October 25, 2017 by Ramona Carr

HIPAA Data at Rest Encryption Requirements


From patient records to MRIs and other medical images, the sheer amount of data generated by healthcare organizations is expanding year after year. However, this information isn’t just a valuable source of medical insights. It’s also a tempting target for data thieves and other cyber criminals seeking to steal, exploit, and monetize information.

HIPAA (the Health Insurance Portability and Accountability Act) includes requirements intended to safeguard the privacy of patients’ sensitive data. If your organization handles PHI (protected health information), you need to ensure you adhere to many security standards. This includes taking measures to control the access and use of that information.

With many rules and regulations in place, it is difficult to understand what HIPAA requires with a given type of data. For example, what are the HIPAA requirements for encrypting your data at rest? This blog post examines exactly what standards HIPAA defines for this problem. It also details how health organizations should work to protect their data at rest.

What Is Data at Rest?

“Data at rest,” as the name suggests, refers to information that lies inactive in your data warehouse. Any data not in motion is considered data at rest.

Consider the following example. If you’re not accessing them right now, files on your laptop’s hard drive are data at rest because they aren’t in use at the moment. Information considered “at rest” can constantly change throughout the day as people access and transfer files and data.

In general, there are three types of data classified by the data’s “motion.” Each one poses its own challenge for IT security:

  • Data at rest: Fortunately, data at rest is usually protected by outer defenses such as firewalls and monitoring software. To protect data at rest, you can encrypt the entire drive or simply individual files on the drive. As long as encryption remains in place and the decryption key remains out of malicious actors’ hands, you can be confident that your files are secure.
  • Data in motion: This term refers to data being transferred between locations. For instance, sending an email via the Internet or other network is data in motion. Data is usually most vulnerable when in motion. This is because many tools can be used to intercept it.
  • Data in use: As you might expect, data in use is data currently accessed by at least one user. This makes it harder to protect than data at rest. To best protect data in use, you should tightly control access to the information and implement some form of user authentication.

How Does Data at Rest Impact Healthcare?

At any given point in time, a significant portion of data in the healthcare industry is at rest. Healthcare data at rest may include inactive data from patients, employees, Internet of Things devices, and inventories stored in any digital form. Making accurate diagnoses often depends on access to a patient’s medical history. Preserving this data at rest is crucial to providing the highest quality of healthcare possible.

Like many other sectors, the healthcare industry is a highly attractive and vulnerable target for data breaches. In 2016, there were 328 recorded data breaches of healthcare organizations, reaching an all-time high and exposing the records of more than 16 million Americans. Criminals use the information that they obtain from these attacks to commit medical insurance fraud. They might also sell data to the highest bidder.

These data breaches are often executed on legacy IT systems with easily exploitable security holes. To prevent this fate for your own patients, you must take steps to improve your data at rest security.

Are There HIPAA Data at Rest Encryption Requirements?

HIPAA requires that healthcare organizations use data encryption technology to protect sensitive patient information. However, the law does not specify which types of encryption to use in order to accomplish this task.

Since HIPAA requires that you take steps to secure patients’ privacy—in particular PHI—organizations that experience a data breach run the risk of significant penalties under HIPAA. The most obvious and straightforward way to protect against unauthorized access of PHI is encryption for data at rest.

Unfortunately, encryption of data at rest isn’t a common feature among cloud providers. According to a recent study by Skyhigh Networks, although 81.8 percent of cloud providers encrypt data that’s in transit, only 9.4 percent of them encrypt data at rest on their servers. This means that you might have to look elsewhere for ways to provide encryption for your healthcare data at rest.

Final Thoughts

HIPAA’s data at rest encryption requirements may not be explicit, but encrypting data at rest is an absolute must in order to assure your compliance with HIPAA regulations. Don’t place PHI and other sensitive data in jeopardy any longer. Get a demo of Zettaset’s proven data encryption solution today.