Healthcare patient data protection has become a major focus point for compliance infractions, and the best strategy for protecting patients' privacy and information is to help healthcare providers implement a defense-in-depth solution, one that often includes some form of encryption.
This tip will briefly look at full disk encryption as a tool for supporting HIPAA privacy and compliance requirements. We'll also highlight how VARs can position their HIPAA-related data encryption security services to leverage opportunities within their customer bases.
Full disk encryption considerations
Full disk encryption presents both benefits and challenges that need to be addressed. One concern with full disk encryption is that if the encryption key -- a password, a USB flash drive with the algorithm key, an RSA token-generating device, a fingerprint, or a combination of the above -- is lost or compromised, all the data on the drive, including the OS itself, is unreadable.
When implementing full disk encryption, it is important to maintain a good program for key management, including policies and procedures for access control, key creation, key revocation and key destruction.
Healthcare IS managers will need to work together with security solution VARs to understand what patient data needs to be encrypted and at what point in the process it needs to be encrypted, then identify which method and approach -- such as encryption in motion and encryption at rest -- best fits the needs of the organization. The following are just a few of the considerations that VARs will need to address for their service offering:
- Is the client looking for a total solution (desktop, portable, server, storage etc.)?
- Will there be any points requiring monitoring (active/passive) for policy infringement?
- How will external parties (vendors, suppliers, remote offices) be impacted?
- Does the offering meet corporate compliance mandates?
- What data needs to be encrypted?
- How will patients access personal information that has been encrypted?
- Who will be responsible for managing the encrypted data and encryption keys?
VARs that provide full disk encryption solutions will need to position an end-to-end security approach, and demonstrate knowledge and expertise with a variety of full disk encryption technologies. Service opportunities may lie in managing the enterprise encryption deployment program, ranging from laptops and smart devices to archived data storage.
Antivirus and encryption challenges
While there is some concern about the integration aspects of full disk encryption and the use of antivirus tools, the benefits outweigh those fears. Antivirus tools represent but one of the components that make up an end-to-end security solution for organizations.
One of the encryption integration challenges is that AV tools need to be able to decrypt an encrypted file, scan its contents and re-encrypt the file without causing file integrity issues. Not all AV products have a built-in capability to decrypt and re-encrypt the files they scan. If an existing antivirus tool does not provide for seamless integration, the potential solution is to replace the current antivirus, and this could be costly depending on the size of the organization. There are a number of products and vendors on the market that provide an integrated approach to endpoint security.
Case in point: Full disk encryption does nothing to improve data leak prevention (DLP) if a user has an encrypted hard drive, boots, supplies his or her PIN and then proceeds to copy sensitive files into email or onto USB storage in unencrypted form. Products such as NextLabs Enterprise DLP from NextLabs Inc. and CA DLP from CA Inc. (which acquired Orchestria Corp.) provide device-level policy management and content inspection capabilities that work well with enterprise AV solutions.
How solution providers can help with HIPAA, data encryption
For healthcare security managers and security solution providers, what it all boils down to is ensuring that patients' privacy and information are secure. While there are full disk encryption benefits, many have concerns about implementing this type of data protection. Primary reasons for not encrypting sensitive or confidential information are often related to system performance, complexity and cost.
Security solution VARs must work closely with their healthcare customers to better understand their challenges, and be able to respond quickly by addressing the following:
- Asset identification: Work with clients to determine the importance of data and divide it into categories which include very critical (active records that contain sensitive information about the diagnosis and treatment of serious diseases), inactive (historical records) and duplicate data (redundant information located in multiple locations). Data should be classified from the highest to lowest priority; duplicate data should be the lowest. Also, identify what data will require specific types of backup and replication support to mitigate data loss during disaster recovery operations. Inactive data, data that is no longer used, needed or required, should be retained if there are documented compliance reasons. All duplicate data should be deleted or
While there is no downside to deploying FDE in support of the data identification activities, consideration should be given to the cost of deploying FDE on redundant and obsolete data, as well as to being able to retrieve and read archived (long-term) data.
- Data Access: Particular attention should also be paid to how end users will be able to retrieve and access encrypted information as deemed applicable by laws that mandate patients have the right to access their personal medical records. The end users should be able to access their information whenever necessary and at will. This information consists of active medical records such as SSN, policy numbers, medications, test results, ongoing treatments, and other confidential health information; and archived medical history records such as past treatments, past medications and previous health conditions. This information should also be available between healthcare providers during disaster events to prevent or lessen a serious threat and to meet compliance requests and other healthcare regulations.
- Audits: VARs should either expand their services offerings to include information auditing services or partner with organizations that do. With HIPAA regulations gaining more ground and with the increasing number of infractions resulting in fines, solution providers should implement data and information auditing services to monitor appropriate data retention policies and
Audits should also include a periodic review of the full disk encryption key management program (key issuance, key tracking, key revocation, procedures for replacing lost keys, and key destruction) for effectiveness and compliance. Some "red flags" would include personnel with unauthorized access to records and patient data, unusual interest in a particular system, excessive access to patient data and information, frequently "misplaced" patient records, lost patient records, unusual requests for access to patient records, and lack of audit trail for activity against a patient record. Whenever a key management program undergoes any form of update, any and all information that has been encrypted should be recovered, reviewed for applicability and re-encrypted with new keys to ensure the integrity of end-user patient data and privacy.
With recent fines for HIPAA violations making headline news, not to mention celebrity hospital records being sold on the Internet, healthcare providers are taking a more proactive approach to protecting patient information. What they are looking for from their solution providers is:
- Understanding and awareness of the changing regulatory mandate landscape
- Ability to provide an end-to-end solution, not just piecemeal bits
- Trusted advisor guidance and support assistance for identifying the right technology solution and peer-to-peer involvement with implementation
- Data protection solutions that will support technology upgrades and refreshes to align with the business strategies
- A long-term partnership to champion their initiatives for implementing electronic medical records, or EMR, technology with the most appropriate data protection integration for encryption
As the healthcare industry moves to more advanced means for capturing and managing patient information, so too must the VARs (resellers and consultants) embrace the need for understanding the limitations of those technologies and be able to stay one step ahead of their clients to continually look for opportunities to anticipate their future needs.
This was first published in March 2010