Data encryption plays an important role in a security configuration management plan. Unfortunately, according to recent reports and alerts, the healthcare industry is lacking in its use of encryption schemes. In this two-part article, I will take a look at current cryptographic techniques. Part 1 will set the background and review the most common cryptographic systems. As we’ll see, an important aspect of cryptography involves the keys used in conjunction with encryption algorithms to encrypt and decrypt data. Management of the keys becomes an important chore. Part 2 will explore the principles of key management and will discuss the importance of certifying that the senders are who they say they are.
Healthcare IT at Risk
The FBI’s Cyber Division released a Private Industry Notification in April 2014 claiming that healthcare systems and medical devices are at risk for increased cyber intrusions. It pointed out that the EHR transition has a deadline of January 2015 and that it will create a flood of medical device connectivity to EHR systems. This pending situation represents a “rich new environment for cyber criminals to exploit.” It also pointed out that cyber criminals could sell partial EHR information on the black market for $50 each, while stolen credit cards or social security numbers can go for just $1 each. It’s more lucrative to deal in EHR data!1
Another recent analysis of healthcare IT vulnerability comes from Verizon’s annual Data Breach Investigative Report (DBIR), also released in April 2014. According to the DBIR, the healthcare industry is somewhat behind other industries in implementing security controls.2 As one news article noted, the DBIR emphasizes that healthcare’s biggest shortcoming is “encryption, encryption, encryption.”3 The DBIR states that the most common cause of data breaches in healthcare involves unencrypted devices that are lost or stolen. Encryption doesn’t prevent hacking or the theft of devices, but it does reduce the chances that data can be recovered from them.
Encryption, or cryptography, is the process of taking clear text, called plaintext, and transforming it into a recoverable ciphertext for the intended recipient while keeping it secret from everyone else. Of course, the intended recipient will need to know the process or algorithm to decrypt and recover the plaintext. This sort of encoding of messages has been going on for a long time. Julius Caesar used character substitution to communicate with his generals. They substituted each letter of plaintext with a letter three places down in the alphabet. The recipient simply needed to know the system used to encode the information to be able to decode or decrypt back into plaintext.
In time, more complicated cryptographic schemes became necessary. By using cryptanalysis techniques, enemies could decrypt simpler alphabetic substitution algorithms by knowing the frequency with which letters and letter pairings occur. (In English, the most common two-letter combination is th. The most common three-letter combination is the.) Thus, more complex algorithms were needed to guarantee secrecy.
This is where secret keys came into play: the key is a secret parameter added to the algorithm, so that without it, decrypting becomes much more difficult. In 1885, Dutch linguist and cryptographer Auguste Kerckhoffs said that the encryption should be strong enough that even if the enemy knows the system or encrypting algorithm, they can’t easily decipher it without knowing the key.4
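As an added illustration of the two paragraphs above (this is example code written for this article, not part of the original column), the following Python implements Caesar’s three-place substitution and then recovers the shift from the ciphertext alone using the letter-frequency observation: the most common letter in English text is usually E. The sample message is constructed for the demonstration.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# Constructed sample plaintext; long enough for E to be its most common letter.
SAMPLE_MESSAGE = ("THE GENERAL WILL MEET THE LEGION AT THE RIVER BEFORE "
                  "THE SEVENTH HOUR AND THEN RETURN TO THE CAMP")


def caesar_encrypt(plaintext: str, shift: int) -> str:
    """Replace each letter with the one `shift` places down the alphabet.

    Non-letters (spaces, punctuation) are passed through unchanged.
    Caesar's own system is shift == 3.
    """
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, shift: int) -> str:
    """Decrypting is the same substitution run backwards."""
    return caesar_encrypt(ciphertext, -shift)


def recover_shift(ciphertext: str) -> int:
    """Frequency analysis: assume the most frequent ciphertext letter is E.

    This is the weakness the text describes: the 'key' (the shift) can be
    read off the ciphertext's letter statistics without ever being shared.
    """
    counts = Counter(ch for ch in ciphertext.upper() if ch in ALPHABET)
    top_letter, _ = counts.most_common(1)[0]
    return (ALPHABET.index(top_letter) - ALPHABET.index("E")) % 26


def demo(shift: int = 3) -> bool:
    """Encrypt the sample, recover the shift from ciphertext, and decrypt."""
    ciphertext = caesar_encrypt(SAMPLE_MESSAGE, shift)
    guessed_shift = recover_shift(ciphertext)
    return caesar_decrypt(ciphertext, guessed_shift) == SAMPLE_MESSAGE
```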
With the advent of computers, more complicated mathematical methods became available. These days, encrypting algorithms are designed around computational hardness, which makes them difficult to break. Computational hardness means that enciphering with the key is easy, while deciphering without the key is extremely difficult. The goal is a high-quality cipher that is very efficient; that is, enciphering that works fast and needs little CPU or memory capability. At the same time, you want breaking the ciphertext to require an enormous effort, so that decrypting without the key is uneconomical, impractical, and nearly impossible.
Two Main Encryption Methods
In general, there are two types of encryption: symmetrical and asymmetrical.
Symmetrical encryption is when the same key is used to encrypt and decrypt a message. Symmetric systems encrypt information either in blocks or in streams. Block ciphers operate on blocks of plaintext rather than on individual characters as stream ciphers do. (For more information on block ciphers, look up the Data Encryption Standard [DES] and the Advanced Encryption Standard [AES]. For an example of a stream cipher, look for RC4.)
The difficulty with symmetrical encryption becomes maintaining the secret key, especially when no secure communication channel already exists. Each pair of communicators must maintain a secret key known only to them. Therefore, for each possible connection pair, there will need to be a new secret key. The total number of keys grows quickly along with the network, particularly if each individual communication session requires another new key to be agreed upon. The secure key management system soon becomes complex.
Asymmetrical encryption, also called public-key or two-key encryption, arrived on the scene in 1976. This is when the Diffie-Hellman key exchange protocol was published, a solution in wide use today. Diffie and Hellman showed that it was possible to use one key (a public key) to encrypt and another (a private key) to decrypt. The two keys used in public-key encryption are unique but are mathematically related. Each user is assigned a pair of keys used to encrypt and decrypt a message, document, or file. The public key is shared with others.
If I want to send you an encrypted message, I would use your public key to encrypt. This encrypted message or cipher text can only be decrypted by your associated private key. The key pairs come from a trusted third party, such as a certificate authority (CA). A CA is in business specifically to authenticate identity by managing cryptographic key pairs and digital certificates. Again, you give your public key to others to receive an encoded message from them. Only you can decode the message with your paired private key. If you want to send a message back to those correspondents, you’ll need their public key.
This approach avoids the security risk of passing keys with the message, as in a symmetrical scheme. If the only key (or “secret key”) is captured or known by another party, security fails. For asymmetrical schemes, I can send you my public key to enable a secure means of communication. The only remaining question in asymmetrical encryption is this: When you get a public key for the first time, how do you know it’s valid? Spoofing or representing yourself as someone else is easily done on the Internet. The answer lies in using a digital signature or certificate that vouches for and guarantees an individual’s identity and key ownership. These digital certificates are also issued by a CA.5
Why No Encryption in Healthcare?
In the healthcare industry, it’s commonly thought that the added activity of encryption will slow down network communications, eventually interfering with how quickly clinicians can tend to patients. However, with our exceptionally fast computing systems these days, properly installed and configured encryption should not interfere with medical systems. But unless this is explicitly stated, healthcare executives worried about lawsuits are hesitant.
“Installing any security measures on machines that may slow performance or cause instability is considered by these conservative users to be far more risky for the patients they are tending than the ramifications of a security breach,” says Jason Fredrickson, a senior director at Guidance Software.6 The situation is also confusing. While HIPAA does not require medical records to be encrypted, the federal Meaningful Use program (stage 2) requires encryption on end user devices—specifically for electronic messaging and tracking medications—while giving patients the ability to see their health information.7 The debate and hesitancy will continue, but a security configuration management policy should still be required to define and stipulate enterprise cybersecurity practices.
Part 2 of this column will round out this exploration of cryptography. In it, I will look at digital certificates and key management strategies—two important functions in an encryption system.
Jeff Kabachinski is the director of technical development for Aramark Healthcare Technologies in Charlotte, NC. For more information, contact [email protected]. To comment on this article, visit 24x7mag.com/?xxxx.
1. FBI Cyber Division. (2014, April 8). Health systems cyber intrusions (Private Industry Notification). Available at: http://www.illuminweb.com/wp-content/uploads/ill-mo-uploads/103/2418/health-systems-cyber-intrusions.pdf. Accessed June 10, 2014.
2. Verizon. (2014). Verizon 2014 Data Breach Investigations Report. USA. Available at: http://www.verizonenterprise.com. Accessed June 10, 2014.
3. Healthcare IT News. (2014, April 22). Healthcare security stuck in Stone Age. Available at: http://www.healthcareitnews.com/news/healthcare-security-stuck-stone-age?topic=16,17,18. Accessed June 10, 2014.
4. Wikipedia. (2014, May 12). Cryptography. Available at: http://en.wikipedia.org/wiki/Cryptography. Accessed September 14, 2013.
5. Kabachinski J. DRM: Tales from the Crypt(ography). Biomed Instrum Technol. 2007;41(3):223-224.
6. Schuman E. (2014, April 17). Why does healthcare resist encryption? Available at: http://www.healthcareitnews.com/news/why-does-healthcare-resist-encryption. Accessed June 10, 2014.
7. PricewaterhouseCoopers. (2013). Top health industry issues of 2013: Picking up the pace on health reform. Delaware: PwC Health Research Institute. Available at: http://www.pwc.com/us/en/health-industries/top-health-industry-issues/download-publication.jhtml [registration required]. Accessed June 10, 2014.