13.7 IMPLEMENTING TRANSMISSION SECURITY MECHANISMS (164.312(E)(1))
13.7 IMPLEMENTING TRANSMISSION SECURITY MECHANISMS ( § 164.312(E)(1) )
(e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
This safeguard describes alternatives for certifying data integrity as it moves from CEs through public mediums. Encryption controls are evaluated to describe efforts for assuring data is not viewed or tampered with in its transit.
Key exchange is an underlying foundation for encryption. Two types of classifications for key exchange are Symmetric and Asymmetric. Symmetric key exchange requires the two participants to decide upfront what the key will be to encrypt and decrypt data. This method is much faster than the other, however, it requires the participants to agree upon the key prior to the communications engagement. Asymmetric key exchange is based upon a participant having two keys, private and public. The private key is only known by the individual and the public key is known to all. Only the combination of the two keys allows for encryption and decryption. This method is much more secure than symmetric keys, because it does not require upfront communications to determine what the key should be. The disadvantage is that it is more complex and effectively slower than symmetrical key exchange.
| Encryption Standard | Symmetrical | Asymmetrical |
|---|---|---|
| AES | X | |
| Blowfish | X | |
| DES | X | |
| IDEA | X | |
| Rc5 | X | |
| RSA | X | |
| SSL | X | X |
13.7.1 Integrity Controls (E)(1)(i)
(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
Public Key Infrastructure (PKI) is the combination of software, encryption and services allowing CEs to protect the security of communications and transactions over the internet. PKI integrates digital certificates, public key cryptography, and certificate authorities in an enterprise wide architecture.
Example:
-
Implement PKI for clinic and hospital access to healthcare historical records for insurance purposes located at a Healthcare insurance company
-
Require PKI for members to access insurance records over the Internet.
Other types of integrity control mechanisms are Cyclic Redundancy Checks (aka, Checksums (see previous section)), Hashing functions (HMACs) that include MD5 and SHA hashing algorithms. Other notable integrity solutions are block ciphers such as Electronic Codebook Mode (ECB), Cipher Block Chaining Mode (CBC), Output Feedback Mode (OFB) and feistel mode. Of the previous listed controls, the most commonly deployed mechanisms are CRC, MD5 and SHA.
Example:
-
When exchanging sensitive files such as a spreadsheet of patient information, an MD5 could be generated and verified against after the file is sent over the internet
13.7.2 Encryption Controls (E)(1)(ii)
(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
There are many types of encryption technologies available for CE's to assure that data is protected and secured during its transmission. Some of the more popular encryption schemes are Advanced Encryption Standard (AES 256bit), 3DES (168bit), and blowflsh (32-448 bits). The National Institute of Standards and Technology (NIST) has recently endorsed the AES encryption protocol as its preferred method of encryption.
IPSEC is one of the most prevalent instruments for transmission encryption. There are 2 modes of transmission for IPSEC, transport mode-where IP headers are left in original state, and tunnel mode where the entire packet is encrypted, including the headers. IPSEC implements Authentication Header (AH-tunnel mode) and Encapsulation Security Payload (ESP-transport mode). AH is rarely used due to its nature of IP header encryption (tunnel mode) which is not compatible with today's widespread implementation of Network Address Translation (NAT). Internet Key Exchange (IKE) is another permutation of IPSEC Security Associating (SA) used to automate negotiation of IPSEC protocols. This ensures the validity of the endpoints for the data exchange.
Due the widespread implementation of IPSEC, there are many options for deployment:
| Implementation | Software/Hardware | Relative Costs | Benefits |
|---|---|---|---|
| Host Based | Software | Low | Costs are low, deployment somewhat easy, may result in hosts system burden , management is moderate |
| Routers | Hardware | Moderate | Costs are moderate, deployment is moderate, host system burden offloaded to hardware device, more difficult to manage |
| Firewalls | Hardware | Moderate-High | Costs are relatively more than that of host based and router implementations , hosts system burden is relieved, management is more intuitive |
| VPN appliance | Hardware | High | Costs are high because typically this is in addition to a firewall, hosts and firewall burden is relieved, management is more intuitive |
Examples of when encryption schemes would be applied:
-
Doctor working out of his/her home and needs access to patient records using an internet Virtual Private Network (VPN) based upon IPSEC and AES encryption
-
Clinics located throughout different regions connected via Internet VPNs using IPSEC and 3DES encryption, providing access to corporate resources.
Another level of encryption is Secured Socket Layers (SSL 128 bit). This encryption scheme specifically encrypts application communication whereas other encryption methodologies will encrypt the entire communications conduit.
Examples of how SSL could be applied:
-
Online patient appointment web site
-
Online Medicare enrollment form web site
EAN: N/A
Pages: 181