RSA 2012 – The move is on towards self-encrypting hard drives
Robert MacBride, the information systems security officer for the United Network for Organ Sharing, the non-profit organization that tries to match donors and recipients for the transplantation of hearts, lungs, livers, kidneys and pancreases, has shifted his organization from using software-based encryption on its laptops and other computers to deploying self-encrypting hard drives. He has concluded that the hardware-based approach makes it less likely that his organ-sharing network will accidentally disclose sensitive patient information, and inadvertently run afoul of regulations spelled out in HIPAA or the HITECH Act.
MacBride was one of several experts who appeared on a panel at the RSA conference in San Francisco on Feb. 26, which focused on the benefits large organizations and commercial enterprises are experiencing by shifting from software encryption to hard drive encryption. The presentation was organized by the Trusted Computing Group, a not-for-profit, vendor-neutral group that helps develop industry standards, “trusted computing building blocks and software interfaces.”
Dr. Michael Willet, a technology exec with Samsung, noted that governments at the federal and state levels have enacted “breach disclosure” laws that require commercial organizations to notify their customers if they have lost sensitive data. He cited one statistic suggesting that it costs U.S. companies, on average, about $6.65 million for each incident in which they have lost data. “Some companies that have lost data have folded,” he noted.
He told the audience at the Moscone Center in San Francisco that the transition from software-based encryption to hard-drive-based encryption was something of a no-brainer. “Where better to do encryption for stored data -- duh -- than on the storage hardware,” he pointed out. He did acknowledge, however, that a transition from software to hardware encryption would require user organizations to purchase new hardware.
One of the key benefits of moving to hardware-based encryption, most of the panelists agreed, is that an organization using it has an immediate defense against any government accusation that a data breach it experienced was caused by its own negligence. “Using self-encryption allows you to report compliance,” explained Thi Nguyen-Huu, the CEO of WinMagic, which has been active in the self-encrypting hard drive field.
A group of four health-related users of encryption on the panel all seemed to agree that shifting from software to hardware was not very difficult, that their employees accepted the shift with very few complaints, that costs could be trimmed, and that such hard drive-based systems were easy to manage.
MacBride’s United Network for Organ Sharing (UNOS), which is headquartered in Richmond, VA, has about 350 users and 150 laptops, he said. If his organization were ever to experience a disclosure of personal patient information, UNOS would have to decide whether or not it was legally required to notify the affected patients and family members. By reducing the likelihood of such a breach, MacBride said, encryption reduces the necessity of making such a tough decision. “By using the things that encryption buys us,” he explained, “it puts that decision back in our hands.”
He used this argument -- as well as many of the other apparent benefits from self-encrypting hard drives -- to convince his upper management to make the transition. The fact that the new chief information officer at UNOS had experienced a breach at an earlier employer made the pitch that much more compelling. “Showing management breaches in real-life helped to get our management’s buy-in,” he recalled.
MacBride pointed out that a report issued by the Government Accountability Office (GAO) in late 2008 noted that many government agencies had maintained that their laptops were fully encrypted using software-based approaches, but that a careful examination of these laptops revealed that in many instances they were, in fact, not encrypted.
He explained that UNOS has a contract from the federal government to help match potential organ donors with appropriate organ recipients. “We have the algorithm that does that matching,” he told Government Security News, after the formal presentation was completed.
UNOS is undertaking important work, in which a breach of security would be particularly painful.