Authors: Michael Oltman, Chief Technology Officer, Apervita and Marty Jablonski, Information Security Officer, Apervita
Traditional healthcare security has evolved since the HITECH Act of 2009, but as healthcare companies move to the cloud and off-premises hosting providers, status quo security requirements have proven insufficient. This was further underscored by ONC’s March 9 release of the final rule (The 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program). These new regulations mandate that healthcare organizations must meet new requirements for interoperability and data-sharing—without compromising the security of personal health information (PHI). As the demand for more easily accessible healthcare data increases, chief information security officers (CISOs) will need to find new and flexible methods for encryption.
Despite checking every box on encryption at rest and encryption on the wire, data breaches continue to be reported year after year. Why? Encryption at rest is usually implemented as full-disk encryption (FDE), which protects only against physical theft. As data moves to the cloud and more platforms need access to the data, physical theft is less of a risk than the compromise of database accounts. In today’s environment, the prevention of data loss and breaches requires additional layers of encryption and control beyond HITRUST and HIPAA requirements.
Enter Apervita’s Deep Encryption™ feature, which offers an unprecedented level of security to the U.S. healthcare system by encrypting data at the field level. PHI is not just protected at the disk level or the database level but down to the components of individual health records which contain information such as insurance claims, medications, test results and diagnoses.
Consider that today any credentialed database user within a healthcare organization has access to PHI. This includes support users, database administrators, and developers. Additionally, if allowed, partner applications and their users with credentials could also have improper access to PHI. If the data is protected only by disk encryption, it is automatically decrypted whenever the database APIs retrieve it. Deep Encryption adds multiple layers to encrypt the data within the database, defeating these and other access-based vectors for unnecessary or inappropriate access. Not even database administrators with direct access to the database console can view the PHI. If they attempt to do so, all they will see is gibberish.
Another challenge driving the need for new deep encryption technologies is that most healthcare organizations' existing encryption solutions secure the entire database with a single access key. This creates a single vector for accessing the PHI: one key for the entire database. Apervita’s Deep Encryption, however, addresses this by providing encryption for each data segment down to the components of individual health records. In the unlikely event that a key is obtained, only a single dataset, a tiny part of the database, could potentially be compromised. This level of granularity becomes that much more important as health plans and providers begin to comply with ONC regulations and make health records available on demand to individual consumers.
As customers conduct their security deep dives with Apervita, a consistent request has been to maintain control of their healthcare data. As more applications and consumers demand access to more and more data, control is a required feature of data security. In addition to advanced security for customer data and patient PHI, Deep Encryption also provides the ultimate control with Bring-Your-Own-Key (BYOK) technology. Using BYOK, an Apervita customer can create and manage their own Master Key which is then used to encrypt their data independently from any other customer. BYOK can also be applied to each dataset to increase security and control. With the Master Key exclusively under the customer's control and all data access governed by the Apervita platform, the customer can revoke all access to the PHI by simply disabling their Master Key. With the key disabled, the encrypted data is rendered useless.
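The key hierarchy described in the last three paragraphs (field-level ciphertext, one key per dataset, a customer-held master key that can be disabled) can be illustrated with generic envelope encryption. This is an added example, not Apervita's implementation; `MasterKey`, `newDataset`, `putField`, `getField` and the sample values are hypothetical, and the master key is held in memory here where a real deployment would keep it in a KMS or HSM.

```javascript
const crypto = require('crypto');

// AES-256-GCM. Output layout: nonce(12) || tag(16) || ciphertext; aad is authenticated.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Throws if the key, the aad or any byte of the blob is wrong.
function open(key, blob, aad) {
  if (blob.length < 28) throw new Error('ciphertext too short');
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Hypothetical stand-in for a customer-held BYOK master key (in practice a KMS/HSM key).
class MasterKey {
  constructor() { this.key = crypto.randomBytes(32); this.enabled = true; }
  unwrap(wrapped, dataset) {
    if (!this.enabled) throw new Error('master key disabled');
    return open(this.key, wrapped, dataset);
  }
}

// Each dataset gets its own data key; only the wrapped copy is stored.
function newDataset(master, name) {
  return { name, wrappedKey: seal(master.key, crypto.randomBytes(32), name) };
}

// Encrypts one field; the returned base64 cell is all a database console would show.
function putField(master, ds, field, value) {
  const dataKey = master.unwrap(ds.wrappedKey, ds.name);
  return seal(dataKey, value, `${ds.name}/${field}`).toString('base64');
}

// Decrypts a cell; fails for another dataset, another column or a disabled master key.
function getField(master, ds, field, cell) {
  const dataKey = master.unwrap(ds.wrappedKey, ds.name);
  return open(dataKey, Buffer.from(cell, 'base64'), `${ds.name}/${field}`).toString();
}

const demoKey = new MasterKey(), demoSet = newDataset(demoKey, 'claims');
const demoCell = putField(demoKey, demoSet, 'diagnosis', 'E11.9'); // constructed value
console.log(demoCell, '->', getField(demoKey, demoSet, 'diagnosis', demoCell));
```

Binding the dataset and column names as associated data means a ciphertext copied into another column or dataset fails authentication instead of decrypting silently.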
As the healthcare industry continues its massive transition from paper-based to digital workflows, opportunities for data breaches will continue to increase. The use of data to create a higher quality, more efficient and consumer-friendly healthcare system will expose organizations and patients to greater risk. The status quo is unacceptable and insufficient as threats to PHI loom. Now is the time to address those threats and to remove those risks. Adoption of the most advanced encryption technology will provide the security that innovative healthcare organizations want and their patients and members deserve.