The recent enforcement actions against Concentra Health Services and QCA Health Plan, Inc. are two more messages to HIPAA covered entities (and business associates!) to encrypt their PHI. For most organizations, encrypting mobile devices is usually the first priority because of the high probability that a mobile device will be lost or stolen. How does an organization go about encrypting mobile devices? What are the considerations for an effective plan?
The planning and implementation of encryption will vary based on the number of devices that require encryption. A physician practice with two laptops represents a vastly different environment than an integrated delivery network with 20,000 mobile devices across 3 continents. Several years ago, the HHS Office for Civil Rights issued guidance regarding implementing encryption, which can be viewed here. This guidance states: “Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.”
While NIST SP 800-111 is 40 pages long, the top points are as follows:
- Leverage existing technology. When selecting an encryption technology, organizations should consider solutions that leverage existing infrastructure. For example, for laptop computers, most organizations use Windows 7 or Windows 8.x with Active Directory for authentication. So, while other products exist, it makes sense to look at Microsoft’s solution – BitLocker – which is built into Windows.
- Centrally Manage. Except for very small-scale deployments (let’s say, under 10 devices), organizations should use centralized management solutions. There are ongoing costs for effective encryption, including periodically changing encryption keys, supporting users who have problems, and recovering from failures. Solutions targeted to the enterprise (e.g. BitLocker or Symantec’s PGP) will include centralized management features. Small physician offices and other very small organizations may wish to consider an inexpensive option such as the popular open-source solution TrueCrypt, which lacks centralized management functionality. [Update 8/1/2014: TrueCrypt support has been discontinued by its authors; Eagle no longer recommends it.]
- Ongoing Key Management is essential. Encryption keys are the long “passwords” used to encrypt and decrypt the data. If the key is lost, the data will be lost. If the key is stolen, the data can be readily accessed. (For example, if a key is kept on a USB Flash drive that is kept in the same briefcase as the laptop, the encryption will be useless!) If it takes the tech support team a day to respond to a user problem, the organization could lose 8 hours of work from the end user.
- Consider moving to 2-Factor Authentication. Solutions that centrally manage encryption (e.g. BitLocker) can store keys on a central server and automatically transmit the key after the user signs in. If the sign-in process (“authentication”) consists of a password only, then breaking the encryption requires only finding the password — and we know that passwords are routinely compromised. Organizations that have not yet done so should consider moving to a 2-Factor Authentication solution, which requires both a password and something else – for example a security token, smart card, cell phone text message or biometric.
- Don’t forget the importance of multiple layers of security. Encryption is important, but it is not a silver bullet. Any single safeguard can be compromised by an adversary. Other important measures for protecting mobile data include good policy, end-user training, properly patched operating systems and application software, secure configurations, and good physical security.
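As an added example (not part of the original post or of Eagle’s work), the PowerShell below puts the “leverage existing technology” and “key management” points into practice on a single Windows machine: it checks that the system volume is fully encrypted with BitLocker protection turned on, and escrows the recovery password to the computer’s Active Directory object so that a forgotten PIN or a failed TPM does not become the “lost key, lost data” case. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later) and a Group Policy that permits AD DS backup of recovery information; the function names are my own.

```powershell
# Audit BitLocker on the OS volume and escrow the recovery password to AD.
# Assumes the BitLocker module (Windows 8 / Server 2012+) and a GPO that
# allows "Store BitLocker recovery information in AD DS". Run elevated.

function Get-BitLockerAuditResult {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # A volume only protects data when encryption has FINISHED and protection is ON;
    # "EncryptionInProgress" or a suspended protector leaves PHI readable.
    $encrypted = ($vol.VolumeStatus -eq 'FullyEncrypted')
    $protected = ($vol.ProtectionStatus -eq 'On')

    # Recovery-password protectors are the ones that must be escrowed centrally.
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        MountPoint         = $vol.MountPoint
        Encrypted          = $encrypted
        ProtectionOn       = $protected
        EncryptionMethod   = $vol.EncryptionMethod
        RecoveryProtectors = $recovery.Count
        Compliant          = ($encrypted -and $protected -and $recovery.Count -gt 0)
    }
}

function Backup-RecoveryKeysToAD {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    if ($recovery.Count -eq 0) {
        # No recovery password at all: add one, otherwise a TPM failure means lost data.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }

    foreach ($kp in $recovery) {
        # Store each recovery password on the computer object in Active Directory.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
}

$result = Get-BitLockerAuditResult
$result | Format-List
if ($result.Encrypted -and -not $result.Compliant) { Backup-RecoveryKeysToAD }
```

Run the audit function across the fleet (for example via Invoke-Command) and report any host where Compliant is false; on Windows 7, which lacks this module, the same status is available from manage-bde -status and manage-bde -protectors -adbackup.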
All of this points to the need to spend time planning your approach to encryption, conducting an appropriate risk analysis, and taking care with implementation. If your organization does not have the time or expertise, consider professional help in order to have a successful implementation. Eagle Consulting Partners, Inc., or another security consulting firm, can provide the help and expertise necessary for good results.