Healthcare: Encrypting Data in Transit for Compliance Is Easy
According to a HIMSS survey report, fewer than half of non-acute providers encrypt patient information when moving it from one place to another, and about a third of acute-care providers are not encrypting data in transit either. From the report:
“This means that the providers that are not encrypting data are sending protected health information and other data in the clear, leaving such data susceptible to being breached by eavesdropping, packet sniffing, or other means. Additionally, the lack of encryption means that data may be tampered in transit—thus, there is little assurance that the sender’s data has fidelity with the receiver’s data. Tampering with such information may have an adverse effect on clinical operations, administrative operations, and/or patient care.”
Modern Healthcare News, reporting on the survey, published this quote: “People view encryption and security in general as a hindrance to their work,” said Lee Kim, director of privacy and security at HIMSS North America. “They have to swallow that vitamin. It’s yucky, but it’s good for you.”
Good news! Encryption does not have to be a hindrance to workflows. Automating encryption and integrating it into email and file-attachment processes is easy to do, and it doesn’t cost much either. Many healthcare providers already use desktop email encryption to share PHI securely with patients and other providers, in compliance with HIPAA. Subscriptions to cloud-based email encryption services work with any email provider and client, on any device (desktop or mobile).
Larger organizations can add a policy filter that scans every outbound email and attachment for PHI and, if any is found, automatically routes the message for encryption. Newer techniques build on widely deployed TLS encryption, which makes the process transparent for the recipient too: the message and files are delivered securely without portals, downloads or encryption keys to manage.
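As an added illustration (not code from the original post or any product it mentions), here is a minimal policy filter in Python: it walks a MIME message, scans the subject, body and every attachment for a few illustrative PHI indicators (assumed regexes for SSN, MRN and date of birth), and routes the message for encryption when anything is found or when an attachment cannot be read. The sample message and its CSV attachment are constructed inline.

```python
import re
from email.message import EmailMessage

# Indicator patterns are assumed for illustration; a production policy filter
# would use a much broader dictionary plus document fingerprinting.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*:?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}

def scan_text(text):
    """Return the set of PHI indicator names found in a piece of text."""
    return {name for name, rx in PHI_PATTERNS.items() if rx.search(text)}

def inspect_message(msg):
    """Scan subject, body and attachments; return the routing decision."""
    findings = {}
    if scan_text(msg.get("Subject", "")):
        findings["subject"] = sorted(scan_text(msg["Subject"]))
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        label = part.get_filename() or part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        # Binary formats (PDF, DOCX) need real text extraction. This filter only
        # reads parts that decode as UTF-8 and errs toward encrypting the rest.
        try:
            hits = scan_text(payload.decode("utf-8"))
        except UnicodeDecodeError:
            hits = {"unreadable-attachment"}
        if hits:
            findings[label] = sorted(hits)
    return {"route": "encrypt" if findings else "deliver", "findings": findings}

def build_sample_message(include_phi=True):
    """Constructed sample: a referral note carrying a CSV visit summary."""
    msg = EmailMessage()
    msg["From"] = "clinic@example.org"      # placeholder addresses
    msg["To"] = "specialist@example.net"
    msg["Subject"] = "Referral for next week"
    msg.set_content("Hi, please see the attached visit summary.\n")
    rows = "patient,mrn,visit\nJ. Doe,MRN: 00412345,2024-01-05\n"
    if not include_phi:
        rows = "item,count\ngauze,12\n"
    msg.add_attachment(rows, subtype="csv", filename="summary.csv")
    return msg
```

In a mail gateway the `route` value would select the encrypting delivery path; the `findings` map is what you would log for audit.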
Almost all EHR systems now support Direct Messaging, which can be used to exchange medical records and structured C-CDA documents with other EHR systems at other providers and healthcare facilities. Direct Messaging is similar to email encryption, but it is a specialized service designed for clinical applications and requires a separate Direct Messaging address and a service provider (a HISP). Direct is often integrated into the EHR as a messaging and file-exchange feature, but it can also be used as a standalone messaging service, much like web-based email.
All of this lets providers encrypt data in transit easily and, in so doing, achieve HIPAA compliance for their data exchanges with other clinicians and even with patients.