Data breaches and ransomware attacks have become a persistent and costly problem in the healthcare sector. As the Change Healthcare ransomware attack shows us, these threats continue to escalate in frequency and sophistication. Organizations bound by HIPAA must reevaluate their approach to cybersecurity, especially when it comes to encryption.
In December 2024, the U.S. Department of Health and Human Services (HHS) proposed a significant update to the HIPAA Security Rule, part of which proposes a mandate requiring the encryption of electronic protected health information (ePHI) both at rest and in transit. While it is still uncertain whether HHS leadership will move forward with finalizing the rule, healthcare organizations would be wise to act as if it were already in place. Why? Because the need for strong encryption is not a matter of regulatory compliance alone; it is a critical step in safeguarding patient data.
From Best Practice to Baseline Requirement
Historically, encryption has been considered a best practice under HIPAA: a strong recommendation rather than an enforced requirement. This created a gray area that some organizations took advantage of, justifying alternative safeguards in place of encryption. That ambiguity has left many systems exposed, with predictable results.
The proposed changes aim to remove that ambiguity by making encryption the standard, not an option. Today's threat landscape demands that encryption be part of a layered defense-in-depth strategy and the default method for protecting sensitive health data.
Why Act Now?
While the proposed changes to HIPAA are not yet codified, the rationale behind them is sound. Cyberattacks targeting healthcare organizations continue to rise, with attackers treating ePHI as a high-value target, both because of the nature of the data and because of healthcare organizations' historical pattern of paying ransoms. Patients are increasingly concerned about the safety of their data, and regulators are responding with heightened scrutiny.
Proactively adopting strong encryption measures demonstrates a commitment to patient privacy and operational integrity. It also puts your organization in a stronger position during audits and assessments, even if the final rule is delayed or modified.
There are several additional compelling reasons to adopt the proposed encryption standard without waiting for it to become law:
- It gives you a jumping-off point for a thorough audit of your data protection strategy. That audit establishes not only whether your data is encrypted at rest and in transit, but also where your data resides, who has access to it, and whether you hold data that can be properly disposed of.
- It positions your organization ahead of the regulatory curve. Beyond being the responsible choice, if HHS approves the proposed encryption mandate, your organization will already have met the requirements.
- Encrypting your data minimizes the risks associated with breaches, not only preventing patient harm and reputational damage, but also helping your organization avoid steep financial penalties.
Simplifying Cyber Resilience
Encryption is essential, but it is not sufficient on its own. A comprehensive data protection strategy also includes redundancy and resilience.
By taking the step of universally encrypting ePHI, your organization is one step closer to following the widely accepted best practice known as the 3-2-1 Rule. This approach involves maintaining three copies of your data, stored on two different types of media, with one copy kept offsite and encrypted.
The 3-2-1 Rule provides a safety net in case of ransomware or other disruptive events, which have become all too familiar across the healthcare industry. By combining 3-2-1 with a regular cadence of verified clean backups, you create a process to recover critical information quickly and securely in the event your primary systems are compromised. In healthcare, where downtime can affect patient care, access to reliable backups is not optional; it is essential.
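As an added illustration, not part of the original article, the following Python check evaluates a backup inventory against the 3-2-1 Rule described above, the encrypt-at-rest baseline, and a verification cadence; the inventory entries and the 30-day verification window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class BackupCopy:
    location: str        # label for the copy, e.g. "primary-san"
    media: str           # media type, e.g. "disk", "tape", "object-storage"
    offsite: bool        # stored away from the primary site
    encrypted: bool      # encrypted at rest
    last_verified: date  # last successful restore test or integrity check

def check_3_2_1(copies, today, max_verify_age_days=30):
    """Return a list of findings; an empty list means the inventory satisfies
    the 3-2-1 Rule, encryption at rest for every copy, and the verification cadence."""
    findings = []
    if len(copies) < 3:                                   # "3": three copies
        findings.append(f"{len(copies)} copies present, 3 required")
    media_types = {c.media for c in copies}
    if len(media_types) < 2:                              # "2": two media types
        findings.append(f"all copies on one media type ({', '.join(media_types)})")
    if not any(c.offsite and c.encrypted for c in copies):  # "1": encrypted offsite copy
        findings.append("no encrypted offsite copy")
    for c in copies:
        if not c.encrypted:                               # ePHI must be encrypted at rest
            findings.append(f"{c.location}: copy is not encrypted at rest")
        if today - c.last_verified > timedelta(days=max_verify_age_days):
            findings.append(f"{c.location}: last verified {c.last_verified}, "
                            f"older than {max_verify_age_days} days")
    return findings

# Constructed sample inventories; assumed values, not real systems.
TODAY = date(2025, 6, 1)
COMPLIANT = [
    BackupCopy("primary-san", "disk", False, True, date(2025, 5, 30)),
    BackupCopy("tape-library", "tape", False, True, date(2025, 5, 25)),
    BackupCopy("offsite-object-store", "object-storage", True, True, date(2025, 5, 28)),
]
NONCOMPLIANT = [
    BackupCopy("primary-san", "disk", False, True, date(2025, 5, 30)),
    BackupCopy("nas-replica", "disk", False, False, date(2025, 3, 1)),
]

if __name__ == "__main__":
    for name, inventory in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name, check_3_2_1(inventory, TODAY) or ["ok"])
```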
Adopting a Zero-Trust Security Model
Encryption helps protect data, but controlling access to that data is equally important. A zero-trust approach ensures that no user or device is automatically trusted, regardless of location or credentials. Every access request is verified through a combination of identity checks, device health assessments, and contextual risk evaluation.
Given the mobile and distributed nature of today's healthcare workforce, this approach is especially relevant. From clinicians accessing records on tablets to administrators working remotely, every endpoint represents a potential vulnerability. Encrypting data and enforcing a zero-trust framework helps mitigate the risk of unauthorized access, even if a device is compromised.
Don't Overlook Training and Awareness
Even the best encryption and access controls can be undone by human error. That is why ongoing education and training should be part of any security strategy. Staff should understand how encryption works, when and why it is used, and how to handle ePHI securely. Training should be practical, engaging, and tailored to the roles of different team members.
Employees are tricky: they are your first line of defense as well as your weakest link. Regular, relevant training can significantly reduce the risk of accidental breaches, successful phishing attacks, and even insider threats.
Final Thoughts: Lead with Encryption
The threat environment in healthcare already justifies the need to encrypt ePHI. The proposed HIPAA rule change, however, gives your organization a tangible, timely reason to rethink its position on encryption. Organizations that act now to adopt encryption as a default, not an exception, will be better positioned to protect patient data, respond to regulatory changes, and build trust with the communities they serve.
Ultimately, this is not just about compliance. It is about doing the right thing. Encrypt your data. Back it up and make sure those backups are clean. Train your people on how to handle data. Whether mandated by law or not, these are the standards we should hold ourselves to in an industry where privacy and safety go hand in hand.
About Kurt Markley
Kurt Markley is the Managing Director, Americas at Apricorn. He is a 25-year technology veteran with a specialized focus on storage and cybersecurity.