Welcome back, you cyber cryptographers and encryption mathematicians. This is Lesson 2.2 of the Cybrary Implementing a HIPAA Compliance Program for Leadership course, and our topic is the very important control, encryption. We have to protect our data at rest, in motion and in use from evildoers out there. So if you're ready, let's start our 256-bit encryption algorithms, which will encrypt our data 14 different times, and let's get that process started now.
So before we go too far in this lecture, I want to say to all you HIPAA professionals out there: yes, I understand encryption is not called out as a requirement in the HIPAA standard. According to HIPAA, encrypting health data is addressable rather than required. But that doesn't mean that a covered entity can simply ignore data encryption.

What it means is that the health care organization must determine which privacy and security measures will benefit its workflow. And what that means, the bottom line, is that a covered entity needs to ensure that its comprehensive technical safeguards, in this case encryption, along with strong administrative and physical safeguards, are there to protect PHI. One of these measures by itself is not going to be good enough. Health data encryption will be a beneficial addition to a security program.

And encryption is a standard go-to in every security program I know of, but it will need to be working with other protection measures as well. So in today's lecture, we're going to use encryption as an example of how we view a technical control, evaluate its usefulness to us and, based on the cost-benefit analysis, either implement encryption into our program or not.

But we will learn a lot about how to review our controls in the process. We're going to look at the network, evaluate our controls, in this case encryption, and we're going to look at the benefits of the control outside of HIPAA to determine if we move forward with the control. Because it's not just about HIPAA; it's best practices as well. We want to increase our network efficiencies. We want better user response times. And, oh yeah, by the way, the control helps us adhere to the HIPAA Privacy and Security Rules, too.
So let's first define our data. And let's start by saying all data is not created equal. What I mean by that is that if we use encryption as our technical control example, well, we'd be broke if we had to encrypt every single bit and byte of data in our network. We just couldn't afford it, even if we're an enterprise. So, like all controls, we have to pick which ones apply to our business and where to apply them. We start that process by defining our data.

There are five types of data. Transactional data, which is the day-to-day business data of our company. Master data, which is the application-specific data, meaning that its uses are specific to the application, with business processes related to it; our health care organization's employee master data is created, stored and maintained within our health record application. Reference data is a subset of the master data: our address as an employee might change often, but our country code reference data, where we reside, rarely changes. Reporting data is strategic data, usually produced as an ingredient of a decision-making process. And metadata is data about data. We created 265 new patient records today in our health record system that utilized 164 megabytes of storage space on our storage array and cloud backup system. And that, my friends, is metadata.
So data and network differentiation is key. Since we can't afford to place controls everywhere and protect everything in our network, we can't afford to store every one of our emails, all our spam, all our outgoing non-patient-related emails on encrypted solid state hard drives. We can only afford putting our low-level business-class data on budget-priced and budget-performing spinning hard drives, and reserve our encryption budget for putting only our ePHI on the most expensive solid state encrypted flash drives. To do this, we have to classify our data. Using email for our example: which emails are spam, and which emails are PHI? Then we want to physically and logically segment our network to isolate our PHI from other transactional and reference data.

And then, when the PHI is separated and stored on separate storage solutions like a storage array, we can build the storage array using what is called tiering, putting our critical PHI on solid state, high-performance, encrypted flash drives, and our lower-level business data on lower-tiered, lower-cost spinning disks. Now that we have classified our traffic, segmented our traffic and protected our traffic proportionally to its importance, we can control access to the data based on organizational group policy, based on our role in the organization and having the privilege to read the data, write the data or even destroy the data, based on your Active Directory group policy.
So now that we've classified our data, segmented it on the network and placed our ePHI on encrypted solid state drives, well, we're not quite done. All we've done is protect the ePHI while it's stored on the physical disk drive media. We also have to protect the confidentiality, integrity and availability of our data in two other aspects. First, when our data is being transmitted place to place: server to client, cloud to physician, data center headquarters to remote user working from home over the Internet, via virtual private network (VPN) encryption. Second, data in use. An example of data in use would be the use of screensavers on your PC, so if you step away for a few moments to refresh your coffee, the screen doesn't have a patient record with protected health information on it for anyone who walks by your workstation to see.

There are screen capture prevention controls, like software that runs on a personal computer preventing users from taking a screen capture of a patient record that has, for example, a credit card number. But nothing is preventing the user from taking a picture of the record with their phone. So your control is having your employees sign a non-disclosure agreement and having them adhere to the organization's acceptable use policy, and enforcing the same policy within your business associate agreement. So again, the point is, we can't afford to use encryption everywhere and for everything. It is through the combination of controls, based on organizational use and requirements, that we comply with the HIPAA Privacy and Security Rules.
So to further share with you the complexity of controls, I'm listing out for you at least seven examples of encryption in the network. You've got encrypted hard drives, encrypted USBs and external drives, and you have to build the drive from minute one for encryption. You just can't use it for a while and encrypt it later. The drive is set for encryption before you write to it, from the get-go, or the drive will be unencrypted, so you're either in or you're out.

There is also software-based encryption, and encrypted communications such as virtual private network technologies. There are digital certificates, which are a means of encrypting messages with the sharing of public keys and their corresponding private keys. Digital certificates are really cool and are used to verify the identity of websites by sending them an encrypted message using a public key from their certificate, and then the site decrypts the message using its private key. Really cool stuff. Authentication protocols use all kinds of different encryption algorithms. And then at the file level, as part of your computer's or network-based file system, folder-level and file-level encryption can be accomplished. Your PHI is on encrypted drives and in encrypted folders, using a complex authentication protocol, also using encryption, to identify that you have the privilege to read the patient record. Pretty neat, but also pretty complex stuff. So get your arms around all of it, and encryption is just one of the hundreds of controls we can see implemented in our HIPAA-compliant network. So there's lots of work to do, folks.
So if there is a single key takeaway from this course, if I can impart on you a single unifying concept of what our role is as the security leader, it is this: our goal is not to achieve compliance. Our goal in life is not to tick every check box when the auditor shows up so that we can keep our job. Improving the critical infrastructure of our organization is our only job, our primary goal.

And there are a lot of really good network standards frameworks out there that can help us, from the NIST Cybersecurity Framework to the Center for Internet Security Critical Security Controls (CIS CSC) to the International Organization for Standardization frameworks ISO 27001 and 27002. Well, these controls in our network are there to improve our organization's critical infrastructure, be that from a security perspective or through efficiencies or resilience and fault tolerance. All of these improvements are, in this case for our health care organization, designed, installed and in our production network to improve patient care and promote overall patient well-being. And in achieving this health care mission statement as a byproduct of making our network better and increasing our ability to serve the patient, well, we also achieve HIPAA compliance.
So now it's time for a quiz question. We named seven different examples of encryption technical controls that might be in our network, based on our organization's unique requirements. Can you name three of the seven? So hit pause, solve a Rubik's Cube (for a brilliant person like yourself, that means about 10 seconds; for me, 14.5 years), then come back and we're going to review our answers together.

Well, we had a couple of examples of physical media, like encrypted solid state and spinning hard drives, and encrypted USB and external drives. We mentioned software encryption and encrypted communications like VPNs, which we'll use to guarantee the privacy and integrity of point-to-point communications and mitigate man-in-the-middle attacks and eavesdropping. We like digital certificates and the way web applications use them for secure authentication, and we like the various encryption protocols, and we mentioned file-level and folder-level encryption used by many of the file systems in today's computer operating systems. So when we talk about technical controls and using them to ensure compliance with the HIPAA Security Rule, you can see the complexity and the challenges around knowing where to start and how to ultimately reach that end state of your security program: improving your critical infrastructure while delivering on your business goals and, in this case, improving patient care and patient well-being.
So in today's lecture, we learned about the five types of data, like transactional data and metadata, and reviewed how, when evaluating a control like encryption, we have to use the control across the lifespan of our data: while our data is at rest, in transit and in use. We looked at several examples of how encryption is used as a control in our network, and we learned that we have to pick our battles, that we just can't afford deploying any control everywhere to protect everything in our network, and that compliance is not an end goal. Although a worthy one, compliance is an end result of our organization improving its critical infrastructure by using frameworks like the NIST CSF and ISO 27000. Our goal is to improve our infrastructure in meaningful and substantial ways that will improve our patient care and the overall health of our clients. And as a result of these improvements, we strengthen our capabilities and harden our environment, making our infrastructure more secure and more resilient, and with the byproduct of our hard work, we achieve HIPAA compliance.
So we hope you enjoyed our lecture today about encryption as part of the Implementing a HIPAA Compliance Program for Leadership Cybrary series. And yes, it's just like the movies: on paper it takes 72.6 years to break that AES-256 algorithm, but you can actually break encryption in 30 seconds, because you're brilliant and that's just who you are. So for now, on behalf of all of us at Cybrary, thanks for joining us. Our next lecture is going to be on business continuity and disaster recovery. So take care, pleasant journeys and talk to you soon.
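The following is an added worked example from the editor, not part of the lecture or of any Cybrary material. It shows in code the lecture's at-rest pattern: classify each record, route PHI to an encrypted tier and everything else to a plain tier, and seal the PHI before it is written so that confidentiality and integrity both hold. Go is used because its standard library ships AES-256-GCM. The tier names, the `Record` type, the sample records and the `Store`/`Seal`/`Open` helpers are all hypothetical, and the key is generated in memory purely for the demonstration; a real deployment would pull it from a key management system or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Tier is the storage tier a record lands on after classification.
// Hypothetical names mirroring the lecture's tiering idea.
type Tier string

const (
	TierEncrypted Tier = "encrypted-ssd" // ePHI: sealed before it is ever written
	TierPlain     Tier = "spinning-disk" // low-level business data, stored as-is
)

// Record is a constructed sample record. The PHI flag is the output of the
// classification step that must run before anything reaches storage.
type Record struct {
	ID   string
	PHI  bool
	Data []byte
}

// Classify assigns a tier: anything flagged as PHI goes to the encrypted tier.
func Classify(r Record) Tier {
	if r.PHI {
		return TierEncrypted
	}
	return TierPlain
}

// Seal encrypts plaintext with AES-256-GCM and binds the record ID as
// additional authenticated data, so a blob copied onto another record's
// slot fails to open. Output layout is nonce || ciphertext || tag.
func Seal(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal. Any change to the stored bytes, or a mismatched
// record ID, makes the GCM tag check fail and returns an error.
func Open(key []byte, recordID string, stored []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, errors.New("stored blob too short")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// Store writes a record to its tier: PHI is sealed, other data is kept as-is.
func Store(key []byte, r Record) (Tier, []byte, error) {
	tier := Classify(r)
	if tier == TierEncrypted {
		blob, err := Seal(key, r.ID, r.Data)
		return tier, blob, err
	}
	return tier, r.Data, nil
}

func main() {
	key := make([]byte, 32) // demo only: a real key comes from a KMS/HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	records := []Record{ // constructed sample input
		{ID: "pt-0001", PHI: true, Data: []byte("Jane Doe, DOB 1980-02-14, dx: hypertension")},
		{ID: "newsletter-42", PHI: false, Data: []byte("Cafeteria menu for Friday")},
	}
	for _, r := range records {
		tier, blob, err := Store(key, r)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s -> %s (%d bytes stored)\n", r.ID, tier, len(blob))
	}
	// Integrity check: flip one bit of a sealed PHI blob and try to read it back.
	_, blob, _ := Store(key, records[0])
	blob[len(blob)-1] ^= 0x01
	if _, err := Open(key, records[0].ID, blob); err != nil {
		fmt.Println("tamper detected:", err)
	}
}
```

Binding the record ID as associated data is what stops a "cut and paste" of one patient's ciphertext into another patient's slot; the GCM tag covers both the ciphertext and the ID, so a swap is rejected at `Open` time rather than silently decrypting to the wrong record.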