About the lack of ePHI encryption in transmission and at rest?

Join Our Mailing List 

 e-Patient Health Information is Vulnerable!

Shahid N. Shah MS[By Shahid N. Shah MS]

ePHI is vulnerable to be compromised in all the states it is in. Whether it is at rest (in databases and files), or in motion (being transmitted through networks), or in use (being updated, or read), or is disposed (discarded paper files or electronic storage media).

An extra layer of security

Using encryption puts an extra layer of security to ePHI because even if someone gains access or reads ePHI, if it is encrypted then the chances of ePHI getting compromised diminishes. It makes the data unreadable and unusable by unauthorized persons. When ePHI is transmitted through networks, it is possible that it will be accessed by unauthorized persons, thus compromising ePHI. These type of unauthorized access hacking may not be immediately known, but can cause many damages.

Major Mitigation

ePHI should be encrypted and there must also be reasonable and appropriate mechanisms in place to prevent access to ePHI so that it is not accessed by persons or software programs that have not been granted access rights.

There are many different encryption methods and technologies to encrypt data in motion (SSL, VPN) or at rest.

So, choose the methods and technologies that best meet the physician’s office requirements.


  Risk Management, Liability Insurance, and Asset Protection Strategies for Doctors and Advisors: Best Practices from Leading Consultants and Certified Medical Planners™


Success criteria

A risk analysis/assessment reports will provide a clear indication of whether these type of risks exists or has been mitigated with appropriate controls.


Auditing logs that track access to ePHI can be verified periodically to check if there has been unauthorized access by persons or software programs that have not been granted access rights.


About: Meet Shahid N. Shah MS [Our Newest IT Thought-Leader]


Your thoughts and comments on this ME-P are appreciated. Feel free to review our top-left column, and top-right sidebar materials, links, URLs and related websites, too. Then, subscribe to the ME-P. It is fast, free and secure.

Speaker: If you need a moderator or speaker for an upcoming event, Dr. David E. Marcinko; MBA – Publisher-in-Chief of the Medical Executive-Post – is available for seminar or speaking engagements. Contact: MarcinkoAdvisors@msn.com



      Product DetailsProduct DetailsProduct Details

[Mike Stahl PhD MBA] *** [Foreword Dr.Mata MD CIS] *** [Dr. Getzen PhD]



3 Responses

  1. Very good information, Shahid N. Shah. Would you happen to know the prevalence of encryption in healthcare?



  2. Unencrypted Emails of PHI OK if Patient Assumes the Risk: OCR

    Because “emails are generally considered readily producible by all covered entities,” The Office of Civil Rights (OCR) says in its newest guidance, the agency expects that “all covered entities have the capability to transmit PHI by mail or email (except in the limited case where email cannot accommodate the file size of requested images), and transmitting PHI in such a manner does not present unacceptable security risks to the systems of covered entities, even though there may be security risks to the PHI while in transit (such as where an individual has requested to receive her PHI by, and accepted the risks associated with, unencrypted email).”

    Deven McGraw, OCR deputy director for health information privacy says the use of unencrypted email, if requested by the patient, isn’t a “slippery slope” toward a free-for-all of abandoning safeguards or extended communications between patients and providers. The use embodies “exercising the HIPAA right of access.”

    Source: Report on Patient Privacy Via AIS Health [February 2016]


  3. Healthcare Organizations Are Top Targets for Hackers

    1. 68 percent of healthcare organizations analyzed have compromised email credentials
    2. Nearly 80 percent of the positive data set includes actionable password information
    3. An estimated 7,500 individual incidents occurred across the study where healthcare companies had email credentials compromised due to phishing or key logging attacks
    4. 23% of the passwords stolen were available for sale or trade on the Dark Web as unencrypted, clearly visible text

    Source: Evolve IP


Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: