Practical Encryption Tips: Using the Technology as a Breach Prevention Tool
One of the most important ways to prevent breaches is to make widespread use of encryption, especially for mobile devices and media, says security expert Melodi Mosley Gates. Here are a few practical tips for leaders.
Encrypting mobile devices makes sense even if an organization bans storage of sensitive data on the devices, she contends. "Even with the best of intentions, and the most technically enforced policy, a ban for putting sensitive information on mobile devices is probably not going to be 100 percent effective," Gates says in an interview with HealthcareInfoSecurity's Howard Anderson (transcript below). That's because all mobile devices enable users to enter data and to receive e-mails that may, in some cases, contain sensitive information.
As a result, her advice is to "have a policy in place that minimizes the amount of sensitive information that can land on mobile devices - and still encrypt mobile devices." Although this approach "may feel like a belt and suspenders," it's the best way to minimize the risk of data breaches involving tablets, smart phones, laptops and other mobile devices, which can easily be lost or stolen, Gates says.
In an in-depth interview, Gates offers other practical insights on encryption, including:
- Consider conducting a small-scale encryption pilot that involves representatives of various departments. This can help overcome outdated perceptions about the practicality of encryption.
- Identify sensitive information that needs to be encrypted by using a two-pronged approach: Survey staff members to map their business processes and identify how they use data, and implement a data loss prevention application to scan all computers and pinpoint where sensitive data resides.
- Consider using data mirroring as an alternative to backup tapes to minimize the risk of a breach.
Gates is an attorney at Patton Boggs LLC, a national law firm with offices in Denver and Washington, D.C. She advises clients on data privacy, cybersecurity and regulatory compliance matters. She formerly served as chief information security officer for the telecommunications firm Qwest Communications.
HOWARD ANDERSON: For starters, why don't you tell us a little bit about your firm and your role there?
MELODI MOSLEY GATES: I work with Patton Boggs, a national law firm. We have strong public policy roots, but we work in a variety of areas, including a pretty significant focus in healthcare practice in both Denver and D.C. In my role, I focus on healthcare information technology issues along with other technology issues outside of the healthcare realm, and I particularly work with organizations that are concerned about compliance activities and transactions as they're related to privacy and information security.
Lack of Encryption
ANDERSON: Many of the hundreds of major health information breaches reported to federal authorities so far have involved the loss or theft of devices or media containing unencrypted data. Why isn't the use of encryption more widespread, do you think?
GATES: I think there are a couple of reasons for that. First off, despite all of the things that we see in the news on a regular basis, it's still my concern that a number of organizations simply don't get it. They don't value the data that they're carrying around or they don't recognize that there's a need to protect it with tools like encryption. That's one part of the community.
I think for another part of the community, encryption just has a certain reputation of being difficult to implement. It's a high-touch implementation for IT organizations, and by that I mean you need to interact and schedule with every user, with every device. You have to sit down with people, make sure they understand the dynamics of it; so it's just a high-touch implementation. In the past also, encryption had a bit of a reputation with IT organizations for being difficult to implement, hard to deal with, problematic, causing problems with other software, slowing machines down. Several years ago, some of those concerns I would say were fair. In the past, I was a chief information security officer for a large telecom organization, and we deployed encryption to a large number of devices and we were fairly early in the curve and it could be difficult. But that was some time ago.
These days, the software is much better, and the implementations are much easier, so it's not nearly as difficult of a thing to do. However, IT organizations tend to have really long memories. I think another one of the challenges that organizations have is that a number of their IT staff members may be looking at that reputation, if you will, that encryption had several years ago and they're worried about it. They're not comfortable with it. They're not as eager to get out there and get it done as you might like them to be.
So it's really an education process for both of those communities, for that community that doesn't understand the value proposition and the need for encryption, and then also that community of those long memories in IT to say, "Hey look, the software has gotten better. Take another look at it; try it again."
Small-Scale Pilot Program
ANDERSON: You recommend a small-scale pilot of encryption to help win over skeptics and educate people. Can you explain how that approach works?
GATES: There are a couple of real wins out of a small pilot kind of approach. Again, encryption can be a high-touch implementation. It can be very impactful for an organization in terms of scheduling. You've got to get to every device. You've got to get to every person potentially that's carrying a mobile device. That means you've got to disrupt their work day in some way. Also, we've got those credibility issues with encryption. Is it going to cause me a problem? Is it going to be hard? Both of those factors put you into what I call a "show me" kind of situation, if you really want to have a successful project.
The way you can make that work with a small pilot is to carve out a subset of your organization. It might be one particular work group, but the concern I have with choosing a particular work group is what you're trying to do here is learn about what the organization is going to need, what issues are going to come up and also build credibility with the organization. I think the better way to choose a pilot is to look for people that can be champions - people that can be supporters out in different parts of your organization. And the ideal situation would be to choose a handful of people from several different business groups or process groups across your enterprise and have them involved in the pilot and then they become your champions, if you will. They're able to tell others, "Hey, they've got the bugs worked out. This thing works. It's not a problem for me." You're able to get past some of those credibility issues and also get people out there in each one of the work groups who can help you build that awareness and value for encryption. Because it's always better to have someone who's actually hands-on in the work group who recognizes the value and can talk to their colleagues, rather than having someone from the outside, whether that's legal or IT or another group, be the only ones that are talking up a particular project.
