Healthcare providers are held to some of the strictest data security standards of all, with both regulators and patients expecting flawless protection. As industry activities expand to include a wider variety of endpoints and collaborators, data encryption software continues to be an investment which returns its principal many times over.
In a recent interview with Health IT Security, Drayer Physical Therapy Institute chief security officer Vic Wadhawan discussed the careful balancing act required to protect patient records across his 105-clinic network. Encryption enters the equation from the very start, with all Drayer employees tied into an email client secured with HTTPS. This initial layer of security is particularly important considering how difficult it is to assess the defensive capabilities of each and every service provider the organization comes into contact with.
"If their controls are weak, we don't want to be punished for it," Wadhawan told the news source. "The organization came to me and said they wanted the information encrypted, from our side at least."
The protections extend all the way back to the data center as well, according to Health IT Security, with all spinning disks covered by data encryption software. As a result, administrators can feel confident that their baseline protections keep them in line with Health Insurance Portability and Accountability Act (HIPAA) compliance mandates and offer a strong base from which to innovate.
Addressing the human factor
While data encryption software certainly has an important role to play in the security equation, the efficacy of technology is determined by how it is applied across operations. As data management responsibilities diffuse across all levels of the organization, end user training and continuous education will be key. But according to Wadhawan, IT teams should anticipate and prepare for at least a certain amount of employee pushback.
"Any project I do, I know I'm going to get some resistance and have to accept it and tackle it," the Drayer CSO explained. "If it was their personal banking and was going to affect them directly, they'll adopt it in a second and ask why we don't have anything better."
At the other end of the spectrum, healthcare providers will have to work in close alignment with the security counterparts representing their business partners. According to Ars Technica, this is particularly important when drawing up plans for encryption key management. While a variety of contractors and third-party service providers will require the means to decrypt certain sets of ciphertext, original data owners will want to know those keys are being kept private and that they are only being used to unlock data authorized for viewing.