The Health Insurance Portability and Accountability Act (HIPAA) provides standards to improve efficiency and combat fraud in the medical industry by protecting sensitive patient health information (PHI). Provisions for safeguarding patient data were added through the introduction of the Privacy Rule in 2000 and the Security Rule in 2003.

HIPAA data encryption requirements can be a source of confusion for many covered entities because of the differences between required and addressable implementation specifications in the Security Rule. A required security measure must be implemented for HIPAA compliance, while addressable security measures give covered entities greater flexibility as to how PHI is protected.

Encryption, for example, is an addressable security measure, but this does not mean that covered entities can simply elect to not encrypt their data. Instead, they must use an alternative security measure that provides the same or greater level of protection as encryption.

In this article, we’ll highlight the HIPAA data encryption requirements and explain how a solution like WinZip® Enterprise can help healthcare organizations comply with data security standards.

What Is data at rest?

Data is considered to be at rest when it is not being actively accessed or used. Examples of data at rest include information that is stored in the following ways:

• On a laptop or computer.
  
• On a tablet or smartphone.
  
• In database servers or cloud storage.
  
• On portable storage devices (e.g., solid-state disk drives, USB sticks, and external hard drives).

Cybercriminals target data at rest because it’s easier to acquire. For example, data stored on a portable flash drive can be compromised if an attacker steals the drive. The flash drive could also be infected with malware or viruses that allow hackers to control the connected device or network and steal your data.

Database servers and cloud storage can hold large volumes of at-rest data, making them a valuable target for malicious attackers. This is because data at rest often holds your company’s most important and sensitive information, such as:

• Electronic protected health information (ePHI).
  
• Financial documents.
  
• Intellectual property.
  
• Third-party contracts.

When you encrypt data at rest, you scramble the original, readable data (known as plaintext) into ciphertext. Should an unauthorized person get hold of data in ciphertext, they would not be able to read or use it without the encryption algorithm and decryption key.

HIPAA encryption requirements for data at rest

The HIPAA Security Rule addresses protection for data at rest and data in transit. Anyone who processes or handles protected health information (PHI) must comply with Security Rule provisions. This includes, but is not limited to, the following entities:

• Medical, research, or government facilities.
• Cloud storage providers.
• Software-as-a-Service (SaaS) platforms.
• Managed service provider (MSP) and IT contractors.

The Security Rule protects PHI from theft or unauthorized exposure using technical, physical, and administrative safeguards. These safeguards set the standard by which companies can develop and implement policies and procedures to protect sensitive data.

Encryption falls under the Security Rule’s technical safeguards. The Department of Health and Human Services (HHS) notes that encryption reduces the risk that of an unauthorized user can view viewing and manipulatinge the data.

While encryption is identified as an addressable implementation specification, the wording contained in the Code of Federal Regulations (CFR) indicates that encryption is the preferred technique for PHI security. According to 45 CFR Section 164.312, covered entities and business associates must implement a mechanism to encrypt and decrypt electronic protected health information.

The HHS Office of Civil Rights (OCR), which enforces HIPAA rules, does not recommend a specific type of encryption for data at rest. However, the National Institute of Standards and Technology (NIST) recommends protecting PHI data with Advanced Encryption Standard (AES) encryption.

AES encryption is widely used to protect both data at rest and data in transit. It is a symmetric block cypher, meaning that it uses a single key to encrypt and decrypt data in blocks instead of encrypting one bit at a time.

HIPAA compliance for data at rest

To protect data at rest, you must first understand and identify the various types of sensitive data that your organization stores. The data classification process helps assess the security measures needed to protect varying levels of sensitive information.

You can classify your data by organizing it into relevant categories based on shared characteristics, such as levels of sensitivity and risks associated with each data type.

Data sensitivity is based on various levels of importance or privacy, while data risk informs who should have access to the data and the potential harm of unauthorized exposure.

Sensitivity and risk categories commonly include the following:

• Public data. The lowest classification level is public data, which means that it can be freely disclosed without negative consequences. Public data is considered low risk because it is accessible to the public and can be easily recovered.

