In 2012, a faculty member at the M.D. Anderson Cancer Center, part of the University of Texas, discovered that his home had been robbed. A laptop lost in the robbery contained 30,000 unencrypted patient medical records including patient health information and Social Security numbers. In addition to informing those whose information had been lost, M.D. Anderson offered free credit monitoring to anyone affected by the breach. Also, under new HITECH regulations, health care organizations like M.D. Anderson could face up to $1.5 million per privacy violation.
Regulated industries, like health care, have an obvious need for data encryption and control solutions. However, companies outside of heavily regulated industries also need to encrypt customer data. Large data breaches make headlines, and bad media publicity can scar loyal customers away. As businesses of all sizes transition into cloud computing and storage, they face security threats not only from external hackers but also from inside the datacenter.
How Data Breaches Happen
When people think of stolen data, they may assume criminals are constantly penetrating company networks to snatch consumer data. Unfortunately, human error causes most data loss incidents, and stolen data is often taken by someone working inside the company. In fact, the shadowy hacker working from an overseas home computer accounts for only 8 percent of all data breaches. Data encryption doesn’t prevent data loss and theft, but it ensures that no one can read the data after they steal it.
The top causes of data loss include:
- Lost devices. Lost laptops, tablets, smartphones, USB drives and other devices account for over 50 percent of data breaches. For example, 80 percent of health care providers and staff use laptops or mobile devices to access work information. Data remains unencrypted on half of those devices.
- Workforce errors. In many cases, data isn’t lost by the company that owns it. Instead, it is lost by vendors and business associates that have third-party access to that data.
- Criminal activity. Stolen Social Security numbers and financial information provide access to a person’s credit and financial accounts. Even more frightening – some experts estimate that a person’s medical records may be worth 50 times as much as a Social Security number to criminals.
Common Encryption Myths
Some companies are afraid to encrypt data for the widespread myths that are out there. Contrary to rumor, data encryption does not:
- Destroys database performance. You may notice a slight difference in performance, especially with application encryption. However, file encryption delivers an almost unnoticeable effect.
- Requires complex solutions. The key to effective encryption is knowing what to encrypt, where to find it and who should be able to access it. If you want to encrypt an application, then you can find an easy-to-use encryption tool that sits beneath the application layer. That way, you don’t have to modify your operating system, data, application or storage.
- Only matters if you have compliance requirements. Even if you aren’t affected by HIPAA, PCI-DSS or other regulations, your customers deserve the security of having their data secured by encryption.
- Provides only minimal security improvements in a cloud environment. In many ways, storing encrypted data offsite may be more secure than storing it on-premises. Just remember to never hand over your encryption keys to your cloud provider. Always keep them in a separate, secure location.
- Costs too much. When businesses consider the costs associated with a data breach, including notifying involved customers, paying for their credit monitoring and losing sales because of negative publicity, the value of encryption becomes clear.
Tips to Remember
Keep in mind that SSL only encrypts data in motion, which is data being transferred between two endpoints. It doesn’t encrypt stored data. Also, companies should never store their encryption keys on the same server as their data. If a criminal acquires both the data and its keys, then the data is completely vulnerable.
Up-to-date encryption meets industry compliance requirements for data security and privacy. Therefore, no regulated business can ignore the importance of encryption. However, using encryption and sensible key management protocols protects any company and its customers from the exposure of valuable personal or proprietary data.
Encryption is an older data protection method, but it still delivers strong protection in any NoSQL environment. Firewalls and virtual private networks (VPN) can prevent some unauthorized access, but they can’t prevent all breaches.
About the Author: Dennis McKutcheon writes about database security and data analysis.
