Covered entities and eligible providers must now address the issue of encryption of “data at rest” as part of their security risk analysis process. This shines a spotlight on the existing encryption references within the HIPAA Security Rule. Encryption of ePHI is specifically covered under 45 CFR 164.312(a)(2)(iv), which reads: “Implement a mechanism to encrypt and decrypt electronic protected health information.” However, since it is categorized as an “addressable control,” it is not specifically mandated.
I spent the last few days at the RSA conference in San Francisco. I’ve been attending for many years now and there seems to be a growing discontinuity between what’s being presented in the sessions (and the discussions following) and the stories pitched on the expo floor.
One theme that echoed throughout many vendor booths was “we’ve got the latest technology to stop APT threats in their tracks.” Not only is that redundant, but by definition you can’t make a threat go away with technology or anything else short of changing the motivation of the class of attackers. Perhaps some psychological software could be in order. Barring that, strong security processes, well thought-out policies and consistent enforcement go a long way towards encouraging attackers to seek out easier targets.
Cloud security was another consistent topic on everybody’s mind. I heard many comments from enterprise security types saying things like “we’ve been doing cloud computing for years, it’s just the name that’s new.” To a certain extent, it seemed that often a contest was emerging: my MVS “cloud” solution in the ’70s was better than your VAX deployment in the early ’80s. My opinion is that the economic model that the cloud offers (public, private or both) puts new pressure on enterprise security practices and risk management programs (or lack thereof).
A clear example of this is data classification. It’s hard to do well and consistently, so many enterprises ignored it when they could layer on technology in their own data centers. But when you are making decisions about what data to move into the cloud, it really helps to have a clear approach to information classification that drives policy decisions and enforcement. The other big risk that didn’t get enough airtime was legal issues. I suppose that’s to be expected at RSA though. My personal guidance on taking advantage of the cloud is that not only should you have a plan for moving there, but make sure you have an equally strong plan to move back again (or to another provider).
I did appreciate the viewpoints from many different stakeholders. Enterprises, tool providers, security vendors and the government were well represented.