Redspin has provided security risk analysis (SRA) services to dozens of hospitals, helping them meet Core Measure 14 of the Stage 1 Meaningful Use EHR Incentive Program. As one of the leading experts in IT security, we take a comprehensive approach to these engagements. As such, our primary focus is to help our clients truly safeguard PHI from data breach by expanding beyond a strict interpretation of the Stage 1 Rule.
It is from that vantage point that we are providing our comments on the Proposed Rule for Stage 2 of this program. We are encouraged that CMS is shining a spotlight on the issue of encryption as it pertains to “data at rest.” Yet under HIPAA 45 CFR 164.312(a)(2)(iv), this requirement is listed as an “addressable” control but is not specifically mandated. The “addressable” standard allows for some latitude (i.e. determining whether encryption is “reasonable and appropriate” and if not, implementing equivalent protections).
For Stage 2 attestation, we assume providers will be required to clearly document their process for evaluating whether the control is “reasonable and appropriate…and would likely contribute to protecting its health information.”
While highlighting encryption of “data at rest” is a step in the right direction, it raises two other significant issues. The first concerns business associates. What is CMS’ stance on the covered entities’ responsibility and authority over encryption of “data at rest” at business associates? Do covered entities now need to make that a requirement in their BAAs? Who determines “reasonability and appropriateness?”
The second concerns the use of PHI in other applications outside the EHR system itself. Such applications may also store ePHI as structured data in an underlying database. Our concern is that encryption may be claimed as “unreasonable” in the context of the application, while the application itself may never have been tested for security vulnerabilities.