From: Healthcare IT News, June 2, 2014, by Benjamin Harris, Contributing Writer
‘Even if your data is encrypted, how well is it encrypted?’
It seems that everybody under the sun has been asking “you’re in the cloud, right?” But it’s important to take a step back and realize that not all clouds are equal. Maybe it’s time for people to be asking, “Are you doing the cloud right?”
Fred Eberlein of Tresorit, a Hungary-based cloud storage service, likes to talk about the roles that encryption plays, and how the word alone can create a false sense of security. For instance, he notes that almost everyone says they encrypt data. And that’s true. But how?
“When you push a medical file to the cloud, it’s encrypted on the path to the cloud,” Eberlein says. “But when it gets to the server they decrypt it and encrypt it in storage. That’s the Achilles heel for most established cloud data solutions.”
[See also: Has the cloud found its moment?.]
Problem? You bet.
The solution to this lies in client-side encryption, where data is encrypted on the device it’s created on and stays that way until it reaches its final destination. Once that data is encrypted and uploaded to the cloud it’s safe, right? Well, maybe. It depends on how it was encrypted.
Take, for instance, a picture of a penguin. Encrypt that image using an industry standard 256-bit AES algorithm. Chances are very good that someone with a high level of understanding about encryption and a reasonably powered computer can coax enough sense out of the chaos of that encrypted file to get most of the picture visible.
This actually happened. Eberlein says that while the image was still garbled, it was recognizable as a penguin. That should worry anyone who thinks that just because his or her data is encrypted, it’s safe.
“Even if your data is encrypted, how well is it encrypted?” Eberlein asks.
Here, the prospective buyer wants to see their cloud provider offering multi-level encryption, something well beyond the 256-bit standard.
A secure file still has a history that needs to be overseen. Who has access to what and on what terms? Provided a file is encrypted, what next? Any cloud provider worth its salt should come with a slew of administrative features that allow an IT director to see when it’s been edited, how and by whom. Client-side solutions with these features give a tremendous leg up to the mHealth and BYOD camps.
Eberlein cautions that while it is a given that control features need to be built into a system, proper encryption and security trump even that. “A lot of administrative features are good, but if the data is accessible to attack, the control doesn’t really do too much,” Eberlein says. <READ MORE>