{"id":2591,"date":"2013-08-23T00:00:00","date_gmt":"2013-08-23T00:00:00","guid":{"rendered":"http:\/\/otava.test\/solving-the-encryption-dilemna\/"},"modified":"2013-08-23T00:00:00","modified_gmt":"2013-08-23T00:00:00","slug":"solving-the-encryption-dilemna","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/solving-the-encryption-dilemna\/","title":{"rendered":"Solving the Encryption Dilemna"},"content":{"rendered":"

Everybody\u2019s screaming for protection of their personal information – thank you Edward Snowden. But the latest outcry, presumably prompting Google\u2019s announcement last week that they are now defaulting to 128-bit AES encryption1<\/sup>\u00a0for the services they provide, is only the most recent echo in an escalating conversation about the stake of protecting digital information. In 2011, it was the uproar about Sony\u2019s loss of personal user information.2<\/sup><\/p>\n

Since then, the Department of Health and Human Services has issued multiple fines in excess of $1M not safeguarding patient health information (including not addressing encryption)3<\/sup>. Daily reports of compromised data breach of personal information have become routine4<\/sup>, with a recent study by the Ponemon Institute and Experian revealed that 21% of businesses reported the theft of confidential information that required notification to victims5<\/sup>. Now that 91% of American adults packing a cell phone (56% of those \u201csmart\u201d) with our life\u2019s email, pictures, and passwords all in one convenient, portable bundle, we should get used to this trend continuing.<\/p>\n

So, what to do? Encrypt everything, right? Wrong. Why? It\u2019s very, very rare to accomplish encryption<\/a> of \u201ceverything\u201d without serious impact to performance, ability to backup and preserve data, and\/or managing a rat\u2019s nest of encryption keys that end-users (think all patients in the U.S.) could lose every time they lose or break their cell phones or forget their password. Now there\u2019s a helpdesk nightmare for you. Encryption is GREAT protection. It just comes with a lot of complexity – especially when all data is in \u201cthe cloud\u201d. As Eric Ouellet and Brian Lowans from Gartner wrote about6<\/sup>, there\u2019s \u201cassembly required\u201d:<\/p>\n

\n

Organizations considering the use of cloud-based services to host or process their sensitive data continue to face significant hurdles in seamlessly integrating encryption offerings to secure their data.<\/p>\n<\/blockquote>\n

For healthcare data, encryption is considered an addressable requirement as a technical safeguard for electronic protected health information (ePHI), but addressable is not equivalent to optional. As far as HHS ONC\u2019s Director Leon Rodriguez is concerned, you either have to do it, or have a good reason for not doing it and some other form of equivalent protection. In their first round of audits, they discovered that many entities did not address the requirement at all, but it\u2019s not yet clear if that was from lack of awareness, or some other objection or conflict. In response, they published encryption guidance in a Risk Assessment Toolkit that reiterates:<\/p>\n

\n

We should keep in mind that this requirement is simply restating and reinforcing the encryption requirement found in the HIPAA Security Rule under the standard for access control (45 CFR 164.312(a)(2)(iv)). What this means is that a longstanding, but possibly unclear, requirement to encrypt data at rest is now receiving a great deal of well-deserved attention.7<\/sup><\/p>\n<\/blockquote>\n

What is certain is that encryption is not a silver bullet. Why? After all, some very effective encryption algorithms are free – so what\u2019s so prohibitive? First of all, encryption is only one small part of what should be a comprehensive and layered system of protecting data. Secondly, practical application of encryption such as managing encryption keys can be a complete nightmare. Imagine every healthcare patient has an encryption key – conveniently integrated with their cell phone to validate who they are and access their patient information. So far, so good. But, what happens when the phone is lost, stolen, damaged, upgraded, given to a child, etc. Who\u2019s going to manage all of that?<\/p>\n

Writing the latest and greatest cloud app? You probably need to hire someone to address encryption in the application code itself and maintain it. You might buy a third-party software application like BitLocker or TrueCrypt or an Enterprise version of SQL to implement if you have the resources to afford purchase and integration. Another option is a hardware encryption appliance or storage device such as Porticor to handle encryption – easy management if you have the budget to afford it.<\/p>\n

If you can find a way past the resource cost of encryption, that still leaves you with weighing the potential cost of other consequences such as crippling performance, or conflicts with other tools like backup software that can\u2019t unlock encrypted data. We\u2019ve been watching our customers struggle with all of these methods while they try to find a solution that will protect sensitive data without compromising the very functionality they are serving to their end users. It\u2019s an expensive and confusing Gordian Knot.8<\/sup><\/p>\n

