Health Information Management

TIP: Know the basics of data encryption

HIM-HIPAA Insider, March 30, 2009

In simplest terms, data encryption is the process of converting data into an unrecognizable form, known as “cipher text.” Decryption is the process of transforming the data back into a recognizable format, says Tom Walsh, CISSP, of Tom Walsh Consulting in Overland Park, KS.

“It’s basically the act of jumbling up data … so that it cannot be read or otherwise compromised in an unauthorized way,” adds Kevin Beaver, CISSP, an independent security consultant with Principle Logic in Atlanta.

There are two types of data encryption:

  1. Encrypting data at rest [e.g., laptop hard drives and databases]
  2. Encrypting data in transit [e.g., secure Web connections, virtual private networks (VPN), and wireless networks]

Encryption is especially important for wireless transmissions, to prevent unauthorized access.

According to Walsh, the cost of encryption depends on several variables:

  • The encryption solution, such as file or full disk encryption (for data at rest)
  • The scope of the solution—individual (for example, per laptop user) vs. enterprise
  • The number of users or licenses
  • Ongoing maintenance and support costs

Beaver says encryption can be expensive, but not as a rule.

“Depending on the application, encryption can be free (e.g., with wireless, VPNs, and Web transactions), but it’s not necessarily cheap when it comes to encrypting data at rest,” he says. “There are licensing costs and administrative costs, but hardly any that justify not using it, especially to encrypt the hard drives in laptop computers.”

Most Popular