The umbrella vendor statement “we encrypt all of our data” isn’t enough to satisfy HIPAA regulations, nor is it sufficient for a healthcare organization to trust in those words as it’s building a strong security program.
The Department of Health and Human Services (HHS) refers healthcare organizations to the National Institute of Standards and Technology (NIST) encryption guidelines. For data at rest, NIST offers Special Publication 800-111, which covers Full Disk Encryption, Virtual Disk Encryption, Volume Encryption and File/Folder Encryption. NIST Special Publication 800-52 Revision 1 governs best practices for encrypting data in motion. But how do these guidelines apply when you are assessing a vendor’s levels of encryption while discussing how that vendor can help your organization store or manage data securely?
Shahid Shah of healthcareguy.com recently wrote about the specific data encryption questions organizations will want to ask a potential vendor partner instead of just accepting generic encryption platitudes. As referenced above, it’s good to know that data is encrypted in motion and at rest, but probing deeper will help organizations document the findings for HIPAA compliance while also strengthening their vendor management strategies.
- Encryption status of data at rest in block storage (the file system that the apps, databases and VMs are stored on)
- Encryption status of data at rest in virtual machine block storage
- Encryption status of data at rest in archived storage (backups)
- Encryption status of data at rest in the Oracle/SQL*Server/DB2/MySQL/Postgre/(your vendor) databases (which sits on top of the file system)
- Encryption status of data in transit from database to app server
- Encryption status of data in transit from app server to proxy server (HTTP server)
- Encryption status of data in transit from proxy server to end user’s client
- Encryption status of data in transit from API servers to end user’s clients (iOS, Android, etc.)
- Encryption status of server to server file transfers
- Encryption key management in all of the above
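As an added illustration (not code from Shah’s post or from this article), the script below records a vendor’s answers to the questions above and flags the gaps an organization would need to document: unanswered items, unencrypted layers or hops, “encrypted” answers that name no mechanism or key management, and any hop on the database-to-browser path where data would travel in the clear. The vendor answers are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass

# The nine checklist items, tagged by which NIST guidance applies:
# SP 800-111 for data at rest, SP 800-52 for data in transit.
CHECKLIST = {
    "block_storage": "rest",
    "vm_block_storage": "rest",
    "archived_storage": "rest",
    "database": "rest",
    "db_to_app": "transit",
    "app_to_proxy": "transit",
    "proxy_to_client": "transit",
    "api_to_mobile_client": "transit",
    "server_to_server_files": "transit",
}
# The hops data crosses, in order, from the database to an end user's browser.
BROWSER_PATH = ["db_to_app", "app_to_proxy", "proxy_to_client"]

@dataclass
class Answer:
    encrypted: bool
    mechanism: str = ""       # e.g. "AES-256 volume encryption", "TLS 1.2"
    key_management: str = ""  # who holds the keys, where, how they are rotated

def evaluate(answers: dict[str, Answer]) -> list[str]:
    """One finding per item that is missing, unencrypted, or a platitude."""
    findings = []
    for item, kind in CHECKLIST.items():
        a = answers.get(item)
        where = "at rest" if kind == "rest" else "in transit"
        if a is None:
            findings.append(f"{item}: unanswered; cannot document {where} status")
        elif not a.encrypted:
            findings.append(f"{item}: data {where} is NOT encrypted")
        else:
            if not a.mechanism:
                findings.append(f"{item}: 'encrypted' but no mechanism named")
            if not a.key_management:
                findings.append(f"{item}: key management not described")
    return findings

def plaintext_hops(answers: dict[str, Answer], path=BROWSER_PATH) -> list[str]:
    """Hops on the path where data would travel unencrypted."""
    return [h for h in path if not (answers.get(h) and answers[h].encrypted)]

# Constructed sample: a vendor whose answers are partly platitudes.
SAMPLE = {
    "block_storage": Answer(True, "AES-256 full disk encryption", "cloud KMS, rotated yearly"),
    "vm_block_storage": Answer(True, "AES-256 volume encryption", "cloud KMS, rotated yearly"),
    "archived_storage": Answer(True),          # "our backups are encrypted" and nothing more
    "database": Answer(False),
    "db_to_app": Answer(False),                # plaintext inside the vendor's network
    "app_to_proxy": Answer(True, "TLS 1.2", "internal CA, one-year certificates"),
    "proxy_to_client": Answer(True, "TLS 1.2", "public CA, one-year certificates"),
    "api_to_mobile_client": Answer(True, "TLS 1.2", "public CA, one-year certificates"),
}   # server_to_server_files deliberately left unanswered
```

Running `evaluate(SAMPLE)` yields five findings for this vendor, and `plaintext_hops(SAMPLE)` shows that data reaches the browser in the clear on the database-to-app-server hop.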
For seasoned security pros, these aren’t ground-breaking tips. However, it never hurts to remember that compliance and security program building are both ongoing, never-ending projects. The more detailed information an organization can get from vendors, the more confident it can be that (1) it knows where its data is going and (2) that data is secure. Having confidence in data encryption can help an organization improve other aspects of its security program. For instance, once an organization is comfortable with the encryption status of all types of data in all parts of its infrastructure, as discussed in a recent JASON report, it can begin to build a strong access control system.
Check out Shah’s blog here.