On March 7, 2013, a government watchdog organization reported that the Department of Veterans Affairs has been sending sensitive information — including names, addresses, Social Security numbers and health information of patients — over unencrypted networks to health care providers, advocates and other individuals. Because the data was not encrypted, it was vulnerable to theft or tampering.
While the VA does not believe there has been a recent security breach (although they have occurred in the past), the VA Inspector General’s report brings to the forefront an important issue for anyone concerned about Internet security: the need for endpoint encryption. Even one instance of unauthorized access to a VA-owned computer or device, or a mistake in a recipient’s email address, could have compromised sensitive data and cost the VA millions of dollars in corrective and punitive actions.
Endpoint Encryption: Not Just Computers
For years, IT security experts have helped their teams understand why data encryption matters. It is not simply a matter of encoding data in transit or at rest, though. With the proliferation of devices in the typical business environment, including computers, tablets, phones, USB storage devices and more, it’s important that data encryption occurs at every endpoint. There’s no sense in encrypting data on a main server, for example, if it’s not going to be protected when shared via smartphone. In some cases, encrypting endpoints may even be required by law.
The VA’s failure to encrypt data sent over its networks is no small issue. In fact, the regulations set forth under the Health Insurance Portability and Accountability Act (HIPAA), which place strict protections on consumer health data, specifically require healthcare providers, insurance companies and any organization dealing with personal health-related data to encrypt their networks and endpoints. In the event of a data breach, an organization’s failure to provide adequate endpoint protection is grounds for fines and other disciplinary action.
Endpoint encryption compliance issues aren’t limited to the healthcare industry, though. In fact, any business that handles private customer information, meaning everything from names and addresses to financial data, is required to maintain adequate security measures to protect that information, including encryption of electronic data. If there is a data breach, the organization bears the burden of proof to show data was properly secured. With proper encryption in place, the organization remains in compliance with the law and is at least partially protected from the potentially devastating consequences of announcing a security breach.
Endpoint Encryption Best Practices
Ensuring your data remains secure and your organization stays compliant with industry and government regulations requires a solid strategy and state-of-the-art tools. Your data is vulnerable not only to criminals, but well-meaning individuals who may unknowingly risk your data by using their own unprotected devices for work or failing to adhere to security protocols.
At minimum, your endpoint data protection strategy should include:
- A centrally managed and integrated endpoint solution. Users access your network from a variety of devices, and your encryption solution needs to offer file and folder encryption (FFE), full disk encryption (FDE) and removable media encryption (RME) to protect them all. You also need to manage and control whether and how each endpoint accesses the central data system. This fine-grained control lets you accept or deny an endpoint trying to access the system, designate certain devices to operate in “read-only” mode, designate certain storage devices as usable or unusable, and more. The system should also be able to remotely lock or destroy any encrypted device, file or folder that is compromised.
- Secure key management. Encrypted data is only as good as the key used to secure it. Avoid encryption solutions that require storage of the key on a USB device, in an online escrow service or via paper trail, all of which leave the key vulnerable. Choose a service that secures the encryption key in a transparent online escrow service with access limited to those with administrator privileges, using one protected workstation.
- Pre-boot authentication. Not only should endpoint protection require users to enter a password before accessing encrypted data, the solution should also update in real time, denying or allowing access based on the most current security protocols.
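The three practices above describe what an endpoint encryption product should do rather than how it does it. As an added illustration (example code written for this edit, not code from the author, Trend Micro or any product the article mentions), the Go program below shows the mechanics that sit behind file and folder encryption with centrally escrowed keys, using only the Go standard library: each file is sealed under its own random data-encryption key (DEK) with AES-256-GCM, the DEK is wrapped under a key-encryption key (KEK) that only the escrow holds, so the device never stores the master key; any modification of the stored or transmitted blob (the tampering risk from the opening paragraph) is rejected on decryption; and “remotely destroy” is realized by discarding the wrapped DEK, which leaves the ciphertext permanently unreadable. The type and function names (Envelope, EncryptFile, DecryptFile, Revoke, RandomBytes), the file ID "patient-7.txt" and the sample record are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is one protected file: content sealed under a per-file DEK, that DEK wrapped under an escrow-held KEK.
type Envelope struct {
	WrappedDEK []byte // DEK sealed with AES-256-GCM under the KEK
	Ciphertext []byte // content sealed with AES-256-GCM under the DEK
}

// RandomBytes draws n bytes from the OS CSPRNG; used for keys and nonces alike.
func RandomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts and authenticates with AES-GCM; the random nonce is prepended to the
// output and aad (the file ID) is bound into the tag, so a blob cannot be moved between files.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := RandomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM and fails if any bit of nonce, ciphertext, tag or aad has changed.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptFile seals content under a fresh DEK and wraps that DEK under the KEK; the endpoint
// stores only the envelope, so the KEK never has to be present on the device.
func EncryptFile(kek, content []byte, fileID string) (*Envelope, error) {
	dek, err := RandomBytes(32)
	if err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, content, []byte(fileID))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(kek, dek, []byte(fileID))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptFile unwraps the DEK with the KEK (an escrow/admin operation), then opens the content; each step fails closed.
func DecryptFile(kek []byte, env *Envelope, fileID string) ([]byte, error) {
	if env.WrappedDEK == nil {
		return nil, fmt.Errorf("key material destroyed: file is unrecoverable")
	}
	dek, err := openGCM(kek, env.WrappedDEK, []byte(fileID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, env.Ciphertext, []byte(fileID))
}

// Revoke is the "remotely destroy" action: without its wrapped DEK the ciphertext stays on
// disk but is permanently unreadable, even to KEK holders (crypto-shredding).
func Revoke(env *Envelope) { env.WrappedDEK = nil }

func main() {
	kek, _ := RandomBytes(32) // demo only; in practice the escrow holds this, not the endpoint
	env, _ := EncryptFile(kek, []byte("constructed sample record, not real data"), "patient-7.txt")
	out, err := DecryptFile(kek, env, "patient-7.txt")
	fmt.Printf("%s (err=%v)\n", out, err)
}
```

The design choice worth noticing is the split between the two keys. The endpoint holds envelopes, and pre-boot authentication is the step at which a device proves it is still authorized and receives the KEK (or a key derived from it) for the session; if the device is lost or the user leaves, the escrow simply stops releasing the KEK, and for an individual file the administrator can call Revoke, after which even a later leak of the KEK exposes nothing. Because AES-GCM authenticates the ciphertext and the file ID, a single flipped bit or a blob copied from one file to another is rejected instead of decrypting to silently corrupted data.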
Protecting Your Data Means Protecting Your Business
No one wants to tell their clients or customers that their personal data may have fallen into the hands of a criminal. While the Department of Veterans Affairs may be embarrassed by the revelation that it hasn’t been properly protecting data, it’s better that the encryption problem was discovered before a data breach occurred. Consider your organization’s data protection plan and employ endpoint encryption for an extra layer of security.
About the guest author: Malcolm Eubanks is a freelance IT consultant and entrepreneur who works with some of the biggest names in IT security, including Trend Micro. He also enjoys blogging about new developments in IT when his schedule permits. You can follow him on Google Plus here.
This is a unique article published on SEO Desk with exclusivity.