Encryption: What Are You Waiting For?
by Donna Koger, 1.26.17
No, seriously, what is keeping you from complete HIPAA compliance? Are you afraid it will cost too much and take up too much of your time? Do you know it’s not that difficult to be fully compliant - and it is very important for your survival as a business?
Data Encryption for HIPAA Compliance
We have posted several articles about HIPAA compliance and how to get there; but do you know how it affects your bottom line? Take encryption of hard drives (desktops and laptops), portable drives (flash drives and other mobile media) and email: all of these are exposed to loss, theft and hacking, and a single incident can cost enough to shut your business down. Yes, there is some fear involved, but most of the solutions are not difficult to carry out.
According to DataMotion, the average cost of resolving a data breach has reached nearly $4 million . . . encryption provides additional gains often overlooked.
When your equipment and email are encrypted, it tells clients and partners that you take protecting the privacy and security of their information seriously. It can also set you apart in the marketplace for keeping your technology up to date. Encrypted email strengthens your relationships and reputation, and encryption has a very practical payoff: under HHS guidance, lost or stolen data that was properly encrypted (with the key not compromised) is not treated as a reportable breach, which spares you the notifications, investigation and expense that follow an unencrypted loss.
So how do you encrypt your drives? What kinds of problems can it create?
One option is to have your tech support person install a Windows edition that includes drive encryption (Windows 7, 8.1 or 10, Pro or Enterprise; the built-in tool is BitLocker) on each computer and use that rather than buying separate software. Some newer computers have a chip on the motherboard, a Trusted Platform Module (TPM), that holds the drive's encryption key and releases it only when the machine boots normally. Since most machines don't yet have the chip, you will instead use a USB flash drive as a startup key: the key material lives on the flash drive, and the computer will not unlock its hard drive at boot unless that drive is plugged in.
Keep a second flash drive with a copy of the startup key, and keep the recovery key (a long numeric password that the encryption software generates) stored somewhere other than the computer itself; without one of these, a lost flash drive means lost data. When a device is not in use, remove the startup key so that nobody who should not see private files can start the machine.
Once a drive is encrypted and the key has been supplied at boot, the drive stays unlocked for as long as the machine is running, including while it sleeps, so users can keep working normally. Drive encryption is mainly there to prevent access to files if the hardware is lost or stolen while powered off. It does not stop someone who walks up to a logged-in or sleeping machine, so every device should also be set to lock the screen automatically after a short idle period, and a username and password should always be required to get back in.
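The steps above, as an added PowerShell example that is not from the PIMSY article or its authors. It assumes Windows 8.1 or 10 Pro/Enterprise (the BitLocker cmdlets are not in Windows 7), an elevated PowerShell session, and that the flash-drive letter E: and the escrow folder \\fileserver\bitlocker-keys are placeholders to replace with your own. It checks whether a TPM chip is present, uses the chip (plus a PIN) when it is and a USB startup key when it is not, adds a recovery password and saves it off the machine, then reports the drive's status.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the PIMSY article. Placeholders to replace:
$OsDrive     = "C:"
$UsbKeyDrive = "E:"                          # the flash drive that becomes the startup key
$EscrowPath  = "\\fileserver\bitlocker-keys"  # access-controlled share, NOT on this machine

# 1. Allow the startup options we may need. These are the registry values the
#    Group Policy "Require additional authentication at startup" writes when enabled:
#    permit BitLocker without a TPM, and allow TPM, TPM+PIN, TPM+key, TPM+PIN+key.
$fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name "UseAdvancedStartup" -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name "EnableBDEWithNoTPM" -Value 1 -Type DWord
foreach ($name in "UseTPM", "UseTPMPIN", "UseTPMKey", "UseTPMKeyPIN") {
    Set-ItemProperty -Path $fve -Name $name -Value 2 -Type DWord   # 2 = allowed
}

# 2. Is there a usable TPM chip on the motherboard?
$tpm = Get-Tpm -ErrorAction SilentlyContinue
$haveTpm = ($null -ne $tpm) -and $tpm.TpmPresent -and $tpm.TpmReady

if ($haveTpm) {
    # 2a. Key sealed in the chip, plus a PIN so a thief who boots the laptop
    #     still cannot get the drive unlocked.
    $pin = Read-Host -AsSecureString "Choose a BitLocker startup PIN"
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $pin -SkipHardwareTest
} else {
    # 2b. No chip: write the startup key to the flash drive. The PC will not
    #     unlock C: at boot unless that drive is plugged in. Copy the .BEK file
    #     it creates to a second flash drive and store that one separately.
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
        -StartupKeyProtector -StartupKeyPath $UsbKeyDrive -SkipHardwareTest
}

# 3. Always add a recovery password and keep it OFF the machine. If the drive,
#    the board holding the chip, or the flash drive fails, this is the only way back in.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
$recovery | Select-Object KeyProtectorId, RecoveryPassword |
    Export-Csv -NoTypeInformation -Path (Join-Path $EscrowPath "$env:COMPUTERNAME.csv")

# 4. Verify: VolumeStatus moves from EncryptionInProgress to FullyEncrypted and
#    ProtectionStatus must read On; a drive that shows Off is not protected yet.
Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, KeyProtector
```

Run it once per machine and keep the exported recovery password where the compliance officer, not the user, controls access. Whichever branch runs, the recovery password in step 3 is what lets a competent tech support person get the data back after a hardware failure, so do not skip it.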
What are the Problems?
• On some computers and laptops there will be a slowdown, but on most modern hardware it is negligible.
• If the hard drive (or the motherboard holding the chip) fails, the files can only be recovered with the recovery key, so make sure it is stored safely off the device and that you still keep regular backups; a competent tech support person can then get around the problem.
The simplest way to send encrypted email is to use one of the email services built for HIPAA compliance, such as EmailPros, Mailfence or ProtonMail (free). Whichever you choose, you need a business associate agreement (BAA) with the provider before it handles patient information. [the listed services are not necessarily endorsed by SMIS]
Remember, however, that an email you receive was only protected on its way to you if the sender also uses encrypted email; you cannot control how it traveled. Your own encrypted email shows that you are compliant on your end, which is what you are responsible for; once a message has arrived, it sits on your encrypted systems and is protected like any other record.
Donna Koger is currently the HIPAA Compliance Officer and materials developer for software training and support at Smoky Mountain Information Systems, home of PIMSY EHR. Ms. Koger is also a regular contributor to the PIMSY EHR Blog.