Cybercriminals have many opportunities to intercept confidential data either at rest or in transit. However, if your data is encrypted, they won’t be able to make any sense of it even if they succeed in getting their hands on it.
Like any other healthcare provider, dental practices must comply with HIPAA and HITECH, which oblige them to safeguard electronic protected health information (ePHI) wherever it is stored or transmitted; encryption is the safeguard those rules point to, and under HITECH, properly encrypted data that is exposed does not count as a reportable breach. Since email remains the most common way of exchanging confidential information such as patient health records, it is imperative to secure it end to end. Relying on conventional perimeter defenses such as firewalls, or on the consumer-grade protections bundled with many email services, is not enough.
What you need to encrypt
The National Institute of Standards and Technology (NIST) has published a 139-page guideline on email security that spells out the controls a healthcare provider or business associate needs when email carries ePHI: digitally signing messages so the recipient can verify who sent them and that nothing was altered, encrypting the message body so only the intended recipient can read it, and encrypting the connections between mail servers.
To cover all the bases, encrypt every message with standard, well-vetted algorithms rather than anything proprietary; for email this normally means S/MIME or OpenPGP, which use a public-key algorithm such as RSA to protect a per-message AES key. A third-party email encryption provider can automate the parts practices tend to get wrong on their own: issuing certificates, distributing public keys, and enforcing encryption by policy instead of leaving it to each user.
Why conventional measures aren’t enough
Virtually every email provider uses transport layer security (TLS) to protect mail in transit. It is the industry standard for securing connections, but on its own it does not protect ePHI the way the rules expect. TLS covers only the hop between two mail servers: each server along the path decrypts the message, stores it in plaintext, and re-encrypts it for the next hop only if that next server offers TLS. TLS therefore does nothing for data at rest, so archived mailboxes and server logs remain exposed to anyone who compromises them, and because server-to-server TLS is normally opportunistic, the sender cannot guarantee the message stays encrypted all the way to its destination.
Another gap opens when people reply. A reply quotes the original message, and if the other party's mail system does not apply the same protection, that copy travels and sits unencrypted. In other words, if you are relying on TLS alone, the security of your messages depends on the configuration of every party you correspond with.
Many businesses also use a virtual private network (VPN) to protect their internet traffic. A VPN adds a useful extra layer, but it offers no way to sign messages and it covers only the leg between the user's device and the VPN endpoint. On that leg it does encrypt everything, including email header information such as sender, subject line and recipients; beyond the endpoint the message travels however the mail system sends it. It is not a complete solution, but a VPN should be part of your overall cybersecurity plan, particularly for employees who connect through public or unsecured wireless networks.
How does encryption work in dental practices?
To meet HIPAA's expectations, dental practices usually rely on public-key cryptography, in which each email address has a pair of keys. The public key, published in a directory or on a key server that anyone can consult, is used to encrypt mail to that address; the matching private key, which never leaves its owner, is the only thing that can decrypt it. A sender looks up the recipient's public key and encrypts the message with it, and from that point only the holder of the recipient's private key can read it; not even the sender can recover the plaintext from the encrypted copy. The same key pair works in reverse for signing: the sender signs with their own private key, and anyone can check the signature with the sender's public key, which is how the recipient confirms who sent the message and that it was not altered.
If the email is sent to the wrong party by mistake, or intercepted in transit, the content is unreadable without the private key and, in practical terms, impossible to crack. Exhausting the full key space of AES-256, the symmetric algorithm normally used for the message body, would take some 50 supercomputers roughly 3×10^51 years, by which time any would-be hacker would have run out of patience. The realistic risk is not brute force but a lost or stolen private key, a compromised endpoint, or a message that was never encrypted in the first place, which is why key management and policy enforcement matter more than the choice of algorithm.
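The scheme described in the two paragraphs above, as an added example written for this page (it is not code from Pact-One or from the original post), in Go using only the standard library. Each hypothetical Mailbox holds a key pair; Seal encrypts a message to the recipient's public key and signs it with the sender's private key; Open shows that the intended recipient reads it, that a mailbox the message was not addressed to cannot unwrap it, and that a forged or altered message fails the signature check. The mailbox addresses and the patient note are constructed sample data. It goes slightly beyond the text in the same way S/MIME and OpenPGP do: the body is encrypted with a fresh per-message AES-256 key, and the public key is used only to wrap that key.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Mailbox is a hypothetical stand-in for one email address and its key pair:
// Public() is what a key server would publish; priv never leaves the owner.
type Mailbox struct{ priv *rsa.PrivateKey }

func NewMailbox() (*Mailbox, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Mailbox{priv: k}, nil
}

func (m *Mailbox) Public() *rsa.PublicKey { return &m.priv.PublicKey }

// Envelope is the sealed message: body encrypted under a fresh AES-256-GCM key,
// that key wrapped with the recipient's RSA public key (OAEP), all signed by the sender (RSA-PSS).
type Envelope struct {
	WrappedKey []byte // per-message AES key, recoverable only with the recipient's private key
	Nonce      []byte
	Ciphertext []byte // AES-GCM output, authentication tag included
	Signature  []byte // RSA-PSS over SHA-256(WrappedKey || Nonce || Ciphertext)
}

func (e *Envelope) digest() []byte {
	h := sha256.New()
	h.Write(e.WrappedKey)
	h.Write(e.Nonce)
	h.Write(e.Ciphertext)
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts body so that only the holder of recipient's private key can read it, signed as sender.
func Seal(sender *Mailbox, recipient *rsa.PublicKey, body []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // AES-256 content key plus 96-bit GCM nonce, fresh for this message
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, nil)}
	if env.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil); err != nil {
		return nil, err
	}
	env.Signature, err = rsa.SignPSS(rand.Reader, sender.priv, crypto.SHA256, env.digest(), nil)
	return env, err
}

// Open verifies the signature against the claimed sender's public key, then unwraps the content key
// with recipient's private key: a wrong recipient fails at the unwrap, a forged or altered message at the signature.
func Open(recipient *Mailbox, sender *rsa.PublicKey, env *Envelope) ([]byte, error) {
	if err := rsa.VerifyPSS(sender, crypto.SHA256, env.digest(), env.Signature, nil); err != nil {
		return nil, errors.New("signature does not verify: wrong sender or message altered")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap content key: message was not encrypted for this mailbox")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	// Constructed sample: the front desk sends a referral note to a specialist.
	frontDesk, _ := NewMailbox()
	specialist, _ := NewMailbox()
	stranger, _ := NewMailbox()
	env, _ := Seal(frontDesk, specialist.Public(), []byte("Patient 4471: radiograph attached, suspected lesion #19"))
	body, err := Open(specialist, frontDesk.Public(), env)
	fmt.Printf("intended recipient reads: %q (err=%v)\n", body, err)
	_, err = Open(stranger, frontDesk.Public(), env)
	fmt.Println("wrong recipient:", err)
}
```

This is the same shape as a real S/MIME message: the expensive public-key operation covers only the 32-byte content key, AES-GCM handles the body of any size, and the signature is checked before any decryption is attempted. What a production system adds is a certificate binding each public key to an email address, so the sender knows the key on the server really belongs to the recipient.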
Pact-One provides dental practices with a multilayered approach to security which includes all the measures you need to ensure HIPAA compliance. Call us today to schedule your network security audit.