I read a blog post today from Fred Trotter entitled “Anthem Was Right Not To Encrypt” – a topic sure to engender flames.
For those of you living under a rock, Anthem Health got hacked last week. Big Time. Fred’s blog post questioned the value of encryption at rest and took a somewhat contrarian view to provoke a reaction. Having said that, he made some good points. In particular, I like this quote:
Most lay people, clinicians and apparently, reporters, simply do not understand when encryption is helpful. They presume that encrypted records are always more secure than unencrypted records, which is simplistic and untrue.
So, when is encryption useful? What do we really need to do to be good healthcare custodians?
Bear in mind, we’re talking specifically about encryption at rest.
At the strict end of the scale, encrypting at rest can mean a different key for every file, or even every block, stored on media. This is generally considered impracticable, but it can be done. At the other end of the scale, whole disk encryption works on the premise that a single key (ideally entered at boot) unlocks the entire data set.
Whole disk encryption is very common. It is most useful when you need to protect media that may be stolen, i.e. when a thief walks out of your data center with a drive or a laptop is lifted from the boot of your car.
Whole disk encryption is of basically no value against online penetration attacks such as the one against Anthem. Once the system has booted and mounted its volumes, the key sits in memory and the disk is transparently decrypted for every process on the box; once the attacker has administrator access, all files are in the clear.
Did Anthem use whole disk encryption? That doesn’t appear to be clear. Whole disk encryption would certainly meet HIPAA requirements and show intent to protect. It wouldn’t have helped much in this specific situation.
So, what about file or even directory level encryption on top of whole disk encryption? It can be done. However, unless the keys are managed in such a way that the systems administrator cannot obtain them at will (held outside the host, typically in a key management service or HSM, and released only to authorised applications), it is of no value: an attacker with admin rights simply reads the key from wherever the admin could. In most hospitals the infrastructure and budget for such a system do not exist. Practically speaking, you are more likely to see this kind of approach in a defense environment.
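To make the key-management point concrete, here is an added example (not code from the post or from Anthem) of envelope encryption in Go: each record gets its own data key, the data key is stored on disk only in wrapped form, and the key-encryption key lives in a key service that releases data keys only to authorised principals. The `KeyService` type, the principal names `claims-app` and `sysadmin`, and the sample record are all constructed for illustration; in practice the key service would be a separate KMS or HSM, not an in-process struct. Someone holding the full disk image (the wrapped key and the ciphertext) gets nothing without the key service's cooperation, which is exactly what whole disk encryption cannot offer once the machine is running.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what lands on disk: the ciphertext and the data key wrapped
// under the key-encryption key (KEK). Neither field is usable without the KEK.
type Record struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// KeyService is a hypothetical in-process stand-in for an external KMS/HSM.
// It holds the KEK and decides which principals may unwrap data keys.
type KeyService struct {
	kek        []byte
	authorised map[string]bool
}

// NewKeyService generates a random KEK and records the authorised principals.
func NewKeyService(principals ...string) (*KeyService, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	ks := &KeyService{kek: kek, authorised: map[string]bool{}}
	for _, p := range principals {
		ks.authorised[p] = true
	}
	return ks, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prefixes the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal and fails on any tampering with nonce or ciphertext.
func open(key, data []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(data) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:n], data[n:], nil)
}

// Unwrap releases a data key only to an authorised principal. This access
// check, not the cipher, is what keeps a host administrator out.
func (ks *KeyService) Unwrap(principal string, wrapped []byte) ([]byte, error) {
	if !ks.authorised[principal] {
		return nil, fmt.Errorf("principal %q is not authorised to unwrap keys", principal)
	}
	return open(ks.kek, wrapped)
}

// Encrypt uses a fresh per-record data key and stores it only in wrapped form.
func Encrypt(ks *KeyService, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(ks.kek, dek)
	if err != nil {
		return Record{}, err
	}
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt is all that anyone holding the on-disk Record can attempt; it
// succeeds only if the key service agrees to unwrap the data key.
func Decrypt(ks *KeyService, principal string, r Record) ([]byte, error) {
	dek, err := ks.Unwrap(principal, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext)
}

func main() {
	ks, _ := NewKeyService("claims-app")
	// Constructed sample record, not real patient data.
	rec, _ := Encrypt(ks, []byte("MRN 0001: constructed sample record"))
	pt, err := Decrypt(ks, "claims-app", rec)
	fmt.Printf("claims-app: %q err=%v\n", pt, err)
	_, err = Decrypt(ks, "sysadmin", rec)
	fmt.Printf("sysadmin holding the disk image: err=%v\n", err)
}
```

The caveat the post's earlier paragraphs already imply still applies: if the attacker owns the host where `claims-app` runs with its credentials to the key service, they can ask the key service to unwrap on the application's behalf and read plaintext that way. Key separation limits what a stolen disk or a bare administrator account yields; it does not replace controlling who can act as the application, and the audit log of unwrap requests at the key service is what tells you that is happening.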
So what’s right? Whole disk encryption is base protection that should always be there. It is valuable and necessary to protect against physical theft. More complex forms of encryption such as file and directory level encryption must be combined with software and systems administration practices that support their use, and frankly, there is a huge skills gap in this area.
Unfortunately, Anthem was wrong and I think HHS will inform them of that in no uncertain terms.