Health Information and Quality Authority (HIQA) Encryption.

There is, as far as I can tell, no HIQA requirement or direct recommendation to use data encryption software like AlertBoot.  However, it appears that the use of encryption has not passed unnoticed.  If you delve deeper into HIQA’s publications, you see their glowing embers.  Maybe it’ll be a matter of time before they become a full-blown bonfire.

Ireland’s HIQA – Promoting Quality and Safety

The Health Information and Quality Authority (HIQA) is a government-funded agency (“Authority”) that, among other things, is responsible for quality and safety in patient healthcare.  HIQA is also responsible for monitoring, advising, and evaluating patient health data issues.

A quick search of the site and its many publications (available as PDFs) shows that words related to encryption (encryption, encrypt, crypto, etc.) don’t show up very often.  It would appear that HIQA doesn’t place too much of an emphasis on the use of encryption, despite consistently noting that patient data must be protected.

However, if you read the Information Governance Self Assessment Form (a “tool designed to highlight areas where urgent action is required or improvements may be made”), you’ll see that HIQA is recommending that encryption be used on all computers containing patient information.

Starting with Q.13 on the Self Assessment – Level 1 section (“Is access to personal health information restricted to those who need to access it?”), the tool delves into role-based access to data, culminating in Q.18, “Are all portable electronic devices that are capable of handling or displaying personal health information and databases password protected and encrypted?”

The answer, as the introductory remarks to the Self Assessment note, should be “yes.”  Despite the fact that you can barely find references to it, encryption software turns out to be a very important component in patient data safety.

HIQA Encryption and Protection

Mind you, it’s not “password protected or encrypted” but “password protected and encrypted.”  When it comes to encryption, it cannot be otherwise: if you’re using encryption to protect data, chances are you’re being issued a password as well.  The converse is not true.

Besides the use of encryption, Q.22 asks whether “servers and files, both paper and electronic” are securely locked away when not being used.  A guidance prompt notes that this is a requirement under the Data Protection Acts of 1988 and 2003.

Personally, I find it surprising that encryption isn’t spotlighted more.  Granted, encryption is not a panacea; however, I should note that it’s one of the easiest ways of complying with a multitude of access requirements (questions 13 through 17 on the Self Assessment tool):

  • Is access to personal health information restricted to those who need to access it?

  • Is there a mechanism in place to audit and validate staff access to personal health information?

  • Do all staff members that have access to electronic records have individual login details and passwords?

  • Is there a requirement that individual passwords are updated and changed regularly?

  • Is there a requirement that passwords are of a minimum complexity?

Consider AlertBoot disk encryption software for laptops and desktop computers:

  • There is encryption of the computer and any external storage devices (portable drives, flash memory disks)

  • The integrated audit reports can track people who’ve logged into a particular computer

  • Only people who should have access to a computer (e.g., a nurse station staffed by specific nurses only) can access it

  • All users have their own usernames and passwords

  • People can be prompted automatically to change their password, say, every 6 months

  • Requirements for passwords can be set up, including forbidding the use of palindromes or usernames in the password
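The password rules listed above (minimum complexity, no palindromes, no username in the password) are easy to state but worth seeing as an actual check. The following is an added example written for this post, not AlertBoot’s code or a HIQA-specified policy; the 12-character minimum, the “three of four character classes” rule and the `check_password` function name are assumptions chosen for illustration.

```python
import re
from typing import List, Pattern, Tuple

# Constructed policy threshold for this example; not a HIQA or AlertBoot value.
MIN_LENGTH = 12

# Character classes used for the complexity rule (assumed policy: at least three of four).
CHARACTER_CLASSES: List[Tuple[str, Pattern[str]]] = [
    ("lowercase letter", re.compile(r"[a-z]")),
    ("uppercase letter", re.compile(r"[A-Z]")),
    ("digit", re.compile(r"[0-9]")),
    ("symbol", re.compile(r"[^A-Za-z0-9]")),
]


def is_palindrome(s: str) -> bool:
    """True if s reads the same forwards and backwards, ignoring letter case."""
    norm = s.lower()
    return len(norm) > 1 and norm == norm[::-1]


def check_password(username: str, password: str, min_length: int = MIN_LENGTH) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted.

    The username check is case-insensitive so that "Nurse1" inside a password
    is caught for the account "nurse1"; the palindrome check ignores case for
    the same reason.
    """
    problems: List[str] = []

    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    present = [name for name, rx in CHARACTER_CLASSES if rx.search(password)]
    if len(present) < 3:
        problems.append("needs at least three of: "
                        + ", ".join(name for name, _ in CHARACTER_CLASSES))

    if username and username.lower() in password.lower():
        problems.append("contains the username")

    if is_palindrome(password):
        problems.append("is a palindrome")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs; "nurse1" is a made-up account name.
    for candidate in ("Ward7!Trolley#9", "Nurse1-Secure-2024", "Ab1!xyyx!1bA", "Short1!"):
        verdict = check_password("nurse1", candidate) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The function returns every violated rule rather than stopping at the first one, so a user changing a password sees all of the reasons at once instead of fixing them one round-trip at a time.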

Again, even with all of the above, it is not guaranteed that an organization will never suffer a data breach.  For example, let’s say that employees decide to trade usernames and passwords.  One of them goes rogue, logging into systems as someone else.  The rogue employee is not going to show up on audit logs.  There are limitations to what technology can do.
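One thing an audit report can still surface in the credential-sharing scenario above is the same account being used on two computers at once. The following is an added example for this post, not AlertBoot’s reporting code; the log line format, the hostnames and the `find_overlapping_sessions` function are constructed for illustration.

```python
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample audit lines. The format "<timestamp> <EVENT> user=<u> host=<h>"
# is an assumption for this example, not a real AlertBoot report layout.
SAMPLE_LOG = """\
2024-03-01T08:02:11 LOGIN user=nurse1 host=WS-07
2024-03-01T08:05:40 LOGIN user=nurse2 host=WS-03
2024-03-01T08:30:02 LOGOUT user=nurse2 host=WS-03
2024-03-01T08:41:19 LOGIN user=nurse1 host=WS-12
2024-03-01T09:10:00 LOGOUT user=nurse1 host=WS-07
2024-03-01T09:12:33 LOGIN user=nurse2 host=WS-03
2024-03-01T09:30:00 LOGOUT user=nurse1 host=WS-12
"""

# A finding: (user, host already logged in, host of the new login, time of the new login)
Finding = Tuple[str, str, str, datetime]


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split one audit line into (timestamp, event, user, host)."""
    ts, event, user_kv, host_kv = line.split()
    return (datetime.fromisoformat(ts), event,
            user_kv.split("=", 1)[1], host_kv.split("=", 1)[1])


def find_overlapping_sessions(log_text: str) -> List[Finding]:
    """Flag a LOGIN for an account that still has an open session on a different host.

    Sessions are tracked per user as {host: login_time}; a LOGOUT closes the
    session on that host. Re-logging into the same host is not flagged.
    """
    open_sessions: Dict[str, Dict[str, datetime]] = {}
    findings: List[Finding] = []

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, user, host = parse_line(raw)
        sessions = open_sessions.setdefault(user, {})
        if event == "LOGIN":
            for other_host in sessions:
                if other_host != host:
                    findings.append((user, other_host, host, ts))
            sessions[host] = ts
        elif event == "LOGOUT":
            sessions.pop(host, None)

    return findings


if __name__ == "__main__":
    for user, first_host, second_host, when in find_overlapping_sessions(SAMPLE_LOG):
        print(f"{when.isoformat()}: {user} logged into {second_host} "
              f"while still logged into {first_host}")
```

On the sample data this flags `nurse1` on WS-12 at 08:41 while the WS-07 session is still open. Note what the check does and does not give you: it can show that one account was in two places, which is evidence the credential was shared, but the log entry still says `nurse1`, so it cannot tell you which person was actually at the keyboard. If the borrowed account is only used when its owner is logged out, nothing overlaps and this check is silent, which is exactly the limitation the paragraph above describes.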

However, the use of proper encryption products can go a long way in seriously lowering data breach risks.
