Healthcare Data Protection and Encryption
Encrypting data is the best way to implement healthcare data protection. Encryption turns sensitive information into unreadable text, known as ciphertext, that can only be read by someone holding the decryption key. Although HIPAA does not explicitly mandate encryption, it is the easiest way to implement healthcare data protection. The Department of Health and Human Services (HHS) does, however, require organizations working in healthcare that decide not to use encryption to put an equivalent alternative protection in place.
The HIPAA Security Rule states, “The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.”
VPN for Healthcare HIPAA Compliance
Implementing a VPN in healthcare addresses several components of the HIPAA technical safeguard requirements. HIPAA requires that the confidentiality, integrity, and availability of PHI be maintained. As such, healthcare entities and their business associates must implement access controls, audit controls, integrity controls, and transmission security.
- Access Controls: HIPAA requires healthcare entities to follow the “minimum necessary” rule with regard to accessing PHI. This means that employees should only have access to the minimum PHI necessary to perform their job functions. Access controls enable this by giving each user unique login credentials, so that different users have different levels of access to data based on their job role. The access control standard also covers access to data during an emergency and automatic logoff of idle sessions.
A VPN in healthcare can be used for access control. A VPN managed from a centralized cloud platform lets administrators delegate different levels of data access to individual users. It also allows for easy access to data in emergencies.
- Audit Controls: the means of tracking network access by individual users. HIPAA mandates that healthcare entities track user access to PHI to ensure that it is accessed appropriately. Audit logs should be maintained so that organizations can determine normal access patterns for individual users, which lets insider breaches be detected quickly. In addition, audit logs should record users who attempted to access sensitive data and were denied.
A VPN offers detailed activity reports that record who accesses data, what data they access, which applications they use to access it, and how much bandwidth is consumed. A VPN in healthcare can also provide network visibility and identify vulnerabilities and risks in an organization’s internal network.
- Integrity Controls: as previously discussed, PHI must maintain its integrity. As such, healthcare entities must have policies and procedures that prevent the improper destruction or alteration of PHI.
A VPN supports healthcare data protection by authenticating users before allowing access to sensitive data. VPNs use pre-shared keys to identify users, so that data is not accessed by unauthorized parties.
- Transmission Security: data sent outside of an internal network to an outside party should be encrypted. Data sent externally passes through third-party infrastructure, which puts unencrypted data at risk of unauthorized access.
A VPN uses advanced encryption when sending data externally. Encryption ensures healthcare data protection because the data cannot be read without the decryption key.
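The access-control and audit-control points above (minimum necessary access per role, emergency access, automatic logoff, and audit logs that capture denied attempts and reveal unusual access patterns) can be seen together in a small access broker. The following is an added illustration written for this page, not code from the page or from any VPN product; the roles, PHI categories, idle timeout, user names and access requests are all constructed for the example.

```python
"""Minimum-necessary access enforcement with audit logging and log review.

Added illustration, not code from the page or any VPN vendor. The roles,
users, record categories, idle timeout and the sample requests are constructed.
"""
from dataclasses import dataclass, field
from collections import defaultdict

# Constructed "minimum necessary" policy: each role may read only the
# PHI categories its job function requires.
ROLE_PERMISSIONS = {
    "physician": {"clinical_notes", "lab_results", "demographics"},
    "billing": {"demographics", "insurance"},
    "front_desk": {"demographics"},
}

IDLE_TIMEOUT_SECONDS = 600  # constructed automatic-logoff threshold


@dataclass
class Session:
    user: str
    role: str
    last_activity: int          # constructed clock value, in seconds
    break_glass: bool = False   # emergency access flag; always audited


@dataclass
class AccessBroker:
    audit_log: list = field(default_factory=list)

    def request(self, session, category, patient_id, now):
        """Decide one access request and write the decision to the audit log."""
        # Automatic logoff: an idle session is denied and must re-authenticate.
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            self._log(now, session, category, patient_id, "DENY", "idle_timeout")
            return False
        session.last_activity = now
        if category in ROLE_PERMISSIONS.get(session.role, set()):
            self._log(now, session, category, patient_id, "ALLOW", "role")
            return True
        if session.break_glass:
            # Emergency access procedure: permitted, but flagged for review.
            self._log(now, session, category, patient_id, "ALLOW", "break_glass")
            return True
        self._log(now, session, category, patient_id, "DENY", "not_in_role")
        return False

    def _log(self, ts, s, category, patient_id, decision, reason):
        self.audit_log.append({"ts": ts, "user": s.user, "role": s.role,
                               "category": category, "patient": patient_id,
                               "decision": decision, "reason": reason})


def review_audit_log(log, max_patients_per_user=3):
    """Flag denied attempts, emergency access, and users touching more
    distinct patients than a constructed per-user baseline allows."""
    findings = []
    patients = defaultdict(set)
    for e in log:
        if e["decision"] == "DENY":
            findings.append(("denied_access", e["user"], e["reason"]))
        elif e["reason"] == "break_glass":
            findings.append(("emergency_access", e["user"], e["patient"]))
        else:
            patients[e["user"]].add(e["patient"])
    for user, seen in patients.items():
        if len(seen) > max_patients_per_user:
            findings.append(("unusual_volume", user, len(seen)))
    return findings


def demo():
    """Run constructed requests through the broker and review the log."""
    broker = AccessBroker()
    doc = Session("dr_lee", "physician", last_activity=0)
    clerk = Session("pat_k", "front_desk", last_activity=0)
    er_nurse = Session("nurse_ok", "front_desk", last_activity=0, break_glass=True)
    broker.request(doc, "lab_results", "P001", now=10)
    broker.request(clerk, "clinical_notes", "P001", now=20)      # outside role
    broker.request(er_nurse, "clinical_notes", "P002", now=30)   # emergency use
    for i, pid in enumerate(["P003", "P004", "P005", "P006"]):
        broker.request(doc, "demographics", pid, now=40 + i)     # volume spike
    broker.request(clerk, "demographics", "P007", now=2000)      # idle -> logoff
    return broker, review_audit_log(broker.audit_log)


if __name__ == "__main__":
    _, findings = demo()
    for finding in findings:
        print(finding)
```

The reviewer function is deliberately simple: a real audit review would compare each user against a baseline learned from their own history rather than a fixed threshold, but the shape is the same, and the point the text makes is that denied requests and emergency access must be in the log at all, otherwise nothing can review them.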
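The integrity-control point above (detecting improper alteration of PHI using a pre-shared key) can be illustrated with a keyed message authentication code. This is an added example written for this page, not code from the page or from any VPN product; the key, record contents and field names are constructed. Note the caveat a practitioner would raise about pre-shared keys: anyone holding the shared key can produce a valid tag, so a single shared secret proves possession of the key rather than the identity of an individual user, and per-user or per-device keys are needed for individual accountability.

```python
"""Integrity tag for a PHI record under a pre-shared key (HMAC-SHA256).

Added illustration, not the page's or any VPN product's code. The key, the
record and the field names are constructed for the example.
"""
import hashlib
import hmac
import json


def canonical(record):
    """Deterministic serialization so sender and receiver tag identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key):
    """Return (record, tag) where tag is HMAC-SHA256 over the canonical record."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return record, tag


def verify(record, tag, key):
    """True only if the record is unaltered and the key matches.
    compare_digest is a constant-time comparison, avoiding timing leaks."""
    expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def demo():
    """Seal a constructed record, then check the original, an altered copy,
    and a verification attempt under the wrong key."""
    psk = b"constructed-pre-shared-key-do-not-reuse"
    record, tag = seal({"patient": "P001", "allergy": "penicillin"}, psk)
    tampered = dict(record, allergy="none")   # improper alteration in transit
    wrong_key = b"constructed-other-key"
    return (verify(record, tag, psk),
            verify(tampered, tag, psk),
            verify(record, tag, wrong_key))


if __name__ == "__main__":
    print(demo())
```

The tag protects integrity and authenticity only; it does not hide the record contents, so for the transmission-security requirement it has to be combined with encryption of the data in transit, which is the role the VPN tunnel plays.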
VPN Providers and Business Associate Agreements
Under HIPAA, VPN providers are considered business associates. Before healthcare entities are permitted to transmit PHI to their business associates, they must have a signed business associate agreement (BAA). A BAA states that both parties agree to be HIPAA compliant and that each is responsible for its own compliance. Additionally, when evaluating any cloud service, it is important to confirm that the provider is compliant with the SOC 2 and ISO 27001 standards.