
ABCs and 123s of encryption

Here’s what practitioners need to consider about data encryption and why it’s important.

Cite this
American Psychological Association. (2020, December 1). ABCs and 123s of encryption.


Dr. Smith left his laptop containing 400 client files on a table in his local café for only a few minutes while he purchased a beverage. When he returned to his table, the laptop had been stolen.

What happens next? If the information stored on his laptop was not properly encrypted, he will have to give “breach notifications” to all 400 patients and the U.S. Department of Health and Human Services (HHS). However, if the laptop was encrypted, he does not have to worry about breach notification and can focus on finding his backed-up files and getting a new laptop.

In today’s high-tech environment, there may be many threats to the confidentiality of personal information stored on computers, smart phones, flash drives, and tablets. Many of these threats, such as accidentally sending a file to the wrong person, are unintentional. However, there are also intentional threats, such as actual theft of electronic devices or fraud, including identity theft.

The use of technology in health care is becoming commonplace with the advent of electronic health records and the increasing utilization of laptops, smart phones, and tablets. Advances in technology allow providers, including psychologists, to better serve the needs of clients in different settings. Technology also enables psychologists to collaborate more effectively with primary care providers and other health professionals.

For those psychologists who are using technology or thinking about incorporating technology into their practice, it is important to have a basic understanding of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule as well as encryption.

What is encryption and why is it beneficial?

Encryption is the conversion of data into a systematically scrambled format that is very difficult for unauthorized persons to decode. For example, an unauthorized person may see symbols or numbers rather than letters.

It is possible to encrypt plain text as well as digital media such as scanned documents, photos, and videos. Encryption also can protect you from threats such as computer viruses and other malware that can “steal” your client’s protected health information (PHI) as well as your own personal data, although there are limitations to this protection. Encryption protects data until it is decrypted, or unscrambled, using the correct password.

For health care professionals, encryption is beneficial for protecting against unintended or unauthorized access to confidential patient information. Encryption makes it difficult for an unauthorized user to make sense of the encrypted material, thereby enhancing patient privacy.

How does encryption work?

Encryption uses a mathematical algorithm together with a key to scramble the data. The Advanced Encryption Standard (AES) is the algorithm that the federal government has adopted. It comes in three key lengths: 128, 192, or 256 bits. These key lengths are considered strong and suitable for encryption.

When looking at encryption products for your system, most vendors will list the level or strength of the algorithm used in AES terms. The largest-bit encryption is the most secure and is sometimes not significantly more expensive than smaller-bit encryption.

To access the information that has been encrypted, users must authenticate who they are to ensure that they have appropriate access. Different types of authentication methods include passwords and personal identification numbers (PIN). It is important to establish a strong password, change it regularly and make sure not to lose it.

Strong passwords combine capital and lowercase letters, numbers, and symbols (such as *%&). A password should not be a single word found in the dictionary, but rather a word or phrase that you can modify with symbols and numbers. For example, “Th€ r@in !n Sp@1N,” would be an appropriate passphrase (provided only as an example—please do not use this for your passphrase).

A password or phrase that you can readily recall may be suitable. However, utilizing a phrase that you do not easily remember may provide more security and be more difficult for hackers to “crack.” Also, it is important that you do not use this same password/passphrase for anything else, such as an email password.

If the password is lost, it may not be possible to recover the encrypted data. Keep this information in a different place than on the device being encrypted and not in any easily accessed location, like taped to the monitor screen, as this may compromise security.

Types of storage encryption

Encryption can be implemented in many ways. It is possible to encrypt an individual file that contains sensitive information or to encrypt all data stored on a computer. The appropriate level of encryption depends on the type of information you want to store, the amount of information to be stored, and the different machines or devices on which the information will be stored.

For example, if you are encrypting ePHI or financial information, consider using the strongest encryption option (AES 256-bit). If you are encrypting personal information such as photos, a lesser strength option may be appropriate.

Following is an explanation of three types of storage encryption. Keep in mind that, even if encryption is used, it is important to maintain backups of all information.

Full disk encryption

Full disk encryption, or whole disk encryption, is a process by which all the data on the hard drive of a computer is encrypted. Full disk encryption is generally only used on laptop or desktop computers, not tablets or smart phones. Access to data on the computer is allowed only after successful authentication using a password or PIN. When users go to turn on this computer, they will be prompted to authenticate themselves. With successful authentication, the computer will start or “boot up.” An unauthorized person who attempts to turn on the computer without the key will not be able to access any information.

It is important to note that this type of encryption may not protect your computer against malware. Malware, short for malicious software, is software that can be used to gain unauthorized access to private computer systems or gather sensitive information. A common example is a computer virus. (It is possible to accidentally download a virus when you click on a link while searching the internet, or when you open an email attachment. Do not click suspicious-looking links in emails or open any attachments that come from someone you do not know.)

Full disk encryption may not be able to protect against malware attacks because it can only protect the data in encrypted form while the computer is not running. Once it is booted up, the entire disk becomes decrypted and the malware can gain access to the information. This type of encryption may be best suited for protecting all the data on your device from loss or theft when the computer is not running. If you use full disk encryption, it is particularly important to set your computer to go into locked mode if it is not used for a few minutes to protect encrypted information from theft.

Virtual disk encryption

Virtual disk encryption is the process of encrypting a file, called a container, on your computer, which can hold many files and folders. This type of encryption allows for some flexibility in how your computer is set up and encrypted. It is possible to set up two containers on your computer system—with all client and business files within one container, and personal information in another. Access to a container is only allowed after proper authentication.

This type of encryption can be used on all types of electronics: computers/laptops, smart phones, tablets, flash drives, and external hard drives. The files in virtual disk encryption are portable, meaning they can be copied from one medium to another with the encryption intact.

Virtual disk encryption offers better protection against threats posed by malware. Because this type of system requires a second authentication, separate from logging on to your computer, those files will be safe from any potential malware threats until the encrypted files are opened.

Whereas full disk encryption can encrypt your whole computer, virtual disk encryption only encrypts portions of the data that you choose. Virtual disk encryption allows for greater protection of PHI in the event that malware is accidentally downloaded onto your computer. With virtual disk encryption, you are allowed time to discover and alleviate any malware issues before opening the “containers,” whereas with full disk encryption you are opening your computer up to a security threat when you log in because there is no second wall of protection.

File/folder encryption

File/folder encryption is the process of encrypting individual files or folders within your computer. Each individual file or folder would be accessible after successful authentication by an authorized user. As with virtual disk encryption, this type of encryption is portable and can be used on all types of storage for computers, smart phones, tablets, etc. This type of encryption is also better protected against malware threats as explained above.

While virtual disk encryption and file/folder encryption sound similar, there is one major difference. The container used in virtual disk encryption is a single, opaque file. No one can see what files are inside that container until it is decrypted.

File/folder encryption is transparent, so anyone with access to the file system may be able to view the names for encrypted files and folders (but not the information within those files). Accordingly, practitioners generally should avoid putting patient names on encrypted files/folders. For example, you could assign a number or other code to each patient and not even identify them as patients so that an unauthorized user would only see that the device contained files 1 and 2 instead of patient files for James Jones and Mary Smith.
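The file-naming advice above can be checked mechanically. The following Python sketch is an added example, not part of the original article: it audits a folder listing for patient names that are readable in file names and proposes coded replacements. The sample listing, the six-digit code format and every function name are assumptions made for illustration.

```python
import os
import re
import secrets

# Constructed sample data; the two names are the ones the article uses.
PATIENTS = ["James Jones", "Mary Smith"]
LISTING = ["james_jones_intake.pdf", "MarySmith-notes.docx",
           "0001.pdf", "invoice_template.xlsx"]

def name_tokens(full_name):
    """Lowercased parts of a name, skipping fragments under 3 letters."""
    return [t for t in re.findall(r"[a-z]+", full_name.lower()) if len(t) >= 3]

def leaking_files(filenames, patient_names):
    """Return {filename: [patients whose name is readable in it]}."""
    hits = {}
    for fn in filenames:
        low = fn.lower()
        # Substring matching on purpose: an audit should over-report.
        exposed = [p for p in patient_names
                   if any(tok in low for tok in name_tokens(p))]
        if exposed:
            hits[fn] = exposed
    return hits

def assign_codes(patient_names, index=None):
    """Give each patient a random 6-digit code unrelated to the name.

    The index (name -> code) re-identifies every file, so it belongs
    inside encrypted storage, never in the clear next to the files.
    """
    index = dict(index or {})
    used = set(index.values())
    for p in patient_names:
        while p not in index:
            code = f"{secrets.randbelow(10**6):06d}"
            if code not in used:
                index[p] = code
                used.add(code)
    return index

def rename_plan(filenames, index):
    """Propose neutral names; None marks files that need manual review."""
    plan = {}
    leaks = sorted(leaking_files(filenames, index).items())
    for n, (fn, exposed) in enumerate(leaks, 1):
        ext = os.path.splitext(fn)[1].lower()
        ok = len(exposed) == 1  # a file naming several patients is ambiguous
        plan[fn] = f"{index[exposed[0]]}-{n:03d}{ext}" if ok else None
    return plan
```

Random codes are used rather than a hash of the name because an unkeyed hash of a known name can be recomputed by anyone who sees the listing.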

In summary, virtual disk encryption may offer the best option for many practitioners. While file/folder encryption may be suitable for some users, the need to save multiple single files or folders generally makes it a less efficient choice than virtual disk encryption. Sometimes a combination of storage encryption options is appropriate.

What to consider when choosing encryption software

Any independent practitioner, small group practice, or organization will need to consider the following matters:

Identify your practice needs.

  • Which devices need encryption? For example, your personal devices or just business computers? Your laptop, tablet, or cell phone? A good rule of thumb is to encrypt those devices that you utilize in your practice and that may have ePHI on them.
  • Who should be an authorized user? Who should be able to access the encrypted ePHI? Also consider whether employees and/or clinicians in your practice need access to different levels of information. For example, does your receptionist need access to the full client record or only the schedule file?
  • Which type of encryption is best suited for your practice or organization? Multiple types of technology may be used concurrently to protect against different threats. For example, you may want to use full disk encryption to protect against data loss due to a computer crash or theft and virtual or file encryption to provide additional protection for client information that is more sensitive.

Do your research. Look into different encryption software vendors and ask questions. A simple online search—for example, using Google or Bing—will identify several products that may be suitable for your practice. It is in your best interest to research those companies by reviewing their websites and contacting customer service to ask questions. It is in a company’s best interest to make sure you understand the product and how well it is suited to your practice.

Consider cost. There are a lot of encryption product options ranging in price from free to several hundred dollars or more. You may wish to compare a free option to a product available for purchase. You will want to choose the encryption that is best suited to your practice—not necessarily the most expensive option.

How the HIPAA security rule relates to encryption

All psychologists who trigger HIPAA must comply with HIPAA’s Security Rule requirements. This includes complying with the HIPAA breach notification rule that applies if unencrypted PHI is lost or stolen. A psychologist triggers HIPAA through the electronic transmission of PHI (which includes names, birthdates, and other information specified in HIPAA) to an insurance company. The Security Rule outlines the steps that psychologists who have triggered HIPAA must take to manage the risk of unintended disclosures through security breaches (as well as accidental loss of PHI such as through computer crash, fire, or flood).

The Security Rule applies only to electronically transmitted or stored ePHI. The Security Rule requires you to:

  • conduct a formal, structured risk analysis for your practice
  • determine what security measures are appropriate for your practice
  • implement security measures along with security policies and procedures

Examples of security measures are:

  • setting strong passwords for devices and wi-fi
  • data backup
  • utilizing anti-virus software
  • using encryption or secure transmission systems for transmitting data

Of these, encryption tends to be the most complicated. Technically, the Security Rule does not require encryption; it only requires that you consider encryption based on your risk assessment. Even so, with encryption becoming less expensive, easier to use, and more widely adopted, it is increasingly viewed as a practical option for practitioners who want to protect ePHI.

Simply put, it makes sense to protect ePHI through encryption. If a breach occurs and ePHI is properly encrypted, you are spared the stress and difficulty of having to notify all the required parties, including affected patients and HHS.

For more information on breach notification, review the 2013 HIPAA Privacy Rule primer (PDF, 1.52 MB) from APA Services.
