Protecting Data in Motion

posted Oct 5, 2014, by Ron Gault

From a series of 'Ask the Expert' columns for a HIPAA Compliance website: What are my Options for Protecting Data in Motion?

Data in a medical information system exists in one of two states: 1) ‘at rest’ or 2) ‘in motion’. At rest means that the data is contained in one physical location, e.g., in a local patient database. Data in motion is being sent from one location to another, e.g., patient data being sent to an insurance company for claims processing or to a hospital for updating in a central repository. Besides being a HIPAA addressable requirement, the ever-increasing news revelations (e.g., Wikileaks, etc.) about information compromises underscore the fact that unsecured data, especially when in motion, is highly susceptible to interception, and therefore protection must be considered. Since the majority of us are using an Internet Service Provider (ISP) via our telephone or cable service, this data is readily available to anyone with minimal skills and a desire to compromise it.

Various methods exist to protect data in motion, ranging from a simple password that prevents casual observers from viewing the data to sophisticated encryption schemes that only dedicated analytical attacks can compromise. Encryption is the act of ‘scrambling’ information so that while an interloper may tap into your communications line, they cannot compromise that information. Encryption uses mathematical algorithms to encrypt the information at the sending end and decrypt it at the receiving end. These operations are performed under the control of unique numeric keys so that only holders of the correct keys can successfully pass data back and forth. When you select ‘purchase’ on a website, you’ll see the address of that provider automatically change to include ‘https’ (hypertext transfer protocol secure), which the website owner is using to establish an encrypted connection between the two of you.

Establishing encryption services can be time consuming and expensive, so a simple risk assessment (discussed in a previous article) is a good first step to help determine the complexity of security required. Ask yourself: who are the entities that you are communicating with, what quantity of data do you routinely send, and what level of protection is appropriate for this data when in motion? After you have determined the actual quantity and sensitivity of data at risk, you can scope how much effort you need to expend to protect it. Various encryption techniques are available that are suitable for the small clinic. Let’s review what they are.

Common Data in Motion Protection Options

Access Protection

Most internet services offer the sender the option of setting a password that the recipient must enter to view the message. This is simple to use but does not truly encrypt the information in the message. It does prevent the casual interloper from compromising the information and can be considered acceptable protection for sending small amounts of data.

Private Networks

When the sender is communicating with a single recipient, both parties may coordinate a solution to make the process secure by selecting an encryption scheme and establishing a secret key that they share. Because only they know the key, it can be reused for months at a time before changing it.

Virtual Private Networks

If you are using several computers to send information and/or you’re communicating with a large organization, they most likely will have the capability to establish a virtual private network (VPN) between the two of you and provide all management of the process. It generally requires you to make a one-time load of a unique software application on your computers and to use a password that needs to be entered every time you communicate.

Web-based Secure Connections

Many companies are now using secure web-based applications that allow you to use an application in your web browser to securely communicate with them. It’s based on VPN principles, but all the necessary management of the connection is done through a web browser using a protocol called Secure Sockets Layer (SSL). You utilize this method when you conduct business on the internet and you see ‘https’ in the address line. It requires you to open the browser but does not require you to enter a password.
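The ‘https’ indicator stands for specific checks that the client side performs. As an added example (not part of the original column), the Python sketch below refuses a destination that is not https and audits a connection configuration for certificate and protocol checks; the TLS 1.2 minimum is an assumed policy, and the host claims.example.org and all function names are hypothetical.

```python
import ssl
from urllib.parse import urlsplit

def secure_client_context():
    """Client settings for an encrypted web connection (assumed policy: TLS 1.2+)."""
    ctx = ssl.create_default_context()  # verifies the certificate chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL and early TLS
    return ctx

def check_destination(url):
    """Return (host, port) for an https URL; raise ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise ValueError("refusing to send over unencrypted scheme: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("URL has no host name")
    if parts.username or parts.password:
        raise ValueError("credentials must not be embedded in the URL")
    return parts.hostname, parts.port or 443

def audit_context(ctx):
    """List the ways a context falls short of the policy above."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate not verified")
    if not ctx.check_hostname:
        problems.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocols older than TLS 1.2 allowed")
    return problems

def weak_context():
    """The misconfiguration to avoid: encryption without verifying the peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # any certificate accepted
    return ctx

if __name__ == "__main__":
    # Constructed sample destination, not a real endpoint.
    print(check_destination("https://claims.example.org/upload"))
    print(audit_context(secure_client_context()))
    print(audit_context(weak_context()))
```

A connection built from the weak configuration is still encrypted, but nothing confirms who is at the other end, which is why the audit reports it.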

Public Key Encryption

Public key encryption is a complex but very secure process that is universally accepted for high security data exchanges. It requires registering with a trusted third-party agency that provides you encryption keys so that you can communicate with anyone else that has so registered. The establishment and use of this process is generally beyond the needs of the small clinic unless you are passing large amounts of data (e.g., participating in a large clinical trial, etc.).

Summary

Protection of data in motion is important and must be addressed by everyone in the medical field.  Start with a simple risk assessment to determine the amount of effort you need to expend and coordinate with all the organizations you are likely to be communicating with. Perhaps there is one protection technique that is compatible with all of them, and would be the most economical approach for your clinic to adopt.