Microsoft | NHS Resource Centre


When all else fails: make sure your data’s encrypted


There’s no shortage of press stories about data losses these days - they’ve become as much of a media staple as the European Union and Amy Winehouse.

If things like laptops are going to go missing, encryption is the IT manager’s last refuge. High time, then, for our security expert, Davey Winder, to investigate.

Since the Caldicott Review was established to examine the confidentiality of patient information in the late 1990s, the NHS has seen a technological revolution.

“New technology has provided improvements in efficiency and patient care,” enthuses Sean Martin, VP of marketing for SkyRecon. “But it has also exposed the NHS to new security challenges, such as the management of CD ROMs, printers, email, USB sticks and other mobile devices.”

New directives

Some of these challenges have been highlighted by the loss of data on child benefit claimants by HM Revenue and Customs (HMRC) and more recent losses of laptops by the Ministry of Defence and other public services.

The issue is being taken very seriously by NHS chief executive David Nicholson, who recently informed all NHS trusts that - unless there was a pressing clinical need - there should be no transfers of unencrypted person-identifiable data (PID) in electronic format across the NHS.

The guidelines on use of encryption to protect person identifiable and sensitive information, published on 31 January 2008, say that: “Any data stored on a PC or other removable device in a non-secure area or on a portable device such as a laptop, PDA or mobile phone should also be encrypted.”

Indeed: “This is also now a requirement across all public sector organisations set by the Cabinet Secretary.” Nigel Trevena, IT security advisor at Avanquest Solutions, sees this as a major policy shift. Previously, he says: “Individual trusts had acted alone, given the lack of any official NHS policy regarding the safekeeping of confidential data.”


Do it yourself data protection

NHS Connecting for Health is implementing a robust NHS information governance architecture. This will include suitable encryption functionality for the core services it provides, to ensure that patient information is protected as it flows between the component parts of its national and local applications.

Yet NHS CFH recognises that it may take some time to achieve a fully encrypted system. Therefore, the January guidelines admit that “NHS bodies will need to make a local judgement on the balance of risk to patient care against the risk to personal data security in determining whether use of unencrypted devices should continue as an interim measure.”

There is a requirement that, for systems under local NHS organisational control, trusts should consider, select and, where relevant, implement security protections that comply with NHS Information Governance policy, standards and legal requirements.

Reading between the (guide) lines, Mr Trevena suggests that as things stand “any NHS trust that wishes to use encryption software to protect its data is fully entitled to fund itself and do so.”

And in the light of comments made last year by Information Commissioner Richard Thomas that a “blatant breach of the fundamental observation” of the Data Protection Act should attract criminal penalties, perhaps that is exactly what they should be doing.

Caroline Ikomi, UK technical director at Check Point, points out that “doctors who have laptops containing unencrypted patient records stolen, could end up in court” - and so could the trusts who employ them if the Information Commissioner remains this bullish.

Getting encryption right: files versus the whole disk

Sean Martin says trusts need sophisticated security policies to respond to these new issues and public concern about confidentiality. “Security strategy has evolved from ‘detect and block what you know’, to ‘prevent what you don't’, based on predicted behaviour so that should there be a compromise, data will be automatically protected.”

It is precisely within this part of the security landscape that encryption comes to the fore. But what are the encryption technologies on offer today, and which should you choose?

NHS Connecting for Health, once again, has plenty of guidance to help make the right choice when it comes to product selection (see box). But the choice boils down to one of two options: full-disk encryption or file-based encryption.


Encryption Best Practice
NHS Connecting for Health guidelines say that NHS organisations should adopt a structured approach to the identification, implementation and management of their local data encryption needs. This will normally comprise five stages:
• Perform a risk assessment and identify outline data encryption needs
• Develop a local data encryption policy
• Establish local roles and responsibilities
• Define how data encryption will operate within the local infrastructure and with business partners
• Implement and monitor the deployed solution’s effectiveness


Ms Ikomi argues that the file-based encryption built into Microsoft Windows XP is tempting, because data stored in specific folders is encrypted automatically. However, this relies on users putting their files into the correct encrypted folders.

“Do you want to rely on your users to know what is sensitive information, and to place it into the appropriate folder, every single time?” she asks, perhaps rhetorically. “File encryption is only as good as your end-users’ level of interest or knowledge.”

Full disk encryption, by contrast, such as that built into Windows Vista with BitLocker, has the advantage of automating the process by securing the entire disk.


BitLocker uncovered

BitLocker uses two distinct security approaches: full drive encryption and “early boot component integrity checking.” The latter ensures that data decryption is only performed if the encrypted drive is still in situ in the original computer and the boot components have not been tampered with.

The encryption itself is achieved by protecting the entire Windows drive, so that all user and system files, including the swap and hibernation files, are encrypted. It does this using any of several modes, in conjunction with a Trusted Platform Module (TPM) - a chip physically fixed to the motherboard of the computer:

• In Transparent mode, a user logs into Windows as normal; the encryption key is released by the TPM hardware and this authorises decryption of the volume.
• User Authentication mode requires an additional layer of authentication, in the form of either a PIN or a USB dongle, before Windows will boot.
• If no TPM hardware is available, USB Key mode, as the name suggests, requires the user to insert a USB thumb-drive or similar containing the startup key, which allows the volume to be decrypted.
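As a practical check on the three modes described above, here is an added PowerShell audit script (not from the article or from Microsoft) that reports each BitLocker volume's encryption method and which mode its key protectors correspond to. It assumes the BitLocker and TrustedPlatformModule cmdlets of Windows 8 / Server 2012 and later, run from an elevated prompt; the mode labels are my own mapping of the key-protector types.

```powershell
# Added example: audit BitLocker state and map key protectors to the
# article's modes. Assumes Get-BitLockerVolume / Get-Tpm are available.

function Get-BitLockerModeName {
    param([string[]]$ProtectorTypes)
    # Mapping of protector types to the article's mode names (my labelling).
    $userAuth = 'TpmAndPin', 'TpmAndStartupKey', 'TpmAndPinAndStartupKey'
    foreach ($t in $userAuth) {
        if ($ProtectorTypes -contains $t) { return 'User Authentication (TPM + PIN/USB)' }
    }
    if ($ProtectorTypes -contains 'Tpm')         { return 'Transparent (TPM only)' }
    if ($ProtectorTypes -contains 'ExternalKey') { return 'USB Key (no TPM)' }
    return 'No boot-time protector'
}

# Report whether a TPM is present and ready; USB Key mode is the fallback without one.
$tpm = Get-Tpm -ErrorAction SilentlyContinue
if ($tpm) { "TPM present: $($tpm.TpmPresent)  ready: $($tpm.TpmReady)" }
else      { "TPM status unavailable (no TPM or cmdlet missing)" }

foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $mode  = Get-BitLockerModeName -ProtectorTypes $types
    $state = if ($vol.ProtectionStatus -eq 'On') { 'PROTECTED' } else { 'UNPROTECTED' }
    # A recovery password is the break-glass protector; its absence is a finding.
    $hasRecovery = $types -contains 'RecoveryPassword'

    "{0,-4} {1,-11} {2,-18} method={3,-9} mode={4} recoveryPassword={5}" -f `
        $vol.MountPoint, $state, $vol.VolumeStatus, $vol.EncryptionMethod, $mode, $hasRecovery

    if ($state -eq 'UNPROTECTED' -and $vol.VolumeType -eq 'OperatingSystem') {
        Write-Warning "$($vol.MountPoint) is the OS volume and is not protected by BitLocker."
    }
}
```

Run it on each laptop in the inventory and keep the output; an OS volume showing UNPROTECTED or no recovery password is the gap the guidelines are asking trusts to close.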

How good is “good”?

Whichever mode is chosen, BitLocker will by default encrypt data using the Advanced Encryption Standard (AES) with a 128-bit key.

This involves having a secret key (code) with which to scramble (encrypt) your data. The strength of any encryption system lies in how difficult it is for an attacker to recover that key.

A 40-bit key can be cracked in under 5 seconds, but a 128-bit key increases the number of possible keys from 2 to the power of 40 to 2 to the power of 128. Put another way, there are 309,485,009,821,345,068,724,781,056 (that is, 2 to the power of 88) times as many keys to try, which puts BitLocker-protected data well out of reach of today’s hackers as far as brute-force cracking goes.

In simple mathematical terms, that’s what encryption is all about: stacking up the odds in your favour against the chances of a hacker managing to “guess” the code required to access your data.

You could get a very large calculator right now, just to check our figures are right… or spend the time more wisely - beginning with an inventory of all mobile kit (particularly laptops) which could do with attention. 

However, there is just one more point to stress. Encryption is only one tool in your security armoury. As security experts never get tired of saying, security comes from a combination of good policies, good processes and good technology. You don’t want to forget any one of them. On the other hand, if all else fails, it’s nice to know that any lost, stolen or wandering data is well protected.
