08-23-13 | Blog Post
Everybody’s screaming for protection of their personal information (thank you, Edward Snowden). But the latest outcry, which presumably prompted Google’s announcement last week that it now defaults to 128-bit AES encryption for data in Google Cloud Storage [1], is only the most recent echo in an escalating conversation about the stakes of protecting digital information. In 2011, it was the uproar over Sony’s loss of personal user information [2].
Since then, the Department of Health and Human Services has issued multiple fines in excess of $1M for failing to safeguard patient health information (including failing to address encryption) [3]. Daily reports of data breaches exposing personal information have become routine [4], and a recent study by the Ponemon Institute and Experian found that 21% of businesses reported theft of confidential information that required notifying the victims [5]. Now that 91% of American adults carry a cell phone, and 56% a smartphone, with our life’s email, pictures, and passwords all in one convenient, portable bundle, we should expect this trend to continue.
So, what to do? Encrypt everything, right? Wrong. Why? It is very rare to encrypt “everything” without a serious impact on performance, on the ability to back up and preserve data, or on managing a rat’s nest of encryption keys that end users (think every patient in the U.S.) could lose every time they lose or break a cell phone or forget a password. Now there’s a helpdesk nightmare for you. Encryption is GREAT protection. It just comes with a lot of complexity, especially when all of the data is in “the cloud”. As Eric Ouellet and Brian Lowans of Gartner wrote [6], there’s “assembly required”:
Organizations considering the use of cloud-based services to host or process their sensitive data continue to face significant hurdles in seamlessly integrating encryption offerings to secure their data.
For healthcare data, encryption is an addressable implementation specification among the HIPAA Security Rule’s technical safeguards for electronic protected health information (ePHI), but addressable is not equivalent to optional. As far as HHS OCR Director Leon Rodriguez is concerned, you either have to do it, or document a good reason for not doing it and put an equivalent alternative protection in place. In the first round of audits, OCR found that many entities had not addressed the requirement at all, though it is not yet clear whether that stemmed from lack of awareness or from some other objection or conflict. The HIMSS Risk Assessment Toolkit [7] reiterates the point:
We should keep in mind that this requirement is simply restating and reinforcing the encryption requirement found in the HIPAA Security Rule under the standard for access control (45 CFR 164.312(a)(2)(iv)). What this means is that a longstanding, but possibly unclear, requirement to encrypt data at rest is now receiving a great deal of well-deserved attention. [7]
What is certain is that encryption is not a silver bullet. Why? After all, some very effective encryption algorithms are free, so what is so prohibitive? First, encryption is only one small part of what should be a comprehensive, layered system for protecting data. Second, the practical side of encryption, above all managing the encryption keys, can be a complete nightmare. Imagine every healthcare patient has an encryption key, conveniently integrated with their cell phone to validate who they are and unlock their patient information. So far, so good. But what happens when the phone is lost, stolen, damaged, upgraded, handed to a child, and so on? If the only copy of the key went with the phone, the data is gone for good; if a copy exists somewhere else, someone has to store, protect, and revoke it. Who is going to manage all of that?
Writing the latest and greatest cloud app? You probably need to hire someone to implement encryption in the application code itself and maintain it. You might instead turn to disk or volume encryption such as BitLocker or TrueCrypt, or to Transparent Data Encryption in the Enterprise edition of SQL Server, if you have the resources for purchase and integration. Another option is an encryption appliance, an encrypting storage device, or a cloud key-management service such as Porticor to handle encryption: easy management if you have the budget to afford it.
If you can find a way past the resource cost of encryption, you still have to weigh the potential cost of other consequences, such as crippled performance or conflicts with other tools, like backup software that cannot read encrypted data. We’ve been watching our customers struggle with all of these methods while they try to find a solution that protects sensitive data without compromising the very functionality they are delivering to their end users. It’s an expensive and confusing Gordian Knot [8].
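The two practical worries above, the lost-phone key problem and backups that carry encrypted data, both come down to where the keys live. The standard answer is envelope encryption: each record gets its own random data-encryption key (DEK), and only that DEK is encrypted (“wrapped”) under an organisation-held key-encryption key (KEK), which belongs in a KMS or HSM rather than on a patient’s device. The example below is added here to show that pattern in working code; it is not code from the original post or from Online Tech, and it goes beyond the text by also showing KEK rotation. It uses AES-256-GCM from Go’s standard library; the record ID, the sample patient data, and the function names are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// WrappedRecord is what lands in storage and in backups: the ciphertext plus its
// data-encryption key (DEK) wrapped under the organisation's key-encryption key
// (KEK). A backup therefore holds no usable key; restoring it requires the KEK.
type WrappedRecord struct {
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}

// NewKey returns a random AES-256 key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // fails for anything but a 16/24/32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM, prepending a random nonce and authenticating aad.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; it fails if key, nonce, ciphertext or aad were altered.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptRecord makes a fresh DEK for this record, encrypts the record under it,
// then wraps the DEK under the KEK. The record ID is bound as AAD to both layers,
// so a wrapped DEK or ciphertext cannot be transplanted onto another record.
func EncryptRecord(kek []byte, recordID string, plaintext []byte) (*WrappedRecord, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(recordID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil {
		return nil, err
	}
	return &WrappedRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then decrypts the record.
func DecryptRecord(kek []byte, recordID string, r *WrappedRecord) ([]byte, error) {
	dek, err := unseal(kek, r.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, r.Ciphertext, []byte(recordID))
}

// RewrapRecord moves a record from oldKEK to newKEK (rotation, or retiring a KEK)
// without re-encrypting the bulk data: only the wrapped DEK changes.
func RewrapRecord(oldKEK, newKEK []byte, recordID string, r *WrappedRecord) error {
	dek, err := unseal(oldKEK, r.WrappedDEK, []byte(recordID))
	if err != nil {
		return err
	}
	wrapped, err := seal(newKEK, dek, []byte(recordID))
	if err == nil {
		r.WrappedDEK = wrapped
	}
	return err
}

func main() {
	kek1, _ := NewKey() // in production the KEK lives in a KMS/HSM, never on the patient's phone
	kek2, _ := NewKey()
	rec, _ := EncryptRecord(kek1, "patient-0001", []byte("BP 120/80, A1C 5.6")) // constructed sample
	_ = RewrapRecord(kek1, kek2, "patient-0001", rec) // rotate the KEK; rec.Ciphertext is untouched
	pt, err := DecryptRecord(kek2, "patient-0001", rec)
	fmt.Printf("%q %v\n", pt, err)
}
```

Two design points matter for the problems the post raises. Because the patient’s phone never holds the only copy of anything, losing the phone is an authentication problem, not a data-loss problem; the DEK can always be unwrapped again with the organisation’s KEK. And because backup software only ever sees ciphertext plus a wrapped DEK, backups neither need to decrypt anything nor become a plaintext leak; retiring or rotating the KEK just rewrites a few dozen bytes per record rather than re-encrypting the whole data set, so existing backups stay restorable as long as the KEK that wrapped them (or its successor after rewrapping) is available.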
While policy makers, businesses, vendors, and consultants may all agree that encryption is essential to protect sensitive data, many organizations have yet to deploy an encrypted-at-rest solution. When HHS OCR Director Leon Rodriguez reviewed the results of the KPMG pilot HIPAA audits, his favorite finding concerned encryption [9]. He posited that entities which performed a risk analysis would incorporate encryption; otherwise, they must not have thought about it. I suggest there is a third option: security and IT officers would LOVE to encrypt all data at rest, but this requirement probably does not outweigh the business priority of having a functional EMR or similar application. When encryption puts the function of the application at risk by degrading performance or conflicting with things like backups, even diligent businesses are likely to choose an unencrypted implementation over no implementation.
Industries that manage sensitive digital information and online applications need affordable vendor solutions that bring encryption together more seamlessly and less painfully with infrastructure or platform services. Good digital protection will always involve layered defense, aka defense in depth [10]. Even so, encryption added as one more patch in the quilt of application deployment adds implementation complexity for organizations that are already stretched thin for precious IT resources yet obligated to deliver applications in a timely and functional way. When a company is lucky enough to have in-house programming talent who can integrate encryption at the software level, or can afford the intense capital cost of storage such as EMC’s VMAX SAN that encrypts without a hit to server or application performance, encryption provides effective protection. Without resources of that kind, it is hard to use encryption as an effective tool to protect data without significant compromise elsewhere.
Online Tech now provides a high-performance, encrypted enterprise cloud that includes encryption at rest for all multi-tenant, private, and enterprise cloud clients. It’s our hope that we can simplify one piece of the security puzzle and leverage the infrastructure across all of our clients to deliver encryption without sacrificing performance or requiring intensive capital outlay. We would love your feedback.
Learn more about this addressable but highly recommended requirement, encryption, in our upcoming webinar, Removing the ‘Cryptic’ from ‘Encryption’ – HIPAA and the Meaning of Secure PHI, on September 17 at 2 PM ET.
1) Hack This, NSA: Google Now Triple-Encrypts All Data in Google Cloud Storage
2) Sony Encrypted Credit Card Data, But Not User Account Info
3) Alaska DHSS Settles HIPAA Security Case for $1,700,000
4) Privacy Rights Clearinghouse
5) Avoiding Business Disruptions Caused by Data Breaches
6) Cloud Encryption: Some Assembly Required
7) HIMSS Risk Assessment Toolkit (PDF)
8) Gordian Knot, Wikipedia
9) HIPAA in a HITECH World: HIPAA Violations on the Rise, According to Director of OCR
10) Defense in Depth (PDF)