Sutter Health, who suffered a massive breach this past October, was finally added to the Department of Health and Human Services “wall of shame” website. With its addition the number of records exposed swelled to over 19 million since OCR began keeping count in 2009. Of course, with 55% of those losses involving unencrypted devices of one sort or another the initial reaction is to call for more encryption, but that is not necessarily the right response or the smartest approach to solving this problem. That is not to say that encryption does not play an important role in protecting information, but like any security control, it should be a part of an integrated approach to securing the network and its data. That integrated approach should start by first addressing the data and its uses, and then determining the best method of securing it. Sounds simple, but more times than not this step is forgotten or overlooked. Hence the overwhelming number of organizations that express surprise at what was discovered on the devices compromised or lost after a breach.
Organizations should develop a well thought out Safe Harbor strategy first. That strategy should start by identifying where protected health information is physically located throughout the enterprise and by asking and answering two simple questions: 1) should it be there, and 2) who needs to access it? The rationale is simple. The Breach Notification Rule provides for two methods to meet Safe Harbor: 1) destruction, or 2) encryption using an approved technology. There is a third, unspoken, method that actually deceases the risk of exposure even better. Eliminating or restricting unnecessary access. In most cases far too much data resides in more locations than is necessary. Identifying where data is and where it needs to be in order to support operations should be the first consideration in any Safe Harbor strategy. The second step should be to clearly define operational necessity for how systems and individuals access data. For instance, does the data need to physically be present on a laptop or other mobile device or simply accessible when needed? Can we virtualize workstations or lock them down to eliminate the ability to store data locally? Once we understand where data exists, where it needs to be, and how users need to interact with it we can look at ways to enable appropriate access and protection.
Once done addressing architecture, network controls, technical controls and, finally, encryption aspects of the strategy are a straightforward proposition. This approach helps reduce the chances of gaps and the over application of encryption. Over reliance on any one control is never a good idea and encryption is no exception. Encryption, when employed correctly, is an effective protective measure. But, when not used properly or when unrealistic expectations are applied, it can also lead to a false sense of security. Encryption, like many other measures, relies on other factors such as the integrity of the network or system it is deployed on, users who know how to employ it correctly, and maintain it regularly. Used correctly, as part of an integrated set of controls, encryption can not only support compliance and avoid notifications, but most importantly, secure the data.