Desktop computer encryption under HIPAA: is it really necessary? Most people have argued over the years that the answer is “no,” not only because the use of encryption software under the HIPAA rules happens to be addressable (as opposed to required), but because nobody really expects it to happen.
Reasons generally given to back up “nobody expects it” include that desktops are hard to steal and impossible to misplace. I’ve even heard this particular piece of logic: if desktop computers were meant to be encrypted, wouldn’t the Department of Health and Human Services (or its Office for Civil Rights, OCR) have brought action against the many covered entities who’ve had their desktops stolen over the years? After all, the HHS “Wall of Shame” lists plenty of instances where a desktop computer is at the heart of a data breach affecting more than 500 people.
While I haven’t found an OCR settlement that centers on a desktop computer, I have found a hint in one case that desktop encryption under HIPAA cannot be dismissed out of hand.
Concentra Health Resolution Agreement
Honestly, “proof” of any sort is unnecessary. The rules make it clear: as an addressable issue, encryption on computers and other data storage devices must be looked into. If encryption is an inappropriate solution (for whatever reason), then an alternate form of security that is equivalent to encryption must be used. (Clarified in this manner, it’s almost disingenuous to say that encryption is not a requirement. When encryption is already available, why would you use something that is equivalent to encryption?)
HIPAA rules do not say anything about device size, or their portability, or their street value, or their popularity as commodities in the black market, etc. Is encryption an appropriate solution for securing ePHI? This is the question that needs to be answered. Everything else just flows from there.
But some people are not getting the message. It would be nice if OCR just came out and said it, but since they’re not doing that yet, it’s up to people to search official documents to divine what the maintainers of HIPAA “want.”
Look at the resolution agreement for the Concentra Health data breach of 2011 as an example. You’ll see the following under Section V, Corrective Action Obligations (my emphases):
B. Encryption Status Update Requirements
1. Within 120 days of the Effective Date, at one year following the Effective Date, and at the conclusion of the one year period thereafter, Concentra shall provide an update to HHS regarding its encryption status, which shall include:
a. The percentage of all Concentra devices and equipment (laptops, desktops, medical equipment, tablets, and other storage devices) that are encrypted at that point in time.
b. Evidence that all new devices and equipment (laptops, desktops, medical equipment, tablets, and other storage devices) have been encrypted.
c. An explanation for the percentage of devices and equipment that are not encrypted.
d. A breakdown of the percentage of encrypted devices and equipment for each specific Concentra facility and worksite.
Apparently, OCR has learned over the years that people don’t read so well when it’s not spelled out for them, and has decided to be more specific by listing the types of devices and equipment that one should be encrypting (again, if appropriate).
Notice that desktops are in there. People who are not even considering encryption software on desktop computers need to pause and seriously consider whether encryption on desktops is actually inappropriate for them.
What Exactly is “Appropriate?”
Which brings up an excellent question: what is “appropriate” when it comes to encryption? Obviously, an appropriate encryption solution is one that follows NIST’s guidelines (and preferably one that is certified by the institute itself; who knows what untested weaknesses exist in a solution that is NIST compliant but not NIST certified? The latter at least carries a seal of approval). However, that doesn’t answer when it is appropriate (and inappropriate) to use encryption at all.
The use of encryption is inappropriate if there isn’t a solution for the type of hardware you’re using. For example, perhaps the covered entity uses Windows 98 and none of the current encryption solutions in the market support such an old operating system. Using encryption would be inappropriate (or impossible) in this scenario.
There are also other instances where encryption may not be appropriate and technical specs don’t come into play. Perhaps the computer is being used in a hospital’s operating room, and having a password in place is ill-advised. There’s also the fact that one generally cannot find unauthorized personnel in ORs, so perhaps the risk of a computer or other medical device being stolen is extremely low. I’m sure you can come up with other instances where the appropriateness of encryption comes into question.
I guess this is what you really should be considering: if you think that you can live with the consequences of having a HIPAA data breach on a particular device, and defend that position, then don’t encrypt it. For example, if you think that, in essence, saying “we don’t need to encrypt desktop computers because they’re harder to steal than laptop computers” is an adequate explanation to OCR, then go ahead and don’t install encryption software on your desktop computers.
Just make sure you document the reason why you decided encryption was not a good idea.
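As an added illustration (not from the original post or from any OCR document), the script below computes the four items of the Concentra status update from a device inventory and also flags unencrypted devices that have no documented reason on file, which is the documentation the post closes on. The device IDs, facility names and effective date are constructed placeholders, not real Concentra data.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Device:
    device_id: str
    kind: str            # laptop, desktop, medical equipment, tablet, other storage
    facility: str
    encrypted: bool
    acquired: date
    exception_reason: str = ""   # documented reason encryption was judged inappropriate


# Constructed placeholder: date the resolution agreement took effect (not the real one).
EFFECTIVE_DATE = date(2014, 1, 1)

# Constructed sample inventory; none of these are real devices or sites.
INVENTORY = [
    Device("D-001", "desktop", "Clinic A", True, date(2013, 6, 1)),
    Device("D-002", "desktop", "Clinic A", False, date(2013, 6, 1)),
    Device("L-001", "laptop", "Clinic A", True, date(2014, 2, 3)),
    Device("M-001", "medical equipment", "Clinic B", False, date(2012, 9, 9),
           "OR workstation: no login prompt permitted; room access is controlled"),
    Device("T-001", "tablet", "Clinic B", False, date(2014, 3, 1)),
    Device("D-003", "desktop", "Clinic B", True, date(2011, 1, 1)),
]


def percent_encrypted(devices):
    """Share of devices with encryption in place, rounded to one decimal."""
    if not devices:
        return 0.0
    return round(100.0 * sum(d.encrypted for d in devices) / len(devices), 1)


def status_report(inventory, effective_date):
    """Build the four items (a)-(d) of the encryption status update."""
    by_facility = {}
    for d in inventory:
        by_facility.setdefault(d.facility, []).append(d)
    unencrypted = [d for d in inventory if not d.encrypted]
    return {
        # (a) overall percentage encrypted at this point in time
        "percent_encrypted": percent_encrypted(inventory),
        # (b) new devices (acquired on/after the effective date) that are still unencrypted
        "new_devices_unencrypted": sorted(d.device_id for d in unencrypted
                                          if d.acquired >= effective_date),
        # (c) unencrypted devices lacking a documented explanation
        "undocumented_unencrypted": sorted(d.device_id for d in unencrypted
                                           if not d.exception_reason.strip()),
        # (d) per-facility breakdown
        "by_facility": {f: percent_encrypted(ds) for f, ds in sorted(by_facility.items())},
    }
```

Any device listed under `undocumented_unencrypted` is one where item (c) cannot be answered, so the gap is in the paperwork, not just the software.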