A version of this article was first published on HIPAA Vault’s
Protecting your Patient’s Privacy…
It’s a necessity, especially for sensitive data like protected health information (PHI). HIPAA regulations require it. Today, most providers realize that encryption is the technique of choice; however, this seems to be the extent of most people’s knowledge. If you are a manager, or involved in projects involving patient information in electronic health records (EHR), then it behooves you to know at least the basics of encryption, as well as where and when it should be applied. There are two types of encryption that are commonly used to encrypt PHI data:
1. Symmetric (or “secret key”) Cryptography
2. Asymmetric (or “public key”) Cryptography
Symmetric cryptography is typically used to encrypt hard drives or databases that contain PHI, and employs an algorithm or cipher that involves a single key. The key is like a password. It is not computed. The key should be shared only with authorized users and applications that need to unlock (decrypt) the data. This is especially important, for if the key gets into the wrong hands, the data might be exposed to an unauthorized user. It is a best practice to use a symmetric AES-256 key.
Asymmetric ciphers are used when the data is transmitted from one place to another, such as when using HTTPS. An asymmetric cipher involves two keys. One key is for locking the data, and this key can be given to anyone. It is considered public. The other key is private and is used for decrypting the data. It should only be used by authorized users or applications.
Asymmetric encryption is perfect for securing sensitive data that is being transported from a user’s web browser to a web server, since the keys are derived by an algorithm or cipher. The asymmetric key is much longer and more complex than a symmetric key, which is simply made up. And because the public key can be distributed “safely” to anyone, it is considered a superior method of encryption whenever widespread distribution of keys is involved. Best practices dictate using asymmetric ciphers, typically RSA with a 2048-bit key.
Use this table to help you recall what encryption type and strength to use:
Data Location | Type | Strength |
Hard disk (files) or Database | Symmetric Cipher | AES-256 |
Transporting data (HTTPS) | Asymmetric Cipher | RSA 2048 bit Key |