It's all about "show me" and that's one of the best ways to make that small-scale pilot work - to pick out a handful of people in each group and give yourself a reasonable amount of time to walk through the problems that you find as you go along, and make it very clear that you're taking those problems seriously and acting on them. You're literally building up a reputation for the project. At the same time, you're fixing technical problems. It can be a really powerful combination.
ANDERSON: Before applying encryption to stored data, organizations must determine where all their protected health information actually resides. What's the best way to do that, especially for structured data such as information in spreadsheets?
GATES: Well, that's a challenge, isn't it? I think organizations struggle with this issue. I think every organization does to some extent because data has become so mobile - and by mobile I mean not just on mobile devices, though that's certainly the case in many organizations, but also in end-user computing environments, as you mentioned in spreadsheets, and documents and all sorts of places that are hard to track down.
There are a couple of steps that can really help organizations go about inventorying and understanding where their data lives. One of those is to take a business-process view. Survey work groups ... that are the most likely to be interacting with this kind of information. Of course, at some point, you want full coverage, but I think you can get a lot of bang for your buck by prioritizing in terms of who's the most likely to have access to this kind of data. Then map their business processes. If you sit down and talk with them, rather than asking the question, "What data do you have on your shared server," instead say, "Tell me more about what you do, what kind of data might you have?" There's a business interaction way to do this.
There's also a technical way to do this. There are tools available now, and this software is another great example of software that has gotten much better in the last few years. It's called data-leakage prevention software. Some people call it data loss prevention software or data loss protection software and it's kind of funny they all turn into the acronym DLP. ... These products can do a lot of things in terms of protecting sensitive data within your environment. And one of the really interesting things they can do is they can help to scan your environment and inventory that kind of data, even if it's embedded out in things like Excel files. It's not a simple process. It can be a lengthy one, but it can be very helpful.
For instance, this kind of software can be pointed at a shared server where work groups keep their spreadsheets and their documents and that kind of thing, and can scan that content in an automated kind of way and come back and say, "Here are the hits we have for data that looks like it might be protected health information or looks like it might be a Social Security number."
If you combine those two approaches, the business process, interviewing, prioritizing kind of process with the technical DLP-oriented kind of process, at that point you can have some pretty good confidence that you've located a lot of the data that we're talking about. At the same time that you're doing both of those activities, you've also got a great opportunity to build awareness in your organization for why it's important to keep track of this kind of sensitive data and where it lives. So again, you can see there's a running theme when we talk about encryption and protecting sensitive data - that you need the combination of people and their awareness, business processes and understanding those things, and the right tools. ... I think there's a "good news" story on all three of those fronts. Still a lot of hard work, but it's a very solvable problem.
Encrypting Mobile Devices
ANDERSON: Should all mobile devices and media that store protected health information be routinely encrypted? What about desktop PCs or servers - should they be encrypted as well?
GATES: I think when we're talking about what devices should be encrypted and what data should be encrypted, it's important to always remember what we're talking about here is a risk calculation. What's it cost to encrypt something versus what's the benefit of encrypting?
Now in the case of mobile devices, I would offer that risk calculation is almost a no-brainer. Mobile devices - things happen to them. People lose stuff. People drop devices in airports; people leave them in taxicabs. They get stolen out of cars. Bad things happen to mobile devices. And so I have to say, from my perspective, it's very hard for me to hear a convincing version of a risk calculation that says, "It's not worthwhile to encrypt every mobile device."
From my perspective, that's an objective that all organizations should have, because there are just all sorts of sensitive data on those mobile devices, in the healthcare environment that we're talking about - enormously sensitive data - and regulatory implications when those devices are lost. Nobody wants to be on the front page of the papers for tomorrow's breach. But there's also a lot of other sensitive information stored on mobile devices, and so when organizations are thinking about that risk calculation, they need to be thinking even more broadly about the harm that they can suffer when those mobile devices are lost. It can range from organizational to personal embarrassment if e-mails or certain kinds of information are taken out of context, not with the intent that it may have originally been created with. There may be other sorts of liabilities that are created, just a variety of issues that, again, make that risk calculation for mobile devices, given the ease of encrypting them these days, pretty much a no-brainer.
Now, when you start talking about desktop PCs and servers, that calculation gets a lot more complicated and becomes much more organization-specific. And so rather than blanket rules in those kinds of environments, it's important that organizations really take a hard look at what their IT environment looks like, where the data lives and what their risks associated with them are. In the case of desktop PCs, it may well be that with some minor changes to their business processes or their working environment, organizations may be able to get the sensitive data off of those desktop PCs and stored back in a more controlled, centralized kind of an environment. That may be a better approach from a cost perspective than encrypting every one of those desktop PCs. So again, it's very organization-specific once you get out of that mobile realm.
