I’ve received numerous questions from various news outlets, clients and colleagues since the published revelation that the NSA was getting the assistance of encryption vendors to decrypt messages throughout a very wide range of activities. A lot of folks are now throwing their hands in the air, claiming that encryption is now no longer effective, and planning to use something completely different. Hmm…wait! Don’t throw out the encryption baby with the unsafe practices bathwater yet. Encryption is still an effective, and necessary, information security control to use. The following are some of the questions I’ve received in recent weeks, along with my responses. Hopefully this will make clear to you why you should continue to use encryption, and help you to know how to make it as secure and effective as possible.
1. Will the NSA’s admitted snooping make companies avoid the use of encryption?
Actually, it has to a certain degree already! I’m seeing many discussions about encryption, and the utility of even using it, going on within dozens of LinkedIn groups, Facebook groups, Twitter, and other online discussion areas. I’m also seeing a lot of talk in information security, privacy and compliance mail lists. Folks understandably are now leery of using encryption if they think it will not actually keep all spying eyes out. What they need to understand is that the encryption that has effectively been compromised is the encryption from vendors that we now know gave the NSA their decryption secrets and capabilities. What really concerns me is that they were using man-in-the-middle attacks against Google, Yahoo, Hotmail, and possibly others, to circumvent SSL encryption and intercept unencrypted information. This is a risk for data provided through online sites and transmitted to other systems.
However, encryption is still a very good way to protect your communications, particularly if you are using a solution that is not vulnerable to man-in-the-middle attacks. And as NIST and RSA recommend, don’t use the Dual_EC_DRBG random number generator; switch to something stronger that the NSA has not compromised.
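The man-in-the-middle risk mentioned above comes down to whether the client actually verifies who it is talking to. The following is an added example, not code from the original post or from any vendor discussed in it: it shows a TLS client configuration that skips certificate and hostname checks (the weak setting an interposed party relies on) next to a hardened configuration, plus a certificate-pinning check that rejects a peer whose certificate fingerprint is not on an allow list. It assumes only the Python standard library; the certificate bytes and fingerprint in it are constructed placeholders, not a real server’s certificate.

```python
"""Weak vs. hardened TLS client settings, plus certificate pinning.

Added example, not from the original post. Assumes Python 3.7+ standard
library only. SAMPLE_DER and PINS are CONSTRUCTED placeholders.
"""
import hashlib
import hmac
import socket
import ssl
from typing import Iterable


def make_insecure_context() -> ssl.SSLContext:
    """The weak setting: no certificate verification, no hostname check.

    A client built this way accepts any certificate presented to it, so an
    interposed party can terminate the TLS session and read the plaintext.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_hardened_context() -> ssl.SSLContext:
    """The corrected setting: CA chain validation, hostname check, TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname + system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the properties that decide whether a MITM is detected."""
    return {
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "minimum_version": ctx.minimum_version.name,
    }


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


def matches_pin(der_cert: bytes, pins: Iterable[str]) -> bool:
    """True if the certificate's fingerprint is on the pin list.

    Pinning adds a second check on top of CA validation: even a certificate
    a trusted CA (or a compromised one) would accept is rejected unless it
    is one the operator explicitly expects.
    """
    fp = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, pin.lower()) for pin in pins)


def connect_pinned(host: str, port: int, pins: Iterable[str],
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection that passes CA, hostname and pin checks.

    Network call; not exercised offline. Raises ssl.SSLError on a pin
    mismatch after the standard verification has already succeeded.
    """
    ctx = make_hardened_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=host)  # CA + hostname checks here
    der = tls.getpeercert(binary_form=True)
    if not matches_pin(der, pins):
        tls.close()
        raise ssl.SSLError("peer certificate does not match any pinned fingerprint")
    return tls


# Constructed placeholder standing in for a DER certificate the operator
# has recorded out of band; not a real certificate.
SAMPLE_DER = b"constructed-placeholder-not-a-real-certificate"
PINS = {cert_fingerprint(SAMPLE_DER)}


if __name__ == "__main__":
    print("insecure:", describe(make_insecure_context()))
    print("hardened:", describe(make_hardened_context()))
    print("pin match:", matches_pin(SAMPLE_DER, PINS))
    print("pin mismatch:", matches_pin(b"some-other-certificate", PINS))
```

The pin check deliberately runs after `wrap_socket`, so a certificate must pass the normal CA and hostname validation and then also match a fingerprint you recorded in advance; pins need to be rotated whenever the server’s certificate is renewed, which is the operational cost of this control.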
I still encourage folks, including everyone in healthcare and their business associates, to use encryption to protect patient information. You need to use encryption for both data at rest (in storage) and data in transit (sent through networks and other digital communications paths). The best solutions will be those from encryption vendors who have not been the extended target of research by the government. Many of these will be the smaller, more specialized encryption vendors, or those from outside the U.S. Methods such as PGP and GPG still seem, from everything I’ve read, to be secure and not surveilled.
2. How can healthcare organizations ensure how they are using encryption remains secure if the NSA is reading everything?
Not all encryption is compromised
Well, the NSA is *not* reading *everything*. They may have discovered a way to read from certain sources, such as those mentioned earlier, but they are not reading encrypted messages that are being sent through less popular solutions. And all types of healthcare covered entities, and all their business associates, definitely need to continue with their encryption plans. But I suggest they also check whether their encryption vendors are among those whose encryption has been compromised and/or who are providing decryption keys or backdoors to the NSA. Others agree. The National Institute of Standards and Technology (NIST), which has a long history of researching and recommending strong encryption methods, recently advised in the wake of the NSA revelations:
“NIST works to publish the strongest cryptographic standards possible, and uses a transparent, public process to rigorously vet its standards and guidelines. If vulnerabilities are found, NIST works with the cryptographic community to address them as quickly as possible. NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG…no longer be used.”
RSA, a well-respected security solutions vendor, soon issued their own advisory after the NIST advisory:
“RSA determined it appropriate to issue an advisory to all our RSA BSAFE and RSA Data Protection Manager customers recommending they choose one of the different cryptographic Pseudo-Random Number Generators (PRNG) built into the RSA BSAFE toolkit.”
Encryption is still a compliance requirement
Also, don’t forget that encryption, in areas where risk determines it is necessary, is still a legal requirement under HIPAA and a vast array of other state laws, federal laws and regulations, and under PCI DSS for those who process credit card payments.
Encryption still protects data from most prying eyes
And leaving sensitive data unencrypted widens the risk of unauthorized exposure to basically the entire world, not just to the possibility that the government may decide a particular insured’s or patient’s records need to be cracked. Encryption is still going to keep the much larger population of general snoopers and criminals out of data you don’t want them to have.
3. What are some key concerns organizations now have to worry about knowing what they now know?
What will probably be the biggest issue to address now, one that wasn’t there prior to the NSA surveillance revelations, is knowing what to tell patients, customers and insureds when they ask their providers, insurers, bankers and others questions about encryption, and whether the government is looking at their specific patient, financial or other information. Some healthcare providers have told me they’ve already gotten several such questions.
Bottom line for organizations of all sizes…
Encryption still *is* an effective tool that all types of organizations, of all sizes in all industries, can use to help protect sensitive information such as PHI and all other types of personal information. It is too bad the NSA actions have damaged the perception of the usefulness of encryption, just as organizations were finally realizing the need for encryption and getting it implemented throughout their organizations. Choose an encryption solution that the NSA can’t get into. To determine where to use it: 1) identify where sensitive data is collected, stored and processed; 2) identify the risks through the entire lifecycle of the sensitive data; then 3) implement encryption, in transit and in storage, in all the locations where there are sufficient levels of risk to justify encryption to your business leaders and decision makers.
This post was written as part of the IBM for Midsize Business (http://Goo.gl/t3fgW) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.