• Private data. Also known as internal-only data, this type of data should be safeguarded against public access to preserve its integrity. Private data presents a moderate risk when it is handled and stored, requiring proper access controls to prevent loss or compromise.

• Confidential data. The confidential classification level means that access is typically restricted to specific teams or individuals. It is considered high risk because unauthorized exposure can have a negative impact on your organization.

• Restricted data. The highest classification for data sensitivity is restricted, which has strict legal and security requirements. Restricted data is also high risk because it cannot be easily recovered if lost or compromised.

You cannot monitor and control data if you do not know where it resides. Data classification helps you identify which categories are subject to HIPAA data encryption requirements.

Knowing where PHI and other health-related information is stored ensures that the correct controls are implemented to secure the data. Encrypting data at rest allows you to store it in an unreadable format. In the event an unauthorized individual accesses the data, they would not be able to decipher it without the decryption key.

Why HIPAA compliance requires data encryption

Data encryption is an effective method for rendering PHI unusable to unauthorized individuals. If malicious actors steal unencrypted data, they can immediately read, access, and use it.

HIPAA’s Breach Notification Rule requires notification to affected individuals following a breach of unsecured PHI. The key word here is unsecured—information that is properly encrypted is not subjected to the Breach Notification Rule.

For example, the Athens Orthopedic Clinic agreed to a $1.5 million settlement to resolve multiple HIPAA violations. The investigation found that Athens Orthopedic failed to implement security measures, including data encryption, to protect PHI.

In another breach-related incident, the University of Rochester Medical Center (URMC) was assessed a $3 million resolution to settle potential HIPAA violations. The settlement stemmed from two PHI breaches involving an unencrypted flash drive and an unencrypted laptop.

While it is not possible to prevent all cyberattacks, failure to comply with HIPAA rules puts data at an increased risk of theft or loss. Only encryption provides a safe harbor from breach notification requirements.

To ensure that PHI is encrypted properly, HIPAA identifies valid encryption processes for data at rest and data in transit. Whenever data is stored on a digital medium or end user device, HIPAA data at rest encryption requirements are consistent with NIST Special Publication 800-111, “Guide to Storage Encryption Technologies for End User Devices.”

The following processes are identified best practices for encrypting PHI data at rest:

• Application-level encryption (ALE). With ALE, encryption is implemented within an application, which allows you to customize the encryption process based on user roles and permissions.

• Full disk encryption (FDE). FDE converts data on a disk drive into an unreadable format. Without the proper authentication key, the disk data is inaccessible even if the hard drive is removed and placed in another device.

• File level encryption. Encrypting at the file level protects individual files and directors rather than the whole disk. Each item is encrypted with a unique key, adding an extra layer of security to full disk encryption.

The consequences of noncompliance

Noncompliance with HIPAA may be deliberate or unintentional, which impacts the severity of the penalties received. For example, a violation that you were either unaware of or could not have realistically avoided will have a lower penalty than a violation stemming from willful neglect.

While encryption is not specifically mandated, failure to encrypt PHI sets up your organization for a HIPAA violation. Noncompliance can result in fines as well as civil and criminal penalties.

For example, Lifespan Health System Affiliated Covered Entity (Lifespan ACE), a non-profit health system, received a $1 million penalty following a data breach. The health system was fined for violation of the technical safeguards detailed in the Security Rule.

Lifespan ACE failed to encrypt mobile devices even after a risk assessment indicated that encryption was warranted. The data breach occurred after an unencrypted laptop was stolen from an employee’s vehicle. With no security mechanisms in place, the thief had access to PHI of over 20,000 patients.

Whether malicious or accidental, a breach of unsecured PHI data can impact not only your bottom line but your reputation as well. Reports indicate that 46% of organizations have suffered damage to their reputation in the aftermath of a data breach. In addition, 87% of consumers say they would take their business elsewhere if a company experienced a breach.

WinZip Enterprise ensures compliance with data encryption requirements

Safeguarding data privacy and security should be a top priority for organizations subject to HIPAA rules. WinZip Enterprise protects sensitive data at rest and in transit using FIPS 140-2 validated encryption.

