Key Management: Healthcare's Secret Ingredient for Better Encryption
Data encryption is emerging as a top consideration in the healthcare industry, which means it will have to implement effective key management strategies as well.
Proper data protection is a must for any enterprise, but in the healthcare industry it can become a matter of life and death.
One of the most effective ways to protect data is to encrypt it, both at rest and in motion. But given the explosion of health-related data, which is expected to continue unabated well into the future, encryption poses a particular challenge to the healthcare industry. (Read The Growing Cybersecurity War on the Healthcare Industry.)
Devices in hospitals, our homes and even in our bodies are poised to begin streaming volumes of data back to central analytics engines on a continual basis, all of which must be integrated with data coming from providers, insurance companies, pharmacists, drug manufacturers and distributors and a wide range of other stakeholders, literally creating new data from existing data. (Read 4 AI Advances in the Hospitality Industry.)
At the same time, healthcare data is among the most regulated in the world, with strict rules governing where, when, how and why it is shared with others. Failure to comply with these regulations could lead to massive civil fines or even criminal charges. (Read Can Big Data Save Health Care?)
The Key to Protection
This leads to a particularly thorny problem as healthcare enterprises embrace data encryption: how to ensure that the keys needed to decrypt this data are given only to those authorized to use them?
Key distribution is not a challenge unique to healthcare, of course, and fortunately the data security industry has produced a steady stream of new technologies to make it easier and less costly to implement. But with the rising sophistication of the underground hacking community, much of which is now state-sponsored, it seems questionable whether broad protection of health data can be implemented in time to thwart significant exposure.
According to the Ponemon Institute, nearly half of healthcare and pharmaceutical companies today employ data encryption in one form or another. At the moment, no single approach has achieved anything close to dominance across the data industry as a whole, with some enterprises applying encryption at their Internet connections, others to their databases, and some to compute workstations and other areas.
Can Encrypted Data Vary?
The actual data being encrypted can vary as well. The majority of encryption efforts, in fact, are applied to payments and other financial matters, while protection of actual health data is infrequent at best.
"This is somewhat surprising considering that encrypting patient data is not just good business, it’s an economic imperative," said Alex Loo, VP of Operations at EchoWorx. In addition to preventing lawsuits and criminal penalties, studies have shown that effective encryption can actually lower operating costs by accelerating the adoption of digital health records and other advancing technologies.
This, in turn, reduces the cost of records management and delivery while also streamlining call center operations and slashing administrative overhead.
To create what Loo calls “customer-centric encryption,” organizations would be wise to adopt a robust key management system.
“Customer-centric encryption is so important in healthcare because many agencies are transforming from paper to digital records while dealing with preventable insider threats (often in the form of delivery errors). This means to get the most out of encryption, healthcare organizations must consider how easy it is for patients, employees and business associates to use and trust the encryption solution.”
But what constitutes an effective key management strategy? According to Shachar Roth, VP of R&D at Kindite, key management only works if it can effectively prevent unauthorized access without placing an undue burden on authorized users.
To that end, he recommends a full key lifecycle management program that encompasses:
- Key Storage: to ensure that no one can steal your keys.
- Rotation/Destruction of keys: to ensure new keys are applied to new data sets even as the old keys are preserved for older sets.
- Key Generation Granularity: enabling a zero trust approach while still providing access to the lowest tier of authorized users.
- Automation: to improve the speed of key management while lessening the burden on administrators and minimizing mistakes.
- Ease of Use: even the most feature-laden key management system is ineffective with a poor user interface.
Blockchain and the Healthcare Industry
Key management is also likely to grow in importance as the healthcare industry starts to deploy blockchain into production environments for functions like records management, service fulfillment and billing. (Read 5 Industries That Will Be Using Blockchain Sooner Rather Than Later.)
A blockchain may create a tamper-proof record of transactions, but it must still be restricted to authorized users.
However, as Equinix’ Jason Sfaelos notes, key management requires a few tweaks when it comes to blockchain, such as the need to work with non-standard cryptography and the ability to incorporate multiple keys into multi-platform environments.
The key to effective encryption, therefore, is effective key management. Providing keys in ways that keep the bad guys at bay while allowing ready access for the good guys will be a top challenge going forward.
The healthcare industry has more at stake in this effort than most other industries, so it has the least time to waste.