Encryption – First line of defense
Plamen Martinov, Director of Systems and Security

Agenda
• Encryption basics
• Importance of encryption
• Encryption solutions
  – Laptops/Desktops
  – USB/CD
  – Email/Cloud

What is Encryption?
• Encryption is a security process that scrambles information. It changes information from a readable form into something that cannot be read unless you have the key.
This: Encryption changes data into an unreadable format
Becomes something like this: Rmvtu[yopm dhqht3w 3qtq isem ze mrxephlebl oermzq
…so ONLY the person with the decryption key or password can read the information

Encryption vs. Passwords
• Having a password does not necessarily mean something is encrypted.
  – Passwords by themselves do not scramble the information.
• If something is only “password protected,” it is not enough protection - someone could bypass the password and read the information.
(Figure: Original / Password Protected / Encrypted)

Why is Encryption Important?
• Laptops and USB devices can be easily lost or stolen
• Statistics show that as many as one in ten laptops will be stolen or lost from an organization over the lifetime of each computer
Encryption protects confidential information and helps keep it private!

Why is Encryption Important? (Cont’d)
• HIPAA – Health Insurance Portability and Accountability Act, to ensure confidentiality of patient health information
• Regulatory efforts impose stiffer fees and fines in the event that a breach occurs and steps were not taken to appropriately protect sensitive data
• Breach Notification Laws require notification if the information was not encrypted
Encryption technologies can assist with ensuring the confidentiality of patient health information and also serve as a strong measure of protection against today’s commonly anticipated threats, such as unauthorized access, modification, and disclosure.
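The “Encryption vs. Passwords” slide above can be made concrete. The following is an added example, not part of the presentation: a container that only checks a password leaves the confidential bytes readable on the device, while an encrypted container does not. It uses the Python standard library only; the keystream (PBKDF2 key, HMAC-SHA256 in counter mode) is a stand-in for the AES used by FileVault 2, BitLocker and AxCrypt, and the password and patient record are constructed sample values.

```python
# Added example, not from the presentation: a "password protected" file
# vs. an encrypted one. Standard library only; the keystream below
# (PBKDF2 key -> HMAC-SHA256 in counter mode) is a stand-in for the AES
# used by FileVault 2 / BitLocker / AxCrypt, chosen because the stdlib
# has no AES. Sample data and password are constructed.
import hashlib
import hmac
import os
import struct

PASSWORD = "correct horse battery"                       # constructed sample
SECRET = b"MRN 0000001: constructed sample patient record"  # constructed sample

# --- "Password protected": a gate, but the data is stored in the clear ---
def password_protect(data: bytes, password: str) -> bytes:
    gate = hashlib.sha256(password.encode()).digest()   # software checks this...
    return gate + data                                   # ...but the bytes follow untouched

def open_protected(blob: bytes, password: str) -> bytes:
    if not hmac.compare_digest(blob[:32], hashlib.sha256(password.encode()).digest()):
        raise PermissionError("wrong password")
    return blob[32:]

# --- Encrypted: without the key the stored bytes carry no readable data ---
def _keystream(key: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, struct.pack(">Q", i), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def encrypt(data: bytes, password: str, salt: bytes = b"") -> bytes:
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return salt + ct          # salt is public; only the derived key unlocks ct

def decrypt(blob: bytes, password: str) -> bytes:
    salt, ct = blob[:16], blob[16:]
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

def plaintext_visible(stored: bytes, data: bytes) -> bool:
    """What someone reading the raw bytes of a lost laptop sees:
    is the confidential text present verbatim on the device?"""
    return data in stored

if __name__ == "__main__":
    gated, sealed = password_protect(SECRET, PASSWORD), encrypt(SECRET, PASSWORD)
    print("password-protected, secret readable on disk:", plaintext_visible(gated, SECRET))
    print("encrypted, secret readable on disk:         ", plaintext_visible(sealed, SECRET))
    print("encrypted, decrypts with the key:           ", decrypt(sealed, PASSWORD) == SECRET)
```

The example encrypts only; the disk and file products listed later in the deck also protect integrity (for example AES-XTS on the Aegis devices), which this demonstration leaves out for brevity.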
HIPAA Fines
• April 2014 - OCR levies $2 million in HIPAA fines for stolen laptops:
  – $1,725,220 against Concentra Health Services for an unencrypted laptop that had been stolen from one of Concentra Health Services’ facilities.
  – $250,000 against QCA Health Plan, Inc. of Arkansas after an unencrypted laptop containing personal health information for 148 people was stolen from an employee’s car.

What to Encrypt?
High Risk Confidential Information: a person’s name or other identifier, in conjunction with:
• Personally-identifiable Medical Information
• Dates (birth date, admission date, discharge date, etc.)
• Social Security number
• Driver’s license
• State ID or Passport number
• Biometric information
• Medical Record # (MRN)
• Health Insurance #
Other Confidential Information:
• Human Subjects information
• HR Records
• Credit Card Information
• Whatever you consider confidential

BSD Encryption Solutions
• Apple – FileVault 2
  – Cost/Impact: $0; native security feature, easy setup; vendor-supported; AES 128 encryption for data protection; can store recovery key with Apple; well-documented install guide. Solution will work for personally owned and BSD-owned laptops.
  – Purpose: Encrypt the contents of your entire drive.
• Apple – CBIS Credant**
  – Cost/Impact: $60; CBIS installed and managed; CBIS technical staff required to restore system. Solution will only work with BSD-owned laptops.
  – Purpose: Encrypt the contents of your entire drive.
• Windows – BitLocker*
  – Cost/Impact: $0; native security feature; AES 128-bit and 256-bit; some hardware dependencies. Solution will work for personally owned and BSD-owned laptops.
  – Purpose: Encrypt the contents of your entire drive.
• Windows – CBIS Credant**
  – Cost/Impact: $60; CBIS installed and managed; CBIS technical staff required to restore system. Solution will only work with BSD-owned laptops.
  – Purpose: Encrypt the contents of your entire drive.
* To use BitLocker, your laptop must be equipped with a Trusted Platform Module (TPM) chip, and it must be enabled.
** CBIS Credant is a commercial software solution installed and supported by CBIS.
There may be licensing and support fees associated with this product. Contact CBIS for more information.

BSD Encryption Solutions (Cont’d)
• Files/Volumes – FileVault 2
  – Cost/Impact: $0; native for Apple devices; AES 128 encryption for data protection; capable of creating secure disk images and file volumes.
  – Purpose: Creates secure disk images and files for data sharing via email, CD or cloud.
• Files/Volumes – AxCrypt
  – Cost/Impact: $0; has native versions for both Windows and Apple; uses strong, compliant encryption.
  – Purpose: Creates secure disk images and files for data sharing via email, CD or cloud.
• External Storage – Aegis Secure USB Key
  – Cost/Impact: $65; unlocks with onboard PIN pad; 256-bit AES hardware-based encryption; PIN-activated 7-15 digit alphanumeric keypad.
  – Purpose: Securing transport of data, documents, and presentations.
• External Storage – Aegis Padlock Fortress
  – Cost/Impact: $250; secure PIN access; real-time 256-bit military grade AES-XTS hardware encryption; software-free design - no admin rights required; water and dust resistant.
  – Purpose: Securing transport of data (500GB +), documents, and presentations.

Security – “Isn’t this just an I.T. Problem?”
Good Security Standards follow the “90 / 10” Rule:
• 10% of security safeguards are technical
• 90% of security safeguards rely on the computer user (“YOU”) to adhere to good computing practices
The lock on the door is the 10%. You remembering to lock it, checking to see that it is closed, ensuring others do not prop the door open, and keeping control of keys is the 90%.

Resources & References
• Center for Research Informatics – Cri.uchicago.edu
• BSD HIPAA Program Office – Hipaa.bsd.uchicago.edu
• Apple Encryption – FileVault 2 – http://support.apple.com/kb/ht4790
• Windows Encryption – BitLocker – http://windows.microsoft.com/en-us/windows-vista/bitlocker-driveencryption-overview
• Files/Volumes Encryption – AxCrypt – http://www.axantum.com/axcrypt/
• External Storage Encryption – Aegis Secure Storage – http://www.apricorn.com/aegis-secure-key.html