Device encryption and compliance

Most companies want to protect data at rest on devices that are susceptible to theft, so that the data remains inaccessible even if the hard drive is removed and installed in another machine. Yet lost and stolen devices continue to be one of the leading causes of data breaches. Compliance standards concerned with the protection of personal data call for safeguards, such as device encryption, to address this reality.

Device encryption is a security mechanism that protects data at rest on an endpoint. By converting information into an unreadable format, encryption technology protects data from unauthorized access. This blog examines device encryption requirements and recommendations set forth by regulatory bodies.

Health Insurance Portability and Accountability Act (HIPAA)

Established in 1996, the HIPAA Privacy Rule sets the national standards for protecting individuals’ medical records and personal health information. The impermissible disclosure of protected health information (PHI) is just one of the ways that the HIPAA rules can be violated.

According to the HIPAA Journal, the loss or theft of unencrypted electronic devices containing electronic protected health information (ePHI) was one of the three main causes of security breaches in healthcare between 2015 and 2017. However, many health organizations still don’t have encryption in place.

Does HIPAA require encryption? Even though HIPAA doesn’t make encryption mandatory, the answer is yes – but implicitly. There are two types of implementation specifications: “required” and “addressable.” Those labeled “required” must be implemented in order to be HIPAA compliant. Encryption falls under “addressable,” which means it should be implemented when the covered entity has determined that it is a reasonable and appropriate safeguard for managing ePHI. HIPAA left the specifications around encryption vague to accommodate future technologies that would offer the same level of protection as encryption or better. If your organization decides that encryption is not necessary, you are required to document the rationale behind the decision and to put in place another safeguard that is equivalent to encryption.

Here’s where things get tricky. If your organization ever undergoes a HIPAA audit, the Office for Civil Rights (OCR) will review your documentation and rationale for disregarding encryption. If the OCR doesn’t agree with your decision, you will be fined. And if your organization suffered a breach due to the lack of encryption or equivalent safeguard, you will be subject to fines based on the severity of the violation and your organization’s knowledge of noncompliance. Aside from the financial impact, it can also cause reputation damage.

Payment Card Industry Data Security Standard (PCI-DSS)

The PCI-DSS is a set of security controls that applies to organizations that store, process, or transmit payment card data. The requirements include technical controls for encryption, hashing, masking, and truncation methods to protect cardholder data. According to PCI DSS sub-requirement 3.1, you should only be storing the cardholder data that is absolutely necessary for your business. In those cases, the data should not be stored on unprotected endpoint devices.

In addition to reputation damage, credit card processors impose PCI non-compliance fees ranging from $5,000 to $100,00 per month on business owners. Additional penalties are imposed if non-compliance results in a breach, which can even mean termination of the relationship between the business and its bank or payment processor.

General Data Protection Regulation (GDPR)

The GDPR is a regulation in EU law that protects the data and personal information of individuals. Beyond the EU, the regulation applies to any organization that stores or processes the data of EU residents. To comply with the regulation, organizations need to understand how data moves within their organization while putting into place the systems and processes needed to maintain compliance.

The GDPR, like HIPAA, does not explicitly require encryption, but it does consistently call for appropriate technical and organizational measures. This language appears in Article 32, which concerns the protection and security of personal data. Article 32 names encryption as one such measure, and its second paragraph continues: “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.”

Essentially, the regulation says that your security controls, in this case encryption, should be weighed against the risk of a personal data breach. For example, are your corporate devices (mobiles, laptops, etc.) susceptible to accidental, unlawful, or unauthorized disclosure of personal data? If users are working remotely, or you’re not always locking up your server room, the answer is likely yes. Most companies will want to protect data at rest, especially on devices that are susceptible to theft, so that the data remains inaccessible even if the hard drive is removed and installed in another machine.

In the event of a personal data breach, the GDPR states that organizations have 72 hours to notify the appropriate supervisory authority. However, when encryption is in place, there is no regulatory obligation to inform the data subject following a security incident (Article 34).

Considerations and next steps

Data is the most valuable asset for most organizations and data privacy laws and regulations dictate how organizations must protect this data. Device encryption plays an important role in safeguarding that data but not without introducing its share of challenges.

Device encryption implementations typically involve a pre-boot authentication environment protected with a password. An authorized user can be locked out of the device if they forget that password, or while working remotely. Many vendors offer a key recovery method to alleviate this pain point; these can have a self-service component or depend entirely on the helpdesk. Such key recovery methods usually rely on a challenge-response mechanism based on security questions, which introduces a security gap: the answers can be easily guessed or uncovered through social engineering.
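As an added example (not part of the original post, and not Specops code), the following PowerShell audits a Windows endpoint against the controls discussed above: the OS volume is fully encrypted with protection on, a TPM-based pre-boot protector is present, and a recovery-password protector exists and is escrowed so that a lockout can be resolved by the helpdesk without falling back to security questions. It uses the built-in BitLocker module cmdlets; the accepted protector list and the output shape are this example's own choices.

```powershell
# Added example: BitLocker device-encryption compliance check for the OS volume.
# Requires the BitLocker PowerShell module and an elevated session.
function Test-DeviceEncryptionCompliance {
    [CmdletBinding()]
    param(
        # Pre-boot protector types accepted by this example's policy (adjust to taste).
        [string[]]$AcceptedPreBootProtectors = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    )
    $osDrive = $env:SystemDrive   # e.g. 'C:'
    $vol = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $findings = [ordered]@{
        MountPoint        = $vol.MountPoint
        FullyEncrypted    = ($vol.VolumeStatus.ToString() -eq 'FullyEncrypted')
        ProtectionOn      = ($vol.ProtectionStatus.ToString() -eq 'On')
        PreBootProtector  = [bool]($types | Where-Object { $AcceptedPreBootProtectors -contains $_ })
        RecoveryProtector = ($types -contains 'RecoveryPassword')
        EncryptionMethod  = $vol.EncryptionMethod.ToString()
    }
    $findings.Compliant = $findings.FullyEncrypted -and $findings.ProtectionOn -and
                          $findings.PreBootProtector -and $findings.RecoveryProtector
    [pscustomobject]$findings
}

# Escrow every recovery-password protector so helpdesk-assisted recovery relies on a
# centrally stored key rather than on guessable security questions.
# -ToEntraId selects the Entra ID (Azure AD) backup cmdlet; otherwise on-premises AD is used.
function Backup-RecoveryProtector {
    param([switch]$ToEntraId)
    $osDrive = $env:SystemDrive
    $vol = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction Stop
    $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType.ToString() -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) {
        throw "No RecoveryPassword protector on $osDrive; add one with Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector"
    }
    foreach ($p in $rp) {
        if ($ToEntraId) { BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $p.KeyProtectorId }
        else            { Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $p.KeyProtectorId }
    }
}

Test-DeviceEncryptionCompliance | Format-List
```

Run the compliance function on a fleet through your management tooling and treat any `Compliant = False` result as an audit finding; escrow before enforcing pre-boot authentication so that no device is locked out without a recoverable key.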

Do you want to increase security without compromising usability? Specops Key Recovery is a self-service solution for unlocking computers encrypted by Microsoft BitLocker and Symantec Endpoint Encryption. Specops secures the key recovery experience by verifying users with multi-factor authentication, without burdening the helpdesk.

(Last updated on October 30, 2023)
