This week we saw another announcement in the news where personal data had been stolen. This time it was student data from a prestigious UK university. As discussed in our last blog, some systems, such as those relating to healthcare or those that hold medical records, encrypt data as a matter of course. But we questioned why other systems, such as LIMS and Customer Relationship Management (CRM) software applications, don’t. These systems also hold sensitive personal and commercial data that you should protect using encryption. And systems providing rules-based data encryption can give you even more security.
Identifying your sensitive data
Data that is deemed sensitive varies and depends on what information you are capturing.
If you use a laboratory information management system, you may record personally identifiable information such as names and hospital numbers, which you deem sensitive. If you are a university using CRM systems to manage student recruitment, you may be capturing name, email address, address and date of birth, which you consider sensitive.
Additional data that you associate with a person, such as their qualifications or treatments, may not be identifiable in isolation, but if combined with other such data might still pose a risk. You may also see notes as sensitive, because your users may not always follow best practice and may include personally identifiable data in the text itself.
Different types of encryption to protect your sensitive data
If you choose to encrypt your data, there are different types of encryption offering different levels of protection.
- Database-wide data encryption – The system holds all the data as encrypted and when your users log in it decrypts the entire database. This offers you some protection as you must have valid login credentials to access the data. But you should consider the risks if someone were to obtain a user’s credentials to gain access to your system.
- Rules-based data encryption – The system holds the data as encrypted and only decrypts it when specific criteria are met, such as set data values on records. This approach gives you an increased level of data protection: should a hacker obtain credentials to your system through the front-end, the information they have access to is still restricted.
The benefits of rules-based data encryption
Rules-based data encryption is where the data is only visible to users when specific criteria are met. And even then, it may only be for selected data values or when carrying out certain tasks. This means you only expose subsets of decrypted data on a “need to know” basis – not the entire database.
For example, you can only see decrypted data if you have a specific role on a project. And even then you only see the data linked to that project. This gives you greater control – at a more granular level.
Taking this a step further, for example, you can only see decrypted data if you have a role on a project and the assigned data protection officer has granted you access to see that sensitive information. This adds a further layer of protection where you need a project role to do your job, but you don’t automatically see any associated sensitive information.
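The two rules described above (a project role, plus a data protection officer grant for sensitive fields) can be modelled as a gate in front of key release. This is an added sketch, not Achiever's code: the `Policy` class, the per-field key derivation with HMAC-SHA256, and the user, project and field names are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed demo secret; a real system would hold this in a KMS or HSM.
MASTER_KEY = b"constructed-demo-master-key-0001"

@dataclass
class Policy:
    roles: set = field(default_factory=set)       # (user, project) pairs with a project role
    dpo_grants: set = field(default_factory=set)  # (user, project) pairs approved by the DPO
    sensitive: set = field(default_factory=set)   # field names that need the DPO grant

    def check(self, user, project, field_name):
        """Deny by default; return (allowed, reason)."""
        if (user, project) not in self.roles:
            return False, "no role on project"
        if field_name in self.sensitive and (user, project) not in self.dpo_grants:
            return False, "sensitive field, no DPO grant"
        return True, "ok"

def field_key(project, field_name):
    # One key per (project, field), so releasing it exposes nothing else (HKDF in production).
    info = b"\x00".join([b"field-key", project.encode(), field_name.encode()])
    return hmac.new(MASTER_KEY, info, hashlib.sha256).digest()

def release_key(policy, audit, user, project, field_name):
    """Return the decryption key only when every rule passes; log each decision."""
    allowed, reason = policy.check(user, project, field_name)
    audit.append((user, project, field_name, allowed, reason))
    if not allowed:
        raise PermissionError(reason)
    return field_key(project, field_name)

def visible_fields(policy, audit, user, project, field_names):
    """Which fields of a record this login could decrypt, e.g. after credential theft."""
    out = []
    for name in field_names:
        try:
            release_key(policy, audit, user, project, name)
            out.append(name)
        except PermissionError:
            pass
    return out

if __name__ == "__main__":
    policy = Policy({("alice", "P1"), ("bob", "P1")}, {("bob", "P1")}, {"hospital_number"})
    log = []
    print(visible_fields(policy, log, "alice", "P1", ["sample_type", "hospital_number"]), log)
```

The audit list records denials as well as releases, which is what lets you spot a compromised login probing projects or fields it has no rule for.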
Our Achiever software customers use exactly these rules-based encryption options to manage access to their data. We built in our data protection and encryption rules at several levels – not just user and project role. You control Achiever’s unique data security and encryption capabilities and you can change and add to them at any time. Achiever dynamically applies these security options as users access screens, workflows and data. And you can add your own fields and rules to the ‘out-of-the-box’ security.
Final thoughts on rules-based encryption
Many businesses may see encrypting data as an additional overhead that they must manage and that may impact system performance. Others may think that they already have other adequate security measures in place. Some also don’t realise that there are software systems that have encryption already included as part of their standard product. We have provided encryption in our Achiever Medical sample management software and CRM systems for more than 10 years.
It is important to understand that encryption is not the same as data obfuscation. Some systems show data as obfuscated on screen, but they do not actually encrypt the data in the database. This means that someone with access to the back-end database can access your data.
Encryption does not replace your existing security measures – it enhances them. If you use ‘at rest’ encryption to protect your sensitive data, it can only be decrypted through the front-end application. This gives you an added layer of security and control.
And if you apply rules-based encryption, you add a further layer of protection by limiting the data sets that are exposed should a user’s credentials be compromised.