Is Encryption Really Necessary For Protecting Electronic Records?

dr_EHR / February 4, 2016

With the integration of computers in healthcare, our lives have become both simpler and more complicated at the same time. While new technology has certainly made daily tasks easier, it also comes with an assortment of rules, security patches, and passwords that can make it unpleasant to use. Although these safeguards may seem onerous, they are necessary. As digital technology has grown more sophisticated and user-friendly, it has also become a great deal easier for hackers and cyber-criminals to access and exploit. The solution is for technology providers to continually monitor systems for vulnerabilities and make corrections. While these cyber wars go on behind the scenes, the actual users of these systems can contribute to the “war effort” with frequent password changes and encrypted data.

But studies show that simply updating a password might not increase its security. Users allowed to pick an initial password tend to make each update a variation on the original one: “starfish1,” “starfish2,” “starfish3,” etc. This definitely makes it easier for users to remember frequent changes, but it also makes it easier for hackers – provided they have obtained one of the earlier passwords. Encrypted data, however, they find a little more challenging.
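The weakness described above (a new password that is only a counter increment or a one-character tweak of the old one) is something a password-change handler can refuse outright. The following is an added example, not code from the original post: it assumes the change-password handler has both the current and the proposed password in hand (the user supplies the current one to authorize the change), and it rejects the proposal when the two share the same root after trailing digits are stripped or when the edit distance between them is below a threshold. The threshold `MIN_EDIT_DISTANCE` is a constructed policy value, not a figure from the post.

```python
import re

# Hypothetical policy threshold: a new password must differ from the old one
# by at least this many single-character edits. Constructed for this example.
MIN_EDIT_DISTANCE = 4


def _strip_trailing_digits(pw: str) -> str:
    """Remove a trailing counter such as the '1' in 'starfish1'."""
    return re.sub(r"\d+$", "", pw)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) via a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_variation(old: str, new: str) -> bool:
    """True when `new` is the same password with a bumped counter or a tiny edit."""
    old_l, new_l = old.lower(), new.lower()
    if old_l == new_l:
        return True
    old_root, new_root = _strip_trailing_digits(old_l), _strip_trailing_digits(new_l)
    # 'starfish1' -> 'starfish2': same root, only the counter changed.
    if old_root and old_root == new_root:
        return True
    # 'starfish1' -> 'Starfish1!': a one- or two-character tweak.
    return levenshtein(old_l, new_l) < MIN_EDIT_DISTANCE


def check_password_change(old: str, new: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed password change."""
    if is_trivial_variation(old, new):
        return False, "new password is a trivial variation of the current one"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample changes mirroring the pattern described in the post.
    for old, new in [("starfish1", "starfish2"),
                     ("starfish2", "Starfish2!"),
                     ("starfish1", "correct-horse-battery")]:
        print(old, "->", new, check_password_change(old, new))
```

The comparison is done only at change time, on the values the user just typed; nothing here requires keeping a plaintext history of old passwords, which would itself be a liability.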

Why Encryption Is Superior to a Password Security System

A password security system for work-based computers certainly has its uses, but such passwords will be most effective against those with limited technological skills. To truly protect computer systems holding sensitive information like e-PHI, such systems should be encrypted. Access to these files is no longer limited to large computers in an office; they can now be accessed from various laptops and devices in a variety of settings. Encrypted systems can limit the number of electronic devices that can access them, as well as protect against both employee and patient identity theft.

If a system-accessible computer is lost or stolen, encryption means that this missing machine can’t have its files opened and read by unauthorized parties. Additionally, when clinic and hospital machines are turned in for upgrades, the older machines end up in other hands, as do stored files. Encryption guarantees that protected data doesn’t live on with refurbished machines.

Encryption and e-PHI

HIPAA requirements state that all electronically transmitted sensitive patient information must be encrypted. Violating this requirement means serious sanctions. These sanctions also apply to files being stored but not in active use, as well as to the machines and areas in which these files may be stored. Should a theft of data occur and an investigation reveal that encryption was not used, practices and clinics could face both lawsuits from patients and fines and sanctions from HHS. The resulting price tag in such a scenario could conceivably be millions of dollars – spending a few hundred dollars on encryption programs is a bargain in comparison.

However, be sure to use caution in selecting encryption programs to protect e-PHI. The provisions of the HIPAA Encryption Safe Harbor state that it’s not simply enough to encrypt files; the encryption system used must be in compliance as well. So practice or clinic IT departments should check with suppliers before purchasing to make sure that all office-use machines have hard drives that meet FIPS 140-2 and other NIST certifications. The cost of these drives starts around a hundred dollars – a small price to pay compared with the cost of e-PHI files ending up in the wrong hands.
