- Healthcare organizations of all sizes are understandably concerned with patient data security, especially as technology continues to evolve and hackers grow more sophisticated.
Healthcare data encryption is one key way that covered entities can ensure that their most sensitive data is protected, but not all types of encryption are created equally.
Albert Biketi, VP and GM of HPE Security - Data Security at Hewlett Packard Enterprise, spoke with HealthITSecurity.com about the benefits of data-centric technology, and why healthcare organizations must take a more proactive approach when it comes to data encryption.
What is a data-centric security approach?
The concept of data-centric security is about bringing protection as close as possible to the data itself, according to Biketi. A common mistake that individuals have made for a long time is assuming that all encryption is the same, and all protections that they apply to data are equally effective as long as they’ve checked the box for encryption.
Biketi added that there are different layers of encryption.
“If you encrypt just the volume level, meaning you’re protecting the container where the information sits – which is really the most common way encryption is applied – then anything that can get into that container and get that information could by default unencrypt the information before it takes it out of the container,” he said.
By default, authorized applications or authorized users will have access to unencrypted information. This is particularly common in organizations that have decided to just check the box on encryption and not do anything further.
“Solving this problem is very similar to dealing with a situation where you’re at the airport and you have a suitcase,” Biketi explained. “You packed it, and yes, you locked it, but when you’re at the airport you had to unlock it and open it in front of everyone. This is what traditional encryption that doesn’t protect the data itself sometimes leads to.”
Moreover, many enterprises, including those in healthcare, will protect information when it’s stored. The moment that an application has to use that data, it gets decrypted. Basically, there are a whole bunch of locked suitcases that get opened all the time when individuals need to actually use the contents of the suitcase, Biketi maintained.
This is why HPE utilizes format preserving encryption, which essentially allows applications to use representations of information, similar to tokens. This will allow organizations to use information that looks like the encrypted data, but it is not the real data.
For instance, a Social Security number or a medical record number can be substituted with something that has the same format, but won’t actually be the real thing.
“The vast majority of users won’t handle information for incidental purposes,” according to Biketi. “For example, someone running analytics, or somebody trying to survey information can still get the value that they need from information. They can still run an analysis, but they just won’t be running it on real data.”
Using data-centric technologies to stay HIPAA compliant
One of the areas in HIPAA regulations that individuals are highly concerned about in terms of patient data security is the potential for a re-identification attack, according to Biketi.
This is where an unauthorized user is able to gather information, and based on certain pieces of data – such as a date of admission or type of condition treated – is then able to reconstruct a patient profile.
The federal government is also dealing with this issue, as it handles veterans’ information, including medical data.
“You see this need, this tension between the need to us good analytics on data, and the need to protect patient information from privacy violations,” Biketi maintained.
Data-centric technologies can significantly anonymize information, while still allowing organizations to run those analytics.
“Essentially what we’re able to do is give organizations, and CISOs, the power to say ‘Yes’ to a lot of these new initiatives that try to take advantage of a vast data center,” explained Biketi. “If you’re going to prevent re-identification attacks, you need strong encryption. You need [National Institute of Standards and Technology] approved encryption that can protect information in a way that is highly scalable.”
One of the downsides of some cybersecurity frameworks, such as the NIST framework, is that they can be generic about the very specific measures that organizations need to take, he added. However, a data-centric approach to security not only keeps enterprises compliant, but they’re compliant in a way that is actually secure.
“Sometimes compliance and security get interchanged, to the detriment of security,” Biketi warned.
The true value of healthcare data
Another key thing for healthcare organizations to understand is that the data that they maintain is extremely valuable, and highly sought after by cyber criminals. As covered entities implement new technologies, it can be easy to overlook a seemingly small area of security that eventually leads to a large data security issue.
“A lot of healthcare companies have traditionally relied on fax, and have relied on antiquated means of communication,” he said. “Patient record sharing has become very inefficient over many decades. With technology comes a tremendous ease of use and tremendous ease of making mistakes.”
Biketi added that very large data sets can be exfiltrated in a very short amount of time with this new technology, which is why organizations must be cautious. Covered entities need to be careful because the value of the information and the speed at which they can compromise large sets of it has become very significant over time.
“When we look at some of the large insurers that have been compromised in the last few years, they all had encryption,” he said. “But, in some cases, they had encryption but it was protecting information only when the data was stored at rest, and not when the information was in use or when the information was in motion. Bringing protections that cover not only data at rest, but data in use and data in motion, is only possible if you have a data-centric approach. This is the reason we’re so adamant and insistent that this is the direction that enterprises need to take.”
The capabilities that come with the ability to preserve formats when utilizing encryption are significant, and this is the next generation of technologies around data protection, Biketi urged.
Paying attention to the current cryptography and encryption standards is also essential, especially as technological options continue to evolve.
“Organizations really need to think about not just the regulations that they know about, but regulations that they could become inadvertently exposed to, just by virtue of handling data that belongs to large numbers of people.”