On May 22, a physician's unencrypted personal laptop was stolen from Beth Israel Deaconess Medical Center (BIDMC). It contained information on ~4,000 patients. The organization is busy cleaning up the mess today. And, this breach has caused a "priority project" to be undertaken, which focuses on encrypting mobile devices (laptops, iPads and other tablets, etc.) at a cost of around $300,000.
Encrypting the devices ("full disk encryption") seems to be the popular recommendation industry-wide. But is it the right approach?
(See, for example, this post by John Halamka, MD, MS, Chief Information Officer of Beth Israel Deaconess Medical Center, Chief Information Officer at Harvard Medical School, Chairman at New England Healthcare Exchange Network (NEHEN), Co-Chair of the HIT Standards Committee, Professor at Harvard Medical School, and a practicing Emergency Physician -- https://geekdoctor.blogspot.com/ )
Herein lies the problem: Sensitive data travels. It can be sent or moved anywhere. Like water it can leak through the holes in containers and persist in all manner of places —in this case PCs, storage devices, mobile devices and so forth. And that's why encrypting containers has never, ever really worked. . . keep encrypting them, and you'll continue to still see plenty of data breaches. Proven fact. Encrypting devices is only a measure—a layer if you will—which means while it's a good thing, it has severe limits: it ONLY protects the "data at rest" within that container - and really then only when the device is powered off - and powering off is becoming rare in the mobile "always on" world.
Here's what needs to happen: Encryption of sensitive data MUST start "at the source" or data level. That way, no matter where the data travels or is sent, it remains protected. If you don't do this, you will always and forever be playing a game of catch-up with thieves, and you'll never get past them. Bottom line: If your organization needs to collect private or sensitive information for whatever reason, encrypt it using an end-to-end or data-centric approach. If not, it's simply NOT protected. And that, unfortunately, my friends, is what all data breaches—large and small—have in common.
The good news is that today, it's very easy to protect data at the source, wherever it goes. It can be done quite easily and cost-effectively, so there's simply no reason or excuse for not doing it. Further, not only is it a straightforward to de-identify data such that it protects people, but it also enables you to do more without the traditional impact on business processes or patient care. Leading organizations are already doing it with tremendous success, using breakthrough techniques such as Format-Preserving Encryption or FPE - for HIPAA compliance in Healthcare to data governance and control in other industries. Simply put, FPE makes sensitive data useless to anyone who – wittingly or unwittingly – gets their hands on it. Yet the power of FPE is that the right people and process can continue to operate using the FPE protected data. Powerful, and a new way to manage data risk - from mainframe to mobile.
With the barrage of data breaches now spanning many years, not just months, it's unbelievable that data still isn't being encrypted. Yet the benefits are sound: executives wouldn't have cause to worry about sensitive data or PHI falling into the wrong hands any longer. Their e-records or intake systems can automatically encrypt data just as soon as it's collected, using proven end-to-end protection technologies like FPE. This means by default the data meets the goals of Safe Harbor provisions in related privacy mandates.
If you're interested in learning more about Format-Preserving Encryption, you can vist this link (https://www.voltage.com/technology/Technology_FormatPreservingEncryption.htm) or drop us an email to firstname.lastname@example.org.