Securing Protected Health Information

By Aleks Szymanski

In the highly regulated and litigious world in which we live, sending, receiving, or managing sensitive documents and data through email or related services can amount to negligence. Every day, unfortunately, many healthcare businesses transport Protected Health Information (PHI) and Social Security details by email, or by services that ride on email, because they misunderstand or dismiss the risks.

Email Risk: Although almost every organization uses email every day, it is inherently insecure, and the risks of using it to transmit PHI are not fully appreciated. Email is a store-and-forward system. When an organization uses an Internet fax service that relies on fax-to-email or email-to-fax to transport the document, the message is handled, and usually written to disk, at every relay between sender and recipient: the provider's servers, ISP mail servers, gateways, and spam and virus filters. Any hop that does not negotiate TLS carries the message in cleartext, where automated harvesting tools can read it. At every point where the message is stored or through which it transits, staff with access to the mail servers or the network can also read it with ordinary traffic monitors or packet sniffers configured to look for particular content or key words.

It is not just the message body that is at risk: typically around thirty percent of emails carry attachments, and an attached fax image is exposed at every delivery stage just as the body is. Some fax-to-email providers claim to use protocols that encrypt the attachment, but what matters is where that encryption ends. If the provider, the recipient's mail server, or anyone else holding the key can decrypt the 'wrapper', the entire document is available intact at that point, and the headers, subject line and body text around the attachment are usually not encrypted at all.

In practice, most fax-to-email providers send the email itself unencrypted, so it can be intercepted by unauthorized parties, sometimes with malicious intent. The consequences are serious: significant fines, loss of customers, and, possibly, business failure.
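To make the point about cleartext hops and exposed attachments concrete, here is an added example (not code from the article or from Sfax) in Python. It builds a constructed fax-to-email message with three Received: headers, reports which hops negotiated TLS and which carried the message unencrypted, and recovers the attachment exactly as anyone on a cleartext hop could. Host names, addresses and the patient line are made up for the example.

```python
"""Audit an email's delivery path for cleartext hops and show what they see.

Every mail server that handles a message stamps a Received: header on it,
newest first. The "with" clause records the protocol the hop was received
over (RFC 3848 keywords): ESMTPS / ESMTPSA mean the sending server negotiated
TLS, while plain SMTP / ESMTP mean the message crossed that hop unencrypted
and could be read or stored by anything on the path. This is added example
code, not part of the article; the message, hosts and patient data below are
constructed.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Protocol tokens that can appear after "with" in a Received: header.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
CLEARTEXT_PROTOCOLS = {"SMTP", "ESMTP", "ESMTPA", "UTF8SMTP", "UTF8SMTPA"}


def build_sample_message() -> bytes:
    """Construct a fax-to-email style message with a three-hop trace (hypothetical hosts)."""
    msg = EmailMessage(policy=policy.default)
    # Each relay prepends its own Received: header, so the newest hop is listed first.
    msg["Received"] = ("from mx-in.example-clinic.test ([192.0.2.10]) "
                       "by mail.example-clinic.test with ESMTPS id A1; "
                       "Mon, 02 Apr 2012 10:15:01 -0400")
    msg["Received"] = ("from relay.fax-provider.test ([198.51.100.7]) "
                       "by mx-in.example-clinic.test with ESMTP id B2; "
                       "Mon, 02 Apr 2012 10:14:58 -0400")
    msg["Received"] = ("from faxgw.fax-provider.test ([10.0.0.5]) "
                       "by relay.fax-provider.test with ESMTPSA id C3; "
                       "Mon, 02 Apr 2012 10:14:55 -0400")
    msg["From"] = "fax@fax-provider.test"
    msg["To"] = "records@example-clinic.test"
    msg["Subject"] = "New fax from +1 555 0100"
    msg.set_content("You have received a new fax; see the attached document.")
    # A real fax would be a TIFF or PDF; plain text keeps the exposure visible.
    # Base64 is a transfer encoding, not encryption: any hop can decode it.
    msg.add_attachment(b"Patient: Jane Doe\nMRN: 0000000\nDiagnosis: constructed sample\n",
                       maintype="text", subtype="plain", filename="fax.txt")
    return msg.as_bytes()


def _token_after(keyword: str, received: str):
    """Return the word following `keyword` in an unfolded Received: value, or None."""
    m = re.search(r"\b%s\s+(\S+)" % keyword, received)
    return m.group(1).rstrip(";") if m else None


def audit_hops(raw: bytes):
    """Return the hops in chronological order with an encryption verdict for each.

    "encrypted" is True (TLS), False (cleartext SMTP) or None when the hop is
    not a network SMTP hop (local injection, LMTP, HTTP) or cannot be parsed.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        text = " ".join(str(received).split())  # collapse folded continuation lines
        protocol = _token_after("with", text)
        proto = (protocol or "").upper()
        if proto in TLS_PROTOCOLS:
            encrypted = True
        elif proto in CLEARTEXT_PROTOCOLS:
            encrypted = False
        else:
            encrypted = None
        hops.append({"from": _token_after("from", text), "by": _token_after("by", text),
                     "protocol": protocol, "encrypted": encrypted})
    return hops


def cleartext_hops(raw: bytes):
    """Describe every hop on which the message travelled unencrypted."""
    return ["%s -> %s" % (h["from"], h["by"]) for h in audit_hops(raw) if h["encrypted"] is False]


def extract_attachments(raw: bytes):
    """Recover each attachment verbatim, as a sniffer on a cleartext hop would."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [(part.get_filename(), part.get_payload(decode=True)) for part in msg.iter_attachments()]


if __name__ == "__main__":
    sample = build_sample_message()
    for hop in audit_hops(sample):
        verdict = {True: "TLS", False: "CLEARTEXT", None: "unknown"}[hop["encrypted"]]
        print("%-10s %s -> %s (%s)" % (verdict, hop["from"], hop["by"], hop["protocol"]))
    for name, data in extract_attachments(sample):
        print("attachment %s, readable on every cleartext hop:\n%s" % (name, data.decode()))
```

Two caveats a practitioner should keep in mind. Received: headers are written by each relay, so only the headers added by servers you control are trustworthy; anything upstream can be forged or omitted. And a TLS verdict says only that the message was encrypted on the wire for that hop: the relay still decrypted it and typically stored it on disk, which is exactly the exposure the article describes.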

Penalties: Civil penalties for HIPAA (Health Insurance Portability and Accountability Act) violations currently carry annual maximums ranging from $25,000 to $1.5 million, depending on the scale and nature of the violation and the level of culpability. Furthermore, an individual who knowingly obtains or discloses individually identifiable health information may face a criminal penalty of up to $50,000 and up to one year of imprisonment, with higher tiers for offenses committed under false pretenses or for commercial gain. Many providers believe they comply with the latest HIPAA encryption requirements, but in reality they may be compliant only in a very limited set of circumstances, and maintaining that compliance demands a high level of IT support.

A further point to note on these regulations is that if an unencrypted email containing PHI is sent across the Internet, a HIPAA violation may have occurred even if the email was never intercepted. The Security Rule requires reasonable safeguards for PHI in transit, so the fact that the message was available for review by an ISP or any other third party along the path can be enough to expose the organization to penalties.

In addition, fax-to-email systems make it difficult, if not impossible, to track a missing fax. Delivery tracking is very limited, and often there is no genuine audit trail at all: a delivery report says only that a message reached a mailbox, not who opened it or what happened to the document afterwards.

Organizations that wish to compete successfully in the healthcare sector must deploy appropriate technologies to protect documents and data, both at rest and in transit. Failure to do so not only risks day-to-day patient confidentiality but can also jeopardize the organization through potential fines, reduced customer confidence, and loss of business. It is, however, possible to put a number of physical, organizational, and technical measures in place to protect PHI and ensure HIPAA compliance.

Aleks Szymanski is CEO of SecureCare Technologies, Inc., providers of Sfax, a double-encrypted HIPAA-compliant fax service for the healthcare sector that uses 256-bit SSL encryption and 2048-bit private keys.

[From the April/May 2012 issue of AnswerStat magazine]