We explained the concepts of encryption in Episode 2: Let’s Talk Encryption, but people continue to ask what they really need to do with encryption.
First, what encryption can and can’t do for you.
- VPN, HTTPS, SSL, SFTP, etc. protect communications in transit from prying eyes.
- Everything else is about encrypting data at rest on the devices themselves.
If you encrypt data on a device but you are hacked while you are logged into the device, encryption isn’t too helpful: the data is already unlocked for whoever controls your session. Encryption is helpful when someone tries to access the data on the device without your key (or password).
“Strong” encryption is also subjective – there is no solid authority on what is really strong encryption because law enforcement wants a back door.
What does HIPAA say about encryption? “Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”
Not very helpful.
What does OCR say about it? At the NIST/OCR HIPAA 2015 conference: “If it moves, it should be encrypted.”
Now that’s a line that can be drawn.
- Encryption of your files stored in the cloud (certainly something that moves)
- File encryption of specific files by an app on the computer, like 7-Zip
- Windows built-in encryption – BitLocker, EFS
- NAS and flash drives with built-in encryption
- Built-in encryption on your phone
- Cloud-based encryption management (MDM) – Alertboot, MaaS360, ManageEngine https://www.manageengine.com/mobile-device-management/
Create an encryption plan:
- Include all devices – laptops, phones, external drives, etc.
- Required specs, like AES 128 or FIPS, should be written down
- Methods used for implementation on each type of device
- Encryption key management plan (who holds recovery keys, and where they are escrowed)
- Audit and verification plans (how you prove each device is actually encrypted)
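As an added example (not from the episode or the show’s own material) of what the last two plan items look like in practice on Windows, the script below audits a machine’s BitLocker volumes against a written spec and records the evidence. It assumes the BitLocker PowerShell module (Get-BitLockerVolume) is available and the script runs elevated on the endpoint; the accepted cipher list and the CSV path are assumptions to adjust to your own plan.

```powershell
# Added example: check each fixed volume against the plan's written BitLocker spec.
# Assumes Get-BitLockerVolume is available and the script runs elevated.

# The spec the plan wrote down (assumed values; change to match your plan).
$AcceptedMethods = @('XtsAes128', 'XtsAes256')

$results = foreach ($vol in Get-BitLockerVolume) {
    # Key protector types on this volume, e.g. Tpm, TpmPin, RecoveryPassword
    $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $findings = @()

    # Encryption must be finished, not just started or suspended
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "VolumeStatus=$($vol.VolumeStatus) ($($vol.EncryptionPercentage)%)"
    }
    # Protection must actually be on (a suspended volume is readable without the key)
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "ProtectionStatus=$($vol.ProtectionStatus)"
    }
    # Cipher must match the spec in the plan
    if ($AcceptedMethods -notcontains $vol.EncryptionMethod.ToString()) {
        $findings += "EncryptionMethod=$($vol.EncryptionMethod)"
    }
    # Key management: a recovery password protector is what you escrow
    if ($protectors -notcontains 'RecoveryPassword') {
        $findings += 'no RecoveryPassword protector (nothing to escrow)'
    }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Volume     = $vol.MountPoint
        Type       = $vol.VolumeType
        Method     = $vol.EncryptionMethod
        Protectors = ($protectors -join ',')
        Compliant  = ($findings.Count -eq 0)
        Findings   = ($findings -join '; ')
        Checked    = (Get-Date).ToString('s')
    }
}

$results | Format-Table -AutoSize

# Keep the evidence for the audit file (assumed location).
$results | Export-Csv -Path "$env:ProgramData\bitlocker-audit-$env:COMPUTERNAME.csv" -NoTypeInformation

# Non-zero exit so a scheduled task or MDM script runner flags the machine.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

The checks map directly to the plan: the cipher list is the written spec, the RecoveryPassword check is the key management item, and the CSV is the verification record. Run it from your MDM or a scheduled task and collect the CSVs centrally so the audit is evidence rather than a checkbox.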