With WinZip Enterprise, data is encrypted at the file level to restrict access to unauthorized users. With centralized IT control, you can easily deploy and enforce policies related to data security.

To further protect your sensitive data, WinZip Enterprise respects internal security controls set by your IT admins using Windows Information Protection (WIP). As a WIP-enlightened application, WinZip Enterprise protects data against accidental exposure on both company-owned and personal devices.

Discover how WinZip Enterprise helps companies like yours comply with HIPAA encryption requirements for data at rest.

In today’s increasingly distributed workplaces, the need for data protection is at an all-time high. As of February 2022, 42% of remote-capable employees have a hybrid schedule that combines working from home and being in the office. An additional 39% work exclusively off-site.

This shift to remote and hybrid work environments increases the risk of vulnerable data exposure. The use of multiple devices and unsecured networks to access and share data creates new avenues for cyberattacks via unauthorized access.

There are a number of processes available to protect and secure your data. Two of the most common techniques are data masking and data encryption. In this article, we will explore what data masking is, how it differs from encryption, and how they work together for improved cybersecurity.

What is Data Masking?

Making something appear different than its actual form is known as obfuscation. Data obfuscation or data masking protects sensitive elements in a database or across multiple databases, such as:

• Personally identifiable information (PII)
• Payment card and other financial information
• Intellectual property
• Protected heath information (PHI)
• Commercially sensitive information

To ensure data privacy, data masking replaces real data with modified values, such as characters or numbers. For example, replacing customer names with a standard value (e.g., ‘John Doe,’ ‘Jane Doe’) preserves the original data format while protecting the real names from unauthorized identification.

By masking sensitive information, you are able to retain and share the data across systems and databases while minimizing security risks. There are two main forms of data masking: static and dynamic.

Static data masking protects sensitive data when it is moved from the production environment for the purpose of research, troubleshooting, analytics, and reporting. The masked data is duplicated into a separate database, or external environment, where it can be shared with both internal and external stakeholders. This is a one-way, irreversible process that enables testing, training, and development without compromising the original data.

Dynamic data masking, by comparison, masks data in real-time production environments. It does not require a secondary database to hold the masked data. Instead, dynamic masking occurs in real-time in response to user requests. Authorized users are able to view the original, unaltered data, and unauthorized users see masked data values.

How is Data Masking Different Than Data Encryption?

Data encryption and data masking are distinct methods of data protection. They are designed to solve different problems related to data security.

Encryption uses sophisticated algorithms to encode the original data into an unreadable ciphertext. It is widely used to protect sensitive data against external threats, such as hackers and other cybercriminals. Data encryption is most useful when you do not require real-time data usability, making it well-suited to protect data at rest or in transit.

Data masking is especially useful for data in use, which is data that is being directly accessed by one or more users. For example, teams often need to access data for work in non-production environments, such as quality assurance, development, and testing. Masking renders realistic values that maintain the data integrity needed for such processes without exposing sensitive information. This safeguards data from internal threats, including both malicious and unintentional errors.

Unlike encryption, data masking is irreversible. Once sensitive data is masked, there is no way to transform it back to its original state. As long as you have the correct decryption key, encryption is reversible and the ciphertext can be restored back to its original state. However, data encryption also introduces risk in the event that the encryption key is lost, deleted, or compromised by unauthorized users.

How Data Masking and Data Encryption Work Together

Encryption and masking are effective methods of guarding against unauthorized access and improper use of sensitive data. Encryption is commonly employed to protect data at rest and in transit. If the network or system is compromised or data transfer is intercepted, encryption renders the data useless to the unauthorized user.

Data masking is more appropriate for data in use. This is because masking hides data from unauthorized users without impacting its usability. As data circulates or is accessed in non-production environments, it is desensitized and protected against internal and external threats.

Highly regulated industries often use a combination of masking and encryption to comply with various data privacy laws. Health Insurance Portability and Accountability Act (HIPAA).

Any organization that handles or processes protected health information (PHI) is subject to HIPAA rules. Data at rest or in transit is addressed in the HIPAA Security Rule, which identifies safeguards for data protection.

