Encryption — It’s more than just a cipher
In the third installment of our blog series on HIPAA compliance, we look deeper into the level of encryption security required by HIPAA. You can read the second installment about the OCR’s Phase 2 audit program and its implications for cloud services users here, and our first installment about the importance of risk management to ensure compliance here.
A couple of years ago, when we were interviewing clients about security features, we realized that awareness of encryption technology was very low. Many people didn’t really know what it was or how it worked. How the world has changed!
Encryption is making news
There has been a huge focus on the value and tradeoffs of using strong encryption. Just think about all the debate and media attention around Apple’s iPhone encryption and FBI requests for access to encrypted data.
Now we’ve seen the first (to my knowledge) accusations and charges by the FTC over misleading encryption claims by a software provider.
HIPAA compliance and “industry standard” encryption
Earlier this year, a dental software provider was fined for falsely advertising their level of encryption as “industry-standard” to protect patient data as required by HIPAA.
The FTC investigation alleged that the encryption was not, in fact, the “industry-standard” Advanced Encryption Standard (AES) recommended by the National Institute of Standards and Technology (NIST) for HIPAA. The vendor settled the case for $250,000.
Is your encryption “industry standard”?
This case illustrates that the government puts the onus on vendors to implement “strong” encryption using the industry standard. It also stresses that healthcare organizations buying encryption services need to look beyond simplistic marketing claims and verify that AES is actually being used.
Make sure your encryption is strong
Now that you know what to look for, make sure your encryption solution meets the strong standard that NIST recommends. Don’t fail your next HIPAA audit because your encryption isn’t good enough!
If you’re in the market for HIPAA compliant cloud IT services, you might consider Intermedia. We have put together a comprehensive package of IT services with powerful security and reliability baked right in. If you have any questions, feel free to call our experts at 800-379-7729.