The Role of Peer-to-Peer Encryption in the HIPAA Omnibus Era
It’s every compliance officer’s worst nightmare. You’re sitting at your desk on a weekday afternoon, perhaps catching up on the latest posts on the qliqSOFT blog, when all of a sudden your CIO calls and frantically explains that one of your vendors has suffered a major data breach. Over thirty thousand patient records are lost, and there is no way to know what has been done with the data so far. Regrettably, all of it stemmed from an unfortunate but unavoidable human error: the vendor’s firewall was turned off by accident and left off for over six weeks. If this sounds familiar, that’s because it is.
Healthcare Data Breach Incident Response
Following your incident response plan, you analyze the security incident and correctly determine that a data breach has indeed occurred. You begin preparations to notify each and every patient whose data was compromised. You even try to preempt future class action lawsuits by offering the patients free credit monitoring services. All told, this event will be a costly one: at an average of $200 per patient in notification and credit monitoring services, the total cost of the breach will balloon above $6 million. Luckily, your data breach insurance policy and BAA indemnification provisions will shift a lot of the cost to other parties. However, not even the most stringent contractual protections will keep this story off the front page of the Wall Street Journal and the OCR “Wall of Shame.”
The above incident underscores one of the most concerning aspects of information security in the healthcare world – providers relying on their vendors to provide adequate security measures for systems containing PHI. And despite the due diligence and contractual safeguards providers can take to keep their patients’ data safe, the fact of the matter is that human error continues to be the biggest problem area to account for. Quite frankly, the more vendors you work with, and thus the more parties you outsource your PHI to, the higher your odds of suffering a data breach through a human error on their part.
Peer-to-Peer Product Infrastructure
Thankfully, there are alternatives. One of the easiest methods of decreasing vendor risk is choosing the right vendor product infrastructure. Many vendors provide valuable services to customers, but they include the needless step of taking custody of PHI-containing files, often storing the data in the cloud. One alternative is a peer-to-peer product infrastructure, which lets a customer organization’s providers exchange PHI with one another directly, from device to device, without the data ever flowing through the vendor’s central server.
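As an added illustration, and not qliqSOFT’s code or protocol, the following Go program models the custody boundary this architecture draws: the vendor hosts only a directory of device public keys for discovery, while each device derives its own pairwise key (an assumed X25519 plus AES-GCM construction) so PHI is encrypted and decrypted only on the endpoints. All device IDs and the patient record are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Directory is the only vendor-hosted state in this model: device IDs mapped to X25519
// public keys for discovery. A dump of it contains no PHI and nothing that decrypts a message.
type Directory map[string][]byte

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Enroll generates a device key pair on the device and publishes only the public half.
func Enroll(dir Directory, id string) *ecdh.PrivateKey {
	priv := must(ecdh.X25519().GenerateKey(rand.Reader))
	dir[id] = priv.PublicKey().Bytes()
	return priv
}

// pairAEAD derives an AES-256-GCM key from the X25519 shared secret (plain SHA-256 stands in for HKDF).
func pairAEAD(priv *ecdh.PrivateKey, dir Directory, peer string) cipher.AEAD {
	pub := must(ecdh.X25519().NewPublicKey(dir[peer])) // panics for an unknown peer
	key := sha256.Sum256(must(priv.ECDH(pub)))
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

// Seal encrypts PHI on the sender's device for peer; the random nonce is prefixed.
func Seal(priv *ecdh.PrivateKey, dir Directory, peer string, phi []byte) []byte {
	g := pairAEAD(priv, dir, peer)
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, phi, nil)
}

// Open decrypts a message that arrived directly from peer's device. Any other key,
// including one derived by whoever holds the directory, fails authentication.
func Open(priv *ecdh.PrivateKey, dir Directory, peer string, msg []byte) ([]byte, error) {
	g := pairAEAD(priv, dir, peer)
	if len(msg) < g.NonceSize() {
		return nil, errors.New("truncated message")
	}
	return g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], nil)
}
```

The point of the model is what the vendor-side Directory does not contain: a party holding it, even one enrolled as a device, cannot open traffic between two other devices.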
Clear Benefits of Peer-to-Peer Encryption
The benefits of peer-to-peer connectivity are clear. Providers “cut out the middleman,” dramatically decreasing the chances that their patients’ information will be intercepted by a malicious party. Moreover, because the vendor doesn’t actually take custody of PHI in this scenario, no BAA is necessary. Most important of all, compliance officers will have one less vendor, and one less set of opaque security controls, to worry about. That’s potentially one less urgent weekday phone call on your mind.