According to the Department of Health and Human Services (HHS), encryption reduces the risk of unauthorized exposure or theft of PHI. Title 45 of the Code of Federal Regulations (CFR), Section 164.312, states that covered entities and business associates must “implement a mechanism to encrypt and decrypt electronic protected health information.”

HIPAA rules also seek to preserve the privacy of individually identifiable health information (IIHI). This is information that can be linked to a specific person, so the use and disclosure of IIHI has restrictions to protect the individual’s privacy.

Data masking enables HIPAA covered entities to use and share health data without violating privacy rules. According to 45 CFR Section 164.514, there are 18 identifiers that must be masked within a data set before it can be shared. Under HIPAA, these identifiers include but are not limited to the following:

• Names
• Social Security numbers
• Telephone numbers
• Medical record numbers
• Biometric identifiers (e.g., fingerprints, voice)
• Full-face photos
• Certificate or license numbers
• Device identifiers and serial numbers

Once PHI is masked, it can be freely shared for uses such as medical studies and assessments.

Payment Card Industry Data Security Standard (PCI DSS)

The storage, processing, and transmitting of cardholder data is regulated by PCI DSS security standards. While these standards are not set forth by governmental legislative bodies, compliance violations can result in financial penalties based on the discretion of the Payment Card Industry Security Standards Council (PCI SSC).

PCI DSS Requirement 3 provides guidance on protecting cardholder data. Cardholder data consists of the following:

• The cardholder’s name, card expiration date, and card service code.

• The Primary Account Number (PAN), which is the card number displayed on the front of the card.

• Sensitive Authentication Data (SAD), including the magnetic track data, PIN or PIN block, and card verification value (CVV).

If the data is encrypted, you are allowed to store a cardholder’s name, the PAN, and the card’s expiration date and service code. However, you are not permitted to store SAD information, even if that data is encrypted.

Encryption protects PCI DSS data when it is stored or in transit, while masking preserves confidentiality when sharing or displaying data. This is especially important when it comes to PAN data, which is often targeted because malicious actors can use it to impersonate or steal the cardholder’s identity. Masking requirements for PAN display applies to all display mediums, including computer screens, receipts, reports, and faxes.

General Data Protection Regulation (GDPR)

Organizations subject to the GDPR must meet two comprehensive compliance categories: data protection and data privacy. Data protection safeguards against unauthorized access, while data privacy addresses how data is used and for what purposes.

According to GDPR, a crucial aspect of data privacy is the use of data encryption. To protect consumer data and reduce the risks associated with storage and transfer, the GDPR’s Recital 83 specifically recommends “using techniques such as encryption.”

Data masking can be used to satisfy the GDPR’s mandate that organizations implement data minimization. By removing any real identifiers, organizations can use customer data for analytics, testing, and other support processes while preserving the anonymity of personal information.

The GDPR refers to the data masking process as pseudonymization, which is referenced throughout its Articles and Recitals:

• Article 6(4) identifies pseudonymization and encryption as appropriate safeguards for processing data for a purpose other than for which it was collected.

• Article 25 cites pseudonymization as an appropriate technical and organizational measure to meet GDPR requirements.

• Article 32 requires secure processing techniques, including the pseudonymization and encryption of personal data.

• Article 89 lists data minimization and pseudonymization as appropriate protections for processing data for archiving purposes.

Protect Sensitive Data with Masking and Encryption

Whenever you collect, store, or transfer sensitive data, you must take appropriate steps to keep it secure. Using a combination of data masking and encryption ensures that you have end-to-end protection to secure data at rest, in transit, and in use.

To protect crucial data with simplified file encryption, organizations look to solutions such as WinZip® Enterprise. With powerful AES encryption that complies with Federal Information Processing Standards (FIPS), your sensitive information is protected at rest and in transit.

Pairing WinZip Enterprise with leading data masking tools makes for comprehensive data security. WinZip Enterprise is fully customizable, giving IT administrators granular control over encryption standards, password policies, backup schedules, and more.

Discover how WinZip Enterprise’s data encryption can work within your organization’s overall cybersecurity framework.