Protecting Personal Health Records - Data at Rest Encryption
1. Protecting Personal Health Records – Data at Rest Encryption Privacy and Security of Personal Health Information Protecting Data at Rest
2. Health Information Security Adoption and implementation of emerging health IT solutions must involve reassessment of security practices and policies Healthcare providers are expected to prevent the unauthorized access, use and disclosure of a patient’s protected electronic health information Developing a comprehensive strategy for ensuring the confidentiality, integrity and availability of electronic patient data will be required
3. Health Information Security Assessing the health IT environment requires an understanding of all technologies being used throughout the enterprise for clinical, and administrative purposes Evaluate any possible situation for unauthorized access and use. Today, many individuals and groups have access to, and can share electronic medical records and confidential patient information, including: Government and public health agencies Insurance companies Hospital and Physician office personnel IT vendors and their business associates Part of the healthcare providers comprehensive security strategy will include a professional grade encryption solution
4. Encryption Is a process that transforms plaintext data (using a certified algorithm like AES – Advanced Encryption Standard) into a format that makes it unreadable without an authorization key The authorization key is a type of password and is required to encrypt and also decrypt the data Key Management is the process of monitoring the algorithms and the employees keys, and is managed by a key custodian Changing keys regularly is referred to as Key Rotation, and is necessary in order to maintain optimum security levels
5. Encryption The key management and key rotation processes are the most critical aspects of data encryption Most conventional solutions are time consuming and can be difficult, especially with limited IT staffing and support A simple yet sophisticated technology is necessary in order to manage a continuous cycle of key creation, splitting, initialization, rotation and deletion
6. Encryption Encryption is part of a comprehensive prevention strategy when used in conjunction with other technologies, and can be a first and last line of defense against: Accidental loss or disclosure of confidential data by employees, business associates and consultants Internal access by employees (malicious) Lost or misplaced laptops Theft Office break-in External breach / Hacker (malicious)
7. Types of Encryption Solutions Software Solutions Limited security capability with inside employees Sold as individual licenses – can be very expensive Will decrease database performance Difficult and complex key management and rotation Typically requires a dedicated IT staff to manage and support May not support certain operating systems (Linux, Mac OS X)
8. Types of encryption solutions Hardware or Appliance-based Lower Total Cost of Ownership – No licensing fees Can be installed at web, application or database server Does not effect system speed or performance Minimal integration and IT expertise needed Non-proprietary, can be used with any operating system Scalable to large organizations without additional licensing costs Offloads encryption processing from servers
9. Appliance-based Encryption Resides on the network and use a hardware device to encrypt and decrypt at high speeds Offloads cryptographic processing from database for improving system performance Scalable to handle any quantity of data Not operating system (OS) dependent. Typically compatible to most IT environments and networks Integrates easily with EMR, Practice Management, Imaging and Clinical information systems Ideal for hosted solutions
10. JANA Series Technology Award-winning encryption technology Complies with state and federal security and privacy rules Powerful, yet simple key management and key rotation features Works in any operating environment Can be used simultaneously by multiple (different) business applications Scalable to any size healthcare provider, from a physician office to the large, geographically dispersed Integrated Delivery Network (IDN) Manufactured in USA by Dark Matter Labs
11. JANA Series Technology Appliance-based solution offering superior performance and security Easy upgrading and updating when required State-of-the-art software delivered on a revolutionary hardware platform Offers strict control over encryption keys Increases network performance Can be interfaced with web servers, application servers (recommended), database servers, or customized servers
12. JANA Series Technology JANA appliances are award winning encryption solutions that completely offload intense cryptographic processing from overworked servers 3 Devices designed for small to enterprise-wide applications Employs government certified algorithms Completely independent of database, operating system, and application Units differentiate based on processing power, speed, number of Ethernet ports and high availability capability
14. Dark Matter Labs Offers an advanced level of security through an appliance-based solution Highest level customer support with an industry-first perpetual hardware replacement warranty Offers comprehensive technical support and encryption training No hidden costs, licenses or vendor lock-in when purchasing appliance-based technology Simple to install and use
15. Who should encrypt? All healthcare providers who access and store protected health information. Hospitals, physician offices, pharmacies, clinics, labs, psychiatry offices, imaging centers and dentists Healthcare management organizations, i.e. HMO’s Health Insurance companies Commercial vendors i.e. EMR software, Hospital Information Systems, Billing and Transcription, Hosting services, Imaging Equipment
16. Why encrypt? Protect data even in the event of a security breach Safeguard patient information HIPAA compliance, and TO AVOID Financial loss (large fines, lost patients & revenue) Legal ramifications (regulatory or civil prosecution) Damage to professional image (negative publicity & media fallout)