We could offload encryption to a third party, we could encrypt the entire hard drive, or we could encrypt data at the application layer, which would provide encryption at rest.
The operations team was leaning toward encrypting the hard drives, because options that are fairly easy to deploy are available. I agreed that it would be easy to do, but I objected that the method wouldn’t really be effective from a security perspective (and encryption is one thing that should be all about security). When you encrypt a hard drive, you are ensuring that anyone who comes into possession of that drive can’t access the data. In other words, the only way such encryption would protect the company would be if the hard drive were stolen. Now, the likelihood is infinitesimally small that a bad guy is going to determine where our highly secure data center is located; get past the security guards, man traps and biometrics; and then figure out which of the hundreds of drives to pull out.
Encrypting the data as it sits in the database is more secure, but it requires a considerable amount of coding. Besides encrypting the required data, you have to be able to decrypt it whenever it’s needed: in reports, when it is rendered in the application, or during other required data-delivery operations.
Now that the gap analysis is complete, the findings will be presented to the executive staff, which will make a business decision: Is it worth the time, money, resources and shifting of other priorities to become HIPAA-compliant, or do we continue to turn away business?
Phrasing the question like that should do the trick.