While policy makers, businesses, vendors, and consultants may all agree that encryption is essential to protect sensitive data, many organizations have yet to accomplish an encrypted-at-rest solution. When HHS ONC Director Leon Rodriguez reviewed the results of the KMPG trial HIPAA audits, his favorite finding was about encryption9<\/sup>. He posited that if they performed a risk analysis, then they would incorporate encryption; otherwise, they must not have thought about it. I suggest there\u2019s a third option – that security and IT officers would LOVE to encrypt all the data at rest, but this requirement probably doesn\u2019t outweigh the business priority of having a functional EMR or similar application. When encryption puts the function of the application at risk by compromising performance or conflicting with things like backups, then even diligent businesses are likely to choose an unencrypted implementation over no implementation.<\/p>\n

Industries that manage sensitive digital information and online applications need affordable vendor solutions that bring encryption together more seamlessly and less painfully with infrastructure or platform services. Good digital protection will always involve layered defense (aka defense in depth10<\/sup>). Despite this, encryption as a part of a patchwork quilt of application deployment adds complexity to implementation for organizations that are already stretched thin for precious IT resources yet obligated to deliver applications in a timely and functional way. When a company is lucky enough to maintain in-house programming talent who can integrate encryption at the software level, or can afford the intense capital costs of storage like EMC\u2019s VMAX SAN to encrypt without the hit to server or application performance, encryption provides effective protection. Without these types of resources, it\u2019s hard to use encryption as an effective tool to protect data without significant compromise in other areas.<\/p>\n

Online Tech now provides a high-performance, encrypted enterprise cloud<\/a> that includes encryption-at-rest for all multi-tenant<\/a>, private<\/a>, and enterprise cloud<\/a> clients. It\u2019s our hope that we can simplify one piece of the security puzzle and leverage the infrastructure across all of our clients to facilitate encryption without sacrificing performance or intensive capital outlay. We would love your feedback.<\/p>\n

Learn more about the addressable but highly recommended requirement – encryption – in our upcoming webinar,\u00a0Removing the ‘Cryptic’ from ‘Encryption’ – HIPAA and the Meaning of Secure PHI<\/a><\/strong><\/em>, on September 17 @2PM ET.<\/p>\n

1)\u00a0Hack This, NSA: Google Now Triple-Encrypts All Data in Google Cloud Storage<\/a>
\n2)\u00a0Sony Encrypted Credit Card Data, But Not User Account Info<\/a>
\n3) Alaska DHSS Settles HIPAA Security Case for $1,700,000<\/a>
\n4) Privacy Rights Clearinghouse<\/a>
\n5) Avoiding Business Disruptions Caused by Data Breaches<\/a>
\n6) Cloud Encryption: Some Assembly Required<\/a>
\n7)\u00a0HIMSS Risk Assessment Toolkit<\/a>\u00a0(PDF)
\n8) Gordian Knot, Wikipedia\u00a0<\/a>
\n9) HIPAA in a HITECH World: HIPAA Violations on the Rise, According to Director of OCR<\/a>
\n10) Defense in Depth<\/a>\u00a0(PDF)<\/p>\n","protected":false},"excerpt":{"rendered":"

