What is encryption? Encryption converts plaintext (your data) into ciphertext that cannot be read without the corresponding cryptographic key. Encryption protects the confidentiality of data even if an unauthorized user obtains a copy of it. Note that encryption by itself does not guarantee integrity: an attacker who cannot read ciphertext may still be able to alter it undetected unless an authenticated encryption mode (such as AES-GCM) or a separate message authentication code is used.
Encryption can be applied at various levels, including at the hardware and storage level. Watch a webinar about Encryption at the Hardware and Storage Level. For information about encryption at the software level, watch Encryption at the Software Level: Linux and Windows.
Encryption is considered a best practice for any security-conscious organization, including those that need to meet specific industry compliance requirements (HIPAA compliance for healthcare, PCI DSS compliance for ecommerce and retail, and SOX for financial reporting).
Encrypting Data to Meet HIPAA Compliance
According to the HIPAA Security Rule (45 CFR Part 164, Subpart C), issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to protect patient data in the healthcare industry:
"A covered entity must, in accordance with §164.306… Implement a mechanism to encrypt and decrypt electronic protected health information." (45 CFR § 164.312(a)(2)(iv))
HHS.gov also provides guidance on how to render ePHI (electronic protected health information) unusable, unreadable or indecipherable to unauthorized individuals. The guidance calls for encryption consistent with the NIST publications it cites, and requires that the decryption tools or keys be stored on a device or at a location separate from the data they are used to encrypt or decrypt. In practice this means keys belong in a key management service or HSM, not on the same disk or in the same database as the ciphertext.
§164.312(e)(2)(ii): Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
Protecting ePHI at rest and in transit means encrypting not only data collected or processed, but also data stored or archived as backups.
Although the encryption specifications are "addressable" under the HIPAA Security Rule, addressable does not mean optional: a covered entity must implement the specification if it is reasonable and appropriate, or document why it is not and implement an equivalent alternative measure. Encrypting sensitive healthcare data at rest, in transit and while stored as backups is considered a best practice, and can help your organization prevent data breaches. It also matters after a breach: the HHS Breach Notification Rule applies to "unsecured" PHI, and PHI that was encrypted in accordance with the HHS guidance is not considered unsecured, so its loss is not a reportable breach. For unencrypted data, breaches affecting 500 or more individuals must be reported to HHS without unreasonable delay and no later than 60 days after discovery, and smaller breaches are reported annually.
Encrypting Data to Meet PCI DSS Compliance
According to the Payment Card Industry Data Security Standard developed to protect credit cardholder data in the retail and ecommerce industries:
3.4 Render PAN (Primary Account Number) unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
- One-way hashes based on strong cryptography (hash must be of the entire PAN)
- Truncation (hashing cannot be used to replace the truncated segment of PAN)
- Index tokens and pads (pads must be securely stored)
- Strong cryptography with associated key-management processes and procedures
3.4.1.c Verify that cardholder data on removable media is encrypted wherever stored.
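The four approaches listed under 3.4 are not interchangeable. A PAN has so little entropy (a known 6-digit BIN, a Luhn check digit, and a few free digits) that an unkeyed hash of it can be brute-forced, which is why PCI DSS warns against storing the truncated and hashed forms of the same PAN together, and why PCI DSS v4.0 requires hashes of PAN to be keyed. The following is an added example, not code from the original page; it uses only the Python standard library and a constructed test PAN (a well-known Visa test number), and the key, token format and vault are illustrative assumptions. It shows truncation, an unkeyed hash being recovered from the truncated value, a keyed hash (HMAC) resisting the same attack, and an index-token vault. The fourth approach (strong cryptography with key management) is not shown because the standard library has no vetted AES implementation.

```python
"""Rendering a PAN unreadable: three of the PCI DSS 3.4 approaches side by side,
plus the attack that PCI DSS warns about when truncated and hashed PANs coexist.

Added example; not the page's own code. PAN and key are constructed test values.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample: a well-known Visa test number, not a live card.
PAN = "4111111111111111"


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first 6 and last 4 digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """One-way hash of the entire PAN. Strong hash, but no secret: see recover_pan."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256). Without the key an attacker cannot test candidates.
    The key must be managed like an encryption key and kept away from the data."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(truncated: str, digest: str) -> Optional[str]:
    """Attack: given a truncated PAN and an unkeyed SHA-256 digest of the full PAN,
    enumerate every possible middle segment (10**6 candidates for a 16-digit PAN)
    and hash each one until the digest matches. Returns None if nothing matches,
    which is what happens when the digest was produced with a secret key."""
    prefix, suffix = truncated[:6], truncated[-4:]
    missing = len(truncated) - 10
    for n in range(10 ** missing):
        candidate = f"{prefix}{n:0{missing}d}{suffix}"
        if unkeyed_hash(candidate) == digest:
            return candidate
    return None


class TokenVault:
    """Index tokens: the application stores a random token that has no mathematical
    relationship to the PAN; only the vault (assumed to live in a separate, tightly
    controlled system) can map a token back to the PAN."""

    def __init__(self) -> None:
        self._store = {}

    def tokenize(self, pan: str) -> str:
        token = secrets.token_hex(8)          # 64 random bits, hypothetical format
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


if __name__ == "__main__":
    key = secrets.token_bytes(32)             # constructed key for the demo
    trunc = truncate_pan(PAN)
    print("truncated:     ", trunc)
    print("unkeyed hash recovered:", recover_pan(trunc, unkeyed_hash(PAN)))
    print("keyed hash recovered:  ", recover_pan(trunc, keyed_hash(PAN, key)))
    vault = TokenVault()
    tok = vault.tokenize(PAN)
    print("token:", tok, "-> vault lookup:", vault.detokenize(tok))
```

The recovery loop against the unkeyed hash finishes in well under a second on ordinary hardware; against the keyed hash it exhausts all candidates and returns None. For the fourth approach, use an authenticated cipher (such as AES-GCM) from a vetted library, with the data-encrypting key wrapped by a key-encrypting key held in a KMS or HSM, which is the "associated key-management processes" part of the requirement.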
Encryption in the Cloud
Ask your cloud hosting provider whether they encrypt data at rest, whether offsite backups are encrypted, and who holds and can access the keys. Without encryption, your data is at risk if accessed by unauthorized users; with encryption, the protection is only as good as the separation between the keys and the data.
However, encryption alone is not complete cloud security. Our private cloud provides dedicated disks on a SAN (Storage Area Network) and dedicated servers. Additional layers of security can be provided by File Integrity Monitoring (FIM), a Web Application Firewall (WAF), Daily Log Review and other technical security services.