“It is either tested and validated, or it is not”.
- Why certifications are valuable.
- Why the expression “caveat emptor” applies in the data security sector.
- The effectiveness of encryption varies by vendor application.
The true additional (and some will say ‘essential’) value of certification and other high-assurance standards for encryption products is highlighted by Ray Potter of SafeLogic in his revealing article published by HealthIT Security.
In short, Potter argues in plain logical terms that testing by independent certification authorities against FIPS (US) and Common Criteria (international), which sign off encryption products as “suitable for government and defence use”, is essential and must not be reserved for governments alone.
Although Potter’s purpose is to highlight data security risks in the health sector and how they may seriously compromise patient privacy, his point that not all encryption solutions are equal is an important wake-up call to all organisations.
Potter’s article goes further saying: “Essentially this means that crypto is useless until proven otherwise, a blunt but accurate sentiment. Other sectors have adopted the standard as their own, as well, with increasingly strict adherence in state and local government, finance, and utilities. Either encryption is validated or it is not. It’s very black-and-white.” He states the case for health sector organisations to only select encryption solutions that have been certified – in his terms, ‘validated’ – and goes on to be critical of vendors that sell non-certified encryption products.
“It’s glossing over a key distinction and allowing technology vendors in the healthcare space to continue cutting corners and building mediocre products,” Potter adds. Whether or not Potter is referring specifically to non-certified ‘hybrid’ (or ‘embedded’) encryption products, such as routers and switches with encryption blades added, his warning is significant and real. Near enough is not good enough.
Potter seems to be telling customers that they should seek certified high-assurance encryption solutions, and telling vendors that they should not sell low-assurance, non-certified products into security-dependent organisations just because those products are relatively cheap and easy to sell; in his view they are insufficient.
Ultimately, the answer appropriately lies in the saying: “Horses for courses”.
HealthIT Security Article
Proper healthcare encryption methods can be greatly beneficial to organisations as they work to improve patient data security.
Technology vendors building solutions for deployment in healthcare love to talk about encryption and how it can help patient data security. It’s the silver bullet that allows physicians and patients alike to embrace new apps and tools. Symptoms may include increased confidence, decreased stress, and a hearty belief in the power of technology.
But what if that encryption was creating a false sense of security? What if the technology wasn’t providing a shield for ePHI at all?
Patient data security measures can be improved by proper healthcare encryption
Say goodbye to privacy, say goodbye to HIPAA compliance… and say hello to breach notifications and financial penalties.
Safe Harbor, as outlined by the HITECH Act, provides for the good faith determination of whether ePHI has indeed been exposed when a device with access has been stolen or misplaced.
It is based on the concept that strong encryption, properly deployed, would thwart even a determined attacker with physical access to an authorised device. Thus, even when a laptop or mobile device or external hard drive is lost, the data is considered to be intact and uncompromised inside the device if the data was properly encrypted.
This is a key distinction, and it is the difference between a breach notification (causing a significant hit to the brand and future revenues as well as serious financial penalties) and Safe Harbor (causing a large exhale of relief and a flurry of high-fives).
Here’s the rub – how is strong encryption differentiated from weak encryption for the purposes of HIPAA compliance?
Nobody would actually admit that their installed crypto was subpar or was not integrated correctly, but that would make all the difference in the world. Certain cryptographic algorithms, such as Dual EC DRBG for example, have been proven to be defective and have been removed from circulation.
The once popular (and now discontinued) BSAFE encryption module used to deploy this algorithm at the core of their solution, but the NSA knew exactly how to exploit it… and likely so did hackers that didn’t work for a three-letter agency. If this algorithm was still actively used, let’s say in a supposedly compliant EHR portal on a physician’s laptop that had been stolen, should Safe Harbor have been invoked? No; it wasn’t safe or secure and the data was not properly obfuscated.
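The article’s point is that “encryption” on a lost device only earns Safe Harbor when the algorithm is sound and it is deployed properly: a fresh nonce per record, an authentication tag so altered data is rejected rather than decrypted into garbage, and a key that does not sit next to the data. The following Go program is an added illustration, not code from the HealthIT Security article, from Potter, or from Senetas. It contrasts AES-256-GCM (authenticated, randomised) with the same AES-256 key used in raw ECB mode, showing that ECB leaks repeated plaintext blocks and that GCM detects a single altered byte. The record contents, the label, the secret and the simple SHA-256 key derivation are all constructed for the example; a real deployment would obtain the key from an authenticated source off the device and use a purpose-built KDF.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveKey turns a secret held off the device (constructed here) into a 256-bit AES key.
// SHA-256 keeps the example self-contained; a password-derived key needs a real KDF (Argon2, scrypt, PBKDF2).
func deriveKey(secret []byte) []byte {
	sum := sha256.Sum256(secret)
	return sum[:]
}

// sealRecord encrypts one record with AES-256-GCM: a fresh random nonce per record and an
// authentication tag. The label is bound in as associated data so a ciphertext cannot be
// silently moved to another record. Output layout: nonce || ciphertext || tag.
func sealRecord(key, label, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // never reuse a nonce under the same key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// openRecord reverses sealRecord and fails closed: wrong key, wrong label or one flipped
// bit in the stored bytes all return an error instead of corrupted plaintext.
func openRecord(key, label, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// ecbEncrypt is the "improperly deployed" counterpart: same key, raw ECB mode, no IV and
// no authentication. Shown only to demonstrate why mode and deployment matter; never use it.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, errors.New("plaintext must be a multiple of the block size")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// repeatedBlocks counts 16-byte ciphertext blocks that duplicate an earlier block;
// any repeat reveals repeated plaintext, i.e. structure leaking through the encryption.
func repeatedBlocks(ct []byte) int {
	seen := make(map[string]bool)
	n := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			n++
		}
		seen[b] = true
	}
	return n
}

func main() {
	// Constructed sample: a record whose fields repeat, as identifiers in real records often do.
	record := bytes.Repeat([]byte("PATIENT-ID:00042"), 4) // four identical 16-byte blocks
	key := deriveKey([]byte("constructed-secret-held-off-device"))
	label := []byte("ehr-record-42")

	ecb, _ := ecbEncrypt(key, record)
	fmt.Printf("ECB: %d repeated ciphertext blocks (pattern leaks)\n", repeatedBlocks(ecb))

	sealed, _ := sealRecord(key, label, record)
	fmt.Printf("GCM: %d repeated ciphertext blocks\n", repeatedBlocks(sealed))

	sealed[len(sealed)-1] ^= 0x01 // simulate one altered byte on the lost device
	if _, err := openRecord(key, label, sealed); err != nil {
		fmt.Println("GCM: tampering detected on read:", err)
	}
}
```

The ECB output shows three of the four ciphertext blocks repeating, so an attacker holding the device learns which records share identifiers without ever recovering the key; the GCM output shows no repeats and rejects the altered record outright. That is the practical difference between encryption that supports a good-faith Safe Harbor determination and encryption that merely carries the right algorithm name.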
Senetas High-Assurance Security Comments
Senetas encryptors were born from a total commitment to independent international certifications. That commitment remains today.
The first encryptors designed and built by Senetas, to solve network data security issues for US government and defence forces and for Australian government and federal law enforcement, were certified under FIPS and Common Criteria respectively (as suitable for government and defence use).
At that time, about 20 years ago, neither of those first Senetas customers could find a vendor with certified network data encryptors that would solve their security issues while maintaining maximum network performance.
That commitment to certifications of all Senetas network data encryptors remains alive and thriving today (as does their zero performance impact). Today Senetas encryptors also have NATO and CAPS (UK) certifications.
Whether Senetas customers are government or non-government (including the health sector), every Senetas encryptor sold is covered by the relevant certifications.
In addition to being certified encryption products, Senetas encryptors are high-assurance security products. They include the four essential high-assurance features:
- Are 100% secure and tamper-proof hardware dedicated to encryption
- Use state-of-the-art ‘client-side’ encryption key management
- Provide true end-to-end and authenticated network data encryption
- Use standards-based encryption algorithms (e.g. AES 256).
It is fair to say that organisations that choose certified high-assurance encryption products to protect data genuinely take data security seriously. Rather than simply ‘ticking the box’ by choosing any encryption solution and abdicating their full responsibility to protect customer, supplier, employee and other stakeholders’ data, they invest in tested (certified) solutions that go beyond an ‘it will do’ attitude.
Increasingly, smart and responsible organisations are not just accepting the lowest common denominator solutions. Instead they prefer to invest in the most robust security available. Today these smart organisations are using a high-assurance security approach to differentiate themselves among customers and other stakeholders.