End User Encryption and HIPAA
Note: This is the second article in a two-part series on HIPAA and data security and encryption. The June edition of the Health Law Advisory included an article by Michael Chase discussing recent HIPAA settlements due, at least in part, to a failure to properly encrypt PHI.
One of the primary technical safeguards to protect PHI is encryption. The HITECH Act addressed two types of encryption: encryption for data in motion and encryption for data at rest. This article will focus on the latter and will summarize several of the recommendations found in the NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices.
The first two fines summarized in the June Health Law Advisory article involved a compromise of PHI stored on end user devices – specifically, laptops. An effective enterprise-wide encryption program would have prevented the breaches and allowed the organizations to avoid the investigation and ultimately, the Corrective Action Plans and fines.
NIST SP 800-111 makes the following recommendations when deciding how to approach end user device encryption at the enterprise level:
- Seriously consider solutions that use existing system features (such as BitLocker drive encryption which is included in certain versions of Microsoft Windows 7 and 8).
- Establish centralized management for your deployment of encryption.
- Make sure that your encryption keys are stored in a secure location and properly managed to support the encryption solution.
- Make sure you have a strong user authentication solution. For example, consider leveraging existing enterprise authentication solutions (such as Active Directory) instead of adding another authentication process for users of encrypted devices. In addition, seriously consider deploying a two-factor (2FA) authentication process.
- Be sure to update your policies to reflect the users’ responsibilities and obligations with respect to encryption.
In general, there are three types of encryption solutions: full disk encryption, volume and virtual disk encryption, and file/folder encryption.
- Full Disk Encryption: all data stored on the disk is encrypted. When the computer is not booted, the disk is fully protected. During the boot process, authentication is required. Once the operating system is loaded on the computer, the operating system becomes responsible for protecting the data through authentication and other processes.
- Virtual Disk and Volume Encryption: when virtual disk or volume encryption is employed, the contents of the container (the disk or volume) are protected until the user is authenticated to use the container. Once the user authenticates to the controlling application or container, then data becomes unprotected. Only data in the container is protected using this method.
- File/Folder Encryption: file/folder encryption protects the contents of the encrypted files or folders until the user is authenticated to use the file or folder. File/folder encryption does not protect any data outside of the protected files or folders.
Deploying an encryption solution in a medium to large entity is a complicated process. Serious consideration should be given to engaging the help of consultants experienced in deploying enterprise-wide encryption solutions. Also, as with most security safeguards, proper training and policies are necessary to effectively deploy the encryption solution.
In summary, review your most recent security risk assessment. If it indicates that encryption is required to mitigate potential risks and vulnerabilities, then the time to implement such a solution is now.
1 Note that requiring a username and password is NOT two-factor authentication. Two-factor authentication requires using two of the following three authentication factors: something you know, something you possess or something you are (biometrics). At common two-factor authentication deployment today involves requiring a user to log in using a username and password (something you know) and then entering a code received via a SMS message sent to their phone (something you have).