The HIPAA and HITECH regulations were put in place to protect personal health record information from fraud and abuse. Over the past several years, more than 20 million patients have had their medical information exposed in data security breaches, even with HIPAA and HITECH already in place. This paper will document how Gazzang zNcrypt™ and Gazzang zTrustee™ can help organizations that store HIPAA data maintain a secure and compliant posture through robust encryption and key management.
The Family Educational Rights and Privacy Act of 1974 (FERPA) is a United States federal law that regulates the use and disclosure of student education records. The law gives parents and students access to education records, allows corrections to be made in cases of inaccurate or misleading information, and regulates the disclosure of records between entities. As with health records, protecting student privacy is paramount because of the potential for malicious use of the information – such as discrimination or identity theft. More than three million student records have been compromised since 2010 as a result of hacking attacks or lost, stolen or missing files. Fortunately, these incidents are preventable. Compliance with FERPA can be facilitated by robust encryption and key management systems for electronic education records. Gazzang zNcrypt™ and Gazzang zTrustee™ can be applied easily, quickly and economically to assist with FERPA compliance.
The Data Protection Directive (Directive 95/46/EC) is a European Union (EU) regulatory framework that aims to protect the privacy of personal data within the EU. Implemented in 1995, the directive requires all member countries of the EU to enact laws to enforce these regulations. The EU data protection regulations are stricter and more comprehensive than those in the United States. As a result, U.S. companies that handle data from EU citizens must put extra measures into place to comply with the directive under the so-called “US-EU Safe Harbor” agreement. Data security is just one aspect of the Data Protection Directive. Compliance with the directive and protection under Safe Harbor require robust encryption and key management that ensure the privacy and confidentiality of citizen records.
The Payment Card Industry Data Security Standard (PCI-DSS) is an industry-wide framework for protecting consumer credit card data. Any company that stores, processes, or transmits credit card data must comply with PCI-DSS by properly securing and protecting the data. In April 2011, one of the largest data security breaches in history occurred when Sony’s PlayStation Network was attacked and the accounts of over 70 million users were compromised. While many of these accounts contained credit card data, the data was fortunately encrypted, and thus very few cases of credit card fraud resulted from the breach. In July 2012, Global Payments revealed it had incurred more than $84 million in expenses associated with investigations, remediation and fines related to a data breach that included the theft of 1.4 million credit card numbers. While encrypting or hashing card numbers wouldn’t necessarily have prevented these breaches, following these security best practices can typically lessen, if not eliminate, the costly blowback. Compared with the cost of a breach, transparent encryption is relatively inexpensive and simple to deploy, even for data stored in the cloud.