BENEFITS

Bigfoot and the Big Encryption Myth

by ROBERT MCDERMOTT

In the late 1950s, a northern California newspaper published an article about oversized footprints discovered by loggers. Those big feet were the only proof needed for people to spread the story quickly and for it to gain wildly unexpected popularity. More than fifty years later, Bigfoot’s mystery still looms large.


Believe it or not, encryption has taken on its own mythical reputation. It’s widely believed encryption is the only tool needed for email to meet HIPAA compliance laws. That story has spread just as easily as the one about the 7-foot-tall legend.


Fortunately, it’s much easier to disprove the myth about encryption than it is to debunk our hairy humanoid mystery. For one thing, we know what encryption is and does: Encryption is the cryptographic transformation of data. In plain language, encryption takes the Protected Health Information (PHI) you are trying to send electronically and scrambles it so no one can read it while it’s en route from your computer to another doctor. It then gets de-scrambled and arrives in its original state in the recipient’s inbox. All of that effort keeps anyone, except the intended recipient of your email, from gaining access to the information.


Unfortunately, many email providers are trying to convince doctors encryption is all you need to comply with the HIPAA Security Rule and its safeguards. Encryption is, without question, a critical part of compliance—emphasis on the word ‘part’. There are multiple parts to the Security Rule and all must be met.


Let’s do a quick refresher on PHI. The official definition from the Office of Civil Rights (OCR) is individually identifiable health information, including demographic data, relating to:

• the individual’s past, present or future physical or mental health or condition;

• the provision of health care to the individual; or,

• the past, present or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual; and,

• individually identifiable health information, including many common identifiers (e.g., name, address, birth date, Social Security Number).


The OCR is the investigative arm of the Department of Health and Human Services. They’ve built an entire online HIPAA ‘Wall of Shame’, listing practices that have compromised PHI by not putting all the required safeguards into place. You too might end up on the wall if you don’t meet all six of the following regulations:


1) Authenticate Recipients. Your secure email exchange should automatically verify the doctor to whom you are sending ePHI is a registered provider. The federal government’s preferred DIRECT protocol is the most secure method for provider verification.


2) Control Access. Only authorized users should access the content of emails. Your secure email system should have mechanisms in place for automatic user log-off and encryption.


3) Transmit Securely. This is the encryption part we’ve been talking about. The higher your level of encryption, the more secure your ePHI. For example, if your secure email exchange has a 2048-bit encryption level, it will take quadrillions of years to break that encryption using today’s technology. As mentioned, encrypted email alone does not equal HIPAA compliance, nor does it entirely protect you from hackers, spammers or phishing attacks. You’ll also want to look for a service that keeps the PHI in your emails off the public internet and on a private domain. More about these secure data centers is explained in number 4.


4) Unaltered Records/Integrity. All your patient information must be kept in such a way it can’t be altered or lost. The smartest backup systems store your ePHI at multiple secure data centers—not your office, home or briefcase. Cloud-based backups keep your ePHI on secure servers located around the country. In the rare event one location is compromised, the other backup locations have you covered. If your service is hosted on a private domain, meets all six of these federal HIPAA safeguards and exceeds the minimum encryption standards, you are in a much better position to limit cyber-attacks (and HIPAA fines).


28 focus | NOV/DEC 2021 | ISSUE 6

