Today’s encryption technology can be cheaper, simpler and safer.
The deadline for complying with the HIPAA Security Rule has come and gone. Many consultants who once specialized in HIPAA compliance now have new work, such as advising clients about Sarbanes-Oxley, the Gramm-Leach-Bliley Act or the Payment Card Industry Data Security Standard. While many security vendor Web sites have removed HIPAA compliance as a compelling reason to buy their products, entities covered under HIPAA are still required to perform a periodic review of the security measures used to comply with the Security Rule, and to modify the measures that they implement as appropriate.
As threats and vulnerabilities change over time, the best way to implement the HIPAA security standards also changes. Implementing part of an addressable implementation specification may once have been unreasonable and inappropriate. This may change as new technologies make existing technologies easier and cheaper to use. For instance, the use of encryption for access control and transmission security is an area of significant progress, which makes newer encryption technologies more deserving of consideration in a periodic review of security measures.
Traditional Encryption Technology Challenges
Encryption has traditionally had a reputation for being notoriously difficult and expensive to use, which may be well deserved. The 1999 study by Alma Whitten and J. D. Tygar at Carnegie-Mellon University entitled “Why Johnny Can’t Encrypt” found that 75 percent of study participants could not send an encrypted e-mail within 90 minutes. That’s probably not a technology that you would want to support unless there was absolutely no alternative.
How expensive can using traditional encryption technologies be? A 2006 study by messaging industry analyst Ferris Research estimated that the total cost of ownership of encrypted e-mail using traditional encryption technology (X.509 digital certificates) was $816 per user per year. That level of cost likely justifies the “expensive” label that is associated with encryption, making it difficult to justify an investment in such technology.
The common element that made encryption both difficult and expensive was the difficulty of managing cryptographic keys, the secret information that lets you encrypt and decrypt data. Managing keys was simply too hard for both users and administrators, and these difficulties translated into high costs for training and support, keeping the technology from being as widely adopted as it could have been.
Solutions from Next Generation Technology
Fortunately, newer encryption technologies manage to avoid the problems of their predecessors. This new breed of technologies might be called “Encryption 2.0.” They make encryption simple and easy to use by sharing three features that their predecessors did not have: 1) they allow for easy federation; 2) they are often available in the form of software as a service; and 3) they can be implemented in a service-oriented architecture (SOA). All of these features greatly simplify key management, and make the technology easy to use and inexpensive to support.
The term “federation” describes an operating environment where no single organization manages all users and resources in a distributed environment. Instead, administrators manage their local security policies that support transactions between their own systems and the systems managed by others.
Traditional encryption technologies did not adequately support federation. Each organization that runs its own public-key infrastructure, for example, typically insists on complete control over the terms and conditions for using the certificates that it creates and manages. While this structure may be appealing to those who want formal models of the trust relationships involved, it often turns out to be too rigid to support existing business practices.
Adapting existing processes to new technology is typically much more difficult than developing new technology that works with existing processes. Older encryption technologies often tried to force users to adapt to their rigid requirements. Newer encryption technologies finally allow users to use existing processes, which makes a fully-federated model possible. The ability to support such federated environments deserves to be added to the requirements of any new encryption solution.
Software as a service has also gained popularity in the past few years, which has contributed to the increased usability of encryption software. After all, if you outsource the administration of an application, then your outsourcing vendor incurs the costs of supporting it. If the vendor that provides the outsourcing is the same vendor that developed the application, then usability issues tend to get addressed more quickly than they would otherwise. This is often due to the vendor’s clear incentive to make the application as user-friendly as possible to keep their costs down. Consequently, the expectation is that software as a service that is offered by security vendors will be much easier to use and administer than software that is just licensed to customers.
The Road to Encryption
Anecdotal evidence suggests that a security technology vendor using its own technology to offer a service is a good indicator that its product does not have the high support costs associated with the difficult key management of earlier technologies. Even if you do not want to outsource security technology, the fact that a technology can be profitably used to offer a service should suggest that its support costs are fairly low—a benefit when licensing the solution to run in-house.
SOAs are another simplifying factor that has made newer encryption technologies more usable. In such architectures, resources are available as services that can be accessed independently of the underlying implementation so that integration and consolidation of services is easier. Consequently, it is possible to reuse a service instead of reusing software that is integrated into applications. This means that instead of worrying about the complex details of managing encryption keys, you can call a service that encrypts or decrypts sensitive data and relieve the calling applications of key management difficulties.
SOA can also make integrating encryption into legacy environments easy. Instead of having to port an encryption toolkit to several different platforms to implement encryption throughout the enterprise, SOA provides a way for each application needing encryption to access an encryption service. This is typically done through an XML-based Web service. So if the ability to use such a service exists on any platform, then it is possible for that platform to call the encryption service. This makes it just as easy to encrypt data on mainframes as it is on desktop PCs, and just as easy to encrypt data on Linux-based servers as it is on Windows-based servers. Additionally, because an SOA provides a common, central place to manage encryption keys, it greatly reduces the costs that come with key management.
The latest generation of encryption technologies, those that deserve the name “Encryption 2.0,” greatly simplify key management and reduce the expense of using encryption to protect sensitive data. This is accomplished by allowing easy federation, supporting software as a service and allowing implementation in an SOA. Such technologies promise to make encrypting data simple and easy, making them worthy of serious consideration in your periodic review of HIPAA Security Rule implementation.