Is Your Data Protection Software FIPS 140-2 Compliant? If You are in Healthcare, It Better Be

The current recession's wrath has spared few, and technology has seen its hard times just like every other sector, but one area poised to be among technology's biggest beneficiaries is health care. When the Stimulus bill was passed, President Obama made a point of bringing health care technology front and center by providing $19 billion for the implementation of electronic medical records (EMR). $19 billion certainly gets companies' attention, and most are either positioning themselves in, or renewing their focus on, healthcare to glean their share of this substantial investment.

Stimulus money aimed at EMR is a welcome investment for healthcare for several reasons, but mostly because implementing this type of technology is costly. Nor is the upfront cost the only burden; the technology is also difficult to implement. Add the vagueness of key provisions written into the healthcare regulations of the Stimulus bill, referred to as HITECH (Healthcare Information Technology for Economic and Clinical Health), and it is understandable why healthcare is cautiously wading into the EMR waters.

HITECH contains a number of purposely ambiguous deadlines, written so that the Department of Health and Human Services (HHS) can add clarification at a later date. Arguably the first area HHS has clarified for healthcare is data breach notification.

The HITECH act took the idea of data breach notification national after state laws such as California's now infamous SB1386 made it popular. Although HITECH does not supersede a state law that is more restrictive, it adds a reputational risk that usually was not part of state law.

HITECH mandates that when a data breach exposes more than 500 patient records, prominent local media must be notified. Further, breaches in this category must be posted to the HHS web site. Like SB1386 and similar state laws, HITECH provides "safe harbor" from the costs of patient notification, as well as from the reputational risk, if the data was protected from unauthorized access using encryption.

The HHS guidance addresses "data in motion", that is, data moving through a network, including wireless networks. The encryption processes approved for claiming safe harbor are those that comply with the requirements of Federal Information Processing Standard (FIPS) 140-2. This cryptographic standard ensures that federal guidelines for the effectiveness of the encryption, the strength of the algorithm, and the security of the decryption key are met. HHS does not regard Electronic Protected Health Information (ePHI) as secure if the encryption key or the encrypting process has been breached.

If healthcare is going to invest in a software solution that moves ePHI across a network, then FIPS 140-2 certification becomes important. If ePHI is secured in accordance with the HHS guidance on FIPS 140-2, then unauthorized access to that ePHI does not trigger the HITECH data breach notification requirements. Without FIPS certification, it will be difficult for a healthcare institution to invest in solutions that move ePHI across networks for backup and recovery, disaster recovery, data archiving or any other purpose.

DCIG has seen a renewed importance placed on the FIPS 140-2 standard, and it stands to reason that a driving factor is the $19 billion being invested in healthcare technology and the subsequent HHS guidance. Being able to demonstrate that technology products adhere to this security standard will be increasingly important in the future.

The high cost of data breach notification affects not only healthcare but every industry where unauthorized access to data can be financially devastating. The Ponemon Institute estimates the cost of a data breach in 2008 at $202 per record, so ensuring data is protected while in motion is a critical aspect of any software solution.

The healthcare industry should ascertain whether the software it uses to move data across networks is FIPS compliant, and if a software solution is not compliant, the vendor should be able to provide a roadmap to compliance. Where software is not FIPS compliant, data breach risks are significantly higher and safe harbor will not apply in cases of unauthorized data exposure. If a vendor is unwilling or unable to show a roadmap to compliance, a very cautious approach should be taken toward its products to minimize exposure to the HITECH notification mandate.

Although encryption is only part of the data security equation, it currently offers the best protection against unauthorized exposure. Seeing companies renew their interest in the FIPS 140-2 standard is a necessary and welcome step in improving privacy and data security.
