NIST 800-111 does not address encryption of data "at-rest" on network servers. In fact, it indicates that this guidance is "outside its scope." HITECH reporting requirements for breaches of unsecured PHI only specify NIST 800-111 as encryption guidance for data "at rest." Where would one find encryption guidance that would meet the HITECH requirements for securing data "at rest" found on networks?
Even though servers are out of scope of the paper for NIST's purposes, I would still use NIST 800-111 as the basis for my server encryption strategy, as it is the only document that is clearly permitted. The same general principles apply for hard drive encryption whether it's for a desktop, laptop or server, especially with regard to algorithms and key management.
It's true that NIST has yet to publish official recommendations on server encryption, but section 3.1 of 800-111 covers the basic options for different encryption types, and section 4.2 has some recommendations on how to design an encryption system. So to make things easier, just pretend servers are in scope and follow the recomendations NIST 800-111 lists for other types of encryption.
Although not specifically cited in HITECH or NIST publications, database encryption options should be investigated as well. Most commercial databases today offer this functionality at one level or another. Additionally, there are a number of third-party products that can assist with adding cryptography to databases. You do want to ensure, however, that whatever encryption product you choose is compliant with FIPS 140-2. That way you know the cryptography is sufficiently strong. Keep in mind, though, that just because a product is secured and FIPS-certified, not all of its modes may be secure, so check the documentation carefully.
- Learn best practices in security program management in this NIST tip.
- Check out HIPAA guidelines on encryption and data destruction
Dig Deeper on HIPAA
Related Q&A from David Mortman, Contributor
While IT security consultancies can be helpful when trying to find flaws in an information security management framework, there are ways to do it ...continue reading
PCI DSS audits can be a lot easier if the scope is narrow. Learn how to consolidate and store sensitive data in order to best reduce PCI DSS security...continue reading
When hiring an information security team member, how important is a certification in information security? Learn how to talk to executives about ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.