The Gap in HIPAA’s Requirement for Encryption in Transit and at Rest

This post is going to get a wee bit technical so bear with me. There is a well-publicized HIPAA requirement that

PHI (protected health information) must be encrypted in motion and at rest.

This requirement has been interpreted to mean that:

  • PHI transmitted over a network (or even carried via removable media) must be encrypted
  • Data on disk must be encrypted

HHS documents often refer to NIST's guidelines on TLS. (TLS is the successor to SSL, though the name SSL persists in everyday discussion.) What the current Heartbleed problem with OpenSSL lays bare for all to see is the gaping hole in what "encryption in motion" can mean.

The problem is that, for the most part, the encryption in motion is different from the encryption at rest. Different algorithms and keys are used, and different systems are responsible for the crypto: the transport layer (TLS) decrypts data on arrival, and the storage layer re-encrypts it before it hits the disk. Simply put, this means the data exists in unencrypted form, in the server's memory, while it moves from the network to the disk.
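To make that gap concrete, here is an added illustration; it is not code from this post or from Cloak Labs. It models a web server that terminates transport encryption with one key and writes to disk with a second key, and compares that with the same pipeline when the sender also encrypts the record end-to-end with a key the server never holds. The cipher is a demonstration-only HMAC-SHA256 keystream with an encrypt-then-MAC tag (a real system would use a vetted AEAD such as AES-GCM), the `WebServer` and `run` names are hypothetical, and the PHI record is a constructed sample.

```python
"""Two pipelines for moving PHI from a sender through a web server onto disk.

Added illustration for this post (not Cloak Labs' code). The cipher below is
demonstration-only; the WebServer/run names are hypothetical.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Keystream = HMAC-SHA256(key, nonce || counter) blocks, counter-mode style.
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Demonstration-only encrypt-then-MAC construction; use a vetted AEAD in practice.
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    # Verify the tag before touching the ciphertext; reject anything tampered or keyed wrongly.
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class WebServer:
    """Stand-in for a server that terminates transport encryption (the TLS role)
    and writes to encrypted storage. Each layer has its own key, as the post describes."""

    def __init__(self):
        self.transport_key = secrets.token_bytes(32)  # shared with the sender (TLS session)
        self.disk_key = secrets.token_bytes(32)       # held by the storage layer only
        self.ram = []    # everything that existed in memory between the two layers
        self.disk = None

    def receive_and_store(self, wire_blob: bytes) -> None:
        payload = decrypt(self.transport_key, wire_blob)  # transport layer strips TLS
        self.ram.append(payload)                          # what a memory-disclosure bug could leak
        self.disk = encrypt(self.disk_key, payload)       # storage layer re-encrypts


def run(phi: bytes, end_to_end: bool) -> dict:
    """Move PHI sender -> web server -> disk -> recipient and report whether the
    plaintext ever sat in the web server's memory."""
    server = WebServer()
    app_key = secrets.token_bytes(32)  # known to sender and recipient, never to the server

    payload = encrypt(app_key, phi) if end_to_end else phi
    server.receive_and_store(encrypt(server.transport_key, payload))

    stored = decrypt(server.disk_key, server.disk)
    recovered = decrypt(app_key, stored) if end_to_end else stored

    return {
        "exposed_in_server_ram": any(phi in chunk for chunk in server.ram),
        "recovered": recovered,
    }


if __name__ == "__main__":
    SAMPLE_PHI = b"patient=Jane Doe; dx=E11.9"  # constructed sample record
    for mode in (False, True):
        print("end-to-end" if mode else "transport+disk", run(SAMPLE_PHI, mode))
```

In the transport-plus-disk pipeline the record is fully recoverable from disk, yet `exposed_in_server_ram` is true: the plaintext was in memory between the two crypto layers, which is exactly the window a bug like Heartbleed reads from. With an application-layer key the server's memory only ever holds ciphertext, and the record is still recoverable by the party that holds that key.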

Cloak Labs' technology allows a message to go from one server behind a firewall to another server behind a second firewall without exposing either server to the outside world. Inbound firewall ports don't need to be opened on either side, and the data stays encrypted while it sits in web server RAM, essentially adding an extra barrier between your sensitive data and potential attackers.


About the author

Dr. Michel Floyd: Michel has spent his entire career in Silicon Valley in a succession of technology and business leadership roles. Most recently Michel was Global CTO at YouGov Plc, a global opinion research company based in London. In that role he helped integrate a large number of acquisitions in different parts of the world. He built up a world-class development team distributed from Germany to Alaska to Peru. His accomplishments include releasing an interactive, 14 country brand tracker which is both the company's fastest growing and most profitable product. Before YouGov Michel was EVP & CTO at Knowledge Networks (subsequently acquired by GfK). There he focused on technology, operations, and driving business efficiency throughout the company. He had P&L responsibility over $13M in revenues and also served as interim CEO. Michel earned his SB, SM, and ScD degrees in aeronautical and astronautical engineering from MIT. He has participated in two IPOs and numerous acquisitions, primarily on the buy side. He has been awarded 4 patents. Dr. Floyd is also on the board of directors of VLAB, the Silicon Valley chapter of the MIT Enterprise Forum.

