What Is Encryption?

In cryptography, encryption is the process of encoding a message or information in a way that only authorised parties can access it and those who are not authorised cannot.

Asymmetric Encryption

In public-key encryption schemes, the encryption key is published for anyone to use and for encrypting messages. Only the receiving party has access to the decryption key that enables messages to be read. Public-key encryption was first described in a secret document in 1973. Before that, all encryption schemes were symmetric-key (also called private-key).

Symmetric Encryption

In symmetric-key schemes, the encryption and decryption keys are the same. Communicating parties must have the same key in order to achieve secure communication.

Triple DES Encryption

Triple DES was designed to replace the original Data Encryption Standard (DES) algorithm, which hackers learned to defeat with ease. At one time, Triple DES was the recommended standard and the most widely used symmetric algorithm in the industry.

Triple DES uses three individual keys with 56 bits each. The total key length adds up to 168 bits, but experts say that 112-bits in key strength is more like it.

Though it is slowly being phased out, Triple DES is still a dependable hardware encryption solution for financial services and other industries.

RSA Encryption

RSA is a public-key encryption algorithm and the standard for encrypting data sent over the internet. It also happens to be one of the methods used in PGP and GPG programmes.

Unlike Triple DES, RSA is considered an asymmetric encryption algorithm because it uses a pair of keys. The public key is used to encrypt a message and a private key to decrypt it. It takes attackers quite a bit of time and processing power to break this encryption code.

Advanced Encryption Standards (AES)

The Advanced Encryption Standard (AES) is the algorithm trusted as the standard by the U.S. government and many other organisations.

Although it is extremely efficient in 128-bit form, AES encryption also uses keys of 192 and 256 bits for heavy-duty encryption.

AES is considered resistant to all attacks, with the exception of brute-force attacks, which attempt to decipher messages using all possible combinations in the 128-, 192- or 256-bit cipher. Still, security experts believe that AES will eventually become the standard for encrypting data in the private sector.

1. Know the laws: When it comes to safeguarding the personally identifiable information, organisations must adhere to many overlapping, privacy-related regulations. The top six regulations that impact many organisations include: FERPA, HIPAA, HITECH, COPPA, PCI DSS and state-specific data breach notifications laws.
2. Assess the data: A security rule under HIPAA does not explicitly require encryption, but it does state that entities should perform a data risk assessment and implement encryption if the evaluation indicates that encryption would be a “reasonable and appropriate” safeguard. If an organisation decides not to encrypt electronic protected health information (ePHI), the institution must document and justify that decision and then implement an “equivalent alternative measure”.
3. Determine the required or needed level of encryption: The U.S. Department of Health and Human Services (HHS) turns to the National Institute of Standards and Technology (NIST) for recommended encryption-level practices. HHS and NIST have both produced robust documentation for adhering to HIPAA’s Security Rule. NIST Special Publication 800-111 takes a broad approach to encryption on user devices. In a nutshell, it states that when there is even a remote possibility of risk, encryption needs to be in place. FIPS 140-2, which incorporates AES into its protocols, is an ideal choice. FIPS 140-2 helps education entities ensure that PII is “rendered unusable, unreadable or indecipherable to unauthorised individuals”. A device that meets FIPS 140-2 requirements has a cryptographic erase function that “leverages the encryption of target data by enabling sanitisation of the target data’s encryption key, leaving only the cipher text remaining on the media, effectively sanitising the data”.
4. Be mindful of sensitive data transfers and remote access: Encryption must extend beyond laptops and backup drives. Communicating or sending data over the internet needs Transport Layer Security (TLS), a protocol for transmitting data over a network, and AES encryption. When an employee accesses an institution’s local network, a secure VPN connection is essential when ePHI is involved. Also, before putting a handful of student files on a physical external device for transfer between systems or offices, the device must be encrypted and meet FIPS 140-2 requirements to avoid potential violations.
5. Note the fine print details: Unfortunately, many schools fail to engage in proper due diligence in reviewing third-party services’ privacy and data-security policies, and inadvertently authorise data collection and data-mining practices that parents/students find unacceptable or violate FERPA. Regulatory compliance entails much more than simply password-protecting an office’s workstations. It requires using encryption to protect data-at-rest when stored on school systems or removable media device. Remember that data at rest that is outside the school’s firewall (or “in the wild”) is the top source of security breaches.