ENCRYPTION AND DECRYPTION
ADMINISTRATIVE MANUAL
APPROVED BY:
SUPERSEDES POLICY:
DATE:
POLICY # 45
ADOPTED:
REVISED:
REVIEWED:
REVIEW:
PAGE:
HIPAA Security Rule Language:
“Implement a mechanism to encrypt and decrypt EPHI.”
Policy Summary:
Where risk analysis shows it is necessary, appropriate encryption must be
used to protect the confidentiality, integrity, and availability of EPHI
contained on Sindecuse Health Center (SHC) information systems. SHC
must protect all cryptographic keys against modification and destruction;
secret and private keys must be protected against unauthorized disclosure.
SHC must have a formal, documented process for managing the
cryptographic keys used to encrypt EPHI on SHC information systems.
Purpose:
This policy reflects SHC’s commitment to appropriately use encryption
to protect the confidentiality, integrity and availability of EPHI contained
on SHC information systems.
Policy:
1. When risk analysis indicates it is necessary, appropriate encryption
must be used to protect the confidentiality, integrity, and availability of
EPHI contained on SHC information systems. The risk analysis must
also be used to determine the type and quality of the encryption algorithm
and the length of cryptographic keys.
2. At a minimum, SHC’s risk analysis must consider the following
factors when determining whether or not specific EPHI must be
encrypted:
- The sensitivity of the EPHI
- The risks to the EPHI
- The expected impact to SHC functionality and work flow if the
  EPHI is encrypted
- Alternative methods available to protect the confidentiality,
  integrity and availability of the EPHI
3. All encryption used to protect the confidentiality, integrity and
availability of EPHI contained on SHC information systems must be
approved by SHC’s Information Security Office.
4. Encryption should be used to protect the confidentiality, integrity, and
availability of EPHI stored on SHC portable workstations (e.g., laptops).
5. Encryption should be used to protect the confidentiality, integrity, and
availability of EPHI as specified in SHC’s Transmission Security policy.
6. SHC must protect all of its cryptographic keys against modification
and destruction; its secret and private keys must be protected against
unauthorized disclosure.
7. SHC must have a formal, documented process for managing the
cryptographic keys used to encrypt EPHI on SHC information systems.
At a minimum, this process must include:
- A procedure for generating keys for different cryptographic
  systems
- A procedure for distributing keys to intended users and then
  activating them
- A procedure for enabling authorized users to access stored keys
- A procedure for changing and updating keys
- A procedure for revoking keys
- A procedure for recovering keys that are lost or corrupted
- A procedure for archiving keys
- Appropriate logging and auditing of cryptographic key
  management
8. When possible, SHC cryptographic keys must have defined activation
and deactivation dates.
9. No department will implement encryption of data without the
knowledge and approval of the Information Security Officer.
10. The Information Security Officer will maintain documentation with
regard to when encryption is utilized.
Scope/Applicability: This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory Category:
Technical Safeguards
Regulatory Type:
ADDRESSABLE Implementation Specification for Access Control Standard
Regulatory Reference:
45 CFR 164.312(a)(2)(iv)
Definitions:
Electronic protected health information means individually identifiable
health information that is:
- Transmitted by electronic media
- Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Workforce member means employees, volunteers, and other persons
whose conduct, in the performance of work for a covered entity, is under
the direct control of such entity, whether or not they are paid by the
covered entity. This includes full- and part-time employees, affiliates,
associates, students, volunteers, and staff from third-party entities who
provide service to the covered entity.
Availability means the property that data or information is accessible and
useable upon demand by an authorized person.
Confidentiality means the property that data or information is not made
available or disclosed to unauthorized persons or processes.
Integrity means the property that data or information have not been
altered or destroyed in an unauthorized manner.
Encryption means the conversion of data into secret, unreadable code.
To read encrypted data, a person must have access to a secret key or
password that enables them to decrypt (decode) the data.
Cryptographic key means a variable value that is applied using an
algorithm to data to produce encrypted text, or to decrypt encrypted text.
The length of the key is a factor in considering how difficult it will be to
decrypt the data.
Responsible Department:
Information Systems
Policy Authority/Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure #(TBD).
Related Policies:
Access Control
Emergency Access Procedure
Automatic Logoff
Unique User Identification
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.