HIPAA Ushers in New Era in Health Data Security

Published March 1, 2002

According to health industry analysts, compliance with new privacy and security rules passed as part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will cost the nation’s health-related businesses some $43 billion. Of that amount, nearly $25 billion will go to new computer hardware and software, along with training to implement the security provisions of the rule.

New Model Needed

The old model of health care security is the “island” model. The data are stored in a network that can be accessed only by certain users, in certain special rooms, using certain special computers.

For the most sensitive information, that model probably will never be replaced. But for many health care applications it is already becoming obsolete, because caregivers and patients alike want access to medical records virtually upon demand, which requires a much more flexible system.

The “island” model does not work, for example, for doctors and patients exchanging email. Nor does it work for a doctor in the intensive care ward who wants to access a patient’s treatment history on a wireless device while standing next to that patient’s bed. Nor would it work to secure large files of data in transit to a third party on a different network, such as an insurance company.

For all these reasons and more, the heightened security available through data encryption will become increasingly important in future health care transactions.

Encryption and Security

Encryption uses very hard math to transform the text of a document into unreadable ciphertext. To turn the document back into readable “plaintext,” one must know the key to the code. The type of encryption most likely to be used for email and in digital signatures uses what is called a Public Key Infrastructure.

In a Public Key system, there are two keys: a “public” one and a “private” one. The two keys are related to each other by a complex mathematical formula. The public key is publicly posted, often on the Internet, for everyone to see.

The private key is known only to the user. If the user wants to send an encrypted message, he encrypts it with the private key. The recipient can decrypt it with the public key. To reply, the recipient can use the public key to encrypt her response, and the end user decrypts the text using his private key.

The longer the string of digits used in the key, the more difficult it is to break the encryption (assuming the encryption has no other flaws, so that the only method to break it is by trying every possible key—a “brute force” attack).

The keys planned for creating digital signatures will be either 512 or 1,024 bits long. But a computer expert announced last fall that he had designed a computer called “Twinkle” that could crack one type of 512-bit key in around three days. Military applications now use 1,024-bit keys.

HIPAA Security Rules

HIPAA’s new security rules require that hospitals control access to patient files and install systems to authenticate the identity of caregivers accessing the files. The rules also require new security measures, so that stored data or data in transit are protected by security systems that ensure:

  • message integrity—that the message is not altered in transmission;
  • non-repudiation—to prevent the signer of a message from later disavowing it; and
  • authentication—to verify that the user and recipient are who they claim to be.
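An added example (not from the article) of the public-key mechanics described in the previous section and of the integrity, non-repudiation and authentication goals in the list just given, using textbook RSA with constructed tiny primes: confidentiality encrypts under the recipient's public key so only the matching private key decrypts, a digital signature is what results from applying the private key and checking with the public key, and the trial-division routine at the end shows concretely why the key length matters. All function names are hypothetical and the key sizes are for illustration only.

```python
# Added illustration of the article's public-key discussion: textbook RSA with
# tiny constructed primes. Real deployments use 1,024-bit or larger moduli and
# padding; this shows the mechanics only and is not secure.
from math import gcd, isqrt

def mod_inverse(a, m):
    """Return x with (a * x) % m == 1, via the extended Euclidean algorithm."""
    r0, r1, t0, t1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, t0, t1 = r1, r0 - q * r1, t1, t0 - q * t1
    if r0 != 1:
        raise ValueError("no modular inverse")
    return t0 % m

def make_keypair(p, q, e=17):
    """Public key (n, e) and private key (n, d) from two primes (constructed sample)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (n, e), (n, mod_inverse(e, phi))

def encrypt(recipient_pub, m):
    """Confidentiality: anyone encrypts under the recipient's PUBLIC key ..."""
    n, e = recipient_pub
    return pow(m, e, n)

def decrypt(priv, c):
    """... and only the holder of the matching PRIVATE key can read it."""
    n, d = priv
    return pow(c, d, n)

def sign(priv, m):
    """Signature: the sender applies their own PRIVATE key to the message ..."""
    n, d = priv
    return pow(m, d, n)

def verify(sender_pub, m, sig):
    """... and anyone checks it with the sender's PUBLIC key. An altered m fails,
    which is the integrity / non-repudiation property the rules ask for."""
    n, e = sender_pub
    return pow(sig, e, n) == m

def recover_private_key(pub):
    """Brute-force factoring of n by trial division: trivial for this toy
    modulus, infeasible for properly sized keys, which is why key length matters."""
    n, e = pub
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return (n, mod_inverse(e, (p - 1) * (n // p - 1)))
    return None

if __name__ == "__main__":
    pub, priv = make_keypair(61, 53)  # constructed sample primes, n = 3233
    c = encrypt(pub, 65)
    print(c, decrypt(priv, c), verify(pub, 65, sign(priv, 65)), recover_private_key(pub) == priv)
```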

The new model involves encrypting the content of a network behind a firewall to create virtual private networks (VPNs). Highly secure networks may use 13 or more layers of encryption. These private networks are connected to the Internet and can be accessed from anywhere … but only if you are an authorized user with the right password or fingerprint or typing pattern.

Encryption Policy Questions

The use of encryption has most often raised policy questions at the federal, rather than state government, level. For years, encryption was regulated by national security agencies as a type of “munition.”

Most of the debate about encryption policy concerned whether to lift the limits on exporting strong encryption software to other countries. There never were any limits on the strength of encryption that could be used within the United States.

Nevertheless, limits on export hindered the development of domestic encryption for health care purposes. Software developers were not eager to invest in developing one product for the U.S. market and another for export. Within the past two years, however, the rules on exporting encryption have been relaxed, especially for health care applications.

HIPAA does not preempt the adoption by states of even stricter privacy rules. For example, the HIPAA security rules are technology neutral. They do not stipulate the use of particular software or hardware, or prefer one type of encryption over another. Some states might choose to abandon that policy and prescribe a particular technology.

Another looming issue is how institutions will remain HIPAA-compliant over time.

Suppose a hospital installs a firewall and access control system that uses 512-bit or 1,024-bit encryption. The hospital does its best to be up to, or even slightly ahead of, the industry standard. But the day after its system is installed, a brilliant mathematician in New Zealand or Israel comes up with a way to crack the code and announces his results to the world. Would the hospital be HIPAA-compliant on Monday but not on Tuesday? How will judges or regulators view compliance when the standard set by the technology is such a moving target?

Law Enforcement Access

One of the most significant policy debates concerning encryption and health care information will turn out to be setting limits on law enforcement access to encrypted records. There are very few such limits today. However, law enforcement authorities may well request even greater access than they now enjoy.

Today, law enforcement authorities can ask a hospital or other care provider to turn over medical records to help with an investigation, particularly when billing fraud is suspected. Hospitals are and will be required to respond to a subpoena or a warrant … including one that asks a hospital to turn over its private key, or the plaintext of encrypted messages.

The question is whether users of encryption will be required to make their private keys accessible to law enforcement officers as a matter of course, at the time the keys are generated, without any subpoena, warrant, or other explicit request. For about a decade, this has been the expectation and enforced policy of most law enforcement authorities.

It seems likely that we have seen the last of federal proposals to store somewhere a copy of everyone’s decryption keys. Still, it would not be surprising to see such proposals resurface among local law enforcement authorities.

Giving law enforcement the power to decode everyone’s email on demand—without application to a judge or accountability to any other branch of government—is a very questionable idea from a constitutional or a democratic standpoint. That sort of blanket access to information might well affect the level of trust patients feel in the health care system.

There is a consensus among security experts that subjecting encrypted data to a “back door” for use by law enforcement authorities would make the entire system less secure. And for many types of encryption, it’s simply unworkable for law enforcement authorities to store a copy of everyone’s key. Some of the strongest security systems generate a new key for every message. Law enforcement officials could end up with billions of keys for just one user.

Weakest Link

In terms of HIPAA compliance or compliance with other security requirements, encryption will probably be necessary … but it won’t be sufficient.

Encryption is best used to stop hackers or other unauthorized persons from accessing health records. But it cannot stop an employee with authorized access from abusing his privilege to access information, or from violating that confidence out of sheer carelessness.

The weakest link is usually a human being. No individual will be able to memorize a 1,024-bit key. Those keys will have to be password-protected … but the vast majority of passwords people choose for themselves can be cracked within 7 minutes! The best passwords combine the use of upper- and lower-case letters and numbers—not words directly lifted from the dictionary. Even a carefully designed password is not secure if it’s left on a sticky-note attached to a computer monitor.

The best remedy, of course, is to have in place a compliance program that emphasizes accountability and establishes appropriately strong penalties for employees who breach obligations of confidentiality.

Solveig Singleton is a lawyer and senior policy analyst on technology and innovation for the Competitive Enterprise Institute (CEI). His email address is [email protected].

For more information …

This article is an abbreviated version of remarks delivered by Solveig Singleton on April 10, 2001 to the State Health Affairs Group (SHAG) of the American Hospital Association. The full text of those remarks is available on the Internet at http://cei.org/gencom/027,02004.cfm.