Access Control — Encryption and Decryption
Description
Implement a mechanism to encrypt and decrypt ePHI.
⚠️ Risk Impact
Unencrypted ePHI exposed through data breaches violates federal law.
🔧 Remediation
Enable encryption at rest on all databases and storage. EchelonGraph verifies encryption settings.
💀 Real-World Attack Scenario
A healthcare cloud database containing 2.3M patient records including diagnoses, medications, and SSNs was stored without encryption. When the database credentials were leaked through a compromised employee laptop, the attacker downloaded the entire database in plaintext. OCR imposed a $5.1M settlement.
💰 Cost of Non-Compliance
Anthem 2015: $16M settlement for unencrypted ePHI. Premera Blue Cross: $6.85M settlement. Average HIPAA breach with unencrypted data: $7.13M. OCR considers encryption a 'safe harbor' — encrypted data breaches don't require notification.
📋 Audit Questions
1. Which databases and storage systems contain ePHI?
2. Is encryption at rest enabled on ALL ePHI data stores?
3. What encryption algorithms are used?
4. How are encryption keys managed?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Encrypting production databases but not dev/test copies containing real ePHI
- ⛔ Using cloud-provider default encryption without understanding key management
- ⛔ Not encrypting database backups and exports
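An added audit script (not EchelonGraph's code) covering the remediation, audit question 2 and the three pitfalls above: it walks RDS instances, RDS snapshots and the named S3 buckets using the response shapes boto3 returns, and reports every store that is unencrypted or encrypted only with a provider-default key. The `rds`/`s3` clients, the bucket list and the `approved_keys` set of customer-managed KMS key ARNs are assumptions supplied by the caller (boto3 clients in real use; pagination is omitted for brevity).

```python
"""Audit AWS RDS instances, RDS snapshots and S3 buckets for ePHI encryption
at rest. Returns findings instead of printing so the result can feed a
ticketing or compliance-evidence pipeline. `approved_keys` is the set of
customer-managed KMS key ARNs allowed for ePHI (an assumption of this
example); any other key counts as a provider-default key."""


def bucket_encryption(s3, name):
    """Return (sse_algorithm, kms_key_arn) for a bucket's default SSE rule,
    or (None, None) when the bucket has no default-encryption configuration."""
    try:
        cfg = s3.get_bucket_encryption(Bucket=name)
    except Exception as err:  # botocore ClientError keeps the code in .response
        code = getattr(err, "response", {}).get("Error", {}).get("Code", "")
        if code == "ServerSideEncryptionConfigurationNotFoundError":
            return None, None
        raise
    rule = cfg["ServerSideEncryptionConfiguration"]["Rules"][0]
    default = rule["ApplyServerSideEncryptionByDefault"]
    return default["SSEAlgorithm"], default.get("KMSMasterKeyID")


def audit_ephi_encryption(rds, s3, ephi_buckets, approved_keys):
    """Return a sorted list of (resource, issue) tuples, where issue is
    'UNENCRYPTED' (no encryption at rest) or 'DEFAULT_KEY' (encrypted, but
    not with an approved customer-managed key)."""
    findings = []

    def check(resource, encrypted, key):
        if not encrypted:
            findings.append((resource, "UNENCRYPTED"))
        elif key not in approved_keys:
            findings.append((resource, "DEFAULT_KEY"))

    # Live databases: every instance is checked, dev/test copies included.
    for db in rds.describe_db_instances()["DBInstances"]:
        check("rds:" + db["DBInstanceIdentifier"],
              db.get("StorageEncrypted", False), db.get("KmsKeyId"))
    # Backups: a snapshot taken before encryption was enabled stays unencrypted.
    for snap in rds.describe_db_snapshots()["DBSnapshots"]:
        check("rds-snapshot:" + snap["DBSnapshotIdentifier"],
              snap.get("Encrypted", False), snap.get("KmsKeyId"))
    # Export buckets: 'AES256' is SSE-S3, i.e. a provider-managed key, so only
    # 'aws:kms' with an approved key passes.
    for name in ephi_buckets:
        algo, key = bucket_encryption(s3, name)
        check("s3:" + name, algo is not None,
              key if algo == "aws:kms" else None)
    return sorted(findings)
```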
📈 Business Value
ePHI encryption provides HIPAA 'safe harbor' — encrypted data breaches don't require patient notification, saving millions in notification costs and reputational damage.
⏱️ Effort Estimate
4-8 hours to audit and enable encryption across all ePHI stores
EchelonGraph continuously verifies encryption on all databases and storage
🔗 Cross-Framework References
Automate HIPAA 164.312(a)(2)(iv) compliance
EchelonGraph continuously monitors this control across all your cloud accounts.