Encryption – First line of defense

Plamen Martinov, Director of Systems and Security

Page 2: Agenda

• Encryption basics
• Importance of encryption
• Encryption solutions
  – Laptops/Desktops
  – USB/CD
  – Email/Cloud

Page 3: What is Encryption?

• Encryption is a security process that scrambles information. It changes information from a readable form into something that cannot be read unless you have the key.

This:

Encryption changes data into an unreadable format

Becomes something like this:

Rmvtu[yopm dhqht3w 3qtq isem ze mrxephlebl oermzq

…so ONLY the person with the decryption key or password can read the information.

Page 4: Encryption vs. Passwords

• Having a password does not necessarily mean something is encrypted.
  – Passwords by themselves do not scramble the information.
• If something is only “password protected,” it is not enough protection: someone could bypass the password and read the information.

[Figure: three document icons labelled Original, Password Protected, Encrypted]

Page 5: Why is Encryption Important?

Encryption protects confidential information and helps keep it private!

• Statistics show that as many as one in ten laptops will be stolen or lost from an organization over the lifetime of each computer.
• Laptops and USB devices can be easily lost or stolen.

Page 6: Why is Encryption Important? (Cont’d)

• HIPAA – Health Insurance Portability and Accountability Act, intended to ensure the confidentiality of patient health information
• Regulatory efforts impose stiffer fees and fines in the event that a breach occurs and steps were not taken to appropriately protect sensitive data
• Breach Notification Laws – require notification if the information was not encrypted

Encryption technologies can assist with ensuring the confidentiality of patient health information and also serve as a strong measure of protection against today’s commonly anticipated threats, such as unauthorized access, modification, and disclosure.

Page 7: HIPAA Fines

• April 2014 – OCR levies $2 million in HIPAA fines for stolen laptops:
  – $1,725,220 against Concentra Health Services for an unencrypted laptop that had been stolen from one of Concentra Health Services' facilities.
  – $250,000 against QCA Health Plan, Inc. of Arkansas after an unencrypted laptop containing personal health information for 148 people was stolen from an employee's car.

Page 8: What to Encrypt?

High Risk Confidential Information:

A person’s name or other identifier, in conjunction with:

• Personally-identifiable Medical Information
• Dates (birth date, admission date, discharge date, etc.)
• Social Security number
• Driver’s license
• State ID or Passport number
• Biometric information
• Medical Record # (MRN)
• Health Insurance #

Other Confidential Information:

• Human Subjects information
• HR Records
• Credit Card Information
• Whatever you consider confidential

Page 9: BSD Encryption Solutions

Type | Encryption Solution | Cost/Impact | Purpose
--- | --- | --- | ---
Apple | FileVault 2 | $0; native security feature, easy setup; vendor-supported; AES 128 encryption for data protection; can store recovery key with Apple; well-documented install guide. | Encrypt the contents of your entire drive. Solution will work for personally owned and BSD-owned laptops.
Apple | CBIS Credant** | $60; CBIS installed and managed; CBIS technical staff required to restore system. | Solution will only work with BSD-owned laptops.
Windows | BitLocker* | $0; native security feature; AES 128-bit and 256-bit; some hardware dependencies. | Encrypt the contents of your entire drive. Solution will work for personally owned and BSD-owned laptops.
Windows | CBIS Credant** | $60; CBIS installed and managed; CBIS technical staff required to restore system. | Solution will only work with BSD-owned laptops.

* To use BitLocker, your laptop must be equipped with a Trusted Platform Module (TPM) chip, and it must be enabled.
** CBIS Credant is a commercial software solution installed and supported by CBIS. There may be licensing and support fees associated with this product. Contact CBIS for more information.
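A check that the two whole-drive solutions above are actually switched on, added here as an example and not part of the original slides: it parses the status output of Apple's fdesetup and Windows' manage-bde tools (the field labels in the constructed samples are assumed from those tools' usual output) and treats a BitLocker volume whose protection has been suspended as unprotected, since it mounts without any key.

```python
"""Check whether full-disk encryption (FileVault 2 or BitLocker) is actually on.
Added example, not from the original slides: parses the output of the vendor
status tools (`fdesetup status` on macOS, `manage-bde -status <drive>` on Windows).
Sample outputs at the bottom are constructed, not captured from a real machine."""
import platform
import re
import subprocess

def parse_fdesetup(output: str) -> bool:
    """macOS: `fdesetup status` prints 'FileVault is On.' or 'FileVault is Off.'"""
    return re.search(r"^FileVault is On\.", output, re.MULTILINE) is not None

def parse_manage_bde(output: str) -> dict:
    """Windows: a volume counts as protected only when conversion has finished AND
    protection is on; an encrypted volume with protection suspended (e.g. for a
    firmware update) mounts without any key, so it is flagged as unprotected."""
    wanted = ("Conversion Status", "Protection Status", "Encryption Method")
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\s*(%s):\s*(.+?)\s*$" % "|".join(wanted), line)
        if m:
            fields[m.group(1)] = m.group(2)
    protected = (fields.get("Conversion Status") == "Fully Encrypted"
                 and fields.get("Protection Status") == "Protection On")
    return {"protected": protected,
            "method": fields.get("Encryption Method", "unknown"),
            "fields": fields}

def check_local_disk(drive: str = "C:") -> bool:
    """Run the right tool for this OS (manage-bde needs an elevated shell)."""
    system = platform.system()
    if system == "Darwin":
        out = subprocess.run(["fdesetup", "status"], capture_output=True, text=True)
        return parse_fdesetup(out.stdout)
    if system == "Windows":
        out = subprocess.run(["manage-bde", "-status", drive], capture_output=True, text=True)
        return parse_manage_bde(out.stdout)["protected"]
    raise RuntimeError("no FileVault/BitLocker check for %s" % system)

# Constructed samples: an unencrypted Mac, and a BitLocker volume that is fully
# encrypted but has its protectors suspended (the case a naive check would pass).
SAMPLE_MAC_OFF = "FileVault is Off.\n"
SAMPLE_WIN_SUSPENDED = """\
Volume C: [Windows]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
"""
```

Call check_local_disk() from an inventory script to get a single yes/no per laptop; the parsers can be run offline on the constructed samples to see why the suspended volume fails.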

Page 10: BSD Encryption Solutions (Cont’d)

Type | Encryption Solution | Cost/Impact | Purpose
--- | --- | --- | ---
Files/Volumes | FileVault 2 | $0; native for Apple devices; AES 128 encryption for data protection; capable of creating secure disk images and file volumes | Creates secure disk images and files for data sharing via email, CD or cloud
Files/Volumes | AxCrypt | $0; has native versions for both Windows and Apple; uses strong compliant encryption. | Creates secure disk images and files for data sharing via email, CD or cloud
External Storage | Aegis Secure USB Key | $65; unlocks with onboard PIN pad; 256-bit AES hardware-based encryption; PIN of 7-15 digits on an alphanumeric keypad | Securing transport of data, documents, and presentations
External Storage | Aegis Padlock Fortress | $250; secure PIN access; real-time 256-bit military-grade AES-XTS hardware encryption; software-free design, no admin rights required; water and dust resistant | Securing transport of data (500GB+), documents, and presentations.

Page 11: Security – “Isn’t this just an I.T. Problem?”

Good Security Standards follow the “90 / 10” Rule:
• 10% of security safeguards are technical
• 90% of security safeguards rely on the computer user (“YOU”) to adhere to good computing practices

The lock on the door is the 10%. You remembering to lock it, checking to see that it is closed, ensuring others do not prop the door open, and keeping control of the keys is the 90%.

Page 12: Resources & References

• Center for Research Informatics – Cri.uchicago.edu
• BSD HIPAA Program Office – Hipaa.bsd.uchicago.edu
• Apple Encryption – FileVault 2: http://support.apple.com/kb/ht4790
• Windows Encryption – BitLocker: http://windows.microsoft.com/en-us/windows-vista/bitlocker-drive-encryption-overview
• Files/Volumes Encryption – AxCrypt: http://www.axantum.com/axcrypt/
• External Storage Encryption – Aegis Secure Storage: http://www.apricorn.com/aegis-secure-key.html