Encryption is a process which is applied to patient data or other important data, and alters it to make it humanly unreadable except by someone who knows how to decrypt it, usually by using an encryption key.
In today’s world-wide computer networking, many forms of encryption exist to protect financial, personal, business and military data. Encryption was originally developed by the military for protecting national assets.
In the medical informatics, personal patient data must be protected against unauthorized viewing or changing. Encryption should be a vital part of every biomedical and bio-financial system. Encryption will help protect unauthorized use of information should physical security measure in place fail, such as loss of a laptop.
Public-key cryptography is a cryptographic approach which involves the use of asymmetric key algorithms instead of or in addition to symmetric key algorithms. Unlike symmetric key algorithms, it does not require a secure initial exchange of one or more secret keys to both sender and receiver. The asymmetric key algorithms are used to create a mathematically related key pair: a secret private key and a published public key. Use of these keys allows protection of the authenticity of a message by creating a digital signature of a message using the private key, which can be verified using the public key. It also allows protection of the confidentiality and integrity of a message, by public key encryption, encrypting the message using the public key, which can only be decrypted using the private key.
The electronic exchange of patient health information between health care providers has for long helped to speed up the process of health care and in turn provided means to improve quality of care. Two major issues surrounding the exchange and storage of such sensitive data are Security and Privacy. Several steps have been taken to ensure safe and secure transmission of patient data.
On of the major steps taken by HIPAA to ensure security of protected health information (PHI) is to announce the HIPAA Security rule. On February 13, 2003, HHS secretary Tommy Thompson announced the adoption of HIPAA Security Final Rule. The final standards were published in Federal Register in February 20, 2003 with an effective date of April 21, 2003. There are six sections in this rule which include, The general rule(164.306),Administrative safeguards(164.308),Physical Safeguards(164.310), Technical Safeguards(164.312), Business associate contracts(164.314) ,Policies procedures and documentation(164.316) describing measures to be taken by the organization to ensure security of the PHI. The section 164.312 or the Technical Safeguard Section makes it mandatory for health organizations to use data encryption while transmitting PHI especially over the internet. (1)
Data encryption and the field of Cryptography (hidden writing) have been around for decades now. Encryption essentially refers to the process of transforming information (referred to as plaintext) using an algorithm (cipher) to make it unreadable to anyone except those possessing special knowledge, referred to as a key. The result of the process is encrypted information (in cryptography, referred to as cipher text). There are a number of standard algorithms that are available today. The most commonly used ones include Symmetric key Algorithms (e.g. DES, AES), Asymmetric key algorithms (RSA), Block Ciphers and Stream Ciphers. The symmetric key and asymmetric key algorithms are most commonly used for transmission of information over the internet. (2, 3)
The symmetric key algorithm uses a shared key between sender and receiver called the private key whereas asymmetric key algorithm creates private and public keys and publishes only the public key. Each one of these approaches has their own advantages and disadvantages. There are several encryption software that are commercially available. The gold standard today is the AES-256 others used commonly are DES and RSA. (4, 5) Besides classifying Encryption Solutions on the type of algorithm used. Encryption Solutions can also be classified based on the whether they use a file level encryption or full drive encryption. Where file level encryption encrypts files at an individual level, the full drive encryption aims to encrypt data as it is written to the disk drive. One of the major challenges today for health organizations is to choose the best of available encryption solutions (6).
Today there are several challenges to Data Encryption. One of the major challenges to data encryption is the Management of keys. Once the keys have been created, they must be kept safe to ensure that encryption offers desired level of security, however they must not be too far out of reach to prevent the decryption of data(6). Furthermore the recent research shows that the Encrypted Data can be easily stolen. According to a report published in New York Times, researchers at Princeton University have identified a way to retain the data from DRAM after the power has been cut off. The DRAM (chip) holds data such as the keys to data scrambling algorithm in addition to other data. Freezing the chip in Liquid Nitrogen (-1960) resulted in freezing the data in place, with data being retained for several hours without power supply, thus providing access to the keys (7). Not only is this method of recovering encrypted data very easy, but is also inexpensive. This makes all of the stored and transmitted information vulnerable to being stolen. The end results of this would be dreadful. As far as health information is concerned, the organization is trusted with protecting it, if such information is lost; it will not only malign the organization name but will have a bad effect on the health care process as whole. With the fear that their data could be possibly stolen, the patients may prevent from fully disclosing their information even to the health care providers.
This again has put forth a number of important questions, Are the Computer Security systems as robust as we believe them to be? How much should we rely on these systems? Do the benefits of implementing such systems outweigh the risks and costs? I believe that however robust you make the security systems, those who have want to break in through them will find new ways of doing it. The only thing that remains to be done then is to make sure that legal actions against such crimes are severe enough to discourage those trying to commit such crimes.
[Submitted by: Sathaye Gauri on February 28,2008 ]
- Jeff Tyson, How Encryption Works, 
- Encryption and File Encryption http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci212062,00.html
- Joan Breuer, Ph.D. March 29, 2010