The Security Scrutinizer with Howard Anderson

Database Encryption: No Rush?

When it comes to applying encryption, should databases be last on the to-do list?

Given that many of the major healthcare information breaches reported to federal authorities so far have involved the loss or theft of laptops and other portable devices, encrypting these devices clearly should be a top priority.

And the HITECH Act's breach notification rule contains a very powerful encryption incentive. Its safe harbor exempts organizations from reporting major breaches if the data was encrypted.

But how widely should hospitals, clinics and others apply encryption?

Will your organization eventually expand its use of encryption to include back-end databases for clinical information systems and electronic health records? Or will that use of encryption never make it to your list of IT investment priorities?

I recently chatted with two executives from Cerner Corp., one of the largest vendors of clinical systems. "We are getting a substantial increase in inquiries about encrypting databases," says Gary Long, director of information security for Cerner's managed services data center.

"You need to step back and look at the encryption question in the context of your overall security strategy," adds John Travis, Cerner's senior director of regulatory and compliance strategies. If you've got strong physical security in your data center, he argues, the risk of a database breach is relatively low, especially when compared with the risks on the front end.

Cerner remotely hosts certain applications for a subset of its clients. For that data, it applies encryption to its storage area network, a relatively new option, Long says.

Likewise, Cerner is advising its clients who host clinical systems locally to consider the SAN option "to avoid the performance hits that encryption of the database on the server might bring," Long says.

But first, the folks at Cerner advise their clients to conduct a risk assessment and invest their scarce dollars in applying encryption to higher-risk areas. And that means encrypting those laptops first.

In a recent story, two consultants offered up two database encryption options that they contend enable hospitals and clinics to address their concerns about encryption's adverse impact on clinical system performance.

One called for using "distributed cryptography" that involves installing a third-party encryption system on a server separate from the clinical database. The other called for using newer databases that run "transparent database encryption" or TDE.

It will be interesting to watch whether, and when, either of those options, or the SAN encryption option, catches on in healthcare.

In the meantime, don't forget to encrypt those laptops, thumb drives and other mobile devices.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
