Health Information Compliance Alert

Encryption:

Encryption doesn't have to cost an armful

Solutions that work for the little guy


Even the smallest covered entities can obtain safe and secure encryption systems. Here are a few tips for making your systems safe and secure from Fred Langston, CISSP, senior principal consultant at Guardent in Seattle and one of Eli's IT security experts.
 
Look to a virtual private network for remote connections to the office from home or satellite offices, using technology native to your office's main operating system. "If Microsoft platforms are the standard, choose the MS L2TP/IPSec server that can be installed on a server at the office with no new client required on Windows 2000 or newer desktops," advises Langston.
 
Langston says you can also pick an easy-to-configure VPN/FW appliance that guarantees interoperation with the MS L2TP/IPSec or IPSec solutions. "If it's open source or Unix, S/WAN is a great open source alternative VPN. You can also use OpenSSL to connect two remote offices as long as both sides of the connection require a certificate. Don't rely on only one side requiring a certificate for interoffice SSL-based connections. OpenSSL is the open source version," he says.

For data at rest, you can implement encryption at many levels: in applications, databases, or file systems. Both Windows and Unix/Linux OSs offer some level of native file system encryption: EFS (Encrypting File System) for Windows 2000 or above and CFS (Cryptographic File System) for Unix. Take a look at PGP Corp's shareware version, says Langston.


"Full-blown public key infrastructure," an authentication system favored by some covered entities, "would be overkill for small offices or companies with fewer than about 300 people," says Langston, adding that some say PKI would be too much for companies with fewer than 1,000 employees. "They're very expensive and hard to manage, though there are some solid benefits if [public key infrastructure] will be the foundation of more than just encryption," he notes.
 
As for PKI's benefits, Langston says it provides economies of scale such as automated distribution of certificates through registration authorities (RAs), centralized administration of certificates and certificate revocation lists (CRLs), and integration of certificates into all aspects of enterprise operations, including authentication, PKI-enabled applications, desktop/server encryption, browser certificates, and VPN certificates. "Anything that can be certificate-enabled can come under this enterprise management system. Any application developed in-house can be certificate-enabled with proper coding. Another benefit is that certificates can be portable using smart cards or USB tokens; though, if you use tokens, they must be specialized USB tokens that have protected storage," he offers. Problems with PKI include its high initial cost and very high management overhead, says Langston.
 
In Short: When obtaining encryption solutions for any organization, the key is to: 1) determine the requirements for your overall encryption strategy; 2) make sure you've made every effort to incorporate efficiencies; and 3) eliminate multiple solutions wherever possible. "Make sure you understand the requirements for properly managing your encryption/public key infrastructure required to manage the encryption solutions," he cautions.
 
Additionally, Langston says you must have a method to obtain emergency access to PHI in case the need arises, so more than one person should be able to decrypt PHI at a moment's notice. Also, never allow data to be encrypted in such a way that one or more administrators cannot decrypt it, should the normal data owner quit or otherwise be unable to decrypt the data.
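The emergency-access requirement above, as an added example that is not from the article or from Guardent: envelope encryption in Python, where one random data key protects the record and a wrapped copy of that key is stored for every custodian, so the data owner and a designated emergency administrator can each decrypt independently, while a record wrapped for the owner alone shows the failure mode Langston warns against. The cipher is an HMAC-SHA256 counter-mode construction chosen only so the example runs with the standard library; a production system would use a vetted AEAD such as AES-GCM, and the passphrase-derived custodian keys and iteration count are illustrative assumptions.

```python
import hashlib
import hmac
import os

def _subkeys(key):
    # Separate encryption and MAC keys derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF keystream: a stdlib-only stand-in
    # for AES-CTR so the example runs offline (assumption, not a recommendation).
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def _kek(passphrase, salt):
    # Key-encryption key from a custodian's passphrase (iteration count is illustrative).
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def encrypt_record(plaintext, custodians):
    """custodians: {name: passphrase}. One random data key encrypts the record;
    a wrapped copy of that key is stored for every custodian listed."""
    dek = os.urandom(32)
    wrapped = {}
    for name, passphrase in custodians.items():
        salt = os.urandom(16)
        wrapped[name] = salt + seal(_kek(passphrase, salt), dek)
    return {"ciphertext": seal(dek, plaintext), "wrapped_keys": wrapped}

def decrypt_record(record, name, passphrase):
    """Any listed custodian recovers the data key, then the record."""
    if name not in record["wrapped_keys"]:
        raise KeyError(f"no wrapped data key for {name}: emergency access impossible")
    entry = record["wrapped_keys"][name]
    dek = unseal(_kek(passphrase, entry[:16]), entry[16:])
    return unseal(dek, record["ciphertext"])
```

Wrapping the data key for a second custodian costs one extra wrapped-key entry per record, not a second copy of the ciphertext, which is what makes designating an emergency administrator cheap.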
 
"Even without large capital expenditures for technology, there is a significant amount of encryption solution design and management that must be done to operate it effectively and securely."
 
Tip: Your best option is to have someone who is both tech-savvy and HIPAA security rule-savvy design and maintain your solutions.
