Why, What and How to Encrypt: Security Expert Insights

Not sure if your organization’s sensitive data is properly encrypted? It’s time to be sure. Chris Heuman, Practice Leader for RISC Management and Consulting, broke down the reasons why (and how) in the latest webinar hosted by Online Tech.

Not sure if your organization’s sensitive data is properly encrypted? It’s time to be sure. Chris Heuman, Practice Leader for RISC Management and Consulting, broke down the reasons why (and how) in the latest webinar hosted by Online Tech.

Heuman cites that unencrypted data is being breached regularly, and those breaches come at a staggering cost. On average, security breaches affect 42,659 individuals and cost organizations $8,275,865 (yes, that’s nearly $8.3 million) to respond.

That price tag includes the cost of fines, penalties, legal counsel and distribution of settlements to harmed individuals, but does not include the financial equivalent of the damage made to an organization’s reputation, the resources needed to respond to unannounced audits in the future or myriad other related costs.

“When you think of these numbers and compare it to the cost of implementing an encryption program, you’ll find the expense of the program isn’t quite as high as you thought it was,” he said.

In his 48-minute presentation, titled Encryption: Perspective on Privacy, Security & Compliance, Heuman discussed why to bother encrypting, what data to encrypt, how to encrypt it, how to document that encryption and how to test it. A brief summary of his presentation follows.

Why Bother to Encrypt

If the figures above weren’t motivation enough, there are a myriad of reasons to encrypt data, including the government regulations (HIPAA, PCI and SOX compliance), frameworks and industry requirements that any organization that stores sensitive information has to deal with.

“Privacy and security is a life cycle, not a one-time event,” Heuman said. “Encryption is a control mechanism that is implemented after proper analysis has been completed and policies stating the intent have been put into place.

“Don’t jump the gun and start implementing encryption without attending to all the analysis and preparatory steps. It’s important to walk through this in a logical manner and to make well thought-out decisions rather than to jump head first into technical implementation.”

What to Encrypt
The first key step to proper encryption of data is to perfectly understand all of the places that data is stored.

“If you don’t know where your data is located or how sensitive it is, you can’t protect it,” Heuman said. “This is not just for encryption, but any information security control. If you don’t have a good understanding you either have to protect everything, which can be very expensive, or risk being paralyzed at the analysis phase and not accomplish anything at all.”

Heuman presented an encryption project management plan that all organizations should follow:

• Inventory all the data repositories where encryption should be implemented
• Analyze which technique is appropriate
• Determine supported and appropriate implementation
• Develop and follow a project plan

How to Encrypt
Citing recommendations from the National Institute of Standards and Technology (NIST) and the four levels of certification from the Federal Information Processing Standards, Heuman stated encryption success and the compliance organizations are hoping to achieve – the safe harbor they’re looking for – rely on two factors: the algorithm that’s chosen, and the key.

“You really have to understand the algorithm that you’re required to implement and you really need to select an appropriate key length and complexity,” Heuman said. “After those decisions are made, you have to ensure that what was planned was what actually got implemented.”

Organizations must be sure the algorithm is approved by the industry or regulation they are required to adhere to, and then ensure that a key that is sufficient, reasonable and can be secured and maintained is chosen and placed onto the devices.

How to Document

Heuman discussed the importance of knowing what and how to properly document as part of any encryption project management plan and how to be ready for an audit by extracting documentation from analysis determinations and project plans.

He urged management to “trust but verify” the encryption standards of their organization and to maintain all responses from vendors/manufacturers that claim encryption is not supported.

“Executive oversight and interest is key,” Heuman said. “If executives are plugged in, people will understand it’s a priority for the organization.”

How to Test
The time to find out encryption was not effective or did not provide safe harbor is not after a breach has occurred. Heuman suggests organizations conduct data breach drills and disaster recovery drills. Also perform random tests on portable USB drives from members of the workforce.

“There are many different ways to do it,” Heuman said. “Most of them are cost-effective and time effective, and it can really save you a lot of headaches later on.

What kind of headaches? Let’s go back to those numbers:

• The Alaska Medicaid program was fined $1.7 million after a breach resulting from an unencrypted USB device that contained just 501 patient records was stolen.
• Massachusetts Eye and Ear Associates was fined $1.5 million after a breach resulting from the theft of an unencrypted laptop containing about 3,600 of its patients and research subjects.
• Alere Home Monitoring discovered an unencrypted laptop containing patient records was stolen from an employee’s vehicle.
• Tricare Management had unencrypted backup tapes stolen, affecting 4.9 million individuals, the largest security breach to date.

We thank Chris Heuman for his time and expertise. And we thank him for saying the following during his presentation:

“Online Tech is one of the very few providers in this space that takes privacy, security and compliance seriously and has really implemented and tested their controls.”

(data encryption / shutterstock)