From patient records to MRIs and other medical images, the sheer amount of data generated by healthcare organizations is expanding year after year. However, this information isn’t just a valuable source of medical insights. It’s also a tempting target for data thieves and other cyber criminals seeking to steal, exploit, and monetize information.
HIPAA (the Health Insurance Portability and Accountability Act) includes requirements intended to safeguard the privacy of patients’ sensitive data. If your organization handles PHI (protected health information), you need to ensure you adhere to many security standards. This includes taking measures to control the access and use of that information.
With many rules and regulations in place, it is difficult to understand what HIPAA requires for a given type of data. For example, what are the HIPAA requirements for encrypting your data at rest? This blog post examines exactly what standards HIPAA defines for this problem. It also details how health organizations should work to protect their data at rest.
“Data at rest,” as the name suggests, refers to information that lies inactive in your data warehouse. Any data not in motion is considered data at rest.
Consider the following example. If you’re not accessing them right now, files on your laptop’s hard drive are data at rest because they aren’t in use at the moment. Information considered “at rest” can constantly change throughout the day as people access and transfer files and data.
In general, there are three types of data classified by the data’s “motion.” Each one poses its own challenge for IT security:
At any given point in time, a significant portion of data in the healthcare industry is at rest. Healthcare data at rest may include inactive data from patients, employees, Internet of Things devices, and inventories, stored in any digital form. Making accurate diagnoses often depends on access to a patient’s medical history. Preserving this data at rest is crucial to providing the highest quality of healthcare possible.
Like many other sectors, the healthcare industry is a highly attractive and vulnerable target for data breaches. In 2016, there were 328 recorded data breaches of healthcare organizations, reaching an all-time high and exposing the records of more than 16 million Americans. Criminals use the information that they obtain from these attacks to commit medical insurance fraud. They might also sell data to the highest bidder.
These data breaches are often executed on legacy IT systems with easily exploitable security holes. To prevent this fate for your own patients, you must take steps to improve your data at rest security.
HIPAA requires that healthcare organizations use data encryption technology to protect sensitive patient information. However, the law does not specify which types of encryption to use in order to accomplish this task.
Since HIPAA requires that you take steps to secure patients’ privacy—in particular PHI—organizations that experience a data breach run the risk of significant penalties under HIPAA. The most obvious and straightforward way to protect against unauthorized access of PHI is encryption for data at rest.
Unfortunately, encryption isn’t a common feature for data at rest among cloud providers. According to a recent study by Skyhigh Networks, although 81.8 percent of cloud providers encrypt data that’s in transit, only 9.4 percent of them encrypt data at rest on their servers. This means that you might have to look elsewhere for ways to provide encryption for your healthcare data at rest.
HIPAA data at rest encryption requirements may not be explicit, but it’s an absolute must in order to assure your compliance with HIPAA regulations. Don’t place PHI and other sensitive data in jeopardy any longer. Get a demo of Zettaset’s proven data encryption solution today.