Where You Must, Might, and May Not Need to Use Encryption
Recent regulatory enforcement action has provided poignant examples of the damage even one unencrypted laptop can do to a company or organization. In April of this year, the US Department of Health and Human Services fined two healthcare organizations just under $2M in cases resulting from the loss or theft of unencrypted devices. According to HHS:
“These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices.”
But they also underscore just how seriously regulators are taking violations. It is estimated that 80% (or more) of data breaches could be avoided by following some basic “cyber hygiene” steps, and encryption is one of those basic steps. Because encryption is a reasonably simple step that any company or organization should be able to take, regulators have little patience for violations resulting from avoidable lapses in compliance efforts.
“Encryption is a way to enhance the security of a message or file by scrambling the contents so that it can be read only by someone who has the right encryption key to unscramble it.” (Source: windows.microsoft.com)
Encryption tools vary widely and it is important to find the right tool for your company’s systems. Evaluating pros and cons of various systems available would be an onerous task and, without knowing more about your systems and your data environment, I could not comfortably recommend one solution over another. (If you need help finding the most appropriate solution for your organization, don’t hesitate to contact us.)
I can, however, unequivocally recommend, and strongly urge, that you find a tool that works and that you diligently maintain strong encryption throughout your systems and devices. Having said that, there are places where encryption is an absolute necessity and others where it may be up to you to gauge the risk and decide for your organization. To prioritize where you focus your energies, let’s look at what you may encrypt, where you should use encryption, and where you simply must.
Mobile Devices Must be Encrypted
First things first. Any device – laptop, tablet, or medical device – that can or does leave your premises and may contain data or be used to access data remotely must be encrypted. The instances we have seen of unencrypted laptops lost or stolen resulting in heavy penalties could easily have been avoided. The data on an encrypted laptop, if lost or stolen, is really of no use to the person (or thief) who gets it, provided the device was powered off or locked and the key or passphrase did not travel with it. This is the difference between lost equipment being a minor headache for your IT team or a complete disaster for your organization. The simple foresight and diligence to install encryption on any device that is mobile and that may contain your company’s data is often all it takes to avoid a hefty fine or even a major data breach.
On-site Systems Might Need to be Encrypted
Once you have covered your mobile or potentially mobile systems, it is a good idea to also install encryption on any device that is stationary but which may be exposed to unauthorized access. For example, this includes any computer or device that is kept at a fixed location, such as a nurses’ station or a kiosk in a waiting room. If there is even a slight chance that someone could gain access to information, whether maliciously (by stealing the device) or by mistake, these systems should be encrypted. Anything that is not actively monitored around the clock could be a potential access point and should be protected.
Servers May Not Need to be Encrypted
The only possible exception to my “encrypt it ALL” advice applies to servers or hubs that are stationary, locked down, and access-controlled. There may be no real need to encrypt such systems. However, if your physical security is not airtight, encrypting these devices may still be a good idea. Also, hard drives removed from these systems must be properly handled, because the data on an unencrypted drive leaves the building along with the drive.
Encrypt to Avoid Unnecessary Risk
Unencrypted data is an unnecessary security risk for any company or organization. Those subject to regulatory compliance have the extra risk of enforcement action if a breach is caused by failure to encrypt systems.
The wording of HIPAA regulations leaves many things to an organization’s best judgment. Regulators want healthcare providers and facilities to reach and maintain compliance in the most realistic and effective way for their circumstances. A one-size-fits-all approach would be an unreasonable burden on covered entities and business associates. But, with this allowable discretion, HHS expects organizations to exercise good judgment, remain diligent in compliance efforts, and to cover the basics to avoid the most common risks.
Encryption can be like a first line of defense. If it is not in place, other security efforts may be in vain. To learn more about basic security measures that can help your organization avoid most security threats, and to find out how well you have these basics covered, take our Cyber Hygiene Quiz.