Covered entities and business associates subject to HIPAA Security Rule are closer to getting a benchmark for encryption standards with the release of the Standards and Guidelines Development Process in late March by the National Institute of Standards and Technology (NIST).
This is good news for the healthcare industry as it considers how it needs to encrypt sensitive health data. With more than 100 million individuals whose healthcare information was compromised as a result of a data breach last year, covered entities as well as business associates must take extra care to secure their healthcare data. California Attorney General Kamala Harris strongly recommended in a report released in February that healthcare organizations adopt stronger encryption practices as “health care was experiencing a much higher rate of breaches of stolen equipment containing unencrypted data than other sectors” and it is “lagging behind other sectors” in its use of encryption to protect sensitive data.
Encryption and HIPAA
Although not mandatory, the HIPAA Security Rule makes encryption an addressable implementation specification – in other words, entities must implement encryption if it is a “reasonable and appropriate safeguard” to protect electronic Protected Health Information or “e-PHI.” However, there is no one uniform standard of encryption. The US Department of Health and Human Services (HHS) has stated that the current NIST Guide to Storage Encryption Technologies for End User Devices for encrypting data at rest and the NIST Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations for encrypting data in motion have been judged to meet the definition of “encryption” as required by the HIPAA Security Rule. In February, the Office for Civil Rights of HHS published a HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework to map HIPAA Security Rule Standards and implementation specifications to applicable NIST Cybersecurity Framework Subcategories. This Crosswalk includes data security and serves as a tool to identify potential gaps in a security program whether initially developed under either the NIST Cybersecurity Framework or the HIPAA Privacy Rule.
Updating NIST’s Standards
Donna Dodson, the Chief Cybersecurity Advisor of NIST, recognized in 2013 the need to ensure that NIST’s cryptographic standards are further developed “according the highest standard of inclusiveness, transparency and security.” NIST commenced a formal review of its standard development efforts. NIST’s goal in this undertaking was to develop “strong and effective cryptographic standards and guidelines that are broadly accepted and trusted by our stakeholders.” The culmination of these efforts was the release of the final version of the NIST Cryptographic Standards and Guidelines Development Process (the Process) on March 31, 2016. The process by which NIST will establish encryption standards and guidelines will be based on nine principles: Transparency, Openness, Balance, Integrity, Technical Merit, Global Acceptability, Usability, Continuous Improvement and Innovation and Intellectual Property. Two points of note: the Global Acceptability principle was added by NIST in response to public comments that the Process needed to reflect the global and interconnected nature of the world, and the Innovation and Intellectual Property Principle is based on NIST’s strong preference for cryptographic solutions that are not proprietary or otherwise encumbered by intellectual property claims.
The bottom line is healthcare entities that handle sensitive health information should strongly consider adopting more robust encryption standards, regardless of whether mandatory under HIPAA, and monitor new developments, standards, and guidelines released by NIST relating to encryption so as to keep their encryption security up to date.