Disk Encryption Could Be Your Get Out Of Jail Free Card


If your business is in a regulated industry (HIPAA, PCI, Sarbanes-Oxley, etc.), data encryption is a term you’ve likely heard before. What is data encryption? It is a technology that converts readable data into random gibberish that must be decoded with a password or key to become readable again. When done right, it’s a nearly unbreakable way to protect your data and your clients’ data.

Whether it’s data in transit (data that’s going over a network) or what’s called data at rest (data that’s sitting on your computer, hard drives, tape backups, smartphone, thumb drive, etc.), encryption of that data is critical. This is something you need to be thinking about in your business, whether you are in a regulated industry or not, as the consequences can be dire if you’re not careful.

Thankfully, encryption of data in transit has been around for many years and is becoming more and more standard, thanks to secure VPNs and SSL communications. However, easy-to-use encryption for data at rest has been less commonplace. While the software has been around for quite a while, compatibility, installation, and manageability issues have made implementing full disk encryption more of a chore.

Why is full disk data encryption so important? Using HIPAA as a guide, the HITECH Act of 2009 modified the HIPAA data breach rule to state that if a device is lost or stolen, you don’t have to report the loss as a data breach if the data is encrypted in compliance with data encryption standards from the National Institute of Standards and Technology.
You’ve all played Monopoly. In a sense, what that means is that proper encryption could be your “Get Out Of Jail Card.”

(Please note: Weston Technology Solutions makes no promises about your ability to get out of jail or that this magical card even exists. We’re not lawyers. If you do something stupid or criminal, you’re on your own and this “card” isn’t going to be able to help, nor will Weston. But encryption will save you a ton of potential grief.)

If you have a bunch of laptops that get stolen or lost from your medical environment, there are likely two ways this could go:

• You pay an expensive fine (ranging from tens of thousands to millions of dollars) and have to report the breach, which can lead to an expensive, labor-intensive public relations nightmare.

• You check your reporting, see that the hard drives in those machines were fully encrypted, and sleep a little bit better knowing that your patient and client data is safe.

Which option sounds more appealing to you? We thought so.

While there are free options out there for full disk encryption that work, we’ve generally found them lacking from a central reporting, management, performance, support and usability standpoint. As anybody who’s ever dealt with HIPAA can attest, reporting and documenting is a very important element of compliance. One of the biggest keys in all regulated industries is not only saying that you’ve done something, but actually proving that you did. Automated reporting as part of your disk encryption solution is anything but optional.

There are many things your technology should be doing to help you stay in compliance with HIPAA recommendations and requirements – including managed patching, monitored anti-virus, encrypted emails, backups, and more – but whole-disk encryption should be the first priority on this list.

Our Data Protection service includes disk encryption as its primary component. It can run a monthly report on your encryption that you can file away for future audits and record-keeping, in addition to providing centralized management and minimal performance impact. Contact us today for pricing and additional details.

Brock McFarlane is founding owner, CEO, and HIPAA Security Officer for Weston Technology Solutions. Weston Technology Solutions has been serving the Pacific Northwest since 1994, providing managed IT services to small and medium-sized businesses with offices in Bend and Anchorage. www.weston-tech.com, bmcfarlane@weston-tech.com, or 541.383.2340.

 
