Contact Us

How data
protects patients

Author: Sue Poremba

Each patient generates unique data that when collected and analyzed lets medical professionals provide personalized and integrated care. Electronically stored protected health information (PHI) is critical to patient healthcare, but it is also incredibly valuable to cyber criminals. Hackers can earn thousands of dollars with the information in just one person's file. Protecting that data must be a top priority—and data encryption is the first step toward keeping it safe.

Understanding healthcare encryption standards

Protecting patient data is a delicate balancing act. Providers must provide quality care, and patient data is the key to personalized and integrated care. But providers must also meet strict privacy standards and regulatory requirements to ensure that patient data isn't vulnerable. In the US, the Health Insurance Portability and Accessibility Act (HIPAA) requires PHI to be protected from disclosure without a patient's consent or knowledge. According to HIPAA, safeguards for the protection of PHI are "addressable"—meaning that if a safeguard (or some reasonable alternative that guarantees the same results) can be implemented, it must be implemented.

Though most regulatory requirements don't mandate the use of any particular technology, encryption is nonetheless one of the most useful data protection methods for healthcare organizations. The National Institute of Standards and Technology recommends using the Advanced Encryption Standard, which offers more secure patient healthcare data encryption through a symmetric encryption algorithm that encrypts and decrypts the data. (Unlike, say, HTTPS, which is asymmetric and uses two different keys: one on the public side and one in private.)

Why patient data encryption is critical

Healthcare networks are under constant attack from hackers and have been subject to a significant number of attacks this year alone. Hospitals are frequent targets of ransomware; bad actors know that patient data is a critical need and that any downtime could be the difference between life and death. PHI is valuable on the dark web because of the vast amount of information—such as insurance information and Social Security numbers—contained in a single patient file. If patient data is compromised, the facility that kept it can be hit by hefty penalties and fines.

Data breaches and cyber incidents are going to happen no matter how well your security system works. Encryption allows your facility to be proactive against any incident that could compromise information. It also maintains the integrity of the data: Unencrypted data can be manipulated, which can go undetected. If encrypted data is corrupted, the owner will know and can take action.

Securing patient data

Data needs to be encrypted at every stage, whether it's in use, in motion (i.e., actively moving across the internet or through a private network) or at rest (i.e., stored or archived on a stored on a static medium like a hard drive, laptop or flash drive). In-transit data is often encrypted before it's moved or moved over an encrypted connection like HTTPS or SSL, Digital Guardian says; to protect at-rest data, sensitive files can be encrypted before storage, or the entire drive can be encrypted.

Encryption is the first step to protecting patient data, but encryption also needs a framework around it to form a layered security perimeter. That framework should include:

  • Security awareness training. Because not all data is going to be encrypted, employees should know the steps on how and why data security is a priority.
  • Regular risk assessments. Employees need to be able to identify any lapse in data protection or if data encryption is faulty.
  • Restricted access to data. Only the people who need a particular piece of data should be able to access it. The more people who have access, the greater the risk of compromise. Encryption can't protect data that's accessed legitimately, so the fewer with access, the better.

Data encryption is critical to keeping patients safe and healthy. Medical facilities need to deploy a comprehensive mix of security solutions to ensure that patients' data remains secure. Encryption might not be a be-all, end-all solution, but it helps ensure that data is kept safe and that patient privacy remains uncompromised.

Discover how Verizon's security solutions can help protected health information stay protected.