Everyone familiar with HIPAA agrees that protecting sensitive data like protected health information (PHI) is critical, and most realize that encryption is the technique of choice; however, this seems to be the extent of most people’s knowledge.
If you are a manager, or involved in projects involving patient information, and understand the importance of protecting electronic health records (EHR), then it behooves you to know at least the basics of what encryption is, as well as where and when it should be applied. I’ll make this painless and to the point:
There are two types of encryption that are commonly used to encrypt PHI data.
1. Symmetric Cryptography
2. Asymmetric Cryptography
Symmetric cryptography is typically used to encrypt hard drives or databases that contain PHI. It is a best practice to use a symmetric AES-256 key. Asymmetric ciphers are used when the data is transmitted from one place to another, such as when using HTTPS. Here, best practice is an asymmetric cipher, typically RSA with a 2048-bit key.
Use this table to help you recall what encryption type and strength to use:
|Data location|Encryption type|Strength|
|---|---|---|
|Hard disk (files) or Database|Symmetric Cipher|AES-256|
|Transporting data (HTTPS)|Asymmetric Cipher|RSA 2048-bit Key|
You can stop reading here and you will have learned the practical aspects of encryption. For those who want to dive in a little deeper, let’s continue by describing the difference between symmetric and asymmetric cryptography.
Symmetric cryptography employs an algorithm or cipher that involves a single key. The single key is like a password. It is not computed. The key should be shared only with authorized users and applications that need to unlock (decrypt) the data. The distribution of this key can oftentimes become a delicate operation. If the key gets into the wrong hands, then the data might be exposed to an unauthorized user.
An asymmetric cipher involves two keys. One key is for locking the data and this key can be given to anyone. It is considered public. The other key is private and should only be used by authorized users or applications. The keys are derived by an algorithm or cipher. This means that with enough computational power the key can be made. That is why the asymmetric key is much longer and more complex than a symmetric key, which is simply made up.
Because the public key can be distributed “safely” to anyone, it is considered a superior method of encryption whenever widespread distribution of keys is involved. Asymmetric encryption is perfect for securing sensitive data that is being transported from a user’s web browser to a web server. For example, when shopping on the internet the protocol of choice is HTTPS. The “S” is for SSL protection using an asymmetric cipher where the public shoppers have the public key in their web browser’s cache (memory) and only the web server has the private key.
The length of the key is also important. A longer key is more secure than a shorter one; therefore, a 1024-bit key is not as secure as a 2048-bit key. Likewise, an AES-128 key is not as secure as an AES-256 key.
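The two kinds of cipher described above can be combined, as in this added example (not from the original article): a record is encrypted with a random AES-256 key, and that key is then locked with an RSA 2048-bit public key so that only the private-key holder can open it. The function names and the sample record are constructed for illustration; the code uses only the built-in Node.js `crypto` module.

```javascript
// Added example: AES-256 for the data, RSA 2048 to protect the AES key.
const crypto = require('node:crypto');

// OAEP padding settings used for both locking and unlocking the AES key.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Recipient's RSA 2048-bit key pair: the public half can be handed to anyone,
// the private half stays with the authorized application.
function newRecipientKeys() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Sender: encrypt the record with a fresh random AES-256 key (symmetric),
// then lock that key with the recipient's public key (asymmetric).
function sealRecord(plaintext, publicKey) {
  const dataKey = crypto.randomBytes(32); // 256-bit symmetric key
  const iv = crypto.randomBytes(12);      // unique nonce per record for GCM
  const cipher = crypto.createCipheriv('aes-256-gcm', dataKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    wrappedKey: crypto.publicEncrypt({ key: publicKey, ...OAEP }, dataKey),
    iv,
    tag: cipher.getAuthTag(),             // lets the recipient detect tampering
    ciphertext,
  };
}

// Recipient: unlock the AES key with the private key, then decrypt the record.
// Throws if the wrong private key is used or the ciphertext was altered.
function openRecord(sealed, privateKey) {
  const dataKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, sealed.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', dataKey, sealed.iv);
  decipher.setAuthTag(sealed.tag);
  return Buffer.concat([decipher.update(sealed.ciphertext), decipher.final()]).toString('utf8');
}

// Constructed sample record (not real patient data).
const SAMPLE_RECORD = 'MRN=000000; name=Test Patient; dx=constructed-sample';

function demo() {
  const { publicKey, privateKey } = newRecipientKeys();
  const sealed = sealRecord(SAMPLE_RECORD, publicKey);
  return { sealed, roundTrip: openRecord(sealed, privateKey) };
}

console.log('decrypted matches original:', demo().roundTrip === SAMPLE_RECORD);
```

The symmetric key never has to be shared in the clear: only its RSA-locked form travels with the data, which sidesteps the key-distribution problem described for symmetric ciphers.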
In conclusion, encryption is necessary to remain compliant with HIPAA regulations. If you are involved in working with electronic protected health information, then knowing what type and strength of encryption to use in different circumstances is important.