Encryption is just one aspect of the bigger picture regarding data security. It is particularly important for health care facilities and medical practices. Many national and local regulations require health care providers to encrypt private health information (PHI). Even if you aren’t legally required to encrypt your data, however, it’s still the best practice to do so.
With regard to medical imaging data, encryption isn’t typically something you do on your own. Often the security of your medical imaging data is handled by the vendor that either stores or enables the sharing of this data. The industry refers to data being shared as “data in transit” and to stored data as “data at rest.”
In the best-case scenario, both are encrypted, with different techniques to handle the varying threats to the privacy of medical imaging data.
Rules for Encryption of Medical Imaging Data
In the United States, HIPAA requires everyone who handles medical information - including medical imaging data - to keep it private. To comply with HIPAA, data must be encrypted while it is being stored (even on your own systems) as well as when it is being transferred to another system or person.
Of course, every country has its own regulations governing the encryption of medical data, with some setting the bar quite high.
For example, Australia has strict regulations that prevent healthcare practitioners and organizations from storing PHI outside of the country. For Australian users, this places heavy restrictions on the use of the cloud for medical image storage.
When You Don't Encrypt Your Medical Data
If you are located in the United States, or a country that requires you to keep medical imaging data private, the risks of choosing not to encrypt those sensitive files could be enormous. In the United States, for example, intentional or grossly negligent violations of HIPAA regulations could lead to exorbitant fines, loss of your medical license, and even time in prison.
Setting fines and penalties aside, even if you aren’t in a location where you are legally required to encrypt data, the news of a data breach - costly in its own right - could do irreversible damage to your reputation. In this case, it's better to be safe than sorry. Encrypting medical imaging data is always the best practice, even in instances where it may not be specifically required.
The Importance of Encrypting Stored Data
Many people make the mistake of not looking at the whole picture when it comes to the encryption of medical imaging data. You might think it is enough to encrypt your data only when it is being transferred since this is the time when it leaves your physical control and is subject to the "hackers" lurking on the Internet.
Clearly, it is important to ensure adequate protection when your data is sent using public communication lines. In fact, in the medical imaging industry, virtual private networks (VPNs) are often used to create a protected communication path. However, in your own facility, you control access to the office or locked closet where your medical imaging data resides. So why worry about encryption there?
As it turns out, leaving medical image data unencrypted on your own systems can still leave you vulnerable. Many of the most notorious data leaks - like Snowden at the NSA - were inside jobs. The point is that someone with physical access can extract private data. We are not suggesting that your medical data is as enticing as national secrets, but why subject yourself to that risk?
There are many ways to encrypt “data at rest” - data stored in your own facility - including file-level and directory-level encryption. Some medical imaging vendors have taken to separating the storage of the PHI from the image itself, making an internal hack almost completely ineffective.
Consider that almost every organization has had at least one disgruntled employee who could walk out of the facility with sensitive information and make it publicly available. If this occurs, you could be held responsible for breaching data privacy regulations. To avoid this situation, you need to ensure medical imaging data is encrypted both when it is in storage and when it is in transit.
So, the best answer to the question, “When should I encrypt medical imaging data?” is that you should always use encryption. Encrypting medical imaging data is not only the best way to keep your patients’ private information safe, but also a sure way to stay on the right side of the law.
That's why it's important to choose a secure picture archiving and communications system (PACS), as well as methods of file transfer and sharing, which leverage end-to-end encryption. It is the best way to not only ensure compliance and protect your patients from data theft, but also safeguard your reputation and the future success of your practice.