Database Encryption: No Rush?
Given that many of the major healthcare information breaches reported to federal authorities so far have involved the loss or theft of laptops and other portable devices, encrypting these devices clearly should be a top priority.
And the HITECH Act's breach notification rule contains a very powerful encryption incentive: its safe harbor exempts organizations from reporting a breach if the data involved was encrypted in a manner consistent with HHS guidance, because such data is not considered "unsecured" protected health information.
But how widely should hospitals, clinics and others apply encryption?
Will your organization eventually expand its use of encryption to include back-end databases for clinical information systems and electronic health records? Or will that use of encryption never make it to your list of IT investment priorities?
I recently chatted with two executives from Cerner Corp., one of the largest vendors of clinical systems. "We are getting a substantial increase in inquiries about encrypting databases," says Gary Long, director of information security for Cerner's managed services data center.
"You need to step back and look at the encryption question in the context of your overall security strategy," adds John Travis, Cerner's senior director of regulatory and compliance strategies. If you've got strong physical security in your data center, he argues, the risk of a database breach is relatively low, especially when compared with the risks on the front end.
Cerner remotely hosts certain applications for a subset of its clients. For that data, it applies encryption to its storage area network, a relatively new option, Long says.
Likewise, Cerner is advising its clients who host clinical systems locally to consider the SAN option "to avoid the performance hits that encryption of the database on the server might bring," Long says.
But first, the folks at Cerner advise their clients to conduct a risk assessment and invest their scarce dollars in applying encryption to higher-risk areas. And that means encrypting those laptops first.
In a recent story, two consultants offered up two database encryption options that they contend let hospitals and clinics address their concerns about encryption's adverse impact on clinical system performance.
One called for "distributed cryptography," in which a third-party encryption system runs on a server separate from the clinical database so the cryptographic work is offloaded from the database host. The other called for using newer database versions that support transparent data encryption, or TDE, which encrypts the database files and backups at rest without requiring changes to applications or queries.
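To make the TDE option concrete, here is an added example that is not from the original story, from the consultants cited, or from Cerner: the T-SQL below enables Transparent Data Encryption on a hypothetical Microsoft SQL Server database called ClinicalDB. The database name, certificate name, passwords and file paths are placeholders chosen for illustration.

```sql
-- Added example: enabling SQL Server Transparent Data Encryption (TDE)
-- on a hypothetical clinical database. Names and paths are placeholders.

USE master;
GO

-- 1. A database master key in master protects the server certificate.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-With-A-Strong-Passphrase-1!';
GO

-- 2. The server certificate is what actually wraps the per-database key.
CREATE CERTIFICATE TDEServerCert
    WITH SUBJECT = 'TDE certificate for clinical databases';
GO

-- 3. Back the certificate and its private key up NOW, to media stored
--    outside the database server. Without this file a restore of any
--    encrypted backup on another server is impossible.
BACKUP CERTIFICATE TDEServerCert
    TO FILE = 'D:\KeyBackup\TDEServerCert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\KeyBackup\TDEServerCert.pvk',
        ENCRYPTION BY PASSWORD = 'Replace-With-A-Different-Strong-Passphrase-2!'
    );
GO

-- 4. Create the database encryption key inside the target database.
USE ClinicalDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDEServerCert;
GO

-- 5. Turn encryption on. Existing pages are encrypted by a background
--    scan, so I/O overhead is highest while the scan runs.
ALTER DATABASE ClinicalDB SET ENCRYPTION ON;
GO

-- 6. Verify. encryption_state 3 = encrypted, 2 = encryption in progress.
--    Note that tempdb shows up encrypted as well once any user database
--    is protected by TDE.
SELECT db.name,
       dek.encryption_state,
       dek.percent_complete,
       dek.key_algorithm,
       dek.key_length
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.databases AS db ON db.database_id = dek.database_id;
GO
```

Two points matter when weighing this against the front-end risks discussed above. First, TDE protects the files and backups at rest: a stolen disk or backup tape is unreadable without the certificate, which is exactly the scenario the safe harbor is written for. It does nothing for data read through a legitimate login, so a compromised application account or SQL injection returns plaintext just as before. Second, the protection is only as good as the separation between the certificate backup and the data; keeping the .cer and .pvk files on the same server as the database, or losing them, defeats the purpose in one direction or the other.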
It will be interesting to watch when, if ever, either of those options, or the SAN encryption option, will catch on in healthcare.
In the meantime, don't forget to encrypt those laptops, thumb drives and other mobile devices.