Healthcare providers are under the gun to implement technology that will meet guidelines that were published under the HITECH Act (Health Information Technology for Economic and Clinical Health Act) in August 2009. Enforcement of the guidelines for health data breach notifications begins in February 2010.

One such regulation involves USB security and data stored on removable devices. If data is not stored on an encrypted USB flash drive and a loss of the drive involves over 500 patient records within a state, the press must be notified (along with patients). The healthcare provider will also be subject to penalties ranging from $100 to $1.5 million per breach.

These penalties and bad publicity are going to force changes to operations within the healthcare community. Important details of the regulation also refer to the type of USB encryption. The algorithm must comply with NIST (National Institute of Standards and Technology) guidelines, such as AES encryption. Also of importance is the fact that the encryption key cannot be stored with the data. This means that there are issues with implementation of a software-based encryption method.

Software encryption is performed by a computer's CPU using a program installed on a particular operating system, whereas hardware encryption is performed in an internal USB controller dedicated to the task of encryption. Because the controller is designed for this particular purpose, it can often perform its task faster than a software implementation of the same task running on a computer CPU that is under the control of an operating system.

Assuming the data stored on the secure USB flash drive needs to be accessed by a different computer, software-based encryption falls short. Software-based encryption stores the encryption key on the USB device, whereas hardware-based encryption stores the encryption key in a controller (hardware) on the USB drive separate from the data. This also allows the data to be accessed via any computer.

A further disadvantage to software encryption is the fact that it is specific to particular operating systems. As such, if software encryption is performed on a Windows platform and needs to be decrypted on a Mac platform, the encryption/decryption software must be available on both platforms.