...There are still some legitimate arguments on the server side ... with older applications, with certain kinds of databases [about encryption being challenging]. And so there's really not a good blanket rule for the server side. It's something that an organization needs to take a good, hard look at and really pressure their vendor for. These days, we see so many organizations looking at cloud computing solutions, or looking at off-the-shelf software that they're buying from a vendor. They really need to be pressuring their vendors to say, "Make encryption happen; make it easy for us and make it work in this application environment." Those kinds of issues come into play on the server side. Again, [it's a] much more complicated set of scenarios than back on those mobile devices.
ANDERSON: Is it ever practical to just ban the storage of information on mobile devices, or any other device for that matter, to help minimize the cost of encryption? And how do you go about enforcing such a policy?
GATES: I think you hit the nail on the head there. Enforcing that kind of policy can be extremely difficult to do. And so, for that reason, it's important for organizations, if they want to take the approach of, "We're just going to ban having this kind of data on a device," you really have to take a deep breath and say, "Is this practical? Is this a policy that's going to be enforceable in my environment?" Because frankly, the only thing worse than having no policy at all is to have a policy on your books that you don't enforce. ...
There are technical solutions. Data leakage prevention tools, data loss protection tools, those kinds of software products can help you prevent downloads for certain kinds of data. You can do things in your centralized environment so that data is not downloadable. Organizations have often adopted solutions, especially recently, where the mobile device user doesn't carry any data on their device. Instead, they connect back to the central environment and the sensitive data lives there. Those kinds of solutions are great from a risk perspective because they minimize the opportunity for sensitive data to be on that mobile device.
However, every mobile device out there has a way for me to type data into it. Every device out there has a way for me to get an e-mail from someone that perhaps I didn't expect to get, and perhaps the person on the other side of that e-mail didn't realize that sending sensitive information that way wasn't the best idea. So, in other words, even with the best of intentions, the most technically enforced policy out there, a ban for putting sensitive information on mobile devices at the end of the day is probably not going to be 100 percent effective. Take that reality, lay it against the ease of encrypting those mobile devices with the technical solutions that are out there these days. And I don't mean to make it sound as if large-scale deployments for encrypting mobile devices are a trivial or an easy thing to do. They're hard. They take hard work, but they can get done and they can get done effectively.
So you can see where I'm going with this. The answer is really do both. Have a policy in place that minimizes the amount of sensitive information that can land on a mobile device and still encrypt that mobile device. It may feel like belt and suspenders, but given the risk and the issues that can be created for an organization when that mobile device is lost, when a data breach occurs, again that calculation really points to putting those protective measures in place.
Encrypting Back-up Tapes
ANDERSON: There have been some high-profile breaches involving the loss or theft of unencrypted back-up tapes. Should these back-up tapes be encrypted? What are some other methods beyond back-up tapes for securely backing up information?
GATES: Back-ups are really troubling areas for a lot of organizations. In many cases, back-ups are being done off of legacy applications, a term that the IT community uses for something that has been out there for a while. There can be some real feasibility issues with how back-up tapes are created, which leads to a very costly environment to try to encrypt those. The bottom line is back-up tapes need to be protected if you're going to put your back-ups on removable media.
Another approach, though, that organizations can look at, and many organizations engage in these days, is rather than using removable media like tapes to do their back-ups ... instead use services that provide back-up capabilities - data mirroring. That's basically copying your data from one location to another over the network. That may be from one data center to another, from one city to another, from one state to another. It provides you a couple of benefits. By doing those kinds of back-ups across a network, you can encrypt those connections. You can maintain a high level of control over that data. You also may potentially be able to recover more quickly from a disaster. The reason we have back-up tapes in the first place is to recover from certain ... disasters and events. If you're doing those online back-ups rather than those traditional tapes, you've got the potential of being able to recover more quickly.
Now migrating from the traditional tape environment to the online data-mirroring environment can be a significant investment for organizations, depending on how their applications are created. It's another one of these examples that we come back to over and over of a cost/benefit trade-off and really sitting down and understanding what the risks are.
There are a number of other steps that you can take with your back-up tapes and, again, talk with your software vendors. "What can we do when these tapes are created to put encryption in the data stream, in the activities, if we're not able to destroy the back-ups in a more centralized kind of way?" It's not as simple as mobile devices, where there are standard capabilities out there that everyone can use. In the environment of back-ups, it's much more challenging because there are so many application-specific and organizational-specific variables that have to be met. But organizations that have a significant number of tapes and a significant amount of sensitive data that's being handled that way would be smart to start looking at, if they haven't already, this opportunity to do their back-ups online across a network in a way that they can control them and not have these removable storage devices running around.