
How to encrypt data-at-rest to meet the HITECH act regulations

What's the best way to encrypt data-at-rest to meet the HITECH act regulations? Learn how to interpret guidance from NIST 800-111 in this security management expert response from David Mortman.

NIST 800-111 does not address encryption of data "at-rest" on network servers. In fact, it indicates that this guidance is "outside its scope." HITECH reporting requirements for breaches of unsecured PHI only specify NIST 800-111 as encryption guidance for data "at rest." Where would one find encryption guidance that would meet the HITECH requirements for securing data "at rest" found on networks?

Even though servers are out of scope of the paper for NIST's purposes, I would still use NIST 800-111 as the basis for my server encryption strategy, as it is the only document that is clearly permitted. The same general principles apply for hard drive encryption whether it's for a desktop, laptop or server, especially with regard to algorithms and key management.

It's true that NIST has yet to publish official recommendations on server encryption, but section 3.1 of 800-111 covers the basic options for different encryption types, and section 4.2 has some recommendations on how to design an encryption system. So to make things easier, just pretend servers are in scope and follow the recommendations NIST 800-111 lists for other types of encryption.

Although not specifically cited in HITECH or NIST publications, database encryption options should be investigated as well. Most commercial databases today offer this functionality at one level or another. Additionally, there are a number of third-party products that can assist with adding cryptography to databases. You do want to ensure, however, that whatever encryption product you choose is compliant with FIPS 140-2. That way you know the cryptography is sufficiently strong. Keep in mind, though, that even when a product is FIPS-certified, not all of the modes it offers may be secure, so check the documentation carefully.

This was last published in December 2009
