Spotlight on Protecting Stored DataTiger Team Calls for New EHR Incentive Requirement
The tiger team decided to call attention to the value of encrypting stored data in light of recent breach incidents involving the loss or theft of unencrypted computer devices and storage media. "Encryption isn't happening at a sufficient enough rate," Deven McGraw, co-chair of the group, said at its Wednesday meeting. McGraw is director of the health privacy project at the Center for Democracy & Technology.
Encryption of data at rest as well as data in motion is an "addressable" requirement under the HIPAA security rule, not an explicit mandate. That means that if an organization determines that encryption is not "reasonable and appropriate," it can choose to document another method of protection.
The tiger team, which advises federal regulators, wants to "shine a spotlight" on the importance of encrypting stored data, reinforcing the existing HIPAA rule, McGraw said.
At the recent Healthcare Information and Management Systems Society Conference, Adam Greene, senior health information technology and privacy specialist at the Department of Health and Human Services' Office for Civil Rights, noted that software certified for the EHR incentive program must include encryption capabilities (See: HIPAA Audits Still in Development). As a result, he stressed, "For electronic health records, it is generally reasonable and appropriate to encrypt." OCR enforces the HIPAA privacy and security rules.
Preventing BreachesThe EHR incentive program's requirements can help prevent breaches by highlighting the need to protect stored data, team members said Wednesday.
"The breach headline news is bad for all of us; it reduces public confidence," said software entrepreneur Paul Egerman, the other co-chair. By spelling out in the EHR incentive program's meaningful use requirements that hospitals and physicians need to attest to how they protect data at rest, "we can shine a spotlight on that to help mitigate the problem," he said.
"I'm very strongly for including this as a Stage 2 criteria because it addresses a very well-documented problem that we have with disclosures through lost or stolen media," said Dixie Baker, a team member who is senior vice president and chief technology officer for health and life sciences at SAIC.
McGraw, however, stressed that the proposed requirement for Stage 2 merely reinforces the existing HIPAA requirement, and does not explicitly mandate encryption. Similarly, a Stage 1 criteria, which the team wants continued in Stage 2, reiterates the need to comply with the HIPAA requirement to conduct a risk assessment and take action to mitigate any risks identified.
Privacy, Security RecommendationsOn April 13, the tiger team will present a series of recommendations to the Health IT Policy Committee for approval. HHS will eventually determine whether to include those recommendations in the EHR incentive program Stage 2 criteria or other federal rules.
For example, the tiger team has drafted recommendations that:
- Spell out security and privacy guidelines for patient portals used to access electronic health records. (Federal authorities are considering requiring portals for Stage 2 of the incentive program.) These guidelines address authenticating patients' identities; using audit trails to track portal use; identifying the sources of all data accessible in the portal; and providing a way for a user to securely download their health information to a third party, such as a personal health record provider.
- Require the use of at least two-factor authentication for those using the Nationwide Health Information Network standards to exchange information.
- Require healthcare organizations to use digital certificates when exchanging information.
- Call for creating standard formats for data fields that are used for matching patients to the right records.