Choosing Encryption Software

September 2014

The Breach Notification Rule and Encryption

Unofficial reports of breaches of private healthcare, financial, and business information have reached almost a billion records in the past 10 years (Privacy Rights Clearinghouse, 2014). One response to these breaches in the healthcare arena has been the addition of the Breach Notification Rule (BNR; DHHS, 2013; HITECH Act, 2009) as a component of HIPAA (2003, 2013). The BNR is structured in such a way as to strongly encourage healthcare professionals to use encryption. Though these regulations do not require such use, they exempt protected health information that is encrypted, at a sufficient level, from their requirements for notification of breaches. Put another way, if professionals adequately encrypt the protected health information on their digital devices, and those devices are lost, stolen, or hacked, the professionals are not required under the BNR to notify clients or to report to the Department of Health and Human Services. The reason is that encryption, when used correctly, offers a fairly high level of protection for protected health information.

This is one of the main reasons that The Trust Risk Management Team has been recommending the use of encryption over the past few years. Truecrypt is one of the programs we have suggested for encrypting hard drives and other computer devices (such as external drives, and flash, thumb, and key drives). Recently, however, Truecrypt's website (2014) announced that its security may have been compromised, and the program is no longer being supported. As a result, we are no longer recommending its use. Although there is some disagreement about how quickly users should transition away from Truecrypt, we do recommend that you begin that process as soon as it is feasible to do so. Also, as you will see below, we have some suggestions for professionals who previously used Truecrypt, or who are seeking to begin using encryption software for the first time.

Defining encryption

Before we make those recommendations, though, a brief explanation of encryption is useful. Encryption is the 'scrambling' or camouflaging of information, such as progress notes or addresses, by changing it into a form that cannot be understood by others. In other words, encryption translates meaningful information into a hidden form or code. Only people who have a key, usually a string of alphanumeric symbols that permits the coded information to be translated back into meaningful form, can read the document (Taube, 2013, p. 88). It has been used for thousands of years to protect trade, military, and other secrets (Schneier, 1996). Only recently has it become more publicly available, and in a form that is significantly easier to use. It offers a much higher level of protection than passwords alone. Though passwords can limit access to information by unsophisticated users, hackers can easily get around those passwords and access the intact underlying information. Encryption, however, leaves the underlying information unintelligible to anyone who does not have the key, even if the password-based access control is bypassed. Though it is not a perfect solution[1], it is an increasingly widely accepted method for the protection of digital information.

The standard for encryption of protected health information has been set by HIPAA's BNR (128-bit encryption is the minimum). Thus, when professionals are seeking to employ encryption, they should look for assurances that this standard has been met.

Steps in selecting encryption software

The first step is to consider which devices you are using for professional purposes. Do you have protected health information on your computer at the office? On your smartphone? On a computer or tablet at your home office? Please note that even portable devices that hold only client names or contact information are subject to the HIPAA Privacy and Security Rules and the breach notification rules in the same way as the more detailed information on computers or tablets. Once you determine which devices need protection, you are then in a position to explore the range of programs that are available for professionals and consumers. Simple Internet searches will turn up dozens, if not hundreds, of those programs. A more efficient way to determine which programs are appropriate is to consult online sites that review encryption software for a variety of different devices. Most of these review sites include opinions about two aspects of the encryption software: (a) the level of privacy protection the program provides, and (b) the ease of implementation and use of the program. The following list has sites that provide information about encryption for different kinds of devices, followed by review sites. We have categorized these sites according to the type of device or digital activity in which you might engage.

  1. Basic guides to computer and smartphone/mobile device encryption
    1. Generally:
    2. Computers
    3. Android smartphones
    4. Smartphones/mobile devices
    5. E-mail
  2. Sites that review encryption software
    1. Computers
    2. Smartphones/mobile devices
    3. E-mail

Summary

We are in a time of tremendous change in the development and handling of protected health information. The fast-paced evolution of digital technology and emerging problems in the security of software require professionals to keep abreast of changes related to risks to privacy.


References

DHHS Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA. 45 C.F.R. pts. 160 and 164 (2013).

Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, Pub. L. No. 111-5, § 13001, 123 Stat. 226 (2009).

Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (2003, 2013).

Privacy Rights Clearinghouse (n.d.). Chronology of data breaches: Security breaches 2005 – present. Retrieved from https://www.privacyrights.org/data-breach

Schneier, B. (1996). Applied Cryptography (2nd ed.). New York, NY: Wiley.

Taube, D. O. (2013). Portable digital devices: Meeting challenges to psychotherapeutic privacy. Ethics and Behavior, 23, 81-97.

Truecrypt. (2014, May 20). WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues. Retrieved from http://truecrypt.sourceforge.net/


[1] As is now known, for example, the National Security Agency in the United States may well have access to information that has been encrypted with most publicly available encryption programs (The Guardian, 2013). Psychologists and other mental health professionals, however, are not required to use encryption that is capable of blocking access by such agencies.