(2) Implementation specifications:
(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
Tell Me More:
The Encryption implementation specification requires covered entities to address implementing a mechanism to encrypt electronic protected health information (EPHI) whenever deemed appropriate. The process of encryption transforms plaintext into ciphertext and the process of decryption transforms ciphertext into plaintext.
Covered entities and business associates must seriously consider the use of encryption technology for transmitting electronic PHI over the Internet. As business practices and technologies change, there might be situations where electronic PHI being transmitted from a covered entity would be at significant risk of being accessed by unauthorized entities. Where risk analysis shows such risk to be significant, covered entities should seriously consider encrypting such transmissions. As a rule, any electronic PHI transmitted over an open network (such as the Internet) should be encrypted.
Almost incredibly, at the time of this writing, the use of encryption in the transmission process is an addressable implementation specification rather than a required one. Covered entities and business associates are encouraged, however, to consider the use of encryption technology for transmitting electronic protected health information, particularly over the Internet.
As business practices and technology change, there may arise situations where electronic protected health information being transmitted from a covered entity would be at significant risk of being accessed by unauthorized entities. Where risk analysis shows such risk to be significant, covered entities are expected to encrypt those transmissions, if appropriate, under the addressable implementation specification for encryption. It is understood that encryption may not be a feasible option for all covered entities, for example, in the case of small providers.
The manner in which electronic protected health information is received by a covered entity does not affect the requirement that security protection must subsequently be afforded to that information by the covered entity once that information is in possession of the covered entity.
The Security Rule is committed to the principle of technology neutrality because rapidly changing technology makes it impractical and inappropriate to name a specific technology. Therefore, it is deemed much more appropriate for the final rule to state a general standard for transmission security where necessary and to depend on covered entities to specify the technical details.
Industry best practices include implementing encryption controls based upon the sensitivity of the information and integrity controls based upon its criticality. Since these controls are often expensive in terms of cost and performance, they should be used judiciously; however, care must be taken that the “reasonable and appropriate” criteria are satisfied.
Questions to consider:
- Has your organization evaluated the need to encrypt some or all of its data in transit?
- Does the organization use or need to use electronic signatures? The electronic signature is currently the best way to verify that the data has not been altered.
- Does the organization need to use encryption? If you are sending ePHI electronically via e-mail or over the Web, you should consider using encryption.
- Are portable media devices used to create, receive, maintain or transmit ePHI?
- If your organization does use encryption, does it meet HHS/OCR guidance?
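The distinction drawn above between encryption (confidentiality, driven by sensitivity) and integrity controls or electronic signatures (detecting alteration, driven by criticality) is easiest to see in working code. The following Go program is an added example written for this page; it is not code from HHS, OCR, NIST or any cited publication. It uses only the Go standard library: AES-256-GCM, an authenticated encryption mode, protects an ePHI record in transit and rejects any record whose ciphertext or associated header data was changed, and an Ed25519 signature shows how an electronic signature lets the receiver verify that the data was not altered. The record contents, the sender/receiver identifiers and the message id are constructed sample values, and in a real deployment the session key would come from TLS or a key management service rather than being generated inline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealRecord encrypts one ePHI record with AES-256-GCM. GCM is an
// authenticated mode: the ciphertext carries a tag that binds the plaintext
// and the additional authenticated data (aad), so a change in transit is
// rejected by the receiver instead of being silently decrypted.
// key must be 32 bytes; a fresh random 12-byte nonce is produced per call.
func sealRecord(key, record, aad []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, record, aad), nil
}

// openRecord decrypts and verifies; it returns an error and no plaintext
// when the ciphertext, nonce or aad differ from what the sender sealed.
func openRecord(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := aead.Open(nil, nonce, ciphertext, aad)
	if err != nil {
		return nil, errors.New("record rejected: authentication tag mismatch")
	}
	return plaintext, nil
}

// signRecord produces an Ed25519 signature over the record: an electronic
// signature the receiver can check to confirm the data was not altered and
// was signed by the holder of the private key.
func signRecord(priv ed25519.PrivateKey, record []byte) []byte {
	return ed25519.Sign(priv, record)
}

// verifyRecord checks a signature against the sender's public key.
func verifyRecord(pub ed25519.PublicKey, record, sig []byte) bool {
	return ed25519.Verify(pub, record, sig)
}

func main() {
	// Constructed sample ePHI record; the values are hypothetical.
	record := []byte(`{"mrn":"EXAMPLE-0001","dx":"J45.20","note":"sample ePHI"}`)
	// Header sent in the clear but bound to the ciphertext; hypothetical ids.
	aad := []byte("sender=clinic-a;receiver=lab-b;msg-id=42")

	key := make([]byte, 32) // session key; in practice from TLS or a KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	nonce, ct, err := sealRecord(key, record, aad)
	if err != nil {
		panic(err)
	}
	if pt, err := openRecord(key, nonce, ct, aad); err == nil {
		fmt.Printf("intact record decrypts: %s\n", pt)
	}
	// One flipped bit in transit: GCM rejects the whole record.
	tampered := append([]byte(nil), ct...)
	tampered[0] ^= 0x01
	_, err = openRecord(key, nonce, tampered, aad)
	fmt.Println("tampered record:", err)

	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := signRecord(priv, record)
	fmt.Println("signature valid on original:", verifyRecord(pub, record, sig))
	altered := append([]byte(nil), record...)
	altered[len(altered)-3] = 'X'
	fmt.Println("signature valid after edit:  ", verifyRecord(pub, altered, sig))
}
```

Run it with `go run .`; the intact record decrypts, the tampered copy is rejected with a tag mismatch, and the signature verifies only over the unmodified bytes. The point for a risk analysis is that a plain stream or block cipher without authentication would have decrypted the tampered record to garbage without any error, which is why "integrity controls" appear beside encryption in the best-practice statement above rather than being assumed to come with it.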
References:
- NIST SP 800-12, chapters 16 and 19, An Introduction to Computer Security: The NIST Handbook
- NIST SP 800-42 Guideline on Network Security Testing
- NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
- NIST SP 800-63 Recommendation for Electronic Authentication
- FIPS 140-2 Security Requirements for Cryptographic Modules
- NIST SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
- NIST SP 800-52 Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations
- NIST SP 800-77 Guide to IPsec VPNs
- NIST SP 800-88 Guidelines for Media Sanitization
- NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices
- NIST SP 800-113 Guide to SSL VPNs