MU2: Encryption of Data at Rest - What it means
By: Susan Gnann, Consultant, Elevation Healthcare, LLC
The Department of Health and Human Services (HHS) continues to report that a large percentage of data breaches involve the loss or theft of mobile devices. If the data on these devices had been encrypted, the patient data would have been secure, no breach notification would even have been required and the patients would have been protected from theft or fraud. CMS has responded with a greater emphasis on encryption of data at rest for eligible providers seeking Meaningful Use Stage Two attestation.
So, what does this mean for you?
It is not enough just to conduct a security risk analysis to meet MU. The Stage 2 Core Measure for Security Risk Analysis states:
Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.
As noted in the final rule, “due to the number of breaches reported to HHS involving lost or stolen devices, the HIT Policy Committee recommended specifically highlighting the importance of an entity’s reviewing its encryption practices as part of its risk analysis. It is for these reasons that we specifically call out this element of the requirements under [HIPAA] for the meaningful use measure.”
The final rule confirms that its requirements do not create additional burdens beyond existing HIPAA requirements: “We did not propose to change the HIPAA Security Rule requirements, or require any more than is required under HIPAA. We only emphasize the importance of an EP or hospital including in its security risk analysis an assessment of the reasonableness and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure.”
This means that practices must either implement encryption or adopt a 'reasonable and appropriate' alternative to meet the regulatory requirement. It is not optional. To comply, practices need to evaluate each location where electronic protected health information (ePHI) is stored, and every mechanism by which it is transmitted, to decide whether encryption is necessary or whether compensating controls will suffice.
There are obvious storage locations to consider like servers, but this evaluation extends to other, less obvious storage locations, such as:
- Desktops holding reports that users create and save to their local drive, or that are “previewed” into the temp folder and not deleted regularly
- Mobile devices like laptops, mobile phones and tablets
- Backup devices such as tapes, removable flash drives, removable external hard drives and cloud backup services
- Office equipment like fax machines and copiers
- Biomedical devices like ultrasound machines and infusion pumps
Practices need to engage their IT Services Provider and other equipment vendors to understand the movement and storage of ePHI within their network. The good news is that there are many solutions available to keep practices compliant and their patients’ data safe.
For additional information on this and the other security requirements of Meaningful Use Stage Two, go to the CMS website for the detailed specification sheets.
Susan Gnann is a consultant with Elevation Healthcare, LLC specializing in Meaningful Use consulting services including EHR selection and replacement and recurring Meaningful Use support services. Elevation provides consulting, education, training and professional development services to practices and their physician, clinical and administrative staffs in Ohio, Kentucky and Michigan.