Companies and individuals alike take data security for granted, assuming their data is stored safely on a computer somewhere. A recent survey on cybersecurity breaches by the Department for Digital, Culture, Media and Sport (DDCMS) reported that “over 4 in 10 businesses and 2 in 10 charities experienced a cybersecurity breach or attack in the last 12 months”. In addition, they reported that 74% of businesses consider cybersecurity a high priority, but only 27% of businesses have a formal cybersecurity policy in place.
If you work with data from your customers or even just keep your employees’ information on your company server or cloud, then data protection should be one of your big priorities. There are several reasons for spending money, time, and effort on data protection. The primary one is minimising financial loss. Compliance with regulatory requirements whilst maintaining high levels of productivity and meeting customer expectations comes after.
Let’s highlight some good data protection practices, with the objective of showing how encryption solutions should be evaluated and implemented. Encryption protects data on local and removable media, in email, and over connections to untrusted networks.
The purpose of this guide is to simplify the procedures involved in the creation and implementation of an encryption policy. With this article, we intend to provide greater detail on how 3 data encryption policy requirements can be achieved:
- Assess current encryption techniques surrounding the protection of an organisation’s data on various devices and communication links.
- Implement suitable encryption mechanisms according to data classification and/or sensitivity.
- Manage data encryption policies effectively and continuously throughout all data exchanges in the organisation.
Organisations of different sizes or in different market segments will require different levels of management, and the process should be scaled accordingly. Many large medical practices have large IT divisions which undertake this process ‘in-house’. For smaller practices, these guidelines may be used to drive contractual requirements for third-party IT service providers.
Why Do You Need to Assess Encryption Requirements?
Healthcare providers must ensure that encryption is enabled for data in transit as well as data at rest. In addition, an analysis of potential data breaches can include the following processes:
- Identifying what data needs additional protection,
- Where this protection is required, and
- When it should be implemented.
In order to formulate a holistic data protection policy, the following criteria need to be carefully considered and addressed.
1. Data Identification and Security-Sensitivity Categorisation
The effective management of data requires an understanding of what data your healthcare practice handles. In addition, the identification and categorisation of such data is a major factor in deciding whether encryption is required and which mechanisms to use.
The security classification and sensitivity of the data can fall into one of the following categories:
- Commercial – This includes all commercial or market-sensitive information used to drive different business units; for example financial data.
- Personal – As defined by the Data Protection Act, this includes information stored on your customers.
- Loecsen – Sensitive information that refers to the department or organisation, for example marketing statistics.
- Third party – Any data exchanged with another organisation for a variety of purposes; for example a financial institution.
The volume of data exchanged with third parties is also a major driver and influences how robust data encryption tools have to be. It is essential to ensure that third-party service providers also have the correct policies in place for the appropriate protection of your institution’s data. Where and how the data is stored, and the volume of data, influence this process further.
2. Data Storage and Transfer
All the various devices in use today, such as servers, laptops, tablets and mobile phones, can have access to storage media like USB flash drives, DVDs, CDs and SD cards. Storage can be either within the organisation, with a third-party data centre provider, or with a third-party cloud provider; e.g. Microsoft Office 365.
Data transfer falls within 2 categories: Internal and external.
Internal data exchanges can occur through email and file sharing over a local network. External data sharing covers all transmissions outside your healthcare practice’s network via email and file sharing. Identifying the data and where it is stored allows for the appropriate analysis of where encryption is potentially required.
3. Identify Encryption Protection Opportunities
As part of data risk management and mitigation, a decision must be made on where the data protection policy must be applied. The following guidelines can assist:
- User devices and removable storage media should be prioritised with additional protection by a level of encryption. The classification and sensitivity of the data/information will determine the level of encryption.
- Personal data should always be encrypted to protect an individual’s privacy when stored or transmitted.
- It is essential to manage and control bulk storage on servers with encryption tools native to server technology stacks.
- All email transmissions should be encrypted when sending official data out of the organisation to other organisations; for example, third-party providers, individuals (staff or patients) and suppliers.
4. Encryption Level Assessment
Once the decision to implement additional data protection has been made based on the scenarios above, the next stage involves ascertaining the level of protection required. The appropriate protection level is based on the classification and/or sensitivity category and the volume of such data.
In addition, the use of encryption is very strongly recommended – in some cases even mandated. An aspect of particular pertinence in this regard is the handling of clients’ personal data, as loss or mishandling of personal data can result in considerable fines and legal action.
The General Data Protection Regulation of 2018 states in Article 32 – Security of Processing:
Para 1: The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
Para 1a: The pseudonymisation and encryption of personal data.
5. Decision on Encryption Solution
All encryption methods involve an encryption key – a generated string of bits used to scramble data before it is transmitted or stored. This ensures that anyone who accesses the data cannot read it: without the right key they will see only useless data. The only way to unscramble the data is to decrypt it with the correct key. The factors that influence the choice of encryption solution to optimally protect your healthcare practice’s data include the following:
- The use and location of information. Where is the data stored and how is it being used? For example is the data at rest on a laptop or does it reside within an email?
- Management of the encryption product. This will include the management of the cryptographic material, the number of user interfaces and password complexity.
- Is the solution affordable to implement and maintain?
- Human resource requirement. Will extra IT staff be required?
- Vendor support requirements.
- Whether the IT provision (in-house or a third-party IT provider) can support the solution.
The Zapro Digital Advantage
These guidelines aim to assist every organisation in finding the optimal data security methods and policies in order to be more GDPR compliant. Data protection assists in the overall management of an information security policy across the whole spectrum of a company’s activities, thus protecting the integrity of your data and IT infrastructure and ultimately the information rights of your clients.
With our technical solutions we can help your healthcare practice stay protected from exploitation, loss of revenue and even reputational damage. We offer specialist IT security services to review, identify and secure your company’s data infrastructure against a wide range of vulnerabilities. Our services include the following 4 essential resources in order to offer a complete data protection solution.
- Identity & Access Management (IAM): Access rights and user management.
- Network Intrusion Protection: Protection from Viruses, Malware and Hackers.
- Data Management Strategy & Legal Compliance (GDPR): Provide you with an industry standard data management process which will cover you for many legal compliance requirements.
- Training & Policy Implementation: We can deliver training and guidance on security and acceptable use of your IT systems to ensure your data is protected and all end-users adhere to proper conduct.
Following our review you will receive a detailed report with our recommendations for effectively securing your law firm’s data. We will also work with you to build a data strategy and guide you through a successful implementation, in line with the latest GDPR regulations. This complete policy will guide you on what to do in the event of a data breach.
Contact us today to discuss this topic in further detail.