On Wednesday, August 19, 2009, the U.S. Department of Health and Human Services released new regulations implementing the "breach notification" provisions of the American Recovery and Reinvestment Act of 2009, which was passed in January.
The new regulations will go into effect 30 days after they are published in the Federal Register. As of today, August 21, they have not been published, but since HHS has made copies available, publication in the Federal Register can be expected imminently.
In short, the new rules require notification of affected individuals, as well as the Secretary of HHS, when it is discovered that unsecured protected health information (PHI) has been breached. A breach generally means the unauthorized acquisition, access, use, or disclosure of protected health information that compromises the security or privacy of that information. In some circumstances, media notification is also required.
The rules do provide some exemptions from breach notification, most notably through the use of encryption technology. In April, HHS issued guidance on the use of encryption technology, and that guidance has been revised and reissued as part of the new rules.
In this guidance, HHS makes it clear that the rule does not supersede the HIPAA Security Rule, nor does it require encryption of all protected health information. Quoting from the document:
"Many commenters expressed concern and confusion regarding the purpose of the guidance and its impact on a covered entity’s responsibilities under the HIPAA Security Rule (45 CFR part 164, subparts A and C). We emphasize that this guidance does nothing to modify a covered entity’s responsibilities with respect to the Security Rule nor does it impose any new requirements upon covered entities to encrypt all protected health information."
"To encrypt, or not to encrypt, that is the question." Every covered entity will need to assess its own risk and risk tolerance to determine whether or not to encrypt. DISCLAIMER: THE FOLLOWING IS A PERSONAL OPINION. IT IS NOT A RECOMMENDATION. If the PHI is on a device that can easily be removed from the security of my office, I want that data encrypted. I do not want to run the risk of a backup tape or laptop being lost or stolen and then have to go through the notification process.
Assuming that you want to encrypt some information, the question becomes "What and how?" The guidance references an NIST document, Guide to Storage Encryption Technologies for End User Devices (http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf).
For blanket protection of laptops, a full disk encryption solution is likely the simplest to deploy, and it protects the data of every application stored on the laptop rather than relying on each application to encrypt its own files.
There are many different full disk encryption products available, and within most of them you can choose the encryption algorithm used to encrypt the data. Because the guidance is not exactly clear on this point, I recommend that when selecting an encryption solution you select a FIPS 140-2 validated product. This is the level of encryption required for Federal government agencies, and by selecting one of these technologies there should not be any argument over whether the encryption used is adequate.
As you research full disk encryption options, you may want to check out these:
http://www.safenet-inc.com/products/data_at_rest_protection/Protectdrive.asp
http://mcafee.com/us/local_content/datasheets/ds_endpoint_encryption.pdf
http://www.sophos.com/products/enterprise/endpoint/security-and-control/8.0/
http://www.checkpoint.com/products/datasecurity/pc/index.html
http://www.pgp.com/products/wholediskencryption/index.html
Some of these vendors have evaluation versions available that you can try out for yourself.
Many popular backup programs offer FIPS 140-2 validated encryption for the backups they create. As you assess risk, you should consider your backup systems and their capability to encrypt.
Finally, data in motion, meaning data sent over remote connections, must also be considered. The guidance refers to several NIST publications for technical information: http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf, http://csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf, and http://csrc.nist.gov/publications/nistpubs/800-113/SP800-113.pdf provide guidance on the implementation of VPNs. For data in motion, the guidance is specific that the encryption process must comply with the listed publications or must be some other mechanism that is FIPS 140-2 validated.
The complete document from HHS is available at:
http://www.federalregister.gov/OFRUpload/OFRData/2009-20169_PI.pdf