76 Journal of Regulatory Compliance Vol. I
covered entities should be mandated to encrypt and decrypt all internet traffic flowing into and out of their networks.165 This may not prevent attacks when the cyber criminal possesses an administrator’s authentication information – i.e., the credentials that allow access to the decryption key – but it adds a level of security that may cause criminals to move on to softer targets.
3. Under the “integrity” standard, covered entities should be required to implement electronic mechanisms to corroborate that e-PHI has not been altered or destroyed in an unauthorized manner.166
4. Finally, under the “transmission security” standard, covered entities should be mandated to: (a) implement system integrity controls to ensure e-PHI is not improperly modified without detection; and (b) implement encryption mechanisms to encrypt e-PHI whenever it is in motion.167 This is a vital step because system and network compromises often go unnoticed for days or even months at a time, while cyber criminals are free to access sensitive data or even use the network as a launching pad for other attacks. Further, encryption will make it more difficult for hackers who have obtained unauthorized access to transmit data without detection.
The foregoing modifications will force healthcare entities to allocate IT management resources to the development and implementation of compliance policies and procedures specifically tailored to cybersecurity. Unlike the amorphous “reasonable and necessary” standard under current law, a mandated industry-wide baseline security framework will instill consumer confidence and bring the healthcare industry into the online age.
IV. CONCLUSION
As the healthcare industry adopts EHR technology, mobile health technology, and a host of other applications, the vulnerability of e-PHI will continue to increase unless action is taken to protect it. Understandably,
165. 45 C.F.R. § 164.310(a)(2)(iv) (2013).
166. 45 C.F.R. § 164.310(c)(2) (2013).
167. 45 C.F.R. § 164.310(e)(1)(ii) (2013).