Regardless of the level of security provided for both facility access and electronic access, if the data being accessed is not encrypted, there is a gaping hole in security. Encryption, both of data in transit and of data at rest, fills this hole.
Encryption of Data in Transit
Encryption of data in transit covers every part of the electronic authentication process as well as any data being accessed or transferred electronically. Modern standards, built on well-tested and widely used technologies, should always be sought. For most systems this means SSL/TLS, as implemented in HTTPS, and SSH. HTTPS ensures that data is encrypted when your systems are accessed through a browser. SSH is a protocol providing a secure channel for logging in, almost as if the user were at a terminal. The specific configuration of these technologies is beyond the scope of this blog. Note that the SSL/TLS version in use is very important, as is the configuration of the servers providing HTTPS and SSH access.
Encryption of Data at Rest
Encryption of data at rest is also very important. For instance, if a hard drive is properly encrypted, then even if the drive is installed in another computer, its contents cannot be decrypted and read. Again, the specific technology used for encryption matters, and modern, standards-based, well-tested technology is preferred. AES is an excellent choice for encryption compared to older algorithms like DES. Again, the specific deployment of encryption technology is beyond the scope of this article. There are many good sources of information about selecting and configuring encryption technology. The OWASP cheat sheets, at https://www.owasp.org/index.php/Cheat_Sheets, are a good source that covers many topics, including encryption and much more.
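As an added example, not taken from the ActivePrime post or any product, here is Go code that protects a record at rest with AES-256-GCM, an authenticated mode of the AES cipher recommended above. Authenticated encryption is the detail that turns "encrypted" into "cannot be decrypted or tampered with": a flipped byte, a swapped record or a wrong key makes decryption fail rather than yield altered plaintext. The sample record and record-ID string are constructed, and key storage (a KMS, HSM or OS key store) is assumed to be handled elsewhere.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. In a real system the key is held in
// a KMS, HSM or OS key store (assumed here to exist elsewhere), never on the
// same disk as the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad is authenticated but not encrypted: binding a record ID to the blob
// stops one encrypted record from being swapped for another.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A nonce must never repeat under one key. Random 96-bit nonces are safe
	// for a modest number of records per key; rotate keys before that limit.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any change to nonce, ciphertext, tag or aad, or use of
// the wrong key, fails closed with an error instead of returning garbage.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Demo seals a constructed record and reports three checks: it decrypts under
// the right key, a single flipped bit is detected, and a wrong key is detected.
func Demo() (decryptOK, tamperDetected, wrongKeyDetected bool, err error) {
	key, err := NewKey()
	if err != nil {
		return
	}
	record := []byte("patient=demo-0001;note=constructed sample, not real PHI")
	aad := []byte("record-id:demo-0001") // constructed context value

	blob, err := Seal(key, record, aad)
	if err != nil {
		return
	}
	got, openErr := Open(key, blob, aad)
	decryptOK = openErr == nil && bytes.Equal(got, record)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // corrupt one bit of the authentication tag
	_, openErr = Open(key, tampered, aad)
	tamperDetected = openErr != nil

	other, err := NewKey()
	if err != nil {
		return
	}
	_, openErr = Open(other, blob, aad)
	wrongKeyDetected = openErr != nil
	return
}

func main() {
	ok, tamper, wrong, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypts=%v tamper_detected=%v wrong_key_detected=%v\n", ok, tamper, wrong)
}
```

Full-disk encryption tools work at the block-device layer rather than per record, but the same properties apply: a standards-based cipher (AES), a key kept apart from the data, and integrity protection so that a drive moved to another machine yields nothing readable and nothing silently altered.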
ActivePrime has worked hard to make sure we can help with these CRM system security challenges and rules. Get started today!
This post is part of the ActivePrime HIPAA Compliance Blog Series, a series of articles designed to give healthcare organizations technical insight and techniques upon which to build a HIPAA compliant organization. For the introduction to the series and other posts in the series, please click here.