We notice you are currently visiting the UK site. Would you like to visit our main site instead?

Medical professional using tablet. Medical technology concept.

The Hard Truth of Proper Security for Healthcare Data

Healthcare organisations will always need to store and transfer personal health data, often referred to as Protected Health Information (PHI). Prioritising data security will continue to be crucial to protect against cyberattacks and data loss to keep PHI safe. In fact, a survey by the American Medical Association found that 92% of patients believe that the privacy of their health data is a right and that it should be protected. This is easier said than done with data that has to be portable and shareable at a moment's notice.

While protecting PHI might appear trivial, a breach can have real consequences. For example, Scripps Health reached a settlement of $3.5 million after a 2021 ransomware attack.

Without scaremongering, let’s be clear and acknowledge that the volume of breaches involving healthcare entities is growing. Bad actors understand the value in compromising healthcare data, and ransomware attacks are growing fast, making healthcare worldwide a strategic target.

So, what can be done to ensure strong data security?

Security and medical icons. Concept of data security concerns for healthcare organizations.

Let’s address these unique challenges and the need to comply with ever-changing regulations by simplifying things, with the simple requirement that data encryption needs to be a key part of any healthcare organisation's security strategy.

After all, what can be seen can either be attacked, or secured! This is important to know when considering your data security plan.

At Kingston, we know that the proper protection of health data is serious business. There are several things to keep in mind when implementing encryption security for health data. First, it's important to understand the value of data encryption for regulatory compliance. HIPAA and other international regulations like GDPR and CCPA have requirements for personal data encryption. By using encryption, healthcare organizations can protect themselves from the consequences of a data breach and maintain compliance with these regulations.

But even encryption is tricky, as there are usually two types: Hardware- and software-based encryption.

Understanding the difference between software and hardware encryption holds implications for the security of patients' health data. Software encryption is often cheaper to implement upfront, but its security is reliant on the host system. As a result, it is vastly more vulnerable to hacking when passwords or recovery keys can be found in the host system memory, paging and hibernation files. In addition, many encrypted file formats can be attacked using software tools found on the internet for free or at minimal cost, which can execute brute force password attacks to break the authentication process. Today’s computers can attempt one billion password guesses a second, or even more. Software-encrypted files can also be copied and attacked in parallel by a network of computers, further cutting down the time to conduct brute force password attacks.

Hardware encryption is a dedicated security ecosystem completely contained within the storage device, whether a USB drive or an external SSD. Hardware-based encryption is always on, always protecting data, whereas anyone can remove software encryption on a drive by just reformatting it. For healthcare providers, this means that a rogue employee can disable the protection and turn a software encrypted drive into a breachable storage device.

As a result, hardware encryption in general is exponentially more secure as it does not expose passwords and encryption keys to the host system. However, that added security comes at a cost premium compared to unencrypted storage drives. Given that the average breach costs over $4.35* million in the United States in 2022, software encryption savings can be illusory when there is a better option for mobile data – hardware-encrypted USB and external SSD drives with XTS-AES 256-bit encryption that incorporate brute force and BadUSB attack protections. If a hardware-encrypted drive is lost, it can reasonably be assumed to remain secure and keep protecting the PHI data with its strong security.

The Kingston IronKey XTS-AES 256-bit hardware-encrypted drive line-up includes user-friendly drives that address user frustrations with security. Multi-password support is available to allow users or providers to recover access to drives should a password be forgotten. There is now an alternative to complex passwords that no one can remember – a passphrase password consisting of up to 64 characters that can be the title of a favourite book or a song, a list of words, a line from a poem or song, or other phrases that are easy for doctors and other healthcare practitioners to remember – yet nearly impossible for an attacker to guess within the limited brute force password attack lockdown and crypto-erase retries.

Passphrases are available on Vault Privacy 50, 50C and Vault Privacy 80 External SSD drives. Keypad drives like the Vault Privacy 80ES and Keypad 200 are PIN based, and are similar to using a mobile phone for use cases where people prefer a PIN. The VP80ES drive also supports passphrases using a user-friendly alphanumeric keyboard on a touch screen.

Layout of the various Kingston IronKey hardware-encrypted drives. Hardware-encrypted USB drives and SSDs.

All IronKey drives feature strong brute force password attack protection on the drives. When an attacker guesses passwords, the drive counts the invalid attempts and locks the User passwords; when the Admin password attempts are exhausted, the drive automatically crypto-erases, and all data is lost forever. Software encryption does not possess the ability to strongly protect against such attacks.

OS-independent drives like the Vault Privacy 80ES and the Keypad 200 are ideal for protecting data transferred between medical machines and computers, as is commonly required for many devices used in the healthcare services. For example, many lab machines require the manual transfer of data by technicians into the provider’s computer system.

Five healthcare workers meeting in a well-lit office with laptops. A whiteboard is in the background. The workers are gathered around a table. One is standing while the others sit. One smiles, facing the camera.

In addition to hardware-encrypted devices, healthcare organisations should consider additional cybersecurity data hygiene measures like training employees on best practices, implementing multi-factor authentication, and regularly updating software and systems. Even for small healthcare providers, regular backups on hardware-encrypted external SSDs can be the difference between being a victim of ransomware attacks and being able to recover systems quickly.

By taking a layered approach to security and ingraining data protection in the daily habits of employees, healthcare organisations can effectively protect patient data. Integrating Kingston IronKey hardware-encrypted drives into a data security strategy is an effective way to ensure compliance with HIPAA and other health data protection regulations.

You can find more Kingston IronKey products to meet healthcare data security needs or Ask an Expert on Kingston IronKey who can help you keep your patients’ data safe.

#KingstonIsWithYou #KingstonIronKey

Kingston’s ask an expert icon on a circuit board chipset

Ask an Expert

Planning the right solution requires an understanding of your project’s security goals. Let Kingston’s experts guide you.

Ask an Expert

Related Videos

Related Articles