URAC Standard 15 – Regarding Encryption: Is Your Data Protected?


In 2015, URAC’s announcement that they were tightening standards for Electronic Protected Health Information (ePHI) created quite a buzz in the utilization review industry. Per the URAC standards (and the HIPAA Security Rule), all ePHI data created, received, stored or transmitted by an organization must be protected. This has raised industry-wide awareness of encryption.

Encryption may be the least popular aspect of data storage and information processing. Software developers hate it. System administrators bemoan the space it takes up. Data analysts complain about it hampering their ability to work. But in our world of growing security threats, encryption is an absolute necessity.

The threat landscape for private data is escalating. It’s been estimated that 160 million data records have been breached in just the eight worst attacks during 2015. Data custodians (those who store and manage ePHI and other personal data records) are under intense pressure to ensure that data remains secure, even if their systems are breached. For software and web applications, this means transmitting data through secure channels. It means having robust authentication systems in place to ensure that access to data is only granted to those that have the authority to access it.

On the physical side, we have to consider our employees’ workstations – are they storing any data on their computers? What happens if an employee takes his laptop home and it gets stolen from his car when he stops at the store? What if an employee decides to steal some computers and skip town? Unless those systems are encrypted (and shut completely down during transit), we’ve got an instant data breach. This exact scenario occurred many times in the past year.

How about your data servers? Even if they’re locked in a cage in a data center, a person with access could strip drives from your storage array and sell them to a data thief. Data thieves are people who actively advertise (usually in the shadier parts of the internet) cash rewards for specific types of data. This is where encryption-at-rest will save you.

The new URAC requirements state that you need to assess your risk footprint, document it and fully understand the potential impact of having a breach. The requirements say that any risk we determine not to be reasonable or appropriate must be mitigated by implementing appropriate measures. So ask yourself – are you protected?

If you’re not completely certain your data is properly encrypted, seek help from any number of reputable security companies. Your IT professional should be able to assist you in making sure you have controls in place. Encryption is just one tedious step in ensuring privacy and information security, but it is the most important thing you can do to protect your data, your customers and your company.

Todd Davis

Todd Davis, Vice President of IT – ReviewStat Services for UniMed Direct, is responsible for the continued development of the industry-leading ReviewStat system. Leading a team of like-minded professionals, Todd works to review and improve ReviewStat’s full-featured and robust system to make it even more efficient and easy to use.