Compliance Law Journal

76 Journal of Regulatory Compliance Vol. I
covered entities should be mandated to encrypt and
decrypt all internet traffic flowing into and out of their
networks.165 This may not prevent attacks when the
cyber criminal possesses an administrator’s
authentication information – i.e., the credentials that
allow access to the decryption key – but it adds a level
of security that may cause criminals to move on to softer
targets.

3. Under the “integrity” standard, covered entities should be required to implement electronic mechanisms to corroborate that e-PHI has not been altered or destroyed in an unauthorized manner.166

4. Finally, under the “transmission security standard,” covered entities should be mandated to: (a) implement system integrity controls to ensure e-PHI is not improperly modified without detection; and (b) implement encryption mechanisms to encrypt e-PHI whenever it is in motion.167 This is a vital step because system and network compromises often go unnoticed for days or even months at a time, while cyber criminals are free to access sensitive data or even use the network as a launching pad for other attacks. Further, encryption will make it more difficult for hackers to transmit data, using their unauthorized access, without detection.

The foregoing modifications will force healthcare entities to allocate IT management resources to the development and implementation of compliance policies and procedures specifically tailored to cybersecurity. Unlike the amorphous “reasonable and necessary” standard under current law, a mandated industry-wide baseline security framework will instill consumer confidence and bring the healthcare industry into the online age.

IV. CONCLUSION
As the healthcare industry adopts EHR technology, mobile health
technology, and a host of other applications, the vulnerability of e-PHI will
continue to increase unless action is taken to protect it. Understandably,