Everybody\u2019s screaming for protection of their personal information – thank you Edward Snowden. But the latest outcry, presumably prompting Google\u2019s announcement last week that they are now defaulting to 128-bit AES encryption1\u00a0for the services they provide, is only the most recent echo in an escalating conversation about the stake of protecting digital information. In 2011, it was the uproar about Sony\u2019s loss of personal user information.2 Since then, the Department of Health and Human Services has issued multiple fines in excess of $1M not safeguarding patient health information (including not addressing encryption)3. Daily reports of compromised data breach of personal information have become routine4, with a recent study by the Ponemon Institute and Experian revealed that 21% of businesses reported the theft of confidential information that required notification to victims5. Now that 91% of American adults packing a cell phone (56% of those \u201csmart\u201d) with our life\u2019s email, pictures, and passwords all in one convenient, portable bundle, we should get used to this trend continuing. So, what to do? Encrypt everything, right? Wrong. Why? It\u2019s very, very rare to accomplish encryption of \u201ceverything\u201d without serious impact to performance, ability to backup and preserve data, and\/or managing a rat\u2019s nest of…<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"other_category":[],"class_list":["post-2591","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"acf":[],"yoast_head":"\nSolving the Encryption Dilemna | OTAVA<\/title>\n<meta name=\"description\" content=\"It\u2019s rare to accomplish encryption of \u201ceverything\u201d without serious impact to performance, so how do we solve the encryption dilemna?\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.otava.com\/blog\/solving-the-encryption-dilemna\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Solving the Encryption Dilemna\" \/>\n<meta property=\"og:description\" content=\"It\u2019s rare to accomplish encryption of \u201ceverything\u201d without serious impact to performance, so how do we solve the encryption dilemna?\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.otava.com\/blog\/solving-the-encryption-dilemna\/\" \/>\n<meta property=\"og:site_name\" content=\"OTAVA\" \/>\n<meta property=\"article:published_time\" content=\"2013-08-23T00:00:00+00:00\" \/>\n<meta name=\"author\" content=\"Irma Brillantes\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Irma Brillantes\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.otava.com\/blog\/solving-the-encryption-dilemna\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/blog\/solving-the-encryption-dilemna\/\"},\"author\":{\"name\":\"Irma Brillantes\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263\"},\"headline\":\"Solving the Encryption Dilemna\",\"datePublished\":\"2013-08-23T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.otava.com\/blog\/solving-the-encryption-dilemna\/\"},\"wordCount\":1206,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.otava.com\/blog\/solving-the-encryption-dilemna\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.otava.com\/blog\/solving-the-encryption-dilemna\/\",\"url\":\"https:\/\/www.otava.com\/blog\/solving-the-encryption-dilemna\/\",\"name\":\"Solving the Encryption Dilemna | OTAVA\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/#website\"},\"datePublished\":\"2013-08-23T00:00:00+00:00\",\"description\":\"It\u2019s rare to accomplish encryption of \u201ceverything\u201d without serious impact to performance, so how do we solve the encryption dilemna?\",\"breadcrumb\":{\"@id\":\"https:\/\/www.otava.com\/blog\/solving-the-encryption-dilemna\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.otava.com\/blog\/solving-the-encryption-dilemna\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.otava.com\/blog\/solving-the-encryption-dilemna\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.otava.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Solving the Encryption Dilemna\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.otava.com\/#website\",\"url\":\"https:\/\/www.otava.com\/\",\"name\":\"OTAVA\u00ae\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.otava.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.otava.com\/#organization\",\"name\":\"OTAVA\u00ae\",\"url\":\"https:\/\/www.otava.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"contentUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"caption\":\"OTAVA\u00ae\"},\"image\":{\"@id\":\"https:\/\/www.otava.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263\",\"name\":\"Irma Brillantes\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"caption\":\"Irma Brillantes\"},\"url\":\"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Solving the Encryption Dilemna | OTAVA","description":"It\u2019s rare to accomplish encryption of \u201ceverything\u201d without serious impact to performance, so how do we solve the encryption dilemna?","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.otava.com\/blog\/solving-the-encryption-dilemna\/","og_locale":"en_US","og_type":"article","og_title":"Solving the Encryption Dilemna","og_description":"It\u2019s rare to accomplish encryption of \u201ceverything\u201d without serious impact to performance, so how do we solve the encryption dilemna?","og_url":"https:\/\/www.otava.com\/blog\/solving-the-encryption-dilemna\/","og_site_name":"OTAVA","article_published_time":"2013-08-23T00:00:00+00:00","author":"Irma Brillantes","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Irma Brillantes","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.otava.com\/blog\/solving-the-encryption-dilemna\/#article","isPartOf":{"@id":"https:\/\/www.otava.com\/blog\/solving-the-encryption-dilemna\/"},"author":{"name":"Irma Brillantes","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263"},"headline":"Solving the Encryption Dilemna","datePublished":"2013-08-23T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.otava.com\/blog\/solving-the-encryption-dilemna\/"},"wordCount":1206,"commentCount":0,"publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.otava.com\/blog\/solving-the-encryption-dilemna\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.otava.com\/blog\/solving-the-encryption-dilemna\/","url":"https:\/\/www.otava.com\/blog\/solving-the-encryption-dilemna\/","name":"Solving the Encryption Dilemna | OTAVA","isPartOf":{"@id":"https:\/\/www.otava.com\/#website"},"datePublished":"2013-08-23T00:00:00+00:00","description":"It\u2019s rare to accomplish encryption of \u201ceverything\u201d without serious impact to performance, so how do we solve the encryption dilemna?","breadcrumb":{"@id":"https:\/\/www.otava.com\/blog\/solving-the-encryption-dilemna\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.otava.com\/blog\/solving-the-encryption-dilemna\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.otava.com\/blog\/solving-the-encryption-dilemna\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.otava.com\/"},{"@type":"ListItem","position":2,"name":"Solving the Encryption Dilemna"}]},{"@type":"WebSite","@id":"https:\/\/www.otava.com\/#website","url":"https:\/\/www.otava.com\/","name":"OTAVA\u00ae","description":"","publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.otava.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.otava.com\/#organization","name":"OTAVA\u00ae","url":"https:\/\/www.otava.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","contentUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","caption":"OTAVA\u00ae"},"image":{"@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263","name":"Irma Brillantes","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","caption":"Irma Brillantes"},"url":"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/"}]}},"_links":{"self":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/2591","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/comments?post=2591"}],"version-history":[{"count":0,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/2591\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/media?parent=2591"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/categories?post=2591"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/tags?post=2591"},{"taxonomy":"other_category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/other_category?post=2591"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}