The adoption of the Health Information Technology for Economic and Clinical Health (HITECH) Act brought stimulus dollars earmarked for "advancing health IT." But it also expanded the reach of the data security and privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) to include the business associates of HIPAA-covered entities, created the first federal data breach notification requirement, and gave the HIPAA security and privacy enforcement provisions some teeth.
All of that together means everyone is taking health care information technology and compliance issues more seriously these days than they might have when HIPAA first became law. Moreover, the nation's work force has become substantially more mobile than it was in 1996. Laptops and smartphones are ubiquitous; tablets are nearly so. And that means health information is more mobile, too.
So how do health care professionals and those who work with them keep that information secure while maintaining their mobility? Not long ago I had the opportunity to speak with Dr. Robert Thibadeau, senior vice president and chief scientist at Wave Systems, who explained how self-encrypting drives and encryption management software can help to make HIPAA and HITECH security compliance a little more manageable.
Encryption software is typically neither user friendly nor intuitive, and as a result it is not uncommon for employees to turn it off, unbeknownst to their superiors or their IT teams, Thibadeau said. Self-encrypting drives, on the other hand, "come out of the factory encrypting," and they don't stop. Even more important, that encryption is almost completely transparent to the user.
Adding central management to the encryption capabilities is key because it provides the company with a means of proving the data on a lost laptop was protected. Thibadeau explained:
In the event of a breach, you don't have a lawyer just asking an employee if the data was encrypted [and having to take the employee's word for it]. With central management someone can be held responsible, and you have real audit records that can show the data really was encrypted when it was lost.