cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post

Healthcare IT Policy - Considering Data at Rest and Data in Motion

Level 10

Hey everybody! It’s me again! In my last post, "Introducing Considerations for How Policy Impacts Healthcare IT," we started our journey discussing healthcare IT from the perspective of the business, as well as the IT support organization. We briefly touched on HIPAA regulations, EMR systems, and had a general conversation about where I wanted to take this series of posts. The feedback and participation from the community was AMAZING, and I hope we can continue that In this post. Let's start by digging a bit deeper into two key topics (and maybe a tangent or two): Protecting data at rest and in motion.

Data at Rest

When I talk about data at rest, what exactly am I referring to? Well, quite frankly, it could be anything. We could be talking about a Microsoft Word document on the hard drive of your laptop that contains a healthcare pre-authorization for a patient. We could be talking about medical test results from a patient that resides in a SQL database in your data center. We could even be talking about the network passwords document on the USB thumb drive strapped to your key chain. (Cringe, right?!) Data at rest is just that: it’s data that’s sitting somewhere. So how do you protect data at rest? Let us open that can of worms and talk about that, shall we?

By now you’ve heard of disk encryption, and hopefully you’re using it everywhere. It’s probably obvious to you that you should be using disk encryption on your laptop, because what if you leave it in the back seat of your car over lunch and it gets stolen? You can’t have all that PHI getting out into the public, now can you? Of course not! But did you take a minute to think about the data stored on the servers in your data center? While it might not be as likely that somebody swipes a drive out of your RAID array, it CAN happen. Are you prepared for that? What about your SAN? Are those disks encrypted? You’d better find out.

Have you considered the USB ports on your desktop computers? How hard would it be for somebody to walk in with a nice 500gb thumb drive, plug it into a workstation, and grab major chunks of sensitive information in a very short period of time, and simply walk out the front door? Not very hard if you’re not doing something to prevent that. There are a bunch of scenarios we haven’t talked about, but at least I've made you think about data at rest a little bit now.

Data in Motion

Not only do we need to protect our data at rest, we also need to protect it in motion. This means we need to talk about our networks, particularly the segments of those networks that cross public infrastructure. Yes, even "private lines" are subject to being tapped. Do you have VPN connectivity, either remote-access (dynamic) or static to remote sites and users? Are you using an encryption scheme that’s not susceptible to man-in-the-middle or other security attacks? What about remote access connections for contractors and employees? Can they just "touch the whole network" once their VPN connection comes up, or do you have processes and procedures in place to limit what resources they can connect to and how?

These are all things you need to think about in healthcare IT, and they’re all directly related to policy. (They are either implemented because of it, or they drive the creation of it.) I could go on for hours and talk about other associated risks for data at rest and data in motion, but I think we’ve skimmed the surface rather well for a start. What are you doing in your IT environments to address the issues I’ve mentioned today? Are there other data at rest or data in motion considerations you think I’ve omitted? I’d love to hear your thoughts in the comments!

Until next time!

8 Comments
MVP
MVP

data encrypted at rest and in motion is not just an HIPAA and EMR thing..that requirement (it should be a requirement) should pretty much touch everything from your personal life to your job.

Level 20

Like Jfrazier says this goes way beyond Health Care.  With RMF coming down in Fed space one of the new requirements is crypto for all data at rest.  This includes CD/DVD's that are burned (hello Roxio Secure Burn) and also all hard drives and storage.  Any data in motion that goes beyond a secure enclave is already encrypted (has been for years in defense industry)... I expect we'll see more unclassified data become treated this way as well.

It can be tricky though with the NAS crypto... all the keys that must be kept and oh my if they ever become corrupted or lost... all your data will be useless gibberish!

Long ago my company implemented a policy that all automatically encrypted all USB devices connected to our USB ports. 

If you plug your smartphone's data transfer cable into one of our USB ports, your smartphone will be encrypted.  So just don't do it.

Then they disabled USB ports from accepting drives.

This works well.

Level 12

ciscovoicedude​ truly AMAZING with all the BIG Data being handled.

Level 13

Encrypted data should be a way of life in the world we live in. 

Level 20

What happens after your smartphone is encrypted?

MVP
MVP

bad things happen.... 
On that note, some applications to integrate email with company email on your phone or tablet leave the option to the company to wipe the device even though they don't own it or all of the data on it.

Imagine needing to use your smart phone, needing to access data on it, take pictures with it, listen to music stored on it, and being unable to do so.

Then imagine yourself going out and buying another one.

About the Author
I'm a Unified Communications engineer by trade, but I've got a background (and passion for) in systems management technologies of all kinds.