Hard drive encryption: Contracting requirements and protecting PHI

Cybercrime is one of the fastest growing risks to businesses of all sizes, and if you hold private data that needs protecting, then you’re certainly exposed. According to the FBI’s Internet Crime Complaint Center, cybercrime cost its victims at least $1.4 billion in 2017. The federal agency registered more than 300,000 victim reports last year. McAfee estimates that 780,000 individual records were lost per day in 2017.

Many of today’s health insurance contracts require agents to have an encrypted hard drive. If your clients’ data is compromised and your hard drive wasn’t encrypted, you could have a big HIPAA and compliance headache on your hands.

A little bit of prevention can go a very long way toward protecting your practice. Continue reading for LeClair Group’s report on data protection and hard drive encryption.


What is hard drive encryption, and why do I care?

As technology improves, our devices keep getting smaller, which makes it easier to take our data with us wherever we go and also makes us more susceptible to theft and cybercrime. Your data is valuable to you, to your clients and ultimately to the Insurance Providers you are appointed through, and chances are you don’t want a stranger snooping through it. Encrypting your hard drive protects that data if the device is lost or stolen. In computing, encryption is the method by which plain text or any other type of data is converted from a readable form into an encoded version that can only be decoded by someone who has the decryption key.

For example, if you lost your laptop, or someone stole it, and its hard drive was encrypted, the person who has your laptop would need the decryption key to gain access to the laptop’s files. Without that key, the laptop is basically an expensive paperweight (and your client files remain safe). This remains true even if the hard drive is removed from the laptop and placed in another machine: the data remains inaccessible.

Background

By law, the HIPAA Privacy Rule only applies to “Covered Entities” (health plans, health plan clearinghouses, and certain health care providers). However, most of these “Covered Entities” do not carry out all their health care activities and functions by themselves. Instead, they use the services of a variety of other persons or businesses (referred to as “Business Associates”). On September 23rd, 2013 the HIPAA Omnibus Rule went into effect, promising a much higher degree of HIPAA Security Rule enforcement for “Business Associates”. The US Department of Health and Human Services (HHS), along with state attorneys general, is now required to conduct periodic audits of both “Covered Entities” and “Business Associates” to enforce HIPAA compliance. Note that prior to the Omnibus Rule, there had to be a reported breach of Protected Health Information (PHI) to trigger an audit. Today, simply not having properly implemented the HIPAA compliance requirements is enough to trigger an audit.

Are Agents considered “Business Associates” under HIPAA?

According to HHS[1], a “Business Associate” is a person or entity that performs functions involving the use or disclosure of PHI on behalf of, or provides services to, a “Covered Entity”. To be considered PHI, health information must include elements that can be used to identify the individual to whom the information belongs. Given those definitions, agencies, brokerages and independent agents are certainly “Business Associates” of an Insurance Provider. Insurance Providers are recognizing this and are starting to include provisions in their agent appointment contracts that require HIPAA compliance. One of those provisions is hard drive encryption.

OK, I’m sold. How do I encrypt my hard drive?

Most business-class computers manufactured in the past two to five years contain the hardware needed to securely encrypt your desktop or laptop computer. This hardware, called a Trusted Platform Module (“TPM” on PCs; the “T2” chip on Macs), is a specialized chip in the computer that stores the encryption keys needed to encrypt your device.

Consumer-class computers that originally shipped with Windows Home may not have the TPM hardware needed to encrypt your computer. In addition to the hardware not supporting encryption, Windows Home does not support full-disk encryption natively. If you are uncertain whether your device has a TPM, consult a certified computer professional.

For Windows 10 Pro and Enterprise systems, you can use the free BitLocker utility (included with Windows) to encrypt your device. For Windows 10 Home, you may be able to purchase third-party encryption software, but we recommend running Windows 10 Pro or Enterprise. For Macintosh systems, you can use the included FileVault utility to encrypt your device. T2 chips were introduced in the iMac Pro and in most Mac models in 2018.
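As an added illustration (not part of the original article, and not LeClair Group’s code), the following PowerShell check reports whether a Windows 10 Pro or Enterprise machine has a ready TPM and whether its operating-system volume is BitLocker-protected with a recovery password on file. It uses only the built-in `Get-Tpm`, `Get-BitLockerVolume`, `Enable-BitLocker` and `Add-BitLockerKeyProtector` cmdlets; the function name `Test-DiskEncryptionReadiness` and the `$osVolume` variable are our own. It makes no changes to the machine; the two commands that would turn encryption on are only printed.

```powershell
# Added example: BitLocker readiness check for Windows 10 Pro/Enterprise.
# The function name is ours; every cmdlet used ships with Windows.
# Run from an elevated ("Run as administrator") PowerShell session.

function Test-DiskEncryptionReadiness {
    [CmdletBinding()]
    param(
        # OS volume to inspect; $env:SystemDrive is "C:" on most machines.
        [string]$MountPoint = $env:SystemDrive
    )

    $report = [ordered]@{
        WindowsEdition      = (Get-CimInstance Win32_OperatingSystem).Caption
        TpmPresent          = $false
        TpmReady            = $false
        VolumeStatus        = 'Unknown'
        ProtectionOn        = $false
        EncryptionMethod    = 'None'
        HasRecoveryPassword = $false
    }

    # Windows Home does not ship the BitLocker module at all, which is the
    # gap the article describes for consumer-class machines.
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        $report.VolumeStatus = 'BitLocker cmdlets not available on this edition'
        return [pscustomobject]$report
    }

    # Get-Tpm throws when Windows sees no TPM device; treat that as "absent".
    try {
        $tpm = Get-Tpm
        $report.TpmPresent = [bool]$tpm.TpmPresent
        $report.TpmReady   = [bool]$tpm.TpmReady
    } catch {
        Write-Verbose "No TPM device reported: $($_.Exception.Message)"
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $report.VolumeStatus     = $vol.VolumeStatus      # FullyDecrypted, EncryptionInProgress, FullyEncrypted
    $report.ProtectionOn     = ($vol.ProtectionStatus -eq 'On')
    $report.EncryptionMethod = $vol.EncryptionMethod  # e.g. XtsAes128 or XtsAes256
    # A recovery password is what gets you back in if the TPM or firmware changes.
    $report.HasRecoveryPassword = [bool]($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    return [pscustomobject]$report
}

$osVolume = $env:SystemDrive
$status   = Test-DiskEncryptionReadiness -MountPoint $osVolume
$status | Format-List

if ($status.ProtectionOn -and $status.HasRecoveryPassword) {
    Write-Host "OS volume is protected and a recovery password exists. Keep a copy of that password off this disk."
}
elseif (-not $status.TpmReady) {
    Write-Warning "No ready TPM detected. A TPM may be present but disabled in firmware; have a technician check before enabling BitLocker."
}
else {
    # Shown, not executed: the two commands a technician would run. The recovery
    # password is added immediately so a TPM fault can never lock you out.
    Write-Host "Ready to encrypt. From an elevated prompt run:"
    Write-Host "  Enable-BitLocker -MountPoint $osVolume -EncryptionMethod XtsAes256 -TpmProtector -UsedSpaceOnly"
    Write-Host "  Add-BitLockerKeyProtector -MountPoint $osVolume -RecoveryPasswordProtector"
    Write-Host "Then print the RecoveryPassword shown by (Get-BitLockerVolume $osVolume).KeyProtector and store it offline."
}
```

The check is deliberately read-only so it can be run on every agent workstation to confirm the contract requirement is actually met, not just that a TPM exists. On a Mac the equivalent one-line check is `fdesetup status` in Terminal, which reports whether FileVault is on.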

Now, if all this sounds a bit daunting, don’t worry. We recommend that you take your computer to a certified computer professional. Places like Best Buy’s Geek Squad[2] or a nearby computer repair shop can usually do the work. They can be easily located using Google Maps[3] and searching for “computer repair near me”. Expected costs vary but should be around $50 to $200 depending on your situation and needs.

OK, but what about my email?

Interesting paradox, right? You make this valiant effort to protect your files by encrypting your hard drive, but when you need to send one of those files to a client via email, suddenly that file is no longer protected. Have no fear, though: there is such a thing as email encryption, and it’s worthy of its own article. Stay tuned next month for information on email encryption. First things first, though: get that hard drive encrypted!

Final thoughts

Carriers and their agents have a responsibility to protect customer data. In other words, it’s the right thing to do. It’s also the law: federal and state regulations require carriers and their agents to implement reasonable and appropriate security measures to ensure that Protected Health Information (PHI) and Personally Identifiable Information (PII) are protected from unauthorized access and use.

LeClair Group offers the following additional areas for your consideration to help ensure PHI and PII are fully protected.

  • Ensure all users have a unique user ID and password, and that IDs and passwords are not shared amongst users. Doing so establishes audit trails and accountability for individual user actions. Group or shared accounts represent significant security and compliance risks from intentional, accidental or indirect misuse of shared privileges.
  • Consider enabling two-factor authentication for your users to gain access to your network. For example, in addition to a user ID and password combination, anyone trying to enter the network is asked to verify their identity with a second factor that only they possess, such as a code from a hardware or software token.
  • Consider performing a risk assessment, at least annually, to identify and quantify the administrative, physical and technical risks posed to your company. New threats are constantly emerging and require ongoing vigilance.
  • Consider adding additional security controls to your office. Secure the areas of your physical environment that contain servers, desktops or laptops with PHI or PII so that only authorized personnel are allowed access. Example controls include locked doors, security cameras and similar measures that restrict access to servers and critical hardware to authorized personnel.
  • Consider encrypting any removable media, such as USB/flash drives, external hard drives or similar, since removable media are easily lost and can carry malicious code from one machine to another.
  • Consider having all your computers scanned for vulnerabilities, and consistently install patches and updates to your operating systems. This uncovers weaknesses and protects against potential compromise of your computer systems.
  • Consider installing anti-virus/anti-malware software. This prevents, detects and removes malicious code, such as Trojans, spyware, worms, and more. Weaknesses in an organization’s workstations, operating systems and web browsers can be exploited by malicious code if left undetected and unaddressed.

[1] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html

[2] https://www.bestbuy.com/site/services/geek-squad/pcmcat138100050018.c?id=pcmcat138100050018

[3] http://www.lmgtfy.com/?q=computer+repair+near+me