and that their health care data should not be available for purchase. Nearly three-fourths of those surveyed had concerns about protecting the privacy of personal health data.

The survey indicated patients are most comfortable with physicians and hospitals having access to personal health data and least comfortable with social media sites, employers and technology companies having access to the same data.

Ultimately, data encryption should be part of an effective layered approach to storing and sharing patients’ protected health information, one that prevents unauthorized users from accessing the data and secures devices even if they are lost, misplaced or stolen. However, it is not always clear how best to deploy data encryption solutions, particularly when it comes to software versus hardware encryption.

There are several key considerations for health care decision-makers to weigh before moving forward with data encryption as part of a broader security strategy.

The Value of Data Encryption for Regulatory Compliance

First, there is a need to look at how to protect critical health care data. With current federal, state and even international regulations, there should be little difference between how an organization needs to handle its PII and PHI data when considering security and creating safeguards. As the health care world becomes more interconnected, the mobility of patient health records becomes more crucial for patient service and research, development, and funding for health care initiatives across the globe. While there are several strategies for safeguarding patient data both in transit and on-premises, data encryption is a crucial component of any truly practical solution.

Data encryption is also crucial for complying with the litany of laws and rules from organizations like HHS, which established the HIPAA Privacy Rules over 25 years ago, giving patients rights over their data while permitting the disclosure of appropriate information required for patient care and other essential purposes. HIPAA also specifically requires the encryption of patient data at rest, such as when stored on SSD or USB devices. There are similar requirements on the international stage, such as GDPR in EMEA, and at the state level, such as California’s CCPA. These growing multi-level compliance requirements have elevated encryption of protected data classes from an ethical business practice to a requirement mandated by regulation. Despite these mounting regulatory requirements, loss of protected patient data is still a reality across the health care industry and continues to grow each year, further highlighting the need for robust encryption.

The Hard Truth of Proper Encryption

With so many interconnected pieces of the data privacy puzzle, it can be intimidating for organizations to adequately protect themselves. However, an organization’s capacity to comply with the stringent regulations governing health care data access and management could be jeopardized if data security concerns are not anticipated. A key decision point when developing any data encryption plan is whether the encryption on the devices used to store and transport the data should be hardware- or software-based. While there are different approaches to protecting patient data in transit and at rest, data encryption plays a central role. With current budget constraints and strategies that direct investment away from expanding data encryption, many solutions only exacerbate the problem, opening the door to increased risk and vulnerability.

Software encryption appeals to budget-conscious organizations as it can be deployed at a lower cost point than hardware encryption. However, there are tradeoffs to a software-based approach, which has proven vulnerable to sniffing, brute force, and computer memory sniffing attacks, to name a few.

Software encryption also introduces performance issues as many solutions are not compatible with older networks and systems and are known to slow down entire machines as data is encrypted and decrypted. Determining a comfortable balance between cost, performance, and level of security is an eternal struggle for security and IT decision-makers, one that will factor into the desired path forward.

Relative to software encryption, a hardware-based approach is self-contained in devices like USB drives and SSDs and is better equipped to fend off constantly shifting cyber threats, offering protection against even the most prevalent types of attacks. Because authentication takes place on the hardware rather than in software, using a dedicated processor, less computing load is placed on the system. This makes the process of encrypting and decrypting data far quicker. In addition, the encryption key is never exported to the system, where it could be compromised, whereas with software encryption the actual encryption and decryption are done in the computer’s memory.

Hardware encryption, in contrast to software encryption, prevents repeated password guessing through software dictionary attacks by restricting the number of password attempts to no more than ten and then deleting the data if an incorrect password is entered too many times. Hardware encryption is also hardwired into the device to protect the data. Users and bad actors have no way to access any mechanisms that would allow them to disable encryption, change password rules, or remove brute force attack protection. For example, compliance with regulations may require companies to deploy drives that enforce security, but with software encryption, a rogue employee can reformat the drive, thereby removing the encryption, and then store data that can result in a breach if the drive is lost or compromised. As a result, software encryption for data in transit is subject to removal, thereby negating IT security compliance.

Don’t Be Tomorrow’s Headline

With the rapid growth and innovation of the health care industry, the security of patients’ and organizations’ data faces an ever-expanding set of threat vectors. A costly data breach can undermine the trust of patients, partners, and regulators alike and is not something anyone can afford to leave to chance. A hardware-encrypted storage device from a trusted vendor is the safest option for complying with HIPAA, GDPR, and CCPA and for mitigating the risk and cost of data breaches by the mobile workforce.

Richard Kanadjian

Richard Kanadjian is currently the Business Manager of Kingston Technology’s Encrypted USB unit. He joined Kingston in 1994 and has served the company in a variety of roles for both the Flash and DRAM divisions. Among his many positions, Mr. Kanadjian was a field applications engineer in the company’s strategic OEM division, where he helped build relationships with leading PC and chipset manufacturers. Prior to his current role, Mr. Kanadjian was part of the SSD product engineering department helping develop and support Kingston’s enterprise SSDs on both a technical and customer level.
