[ Monday, February 12, 2007 ]
Fallout from Johns Hopkins:
As you know, Johns Hopkins lost some backup tapes with patient and employee data. This has apparently led
to calls from privacy advocates to encrypt data.
This matches what I've been saying for a while. I've never been the fan of encryption that lots of my geekier HIPAAcrat brethren are, mainly because their focus has always been on how unsafe the internet is as a network, and how important it is to encrypt data in transit if you're sending it over the internet. I've always thought that encrypting data in transit is generally a silly concern for people who don't regularly encrypt data in storage. It is possible, but incredibly unlikely, that someone could catch an email in transit and use the unencrypted data. But it's much more likely that someone would obtain the data while it's "at rest" on a computer hard drive or server. A typical scenario would be a document residing on a hospital's server somewhere that contains PHI; the hospital encrypts the data, emails it via the internet to the patient's physician, who decrypts it and reads it, where it sits decrypted in his Outlook inbox. That data is much more likely to be improperly accessed while on the hospital's server or on the physician's computer than it is while being transmitted over the internet. It's like leaving your car unlocked while in the driveway or parked at work, but locking it while you're flying down the interstate.
Encryption of data "at rest" is where the focus should be.
Jeff [9:48 AM]
Blogger: HIPAA Blog - Edit your Template