The Case for Continuous Encryption in Healthcare


The proposed amendments to the Department of Health and Human Services’ HIPAA Security Rule mark an important step forward in protecting sensitive healthcare data. The proposal to mandate encryption of data in use (continuous encryption) in addition to at rest and in transit represents significant progress.

Continuous Encryption: A Modern Solution for an Old Problem

Modern healthcare operations increasingly rely on complex data processing for everything from clinical decision support to billing. During these operations, decrypted data is vulnerable to various threats. Recent breaches have demonstrated that attackers often target these processing vulnerabilities. Making encryption mandatory for electronic protected health information (ePHI) both when stored and transmitted, with limited exceptions, still leaves a critical gap that must be addressed: the protection of data during processing. (Those exceptions would need to be documented and explained.)

Currently, even with robust encryption at rest and in transit, data becomes accessible when decrypted into clear text for processing. Once data is in clear text, it is easy for bad actors to steal this sensitive information. To truly safeguard patient data, encryption must also cover data while it is being actively processed or used, otherwise known as “encryption in use” or “continuous encryption”.

Finally Achieve True “End to End” Encryption

A comprehensive approach to healthcare data security must consider protecting data across all three states: at rest, in transit, and in use. Emerging technologies like Donoma Seshat, a next-generation homomorphic encryption engine for enterprise platforms, solve this technology gap.

As healthcare organizations work to implement the proposed security requirements, they should look beyond minimum compliance and adopt solutions that truly protect data from end to end. Only by closing the encryption gap during processing can we ensure that patient data remains secure in today’s evolving threat landscape.

Help HIPAA Meet its Goal of True Patient Privacy

The proposed HIPAA Security amendments represent an important foundation, but the healthcare industry must push forward toward complete data protection with a solution that embraces continuous encryption. Patient privacy and trust depend on it.
