Educational institutions of all sizes routinely handle multiple types of sensitive data, including Social Security numbers, credit card numbers, driver’s license numbers, medical information, and other personally identifiable information (PII) which can potentially be stolen. In addition, due to some institution’s focus on research, these organizations may also have access to confidential government and/or business intelligence data regarding trade, scientific or military secrets.
PII requires special handling via encryption to adhere to compliance regulations – but sometimes education providers encounter nebulous compliance verbiage that can be misunderstood and therefore not executed on properly. Organizations that do not encrypt PII data at rest and in transit are at significantly higher risk for security breaches. But SANS estimates that on average only 54 percent of higher educational institutions encrypt PII in transit, and a mere 48 percent encrypt PII at rest. Following encryption best practices will keep institutions protected in times when the letter of the law proves hard to decipher. Here are some essential PII encryption best practices every higher education organization should follow to keep sensitive data out of the hands of hackers and the media headlines:
- Know the laws: Academic organizations must adhere to numerous, overlapping, privacy-related regulations when it comes to safeguarding the personally identifiable information they manage. The top six regulations that impact educational institutions include: FERPA, HIPAA, HITECH, COPPA, PCI DSS, state specific data breach notifications laws
- Assess the data: A security rule under HIPPA does not explicitly require encryption, but it does state that entities should perform a data risk assessment and implement encryption if the evaluation indicates that encryption would be a “reasonable and appropriate” safeguard. If an institution decidesnot to encrypt electronic protected health information (ePHI), the institution must document and justify that decision and then implement an “equivalent alternative measure.”
- Determine the required or needed level of encryption: The U.S. Department of Health & Human Services (HHS) turns to the National Institute of Standards and Technology (NIST) for recommended encryption level practices. HHS and NIST have both produced robust documentation for adhering to HIPAA’s Security Rule. NIST Special Publication 800-111 takes a somewhat broad approach to encryption on end-user devices. In a nutshell, it states that when there’s even a remote possibility of risk, encryption needs to be in place, and FIPS 140-2, which incorporates the Advanced Encryption Standard (AES) into its protocols, is an ideal choice. FIPS 140-2 helps education entities ensure that PII is “rendered unusable, unreadable or indecipherable to unauthorized individuals.” A device that meets FIPS 140-2 requirements possesses a cryptographic erase function that “leverages the encryption of target data by enabling sanitization of the target data’s encryption key, leaving only the ciphertext remaining on the media, effectively sanitizing the data.”
- Be mindful of sensitive data transfers and remote access: Encryption must extend beyond laptops and backup drives. Communicating or sending data over the internet needs Transport Layer Security (TLS), a protocol for transmitting data over a network, and AES encryption. When an employee accesses an institution’s local network, a secure VPN connection is essential when ePHI is involved. Also, before putting a handful of student files on a physical external device for transfer between systems or offices, it is imperative that device is encrypted and meets FIPS 140-2 requirements to avoid potential violations.
- Note the fine print details: Unfortunately, many schools fail to engage in proper due diligence in reviewing third-party services’ privacy and data-security policies, and inadvertently authorize data collection and data-mining practices that parents/students find unacceptable or violate FERPA. Regulatory compliance entails much more than simply password-protecting an office’s workstations. It requires using encryption to protect data-at-rest when stored on school systems or removable media device. Remember that data at rest that is outside the school’s firewall (or “in the wild”) is the top source of security breaches.
[su_box title=”About Paul Brown” style=”noise” box_color=”#336588″][short_info id=’102062′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.