Tony's ramblings on Open Source Software, Life and Photography

HHS Final Guidance for PHI Security

I've been poring over the HHS finalized guidance on acceptable conditions for data encryption of PHI. One interesting section reads:

Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.

Data at rest means the data stored on a hospital server or in a datacenter. Under one interpretation, given the wide range of technologies and systems out there, this will eliminate, in my opinion, about 95% of the products out there as valid players. Under another interpretation, it provides no additional security at all.

For instance:

Based on the wording I've seen so far, I could use whole-disk encryption to state that health information on my server at rest is stored in an encrypted form and is compliant. However, this only protects the information if the machine is physically stolen - as long as the server is running, an external hacker could get access to everything, because the operating system will be decrypting data on the fly.

But placing that server in a physically secured location already provides 100% better security for the storage of patient records with regard to physical theft. Hard-drive encryption really provides no additional security.

Having decryption keys that remotely decrypt the stored data after downloading it may seem like the logical thing to do, but in some cases, like ours, that would literally place hundreds of decryption keys spread out among 30+ US states. The chances of one of those keys falling into the wrong hands, be they hardware or software keys, are very high.
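To make the last two paragraphs concrete, here is an added Python model (not from the original post) of what each storage design exposes: whole-disk encryption, which is transparent to any process on the running server, versus record-level encryption whose key is held by the client and so has to be distributed. The cipher is an HMAC-SHA256 counter-mode stand-in so the model runs with the standard library only; the class names, record name and PHI value are constructed for the example.

```python
import hashlib
import hmac
import os

def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter-mode keystream: a stdlib stand-in for AES-CTR, not a production cipher."""
    out = bytearray()
    for ctr, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:       # 12-byte random nonce || ciphertext
    return (nonce := os.urandom(12)) + ctr_xor(key, nonce, plaintext)
def open_(key: bytes, blob: bytes) -> bytes:
    return ctr_xor(key, blob[:12], blob[12:])

class FdeVolume:
    """Whole-disk encryption: the volume key is in memory while mounted, so every
    file read by any process on the running server is transparently decrypted."""
    def __init__(self) -> None:
        self.volume_key, self.disk, self.mounted = os.urandom(32), {}, True
    def write(self, name: str, plaintext: bytes) -> None:
        self.disk[name] = seal(self.volume_key, plaintext)
    def read(self, name: str) -> bytes:                 # unmounted = disk pulled from a powered-off box
        return open_(self.volume_key, self.disk[name]) if self.mounted else self.disk[name]

class AppLayerStore:
    """Record-level encryption with the key held by the client, never by the server;
    the price is one key per client to distribute and protect (the author's concern)."""
    def __init__(self) -> None:
        self.disk = {}
    def write(self, name: str, plaintext: bytes, record_key: bytes) -> None:
        self.disk[name] = seal(record_key, plaintext)
    def read(self, name: str) -> bytes:                 # server-side read: no key here
        return self.disk[name]
    def read_as_client(self, name: str, record_key: bytes) -> bytes:
        return open_(record_key, self.disk[name])

def exposure(phi: bytes = b"MRN 000-CONSTRUCTED dx: sample") -> dict:
    """Does an OS-level read on the running server, or the stolen disk, yield the PHI?"""
    fde, app, client_key = FdeVolume(), AppLayerStore(), os.urandom(32)
    fde.write("chart", phi)
    app.write("chart", phi, client_key)
    result = {"fde_running_server_read": fde.read("chart") == phi,
              "app_running_server_read": app.read("chart") == phi,
              "app_client_with_key": app.read_as_client("chart", client_key) == phi}
    fde.mounted = False                                 # hardware stolen, key gone from memory
    result["fde_stolen_disk"] = fde.read("chart") == phi
    return result
```

Only the stolen-disk case is closed by whole-disk encryption; the record-level design closes the running-server read as well, at the cost of the per-client keys the post describes.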

Encrypting transportation of data is much easier - VPNs, HTTPS (SSL), etc. easily protect the data stream as it goes from the server to the client. User logins with passwords that are encrypted on the server side are standard. No amount of storage encryption helps if a login, password or client decryption key is compromised, so perhaps I'm missing something, but I'm unclear on what the real goal is with the storage encryption mentioned.

The last interpretation of this revolves around "data at rest" covering backup data, and not data that is live and currently being used. Encrypting backup data is a definite must for any organization in my opinion.

This is why lawyers shouldn't write technical specifications...
