Encryption | Viewpoint

Staying Out of the Headlines through Encryption

Hardly a week goes by without a newsworthy breach of sensitive or confidential data. In fact, the website privacyrights.org reports 2,625 data breaches from 2005 to August 2011 affecting more than 500 million records. Beyond the staggering number of records breached, indications are that some people have had their records breached more than once. While the definitions of "record" and "breach" can be debated, the negative impact of the news that records have been breached is well understood.

Universities and healthcare providers are not immune from breaches of records. In fact, they tend to be popular targets of criminal hackers because, by nature, their systems contain vast quantities of sensitive personal and financial information. Students, parents, staff, patients, and healthcare workers are realizing that they are fast becoming high-value targets for hackers and cyber criminals. Thomas Jefferson University, an institution with a large medical school and physician practice group, is combating this threat with a data encryption strategy. [Photo, above right: The Dorrance H. Hamilton Building at Thomas Jefferson University, Philadelphia , PA. With permission.]

Jefferson is comprised of six colleges and schools, including Jefferson Medical College. The university offers undergraduate, graduate, first professional, and research doctorate degrees to more than 3,500 students focused on earning a health-care related degree. Many of Jefferson’s 2,000-plus medical faculty also practice within the physician practice group and have admitting privileges at the affiliated teaching hospital. Because Jefferson is both a higher education institution and part of an academic health center, there are regulations it must follow, including but not limited to the Family Education Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act (HIPAA) requirements.

In 2009, Congress passed the Health Information Technology for Economic and Clinical Health Act, or the HITECH Act. This law significantly increased the regulatory burden on the university. The legislation mandated that institutions publicly disclose every data breach involving 500 or more unique records not only to the affected patients but also to the Department of Health and Human Services and to the media. But Congress built in a notable exception to the HITECH Act disclosure requirement: If data covered by the HITECH Act is lost or stolen, and the data is encrypted, there is no reporting obligation.

Because of the disclosure requirements of the HITECH Act, Jefferson has placed a new priority on robust end-user data encryption. Based in large part on an exhaustive review of the issues surrounding the HITECH Act, it became abundantly clear that encrypting university data on end-user devices would not only protect important information, but it would help protect Jefferson from damaging fines, possible audits by government agencies, and the potential for negative publicity.

Jefferson identified several criteria that needed to be met in its encryption strategy. From an IT perspective, it needed control over the deployment from a single management interface compatible with both PCs and Macintosh operating systems. The institution also needed to encrypt data being transferred to addresses outside of the university network. And because the university operates a large number of multi-user computers, disk-based encryption was not a viable option since it forces users to share decryption passwords (password sharing is against university policy). So, if Jefferson were to keep data segregated by user, the university would need to encrypt the data--not the disk--giving users their own reliable information security.

The encryption technology would have to be deployable quickly and transparently using existing management tools, since the university could not tolerate having entire departments’ desktops and laptops down for extended periods of time. So the university deployed its encryption software, Credant Mobile Guardian, within the existing Symantec Altiris environment: Users did not need to surrender their computers while they were being encrypted. There was very little down time and just one of the university’s IT staff successfully deployed the new encryption technology to more than 700 end-users on a 16-acre campus over a period of a little more than three months.

After implementation, IT reached out to the individual departments where the software was deployed to discuss the importance of encryption and elicit feedback. The results were overwhelmingly positive. Most users agreed that the encryption technology was not disruptive and they liked having peace of mind that their sensitive data--whether it was student information from the registrar’s office, health care records, or confidential research--was adequately protected.

Keeping researcher data secure is a priority for the university, and we keep in mind that academic and health care data security does not end when a user leaves campus. One Jefferson professor who traveled to Europe to present research findings at a conference had the unfortunate experience that his laptop was stolen from the trunk of his rental car--the acid test for Jefferson’s new encryption system. Happily, the university’s robust endpoint data protection solution rendered his data and computer to be of no value to the thieves. The laptop hard drive had been encrypted and the computer was configured with LoJack-like software that permanently disabled it on command. What could have been a major compliance headache or an equally serious breach of intellectual property was effectively neutralized before it ever began.

The viral impact of tales like this serves to educate our community very effectively. And the deployment of encryption technology has been so easy and pain-free that researchers, faculty, and staff are actively approaching the university’s IT department to have their information encrypted--a result not typical of many of Jefferson IT initiatives. Rather than resistance to the encryption mandate, Jefferson is experiencing an appreciation of the security benefits of encryption technology. Departments whose laptops and desktops were not in the original deployment are now requesting that those computers be encrypted as well.

Encryption technology has helped turn what could have been the significant challenges of new regulations into a straightforward maintenance routine. Although we began with a basic deployment of about 1,000 licenses, it is now IT policy that all computers purchased through the central IT purchasing function be encrypted. Jefferson’s IT department is confident that the university’s valuable data is protected both at rest and in transit--helping the university stay in compliance with relevant regulations and keeping us out of the breach notification headlines.

About the Author

David Reis is Associate Vice President of Information Technologies and Information Security Officer at Thomas Jefferson University.

comments powered by Disqus