Ask the Expert

How to encrypt data-at-rest to meet the HITECH act regulations

NIST 800-111 does not address encryption of data "at-rest" on network servers. In fact, it indicates that this guidance is "outside its scope." HITECH reporting requirements for breaches of unsecured PHI only specify NIST 800-111 as encryption guidance for data "at rest." Where would one find encryption guidance that would meet the HITECH requirements for securing data "at rest" found on networks?


Even though servers are out of scope of the paper for NIST's purposes, I would still use NIST 800-111 as the basis for my server encryption strategy, as it is the only document that is clearly permitted. The same general principles apply for hard drive encryption whether it's for a desktop, laptop or server, especially with regard to algorithms and key management.

It's true that NIST has yet to publish official recommendations on server encryption, but section 3.1 of 800-111 covers the basic options for different encryption types, and section 4.2 has some recommendations on how to design an encryption system. So to make things easier, just pretend servers are in scope and follow the recommendations NIST 800-111 lists for other types of encryption.

Although not specifically cited in HITECH or NIST publications, database encryption options should be investigated as well. Most commercial databases today offer this functionality at one level or another. Additionally, there are a number of third-party products that can assist with adding cryptography to databases. You do want to ensure, however, that whatever encryption product you choose is compliant with FIPS 140-2. That way you know the cryptography is sufficiently strong. Keep in mind, though, that even a FIPS-certified product may expose modes of operation that are not secure for your use, so check the documentation carefully and use only the approved modes.
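The last point, that a validated cipher can still be misused through the wrong mode, is easy to see in code. The following Go program is an added illustration and is not part of the expert's answer or of any NIST publication: it encrypts a constructed record with raw AES in ECB mode (hand-rolled here purely to show the weakness; Go's standard library deliberately offers no ECB helper) and then with AES-GCM, an authenticated mode with a fresh random nonce per record. The key, the record contents and the `table=patients` associated data are constructed sample values for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample key for the demonstration only; a real deployment
// draws keys from a FIPS 140-2 validated module and never hard-codes them.
var demoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256

// encryptECBDemo applies raw AES block by block with no chaining. It exists
// only to show why ECB is the wrong mode for stored data; the plaintext must
// be a whole number of 16-byte blocks.
func encryptECBDemo(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext is not a multiple of the block size")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// hasRepeatedBlocks reports whether any 16-byte block appears twice in the
// ciphertext, which is the pattern leak ECB is known for.
func hasRepeatedBlocks(ciphertext []byte) bool {
	seen := make(map[string]bool)
	for i := 0; i+aes.BlockSize <= len(ciphertext); i += aes.BlockSize {
		b := string(ciphertext[i : i+aes.BlockSize])
		if seen[b] {
			return true
		}
		seen[b] = true
	}
	return false
}

// encryptGCM is the kind of mode you would actually use: AES-GCM with a fresh
// random nonce per record. The nonce is prepended so it is stored with the
// ciphertext; Seal appends the authentication tag.
func encryptGCM(key, plaintext, associated []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, associated), nil
}

// decryptGCM reverses encryptGCM and fails closed if the nonce, ciphertext,
// tag or associated data has been altered.
func decryptGCM(key, stored, associated []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, errors.New("stored record too short")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, associated)
}

func main() {
	// Constructed record: one 16-byte field repeated four times, as a table
	// with many identical entries might contain.
	record := bytes.Repeat([]byte("PHI-RECORD-BLOCK"), 4)
	ecb, _ := encryptECBDemo(demoKey, record)
	fmt.Println("ECB leaks repeated blocks:", hasRepeatedBlocks(ecb)) // true
	aad := []byte("table=patients")
	sealed, _ := encryptGCM(demoKey, record, aad)
	fmt.Println("GCM leaks repeated blocks:", hasRepeatedBlocks(sealed)) // false
	pt, err := decryptGCM(demoKey, sealed, aad)
	fmt.Println("GCM round trip ok:", err == nil && bytes.Equal(pt, record)) // true
}
```

The ECB output reveals that the four fields are identical even though the bytes themselves are encrypted, and nothing stops an attacker from reordering or swapping blocks without detection. The GCM output shows no such structure and any modification of the stored record, or a mismatch in the associated data that binds it to its table, makes decryption fail rather than return corrupted plaintext. Nonce reuse under the same key breaks GCM, so the per-record random nonce (or a counter managed by the key-management layer) is part of the design, not an optional detail.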

For more information:

  • Learn best practices in security program management in this NIST tip.
  • Check out HIPAA guidelines on encryption and data destruction.

  • This was first published in December 2009
