Encryption at rest: what you need to know
by Kapua Iao
Encryption at rest protects data in storage (i.e., at rest). It is just as imperative as encryption in transit, especially for organizations that must protect sensitive data.
Safeguarding protected health information (PHI) within the healthcare industry is not only vital for solid patient care but is also mandatory under HIPAA (the Health Insurance Portability and Accountability Act of 1996).
Data at rest vs. data in transit
Generally, there are two types of data: data in motion (i.e., in transit) and data at rest (i.e., in storage). Some analysts also discuss a third type, data in use or active data: information that is being processed, accessed, or read.
Data in transit is data that actively moves from one location to another, such as through the internet or a private network.
By contrast, data at rest is not actively moving. Wikipedia defines data at rest as “data that is housed physically . . . in any digital form,” whether in cloud storage, on a hard drive, personal computer, or device, or archived or stored in some other way.
Knowing what data to protect and store, and who needs access, is essential to understanding how to safeguard it.
What is encryption?
Encryption is a cryptographic process that transforms readable data (plaintext) into a form (ciphertext) that cannot be deciphered without a specific key. Only parties holding that key can turn the ciphertext back into usable data.
What this means is that data remains protected even if access controls (e.g., passwords and/or two-factor authentication) fail. Encryption does not prevent a breach but it does keep cybercriminals (who don’t have the decryption key) from opening and using data.
Methods of encrypting data in transit and in use include Transport Layer Security (TLS) and end-to-end encryption. The aim is to keep data unreadable and/or to keep a “conversation” from being hijacked by an unauthorized party.
On the other hand, encryption at rest must keep inactive data invisible and secure wherever and however it is stored. Strong methods of encryption at rest include the Advanced Encryption Standard (256-bit AES) or the Rivest-Shamir-Adleman (RSA) cryptosystem.
Why encryption at rest?
IT specialists tend to focus on data in transit or in use because it appears more exposed and harder to secure. In practice, given the right circumstances, data at rest is at least as vulnerable and often easier for a threat actor to reach.
For example, a cyberattack may start with a simple phishing email that asks a victim to click on a link or attachment, and/or share credentials. And anyone who inadvertently does what is asked may give system access to an unauthorized party.
And once a hacker gains access to a system, unencrypted data at rest is exposed. If the data were encrypted, it could not be read, ransomed, or released without the decryption key.
Encryption at rest also limits the exposure created by lost or stolen devices, unintentional password sharing, and accidental permission grants. Moreover, for healthcare providers, it could mean avoiding a HIPAA violation and interrupted patient care.
PHI, healthcare, and encryption
HIPAA is U.S. legislation that protects the rights and privacy of patients. To be HIPAA compliant and avoid a HIPAA violation, healthcare providers must protect patients’ rights and PHI.
Under Title II of HIPAA, the Security Rule (2005) focuses on the necessary safeguards, whether labeled as “required” or “addressable,” for keeping PHI safe. All “addressable” safeguards, including encryption, were labeled as such to give organizations the ability to find their own solution. This means fitting “addressable” safeguards to their requirements as needed rather than vice versa.
It is also worth noting that while encryption is “addressable” rather than “required,” there is no appropriate alternative method for securing data. Therefore it is a de facto HIPAA requirement.
Paubox Email Suite—email encryption made easy
Every access point (or threat vector) must be safeguarded in conjunction with the three types of data. Email is the most common and most successful threat vector, which is why email security (i.e., HIPAA compliant email) and email encryption are essential.
Paubox provides seamless and safe HIPAA compliant email for better, more secure communication with patients. Our patented HITRUST CSF certified solution Paubox Email Suite utilizes blanket TLS 1.3 encryption on all outgoing messages.
All outbound emails are encrypted directly from your existing email platform (such as Microsoft 365 and Google Workspace), requiring no change in email behavior. No extra logins, passwords, or portals for you or your email recipients.
Moreover, our patent-pending Zero Trust Email feature for our Plus and Premium customers adds an AI-powered proof of legitimacy to all inbound emails before they are delivered. This feature, along with ExecProtect which stops domain name spoofing, keeps hackers from finding a back door into any system.
Finally, Paubox also provides encryption at rest using a unique volume encryption key generated for each Paubox disk volume.
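The two building blocks named in this article, AES-256 for the stored data and RSA alongside it, and the idea of a unique encryption key per disk volume, fit together in a pattern usually called envelope encryption: each volume gets its own random AES-256 data-encryption key (DEK), and that key is itself encrypted (“wrapped”) with an RSA key-encryption key (KEK) held elsewhere, since RSA is impractical for bulk data and is used to protect the key rather than the data. The Go program below is an added illustration written for this article, not Paubox’s own implementation or a description of its key handling; the record it encrypts is constructed and fictional, and the names (EncryptedVolume, EncryptAtRest, DecryptAtRest, NewKEK) are this example’s. It uses only the Go standard library (crypto/aes, crypto/cipher, crypto/rsa).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// SampleRecord is a constructed, fictional record used only to exercise the code.
const SampleRecord = "patient_id=00012345;dob=1970-01-01;note=example-only"

// oaepLabel binds the wrapped key to its purpose; wrap and unwrap must agree on it.
var oaepLabel = []byte("volume-dek")

// EncryptedVolume is what actually lands on storage: the nonce, the ciphertext,
// and the volume's data-encryption key (DEK) wrapped under an RSA key-encryption
// key (KEK). The plaintext DEK is never written next to the data.
type EncryptedVolume struct {
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output; the authentication tag is appended
	WrappedDEK []byte // DEK encrypted with RSA-OAEP under the KEK public key
}

// NewKEK generates the RSA key-encryption key. In a real deployment this key
// lives in a KMS or HSM, not in the process that stores the data.
func NewKEK() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// newVolumeKey returns a fresh random 256-bit DEK, one per volume.
func newVolumeKey() ([]byte, error) {
	dek := make([]byte, 32) // 32 bytes = AES-256
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	return dek, nil
}

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAtRest encrypts plaintext under a new per-volume AES-256-GCM key and
// wraps that key with RSA-OAEP so only the KEK private key can recover it.
func EncryptAtRest(plaintext []byte, kek *rsa.PublicKey) (*EncryptedVolume, error) {
	dek, err := newVolumeKey()
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dek, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &EncryptedVolume{Nonce: nonce, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// DecryptAtRest unwraps the DEK with the KEK private key, then decrypts and
// authenticates the volume. A wrong KEK, or any modified byte of the nonce,
// ciphertext or wrapped key, yields an error rather than garbage plaintext.
func DecryptAtRest(vol *EncryptedVolume, kek *rsa.PrivateKey) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, kek, vol.WrappedDEK, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, vol.Nonce, vol.Ciphertext, nil)
}

func main() {
	kek, err := NewKEK()
	if err != nil {
		panic(err)
	}
	vol, err := EncryptAtRest([]byte(SampleRecord), &kek.PublicKey)
	if err != nil {
		panic(err)
	}
	// Stored form: unreadable without the KEK, even if the disk image leaks.
	fmt.Printf("stored ciphertext: %x\n", vol.Ciphertext)
	pt, err := DecryptAtRest(vol, kek)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", pt)
	// Caveat: while a volume is unlocked on a running system the DEK is in
	// memory, so an attacker with live access reads plaintext like any user.
}
```

Two design points worth noticing. Because the DEK is unique per volume and stored only in wrapped form, a leaked disk image is useless on its own, and rotating or revoking the RSA KEK can be done without re-encrypting every volume. And because AES-GCM authenticates the ciphertext, tampering with stored data is detected at decryption time rather than silently producing corrupted records. The caveat in the final comment matters for the “once a hacker accesses a system” scenario above: encryption at rest protects media and backups that are offline or detached, not data on a system that is already unlocked and compromised, so access controls and detection still carry that part of the risk.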
Encryption is more than the protection of data in motion and/or use. Rather, organizations must safeguard all three types of data, as well as all access points, at all times.