One of the greatest impediments to disk encryption and data protection that I see, however, is the assumption that "We don't store anything sensitive on this or that system, so it doesn't need to be encrypted." Says whom? That's a dangerous assertion, with a major influence on information risk and compliance. As I've discovered in my work, one can predict with near 100% certainty that laptops and even many mobile storage drives do indeed contain sensitive personal information.
The U.S. Department of Health and Human Services (HHS) is outlining legal requirements via the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, pushing incentives through the new Electronic Health Record Incentive Program-Stage 2 and providing additional guidance through the National Institute of Standards and Technology. Yet many organizations are still ignoring the issue.
The fact is, data is most vulnerable when it's at rest. If you follow the proven principle of focusing on your highest-payoff tasks, merely deploying full-disk encryption creates a ton of returns. By doing so, your business will be compliant with HIPAA and HITECH, in addition to other related laws. It will also most likely be afforded safe harbor protections if a system is lost or stolen. Most importantly, you'll minimize business risks.
Maybe you have managers or colleagues who don't believe that unencrypted ePHI exposure is a likely scenario. Have them check out HHS's breach tool detailing data breaches relating to health care affecting 500 or more individuals, which illustrates plenty of examples of mobile dangers. The businesses listed are likely ones like yours. You may even do business with them.
But proceed with caution. For example, before you jump on the "BitLocker is 'free' so we'll use it to encrypt" bandwagon, there are some things you need to know about it. Depending on how you deploy and manage BitLocker, your encryption keys could be at risk when they're stored with the mobile device, and there's a commercial tool that can crack BitLocker (and TrueCrypt) encryption.
I'm not aware of any legal cases handling key management and hacking tools in the context of disk encryption or ePHI. But I've worked on enough legal cases as an expert consultant to know that these types of things would no doubt be brought up in a breach-related lawsuit.
I suspect the recent fine handed down to BlueCross BlueShield Inc. of Tennessee, which was related to the theft of unencrypted drives, will get people's attention in the short term. The company agreed to pay $1.5 million to the HHS for the alleged breach, and it marks the first enforcement action stemming from HITECH. The settlement covers the 2009 theft of 57 hard drives from a data storage closet at a former BlueCross call center in Chattanooga, Tenn.
My long-term prediction? We're going to continue seeing exposures like this for years -- maybe decades. The covered entities responsible for keeping ePHI encrypted will continue making the same mistakes. In their defense, business information systems will continue to grow in complexity, so there's no way to reasonably expect perfection. It's those organizations that ignore the risk realities that will get bitten.
In the event of loss or theft and subsequent exposure of ePHI, the burden of proving that adequate controls were in place is on you. What are you going to do about it? Encrypt -- just do it right and manage it well -- and be done with this issue once and for all.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking For Dummies, 3rd edition. In addition, he's the creator of the Security On Wheels information security audiobooks and blog.
This was first published in March 2012