Hardware encryption a must with patient data so vulnerable at rest

Given the high number of health care data breaches that are attributed to lost or stolen mobile devices, encryption at the hardware level is arguably the most fundamental way to secure data.

The ability to keep your data protected is becoming more prominent with every passing day. There are a variety of ways to secure data, either on the perimeter or within the local area network (LAN), but the most fundamental method in a defense-in-depth model is hardware encryption.

Data needs to be protected from malicious intent or user oversight. At the most basic level of security is encryption: the ability to obscure data and render it useless without the proper key. Encryption has been around for quite some time, but its benefits are still not being used to their full potential in the enterprise -- and the health care industry is no exception. Encryption at the hardware layer is expected to grow in the future. We tend to focus our protection efforts at the perimeter when, in fact, data is most vulnerable at rest.

In today's mobile generation, meanwhile, the ability to protect data that's physically outside your perimeter is becoming an issue that encryption is handling well. The ability to render stolen or lost data useless is an important aspect of information security. Encryption at this level is one of the basic building blocks of a secure information security program. Device encryption is one of several hardware encryption techniques that will be discussed below.

For laptops, full-disk hardware encryption is best

Laptops represent one of the areas where hardware encryption should be used. Laptops can store large amounts of data, and they will most likely leave the building, so your data is at risk if it's not encrypted.

There are certain methods to perform encryption on laptops, mainly full and partial disk encryption. Full disk encryption encrypts the entire disk, leaving nothing to chance. When logging into the laptop, users are prompted to enter the decryption password before even booting into the operating system.

The partial disk encryption method, on the other hand, consists of selecting folders or partitions within the operating system to be encrypted. This method is quicker, but it leaves room for more risk if a laptop is lost or stolen, since you can’t guarantee that all the data is encrypted.

When it comes to protecting data on laptops with encryption, full disk encryption is the preferred method. There are many free solutions that can perform encryption within the operating system, such as the open-source TrueCrypt. Others are paid, including CheckPoint Software Technologies Ltd.'s PointSec. Some, such as Microsoft's BitLocker, come built into the Windows operating system.

If a laptop is lost or stolen, you can replace the hardware, but the data is irreplaceable. A health care data breach can harm an organization's reputation, increase its risk of exposure and subject it to regulatory infractions. In fact, HIPAA doesn't require health care organizations to report stolen or lost laptops if they have been encrypted. With this being said, full-disk encryption should be placed on laptops to protect your data from being lost or stolen in the event that data is removed from your organization.

Effective mobile device management needs third-party tools

Mobile devices are infiltrating the workplace. IT leaders need the ability to secure the data on them. Like laptops, these devices can carry large amounts of data outside the walls of your organization. Having the ability to control where the corporate data is, and to ensure that it is encrypted, is a concern for health care providers and companies in general.

With the upsurge of smartphones and tablets in the enterprise, many employees are requesting to use their own devices. While devices can improve productivity, IT departments need to verify that they can encrypt the data on these devices before the business puts itself at risk.

In addition to encrypting the data, it's also necessary to be able to manage the mobile device. The mobile device management (MDM) market is growing as companies realize that these devices have become part of the culture of business and, as a result, are filling with corporate data. Just as IT has had to catch up and encrypt data on laptops, it is going through the same issue with mobile devices.

Many third-party vendors offer hardware encryption for mobile devices. These systems allow for either full-disk encryption, based on the device itself, or encrypted containers where corporate data can be stored and prevented from being brought into the device operating system.

No matter what vendor or hardware encryption scheme is in play, organizations need to be mindful that mobile devices are a large part of the business and that they need to protect the data on these devices with encryption. Without encrypting the corporate data on mobile devices, you put your company at risk.

Leave no unencrypted PHI in databases

Our last example of hardware encryption focuses on databases. While database breaches have been on the rise over the last few years, the practice of database encryption has not grown in step. With the database being the epicenter of all data in a network, it is amazing how many databases still lack proper protection.

If an encrypted database is stolen or breached, and the appropriate tables have been encrypted, the attackers would get nothing useful. To make sure this is the case, all sensitive and confidential data should be encrypted while it is in the database, protecting the records it holds. There should be no protected health information (PHI) or personally identifiable information (PII) left in cleartext in a database for an attacker to siphon out. Review your databases and the data they hold to get a good understanding of what needs to be encrypted.
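One way to start the database review described above is to sample every text column and flag values that still look like cleartext identifiers. The following is an added example, not code from the article or from any vendor it names; the SQLite schema, table names, sample rows and detection patterns are all constructed assumptions.

```python
import re
import sqlite3

# Assumed, illustrative detectors; tune these to the identifiers your records use.
PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "date_of_birth": re.compile(r"^(19|20)\d{2}-\d{2}-\d{2}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-zA-Z]{2,}$"),
}

def find_cleartext_pii(conn, sample_rows=200):
    """Return sorted (table, column, kind) for columns whose sampled text matches a pattern."""
    findings = set()
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for column in columns:
            rows = conn.execute(
                f'SELECT "{column}" FROM "{table}" WHERE "{column}" IS NOT NULL LIMIT ?',
                (sample_rows,))
            for (value,) in rows:
                if not isinstance(value, str):
                    continue  # BLOBs (such as ciphertext) and numbers are not pattern-checked
                for kind, pattern in PATTERNS.items():
                    if pattern.match(value.strip()):
                        findings.add((table, column, kind))
    return sorted(findings)

def build_sample_db():
    """Constructed sample: one table with cleartext identifiers, one with encrypted columns."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patients_legacy (id INTEGER, name TEXT, ssn TEXT, dob TEXT);
        CREATE TABLE patients (id INTEGER, name_enc BLOB, ssn_enc BLOB, dob_enc BLOB);
    """)
    conn.execute("INSERT INTO patients_legacy VALUES (1, 'Test Patient', '000-12-3456', '1970-01-01')")
    # Placeholder bytes standing in for ciphertext written by the application or DBMS.
    conn.execute("INSERT INTO patients VALUES (1, ?, ?, ?)",
                 (b"\x8f\x1c\x02\xaa", b"\x13\xf0\x9e\x41", b"\xd2\x07\x66\xb9"))
    return conn

if __name__ == "__main__":
    for table, column, kind in find_cleartext_pii(build_sample_db()):
        print(f"cleartext {kind} found in {table}.{column}")
```

An empty result only means the sampled rows matched none of these patterns; free-text fields such as names and clinical notes still need a manual review.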

All in all, hardware encryption is a powerful method to secure the confidentiality of your data -- especially data that has the potential to leave your physical premises. Encryption will render data useless to those unauthorized to view it. This increases the protection of your security program and protects the data and records from being compromised. Hardware encryption should be an early step in an organization's defense-in-depth approach. Start early with encryption at this level and it will be easier to keep the data in your organization away from prying eyes.

Matthew Pascucci has more than 10 years of experience in IT and is currently an information security analyst in the financial sector. He holds multiple certifications and is actively involved with InfraGard to help educate others in information security. Let us know what you think about the story; email or contact @SearchHealthIT on Twitter.
