
Five years ago encryption was neither common nor cheap. Today it is everywhere and inexpensive to implement. Yet healthcare still treats it as a nuisance, ignores it, or assumes its EHR or patient management software provides complete encryption. Considering that ePHI is worth $500 per record while a credit card number is worth $0.50 (50 cents), it is time for healthcare providers and their business associates to batten down the hatches on their ePHI. Cyber criminals want it and will find it, meaning they will breach your defenses. Therefore you must stop the theft from succeeding by preventing the data from leaving in a usable format. Data encryption is the best way to protect it. Properly encrypted data is almost impossible to decrypt without the key, forcing cyber criminals to move on to the next easier set of valuable data.

Steps to take regarding ePHI and encryption:

  1. Perform a Security Risk Assessment to identify everywhere you have ePHI.
  2. Create a diagram of the ePHI at rest and in motion.
  3. Create policies and procedures that address protecting, accessing and handling ePHI.
  4. Ensure your software encrypts the ePHI in the database, in transmission and on the client.
    • We have found many EHRs and patient management tools cache unencrypted ePHI on the local hard drive of workstations accessing the information.  This is NOT good.
  5. Encrypt your hard drives.
  6. Encrypt your backups.
  7. Check that your encryption is working.
  8. Check that your backups are working.
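The note under step 4 (client software caching unencrypted ePHI on workstation disks) and step 7 (check that your encryption is working) can be combined into one concrete check. The script below is an added example, not code from the original post: it walks a cache directory, flags files that contain ePHI-style identifiers in plaintext, and uses byte entropy to tell ciphertext apart from readable text. The identifier patterns (SSN, MRN, DOB) and the entropy cutoff are illustrative assumptions, not a standard.

```python
"""Audit a workstation cache directory for ePHI left in plaintext.

Added example, not from the original post. The identifier patterns and the
entropy cutoff are illustrative assumptions, not a standard.
"""
import math
import os
import re
from collections import Counter

# Constructed heuristic patterns for identifiers that typically appear in ePHI.
PHI_PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(rb"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(rb"\bDOB[:#]?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}
# Bits per byte; ciphertext sits near 8.0, English text near 4-5 (assumed cutoff).
ENTROPY_THRESHOLD = 7.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_blob(data: bytes) -> dict:
    """Report whether bytes look encrypted or contain plaintext ePHI markers."""
    hits = {name: len(rx.findall(data)) for name, rx in PHI_PATTERNS.items()}
    hits = {name: count for name, count in hits.items() if count}
    entropy = shannon_entropy(data)
    return {
        "entropy": round(entropy, 2),
        "looks_encrypted": entropy >= ENTROPY_THRESHOLD and not hits,
        "phi_hits": hits,
    }

def audit_cache_dir(root: str) -> list:
    """Walk `root` and return one finding per file holding plaintext ePHI markers."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                result = classify_blob(fh.read())
            if result["phi_hits"]:
                findings.append({"path": path, **result})
    return findings
```

Point `audit_cache_dir` at the EHR client's local cache or temp directory on a sample workstation; any finding is a file the software wrote to disk in readable form and a candidate for whole-disk encryption or a vendor fix.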

Hope this helps!