Is Database Encryption Practical?
Consultants say performance issues can be conquered
Two consultants, however, argue that hospitals and clinics can apply encryption on the back end without hurting the performance of their core electronic health records systems. The two divergent options they advocate call for:
Using "distributed cryptography" that involves installing a third-party encryption system on a server separate from the clinical database.
Using newer databases that run "transparent database encryption" or TDE.
Encryption is high on many hospitals' and clinics' lists of risk management priorities thanks to a "safe harbor" in the HITECH Act's breach notification rule. Under the safe harbor, breaches of encrypted data need not be reported to regulators. And that's a powerful incentive to use encryption.
Wait and see
Many CIOs and chief information security officers, however, believe database encryption isn't yet ready for prime time. So they're waiting for the technology to evolve, applying encryption first to mobile devices, desktops and e-mail.
Database encryption "is really going to take new technology from the vendors, and we will wait to see what happens there," says David Wiseman, information security manager at Saint Luke's Health System, Kansas City, Mo.
"We are still looking at potential solutions both native to some of our database vendors as well as third-party products to encrypt some of our sensitive databases," says Michael Frederick, chief information security officer at Baylor Healthcare System in Dallas.
In the meantime, hospitals and clinics with large clinical databases are primarily housing them on servers located in data centers with physical security and limited access.
"The results of a risk analysis should point to whether or not encryption is necessary for databases," says independent consultant Rebecca Herold, owner of Rebecca Herold & Associates.
Many healthcare organizations, she points out, have concluded that the risk to a database in a physically secure data center is minimal relative to other risks, such as inappropriately accessing information on a laptop.
When it comes to encrypting databases, "It's a common misconception that you have to sacrifice performance for security," says Jack Daniel, project lead for security services at Concordant, a North Chelmsford, Mass.-based consulting firm that primarily serves physician groups. "But it's all in the implementation."
Daniel advocates installing encryption on a server separate from the database. "If you encrypt the database management system, the server is multitasking, so it slows down," he argues. "These clinical systems, regardless of the vendor, are large systems that have thousands of queries coming at them at the same time."
The distributed cryptography scenario adds some expense, Daniel acknowledges. But he argues that it offers long-term savings from far simpler encryption management. "Key management solutions on a cryptography server are a lot more user-friendly," he contends.
One shortcoming of the dual-server approach, he acknowledges, is that some EHR systems, especially those for smaller physician groups, cannot accommodate it. As a result, however, some encryption vendors are creating custom software to enable their applications to connect to these clinical databases, Daniel adds.
Another consultant, however, contends a new generation of databases from Microsoft, Oracle and IBM minimizes the performance issues associated with encryption.
These platforms running transparent database encryption, or TDE, create only about a 5 percent decline in performance, which is imperceptible to the average user, says Glen Day, principal, cyber-security and privacy at Booz Allen Hamilton Inc., a Los Angeles-based consulting firm.
But Day acknowledges the TDE databases are rare in healthcare. "My personal experience is that this is embraced in the financial services industry, but I haven't seen many applications of this in healthcare yet," he says.
"TDE makes a lot more sense than using a third-party encryption plug-in," Day contends. But TDE will not be a viable option for clinical systems that run on databases other than those from Microsoft, Oracle and IBM, he notes.
Day predicts that many organizations will take a closer look at database encryption within a year or two as they become aware of new, more efficient approaches.
Daniel also expects interest in database encryption to grow. "When you talk about having a major repository of data and relying on perimeter controls to protect it, it only takes one failure to access all the information," he notes.
But until database encryption is common, he urges hospitals and clinics to pay close attention to access control, including authorization and identification.