Purpose
The purpose of this Information Technology Standard is to establish a baseline for protecting confidential, protected, or sensitive data with encryption technologies.
Definitions
ePHI: PHI stored, transmitted or accessed in electronic form
Data at rest: The state of data when it is not actively being used by a process or sent over a network connection. Typically this entails storage on a physical device such as a hard disk, USB thumb drive, CD/DVD ROM, floppy drive, etc.
Data in use: The state of data when it is actively being used by an application process.
Data in transit: The state of data when it is being transmitted using a data network protocol over either an internal or external network. Typically the phrase “data in transit” is used generically when discussing transmission over a LAN (Local Area Network), WAN (Wide Area Network), VPN (Virtual Private Network), or Internet connection.
Structured Data: Data that has an enforced composition. Structured data is managed by technology that allows for querying and reporting against predetermined data types and understood relationships.
Unstructured Data: Data that does not have an enforced composition. This type of data resides in various formats which are typically difficult to search or formally organize including images, video, audio, Microsoft Word, Excel, E-mail, etc.
Encryption Key: A sequence of numbers that is used to encrypt or decrypt a data resource much in the same way as a physical key is used to lock and unlock a physical lock.
Hashing: Cryptographic hashing is a process whereby a hash algorithm is used to generate a fixed-size string of letters and numbers when given an input of arbitrary length. Different inputs will produce different hashed values. Hashing is a common practice when storing passwords so that the actual password is not stored.
Elements of the Standard
This standard applies to all data that is considered confidential information, when it is at rest, in use, or transmitted between information technology resources. The scope of this standard may later be defined by a Data Classification Policy.
Approved Encryption Algorithms / Key Lengths
Encryption is a complex topic that involves mathematical algorithms, cryptanalysis and threat modeling. Therefore, only industry-recognized encryption schemes or algorithms should be used for the purpose of encrypting data at rest, data in use, or data in transit.
The encryption algorithms listed below have been selected because they are recognized as industry standards which are reasonable for meeting the Security Rule and Data Breach Notification Rule requirements of the HIPAA Omnibus Final Rule.
Further information about algorithms and ciphers can be found in the following publications:
- National Institute of Standards and Technology (NIST) Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices
- NIST Special Publication 800-52 Rev. 1, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations
- NIST Special Publication 800-67 Rev. 1, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
- NIST Special Publication 800-77, Guide to IPsec VPNs
- NIST Special Publication 800-113, Guide to SSL VPNs
- NIST Special Publication 800-106, Randomized Hashing for Digital Signatures
- Federal Information Processing Standards (FIPS) PUB 197, Announcing the Advanced Encryption Standard (AES)
- FIPS PUB 140-2, Security Requirements for Cryptographic Modules
Encryption algorithms approved for use at Pacific University include:
Symmetric encryption algorithms (the same key is used to encrypt and decrypt):
- Preferred: Advanced Encryption Standard (AES) with at least a 256-bit key.
- Allowed but less preferred: Advanced Encryption Standard (AES) with at least a 128-bit key.
Asymmetric encryption algorithms (different keys are used to encrypt and decrypt – otherwise known as Public Key Cryptography):
- Rivest, Shamir, and Adleman (RSA) algorithm with at least a 2048-bit key.
- Diffie-Hellman algorithm with at least a 1024-bit key.
- Elliptic Curve Cryptography (ECC) algorithm with at least a 256-bit key.
One-way hashing algorithms:
- Preferred: Secure Hash Algorithm: SHA-256 or greater (256-bit digest)
No longer allowed: SHA-1 (160-bit digest), MD5 (to be used only when preferred options are not available), and Triple DES.
Approved Encryption Protocols For Secure Communications
- Transport Layer Security must not be lower than TLS 1.2 with at least a 128-bit key.
- Secure Shell (SSH) version 2 for remote access to a system shell. AES encryption should be used for SSH services hosted by Pacific University.
- SSH File Transfer Protocol (SFTP) over SSH v2 connections using AES only.
- Secure Copy (SCP) on systems that have SSH v2 with AES in use.
- File Transfer Protocol over TLS/SSL (FTPS) only when a valid certificate from a public certificate authority exists and uses at least a 128-bit key.
- Internet Protocol Security (IPsec) using AES encryption with at least a 128-bit key.
- Wi-Fi Protected Access 2 (WPA2) for all wireless network connectivity, using AES encryption with at least a 128-bit key.
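The two lists above (approved algorithms and key lengths, and approved protocol versions) are easy to check mechanically. The following is an added example, not part of the standard: a Python check that maps observed TLS versions, IANA cipher-suite names and key sizes onto the minimums the standard sets. The hostnames and session records are constructed sample data.

```python
import re

# Minimum key lengths (bits) from the approved-algorithm list; AES 128 is the floor, 256 is preferred.
MIN_KEY_BITS = {"AES": 128, "RSA": 2048, "DH": 1024, "ECC": 256}
MIN_TLS = (1, 2)  # TLS 1.2 or newer
# IANA cipher-suite names, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SUITE_RE = re.compile(r"^TLS_[A-Z0-9_]+?_WITH_(?P<cipher>[A-Z0-9_]+?)_(?P<mac>SHA256|SHA384|SHA|MD5)$")
VERSION_RE = re.compile(r"^TLSv(\d+)\.(\d+)$")

def check_key(algorithm, bits):
    """Findings for a key of the given algorithm and size (empty list = compliant)."""
    minimum = MIN_KEY_BITS.get(algorithm)
    if minimum is None:
        return [f"{algorithm} is not an approved algorithm"]
    if bits < minimum:
        return [f"{algorithm} key of {bits} bits is below the required {minimum}"]
    return []

def check_tls(version, suite):
    """Findings for one observed TLS session (empty list = compliant)."""
    findings = []
    m = VERSION_RE.match(version)
    if not m or (int(m.group(1)), int(m.group(2))) < MIN_TLS:
        findings.append(f"{version} is below TLS 1.2")
    s = SUITE_RE.match(suite)
    if not s:
        return findings + [f"unrecognised cipher suite {suite}"]
    cipher, mac = s.group("cipher"), s.group("mac")
    if cipher.startswith("AES_"):
        findings += check_key("AES", int(cipher.split("_")[1]))
    elif cipher.startswith("3DES"):
        findings.append("Triple DES is not allowed")
    else:
        findings.append(f"{cipher} is not an approved symmetric cipher")
    if mac == "SHA":  # a bare "SHA" suffix means HMAC-SHA-1
        findings.append("SHA-1 is not allowed")
    elif mac == "MD5":
        findings.append("MD5 is not allowed")
    return findings

# Constructed sample observations (hostnames and sessions are made up).
SAMPLE = [
    ("srv-a", "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"),
    ("srv-b", "TLSv1.0", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    ("srv-c", "TLSv1.2", "TLS_RSA_WITH_RC4_128_MD5"),
]

def audit(observations):
    """Map host -> findings for (host, version, suite) tuples."""
    return {host: check_tls(ver, suite) for host, ver, suite in observations}
```

Calling audit(SAMPLE) reports srv-a as compliant, srv-b for the old protocol version, Triple DES and SHA-1, and srv-c for RC4 and MD5; check_key covers the RSA, Diffie-Hellman and ECC minimums for keys and certificates seen elsewhere.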
Implementation Elements of the Standard - Key Management
Business partners, customers, and other authorized third parties often require access to data even though it may be encrypted. This calls for flexible and effective key management to ensure that authorized third parties will have appropriate access to data.
Encrypted data is only as secure as the keys used to authenticate, encrypt and more importantly to decrypt or “unlock” data. The security of these keys is paramount and steps must be taken to ensure both the availability and confidentiality of these keys since lost or exposed keys can compromise the security of the data they are supposed to protect.
Key management also addresses the phases of the cryptographic key lifecycle. It must provide for the secure and reliable generation of keys, the protection of keys while in use and must safely destroy keys when no longer needed.
Since Pacific University has not deployed an enterprise-wide centrally controlled key management system, proper key management practices are the responsibility of each key’s respective “owner.”
The following key management practices are required:
- Key sharing:
- Preferred: The use of public and private keys is the preferred method for encrypting and decrypting data. The use of PKI (Public Key Infrastructure) with a recognized Certificate Authority, or the use of an ISC-approved public key cryptography application, are acceptable methods for public/private key generation and use;
- In all other cases where a decryption key or passphrase needs to be communicated to another party, such communication will occur out of band, that is, via a separate channel (e.g. secure email or telephone) or media than used to transmit the encrypted data payload.
- Key generation:
- Keys should be random and the algorithm should use the full spectrum of the keyspace (the range of possible values to construct a key);
- Preferred: All keys will be generated using Pacific University-approved software applications that support the algorithms listed above. Passphrases used to generate keys must conform to Pacific University password standards.
- Key and passphrase storage:
- Keys will be stored using key management software or capabilities native to the application or system responsible for encrypting or decrypting the data. A backup of the key and its associated passphrase will be stored on a separate system on the Pacific University network. Keys and passphrases should not be stored on desktop workstations or portable devices, which are typically not backed up and can be stolen or lost.
The following key management practices are recommended:
- A key’s lifetime should correspond with the sensitivity of the data it is protecting; i.e. the more sensitive the data, the shorter the lifetime;
- The more a key is used, the shorter its lifetime should be.
This document does not specify commercial or open source products that implement the standard. To obtain an encryption product, please contact UIS.
Encryption of Data At Rest
All protected or sensitive Pacific University data must be encrypted at rest. Exceptions to this must be approved, documented, and continually reviewed by UIS.
Encryption of Data Being Processed (In Use)
All protected or sensitive Pacific University data must be encrypted in transit. Exceptions to this must be approved, documented, and continually reviewed by UIS.
Encryption of Wireless Connectivity within the Pacific University Network
Any device which is connected to the Pacific University internal production network by way of a wireless connection will do so using WPA2 PSK or WPA2 Enterprise, both of which utilize AES encryption. Where PSK is used rather than Enterprise, the pre-shared key shall be changed periodically, and its distribution shall be tightly controlled.
Exception Process
Requests for exceptions from any of the requirements of this policy will be submitted to compliance@pacificu.edu for tracking and must be approved by the Information Security Officer and/or Privacy Officer prior to implementation.