Most businesses that deal with sensitive information recognize that it should be secured both at rest in the network, and when it it is sent to a third party. However, there are also some key Federal and State Laws that require some types of information to be encrypted. Among them are the HIPAA-HITECH Act, Sarbanes-Oxley, Gramm-Leach Bliley, PCI, MA 201 CMR 17 (Massachusetts), NRS 597.970 (Nevada). Most states have data breach notification laws that provide safe harbor for data that is protected by encryption. For a complete list of state laws, you can go here. This is also an active legislative topic, with 15 states updating or adding new data security laws this year.
If you collect, store, or transmit personal information like credit cards numbers, social security numbers, driver’s license numbers, medical data, financial data, or other sensitive information, your business will have some level of responsibility to safeguard it.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, has made several important changes to the HIPAA Security Rule.
The HIPAA Security Rule is a requirement for HIPAA-covered entities and their business associates to provide notification in the event of a breach of “unsecured protected health information [PHI].” This means, for example, that if a hacker were able to gain access to a physician practice’s computer system that contained patient information, the physician practice would have to inform all patients and the Department of Health and Human Services (HHS) of the breach. In some cases, the physician practice would also need to notify the media.
The one and only exception to this new requirement is encryption technology: If the electronic PHI (or ePHI) is stored and transmitted in encrypted form, then you do not need to notify patients, even if there is a security breach. The National Institute of Standards and Technology (NIST) has issued Special Publication 800–66–Revision 1, “An Introductory Resource Guide for Implementing the HIPAA Security Rule,” which is intended to describe the technologies and methodologies that physicians and other HIPAA-covered entities and their business associates can use to render ePHI unusable, unreadable or indecipherable to unauthorized individuals. While HIPAA-covered entities and their business associates are not required to follow this guidance, if your practice does follow the specified technologies and methodologies, you will avoid having to comply with the extensive notification requirements otherwise required by the HITECH Act in the event of a security breach.
You should encrypt any systems and individual files containing ePHI. Data you should encrypt includes your practice management system; electronic medical records; documents containing ePHI, such as claims payment appeals; scanned images, such as copies of remittance advices; e-mails containing ePHI; and ePHI that you transmit, such as the claims sent to a clearinghouse. E-mails containing ePHI must be encrypted. E-mail is not like mailing a sealed letter or package. It is more like sending a postcard. People are not supposed to read it while it is in transit, but it passes through many hands, and one can never be sure that someone is not reading it illegally. Fortunately, there are many tools available for encrypting e-mail.
Gramm-Leach Bliley (GLBA)
The Gramm-Leach-Bliley Act of 1999 (sometimes called the Financial Modernization Act, and usually known as GLBA) is intended to ensure protection of consumers’ private financial data, which the Act refers to as Nonpublic Personal Information (NPI). GLBA applies to a wide range of financial institutions and other organizations that maintain NPI related to their customers.
The areas of greatest concern to most companies, and to corporate messaging managers, are the Financial Privacy Rule, which covers the collection, use, and disclosure of NPI, and the Safeguards Rule, which describes the processes companies must take to protect NPI. The Financial Privacy Rule is relevant to messaging because it covers the implementation of opt-out policies and privacy notices. For the most part, these are technology independent.
The Safeguards Rule is more directly related to email messaging. Companies must maintain security programs that reflect their size and complexity, as well as with the sensitivity of the personal information. This Rule covers the use of technologies to prevent interception, automated enforcement of corporate policies related to message content,and general email security provisions.
While GLBA doesn’t make reference to specific technologies, it is technology neutral. The Safeguards Rule means that companies should implement policy enforcement tools that can encrypt or block email traffic based on message sender, recipient, and content as appropriate. In addition, companies must implement systems that provide logging and reporting – allowing them to demonstrate compliance. Protection from spam, phishing, and viruses may also help demonstrate compliance, since these forms of traffic may increase the risk of unauthorized use, and pose a threat to the integrity and security of the NPI.
The Sarbanes-Oxley Act, better known as SOX, affects only public companies, but has far broader applications than GLB and includes criminal penalties for individual executives who fail to comply with its provisions. Section 302, which assigns responsibility for financial reports, and Section 404, which describes required internal controls, are the two sections most relevant to the messaging system. Between them, these provisions include several requirements directly relevant to email policies and practices, includ- ing requirements for:
As with GLB, SOX isn’t specific about the precise policies or technical means companies use to implement these requirements. However, there is no question that SOX compliance will force changes to the messaging architectures used by public companies. In particular, the requirements for identity management (i.e., positive identification of message senders and recipients), message security and integrity, and message indexing and archiving, are not typical capabilities of today”s corporate mail systems.