Encryption | Viewpoint
Staying Out of the Headlines through Encryption
Hardly a week goes by without a
newsworthy breach of sensitive or confidential data. In fact, the website
privacyrights.org reports 2,625 data breaches from 2005 to August 2011
affecting more than 500 million records. Beyond the staggering number of
records breached, indications are that some people have had their records
breached more than once. While the definitions of "record" and "breach" can be
debated, the negative impact of the news that records have been breached is
well understood.
Universities and healthcare
providers are not immune from breaches of records. In fact, they tend to be
popular targets of criminal hackers because, by nature, their systems contain
vast quantities of sensitive personal and financial information. Students,
parents, staff, patients, and healthcare workers are realizing that they are
fast becoming high-value targets for hackers and cyber criminals. Thomas
Jefferson University, an institution with a large medical school and physician
practice group, is combating this threat with a data encryption strategy. [Photo, above right: The Dorrance H. Hamilton Building at Thomas
Jefferson University, Philadelphia , PA. With permission.]
Jefferson is comprised of six
colleges and schools, including Jefferson Medical College. The university
offers undergraduate, graduate, first professional, and research doctorate
degrees to more than 3,500 students focused on earning a health-care related
degree. Many of Jefferson’s 2,000-plus medical faculty also practice within the
physician practice group and have admitting privileges at the affiliated
teaching hospital. Because Jefferson is both a higher education institution and
part of an academic health center, there are regulations it must follow,
including but not limited to the Family Education Rights and Privacy Act
(FERPA) and Health Insurance Portability and Accountability Act (HIPAA)
requirements.
In 2009, Congress passed the Health
Information Technology for Economic and Clinical Health Act, or the HITECH Act.
This law significantly increased the regulatory burden on the university. The
legislation mandated that institutions publicly disclose every data breach
involving 500 or more unique records not only to the affected patients but also
to the Department of Health and Human Services and to the media. But Congress
built in a notable exception to the HITECH Act disclosure requirement: If data
covered by the HITECH Act is lost or stolen, and the data is encrypted, there is no reporting obligation.
Because
of the disclosure requirements of the HITECH Act, Jefferson has placed a new
priority on robust end-user data encryption. Based in large part on an
exhaustive review of the issues surrounding the HITECH Act, it became
abundantly clear that encrypting university data on end-user devices would not
only protect important information, but it would help protect Jefferson from
damaging fines, possible audits by government agencies, and the potential for negative
publicity.
Jefferson identified several
criteria that needed to be met in its encryption strategy. From an IT
perspective, it needed control over the deployment from a single management
interface compatible with both PCs and Macintosh operating systems. The
institution also needed to encrypt data being transferred to addresses outside
of the university network. And because the university operates a large number
of multi-user computers, disk-based encryption was not a viable option since it
forces users to share decryption passwords (password sharing is against
university policy). So, if Jefferson were to keep data segregated by user, the
university would need to encrypt the data--not the disk--giving users their own
reliable information security.
The encryption technology would
have to be deployable quickly and transparently using existing management
tools, since the university could not tolerate having entire departments’
desktops and laptops down for extended periods of time. So the university
deployed its encryption software, Credant Mobile Guardian, within the existing
Symantec Altiris environment: Users did not need to surrender their computers
while they were being encrypted. There was very little down time and just one
of the university’s IT staff successfully deployed the new encryption
technology to more than 700 end-users on a 16-acre campus over a period of a
little more than three months.
After implementation, IT reached
out to the individual departments where the software was deployed to discuss
the importance of encryption and elicit feedback. The results were
overwhelmingly positive. Most users agreed that the encryption technology was
not disruptive and they liked having peace of mind that their sensitive
data--whether it was student information from the registrar’s office, health
care records, or confidential research--was adequately protected.
Keeping researcher data secure is a
priority for the university, and we keep in mind that
academic and health care data security does not end when a user leaves campus.
One Jefferson professor who traveled to Europe to present research findings at
a conference had the unfortunate experience that his laptop was stolen from the
trunk of his rental car--the acid test for Jefferson’s new encryption system.
Happily, the university’s robust endpoint data protection solution rendered his
data and computer to be of no value to the thieves. The laptop hard drive had
been encrypted and the computer was configured with LoJack-like software that
permanently disabled it on command. What could have been a major compliance
headache or an equally serious breach of intellectual property was effectively
neutralized before it ever began.
The viral impact of tales like this
serves to educate our community very effectively. And the deployment of encryption
technology has been so easy and pain-free that researchers, faculty, and staff
are actively approaching the university’s IT department to have their
information encrypted--a result not typical of many of Jefferson IT
initiatives. Rather than resistance to the encryption mandate, Jefferson is
experiencing an appreciation of the security benefits of encryption technology.
Departments whose laptops and desktops were not in the original deployment are
now requesting that those computers be encrypted as well.
Encryption technology has helped
turn what could have been the significant challenges of new regulations into a
straightforward maintenance routine. Although we began with a basic deployment
of about 1,000 licenses, it is now IT policy that all computers purchased
through the central IT purchasing function be encrypted. Jefferson’s IT
department is confident that the university’s valuable data is protected both
at rest and in transit--helping the university stay in compliance with relevant
regulations and keeping us out of the breach notification headlines.
