HIPAA Blog

[ Monday, February 12, 2007 ]

 

Fallout from Johns Hopkins: As you know, Johns Hopkins lost some backup tapes with patient and employee data. This has apparently led to calls from privacy advocates to encrypt data.

This matches what I've been saying for a while. I've never been the fan of encryption that lots of my geekier HIPAAcrat brethren are, mainly because their focus has always been on how unsafe the internet is as a network, and how important it is to encrypt data in transit if you're sending it over the internet. I've always thought that encrypting data in transit is generally a silly concern for people who don't regularly encrypt data in storage. It is possible, but incredibly unlikely, that someone could catch an email in transit and use the unencrypted data. But it's much more likely that someone would obtain the data while it's "at rest" on a computer hard drive or server. A typical scenario would be a document residing on a hospital's server somewhere that contains PHI; the hospital encrypts the data, emails it via the internet to the patient's physician, who decrypts it and reads it, where it sits decrypted in his Outlook inbox. That data is much more likely to be improperly accessed while on the hospital's server or on the physician's computer than it is while being transmitted over the internet. It's like leaving your car unlocked while in the driveway or parked at work, but locking it while you're flying down the interstate.

Encryption of data "at rest" is where the focus should be.

Jeff [9:48 AM]

Comments:
Critical data, that is data that has been determined as business critical, should be encrypted in transit and in storage. The hard part is not the encryption but the identification of the critical data. This is a challenge in larger organizations.
 
Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template