
McAfee Data Protection, HIPAA, HITECH and breach notification.

Last week, one of my colleagues asked me to comment on 45 CFR Parts 160 and 164, which, for those of us who can’t remember all the code names for the various US Federal documents, is the one in which the Department of Health and Human Services publishes its interim final rule under HIPAA and HITECH regarding what data falls under these regulations, what a “breach” means, and the conditions under which data is deemed to have been “protected”.

Under HITECH/HIPAA there is, in essence, a duty in the USA to care for the privacy of “unsecured protected health information”. This means that anyone electronically processing our health information has a duty of care to make sure no unauthorised people gain access to it, and a legal duty to inform us if a breach (or possible breach) of that trust occurs.

Reading (and understanding!) this document is critical for anyone involved in the electronic handling of health-related information, but some key sections I’d like to point out include:

A covered entity must consider implementing encryption as a method for safeguarding electronic protected health information; however, because there are addressable implementation specifications, a covered entity may be in compliance with the Security Rule even if it reasonably decides not to encrypt protected health information and instead uses a comparable method to safeguard the information.

Summary – Encryption is recommended, but not mandatory. You can use other methods if they are deemed comparable.

The regs go on to say though,

...covered entity chooses to encrypt... pursuant to this guidance... discovers a breach of that encrypted information, the covered entity will not be required to provide breach notification... on the other hand, if covered entity has decided to use a method other than encryption... not specified in this guidance... covered entity may be in compliance... following a breach, the covered entity would have to provide breach notification to affected individuals.

Summary – if you don’t use encryption you may be legal, but you STILL have to tell everyone.

It goes on to talk about access controls:

If access controls are compromised, the underlying information may still be usable, readable, or decipherable to an unauthorized individual, and thus constitute unsecured protected health information...

So it’s important to consider your access control and audit methodologies, as encryption on its own is not sufficient. The regs go further and even talk about safe key management:

To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data...

So you should be very wary of encryption processes which store the key with the data, for example any product running in wake-on-LAN (WOL) mode, or in a mode where no user authentication is required (for example TPM-only mode in BitLocker). It would seem that, because in these cases the key is stored alongside the data, they do not protect you from HITECH disclosure. To keep your immunity you must conform to the statement:

Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” and such confidential process or key that might enable decryption has not been breached.

Of course, the McAfee Data Protection suite is designed to conform to these regulations, never normally storing the key alongside the data, but, as with any complex security product, it can be configured to do exactly that.
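For the BitLocker case mentioned above, the following added script (mine, not part of the original post and not McAfee's or Microsoft's own tooling) audits the local machine's BitLocker volumes and reports any that can release the volume key with no user authentication, which is the "key stored alongside the data" configuration the regulation warns about. The `Get-BitLockerVolume` cmdlet and the protector type names are the real ones from the built-in BitLocker module; which protector types count as "user-authenticated" versus "auto-unlock" is my own assumption and should be reviewed against your own policy.

```powershell
# Added example: flag BitLocker volumes whose key is released without a user
# (TPM-only OS volumes, or data volumes set to auto-unlock). Run from an
# elevated PowerShell on Windows 8 / Server 2012 or later.

function Get-BitLockerKeySeparationReport {
    [CmdletBinding()]
    param(
        # Assumption: these protectors need a user-supplied PIN/password or a
        # separately held token before the key is released.
        [string[]]$UserAuthTypes  = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password', 'PublicKey'),
        # Assumption: these release the key with no user interaction.
        [string[]]$AutoUnlockTypes = @('Tpm', 'TpmNetworkKey')
    )

    foreach ($vol in Get-BitLockerVolume) {
        # Collect the protector types attached to this volume as plain strings.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        $hasUserAuth   = @($types | Where-Object { $UserAuthTypes  -contains $_ }).Count -gt 0
        $hasAutoUnlock = @($types | Where-Object { $AutoUnlockTypes -contains $_ }).Count -gt 0

        $assessment =
            if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
                'NOT-PROTECTED'   # no safe-harbor argument possible at all
            } elseif ($vol.VolumeType -eq 'Data' -and $vol.AutoUnlockEnabled) {
                'AUTO-UNLOCK'     # data drive unlocked automatically by the OS volume
            } elseif ($hasAutoUnlock -and -not $hasUserAuth) {
                'AUTO-UNLOCK'     # platform alone releases the key: review against the safe harbor
            } elseif (-not $hasUserAuth) {
                'REVIEW'          # only recovery-type protectors found; check manually
            } else {
                'USER-AUTH'       # a user (or separate token) is required at boot
            }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Protection = $vol.ProtectionStatus
            Protectors = ($types -join ',')
            Assessment = $assessment
        }
    }
}

# Usage: list every volume, then show only the ones that need attention.
Get-BitLockerKeySeparationReport | Format-Table -AutoSize
Get-BitLockerKeySeparationReport | Where-Object { $_.Assessment -ne 'USER-AUTH' }
```

An `AUTO-UNLOCK` result does not by itself mean the volume is badly protected against theft of the drive alone; it means the decryption key is held on the same device as the data, so you cannot rely on the encryption safe harbor to avoid notification if that device is lost. The wake-on-LAN (autoboot) mode of a product such as McAfee Endpoint Encryption is the equivalent condition there, and has to be checked in that product's own management console rather than with this script.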

If HITECH compliance is a must for you, and you’re a McAfee Endpoint Encryption user, now would perhaps be a good time to contact your McAfee account manager and organise some time to confirm you are indeed using the products in a way which keeps you compliant with these laws.
