What about encryption? Is it required?
No. Encryption is not required, but it is strongly suggested. Why? PHI that is released in encrypted form does not count as a release. To qualify, it must be encrypted to the NIST standard (see http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf). So while you don’t have to encrypt data, it is best practice to do so while it is stored in the database, and especially while it is in transit.
What are some other best practices?
There are a few things clients should do that will help with their audit:
Document data management, security, training and notification plans
Use a password policy for their access
Encrypt PHI data whether it’s in a database or in files on the server
Do not use public FTP. Use other methods to move files
Only use VPN access for remote access
Implement login retry protection in their application
Document a disaster recovery plan
The Security Rule requires us to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, we must:
Ensure the confidentiality, integrity, and availability of all e-PHI we create, receive, maintain or transmit;
Identify and protect against reasonably anticipated threats to the security or integrity of e-PHI;
Protect against reasonably anticipated, impermissible uses or disclosures; and
Ensure compliance by our workforce.