Posted by: adelvecchio
Guest post by Dr. Michael G. Mathews, president, COO, & co-founder, CynergisTek, Inc.
In prior segments of this series, I touched on the fundamentals of encryption using symmetric (shared secret), asymmetric (public-key), and combinations of the two to get a hybrid approach to keeping data confidential. I also explained the concepts of data integrity (knowing a message has not been changed) and non-repudiation (verifying the sender is authentic), as well as ways to secure data in motion. In this final segment on encryption within the healthcare setting, I turn my focus to protecting health IT data at rest.
With as many breaches as there have been in recent years, it’s not uncommon for there to be an immediate cry to “encrypt everything” without knowing exactly what that means. As mentioned in my previous segment, the first step to knowing the right solution is understanding the location and type of data in question; email is different from data living in structured databases, and those types of data are different from standalone files containing sensitive data. Likewise, the steps used to protect a mobile device (smartphone, tablet, laptop, etc.) that roams onto various networks differ from those taken for a workstation that lives on the internal managed local area network behind the perimeter firewall.
In general, given the maturity and availability of full disk encryption options, it should be considered a best practice to deploy full disk encryption on any workstation or mobile device that can reasonably be expected to be exposed to sensitive data. This protects any sensitive files that get saved there, any cache or temporary files left behind by connections that handle sensitive data, and locally stored email that might contain personally identifiable information (PII) or protected health information (PHI). Note that full disk encryption protects data only while the device is powered off or the volume is locked; once a user has unlocked it, the operating system's access controls are what stand between a running process and those files. In addition, it addresses the safe harbor requirement that pertains to unauthorized disclosure in the event of the theft or loss of a mobile device.
Database servers with PHI/PII in them present a significant challenge to health IT. It’s easy for people to say “encrypt it all,” but it’s not practical to do so because of performance, key management and access control issues. In many cases, encrypting certain data — usually those data elements that tie the data to an individual — within a relational database construct ensures the data is protected and still accessible to those that need it, without resulting in a significant hit to performance. In response to industry feedback and meaningful use requirements, electronic health record manufacturers have added roadmaps toward ensuring data integrity within the databases by using cryptography.
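As an added illustration of the field-level approach described above (example code written for this post's editing, not code from the author or from CynergisTek), the following Go program encrypts only the columns that tie a row to an individual and leaves the clinical value in cleartext so it can still be queried. The table layout, column names, key identifier and sample values are all constructed assumptions. Each stored value carries the identifier of the key that protected it, which is what a key rotation plan needs, and the row id and column name are bound into the authenticated data so a ciphertext cannot be silently moved to another row or column.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// PatientRow models one row of a hypothetical patient table (constructed for
// this example). Only the columns that identify a person are encrypted; the
// clinical value stays in cleartext so it can still be queried and aggregated.
type PatientRow struct {
	ID        int    // primary key, cleartext
	Name      string // identifying: encrypted at rest
	SSN       string // identifying: encrypted at rest
	A1CResult string // clinical value, cleartext
}

// FieldCipher wraps an AES-256-GCM key under a key identifier so each stored
// value records which key protected it; that is what makes rotation possible.
type FieldCipher struct {
	keyID string
	aead  cipher.AEAD
}

// NewFieldCipher expects a 32-byte key, in practice fetched from a key
// management service rather than stored beside the database.
func NewFieldCipher(keyID string, key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{keyID: keyID, aead: aead}, nil
}

// aad binds a ciphertext to its row and column, so a value copied from one
// row or column into another fails authentication when decrypted.
func aad(rowID int, column string) []byte {
	return []byte(fmt.Sprintf("patient:%d:%s", rowID, column))
}

// EncryptField stores "keyID:base64(nonce || ciphertext || tag)" in the column.
func (fc *FieldCipher) EncryptField(rowID int, column, plaintext string) (string, error) {
	nonce := make([]byte, fc.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := fc.aead.Seal(nonce, nonce, []byte(plaintext), aad(rowID, column))
	return fc.keyID + ":" + base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField fails on a different key, a moved value, or any tampering.
func (fc *FieldCipher) DecryptField(rowID int, column, stored string) (string, error) {
	keyID, b64, ok := strings.Cut(stored, ":")
	if !ok || keyID != fc.keyID {
		return "", fmt.Errorf("value protected by key %q, cipher holds %q", keyID, fc.keyID)
	}
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	ns := fc.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("stored value too short")
	}
	pt, err := fc.aead.Open(nil, raw[:ns], raw[ns:], aad(rowID, column))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// ProtectRow encrypts only the identifying columns before the row is written.
func ProtectRow(fc *FieldCipher, r PatientRow) (PatientRow, error) {
	var err error
	if r.Name, err = fc.EncryptField(r.ID, "name", r.Name); err != nil {
		return r, err
	}
	r.SSN, err = fc.EncryptField(r.ID, "ssn", r.SSN)
	return r, err
}

// RevealRow decrypts the identifying columns for a caller authorized to see them.
func RevealRow(fc *FieldCipher, r PatientRow) (PatientRow, error) {
	var err error
	if r.Name, err = fc.DecryptField(r.ID, "name", r.Name); err != nil {
		return r, err
	}
	r.SSN, err = fc.DecryptField(r.ID, "ssn", r.SSN)
	return r, err
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real one lives in a KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fc, _ := NewFieldCipher("key-2024-01", key)
	stored, _ := ProtectRow(fc, PatientRow{ID: 7, Name: "Jane Doe", SSN: "123-45-6789", A1CResult: "6.1"})
	fmt.Printf("at rest:  %+v\n", stored) // A1CResult readable, Name and SSN opaque
	back, _ := RevealRow(fc, stored)
	fmt.Printf("revealed: %+v\n", back)
}
```

The access-control half of the problem is not solved by the cipher: whoever can call RevealRow sees the identifiers, so the key should be held by a service layer that enforces who may decrypt, not handed to every application that reads the table.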
A major hurdle to protecting sensitive health IT data at rest is ensuring it stays where it should and is used as it should be. While data loss prevention (DLP) tools are not encryption tools, they can be used to trigger encryption and are now generally available to help ensure data at rest is used appropriately and is encrypted when put in motion. Using a combination of pattern matching and metadata cataloging, these tools inspect data as it goes from at rest to in motion and evaluate whether that specific activity should be allowed and whether the data should be encrypted first. This can cover anything from simple moves of data to a local machine’s storage all the way to emails being sent with data that might be sensitive.
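To make the "pattern matching plus metadata cataloging" decision concrete, here is an added example (written for this post's editing, not a product's code and not the author's) of the policy core of such a tool in Go. It combines catalog labels on the source with regular-expression detectors over the content, then maps the destination to one of three outcomes: allow, encrypt then allow, or block. The destination names, the labels, the MRN format and the sample message are all constructed assumptions; the SSN pattern is the common nine-digit shape.

```go
package main

import (
	"fmt"
	"regexp"
)

// Action is what the DLP policy decides for data moving out of rest.
type Action int

const (
	Allow            Action = iota // proceed; findings are only logged
	EncryptThenAllow               // encrypt the payload, then let it go
	Block                          // stop the transfer
)

func (a Action) String() string {
	return [...]string{"allow", "encrypt-then-allow", "block"}[a]
}

// Transfer describes data leaving rest: the content, the metadata labels the
// catalog attached to its source, and where it is headed.
type Transfer struct {
	Destination string   // constructed names: "internal", "external-email", "removable-media"
	Labels      []string // catalog metadata on the source file or table, e.g. "PHI"
	Content     string
}

// Finding records which detector fired and on what text.
type Finding struct{ Detector, Match string }

// Pattern detectors. The SSN shape is the usual nine-digit form; the MRN shape
// is a constructed example, since medical record number formats vary by vendor.
var detectors = []struct {
	name string
	re   *regexp.Regexp
}{
	{"ssn", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
	{"mrn", regexp.MustCompile(`\bMRN[ :#]*\d{6,10}\b`)},
}

// Scan combines metadata cataloging (labels) with pattern matching (content).
func Scan(t Transfer) []Finding {
	var out []Finding
	for _, l := range t.Labels {
		if l == "PHI" || l == "PII" {
			out = append(out, Finding{"label", l})
		}
	}
	for _, d := range detectors {
		for _, m := range d.re.FindAllString(t.Content, -1) {
			out = append(out, Finding{d.name, m})
		}
	}
	return out
}

// Decide applies the policy: sensitive data may stay on the internal network,
// must be encrypted before it leaves by email, and may not go to removable media.
func Decide(t Transfer) (Action, []Finding) {
	f := Scan(t)
	if len(f) == 0 {
		return Allow, nil
	}
	switch t.Destination {
	case "internal":
		return Allow, f
	case "external-email":
		return EncryptThenAllow, f
	default: // removable media and anything unrecognised
		return Block, f
	}
}

func main() {
	// Constructed sample email body; the identifiers are fictitious.
	body := "Hi, please review MRN 00123456 (SSN 123-45-6789) before Friday."
	for _, dest := range []string{"internal", "external-email", "removable-media"} {
		action, findings := Decide(Transfer{Destination: dest, Content: body})
		fmt.Printf("%-16s -> %-18s findings=%v\n", dest, action, findings)
	}
}
```

Two points a deployment has to get right that this sketch only hints at: the label check means a file the catalog has classified as PHI is handled correctly even when no pattern fires (a scanned document, for instance), and the unknown-destination branch defaults to block rather than allow, so a new transfer channel is fail-closed until policy catches up with it.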
Encryption is one of many tools available to information security professionals to protect data both in motion and at rest. More often than not, though, “the right answer” is a combination of many of those tools, not just encryption. Finding the right combination of tools to help ensure the security of health IT data requires a strong vision of the overall information security program and a commitment by the organization to find a skilled and visionary chief information security officer.