Introduction to Data Encryption
Data encryption is the process of converting data from a plain-text, or readable, form into a form that can be understood by the sender and the intended recipient, and no one else. Encrypted data usually looks like a long sequence of random letters and numbers. The intended recipient of the data has the key, or unique way to change the data from its encrypted form back into plain text.
Encryption is a critical component of data security. It ensures that if the data is accessed by an unauthorized person, he or she will not be able to read it and thus cannot misuse it.
What Should Be Encrypted?
All digital communications and storage media that contain confidential data, and that leave the security boundary of the NPCR program network, should be encrypted. This includes—
- Transmitted data files or communication (Web, FTP, e-mail).
- Portable storage devices (laptop and palmtop computers, external drives, CD-ROMs, tape backups).
- Databases on servers.
- Backups of confidential data.
The procedures and requirements for encryption vary—
- Transmitted data files. Web-based tools usually have this functionality built-in though Secure Socket Layer (https://) and secure certificates (VeriSign™).
- Portable storage devices and backups of confidential data. Encryption software that is on the National Institute of Standards and Technology’s (NIST) approved vendor list must be installed on every device on which confidential data is stored.
- Databases on servers. Databases should meet Federal Information Processing Standard 140 (FIPS).
Cost of Encryption
The cost of encrypting cancer registry data is an issue for some NPCR programs. If the cost is not covered as part of your institution’s technical support, check with your state public health department or other organization to see if the cost can be spread across multiple programs. Cost sharing is often done in health departments, universities, and hospitals.
The National Cancer Institute (NCI) and CDC’s NPCR are assessing the potential costs of various encryption solutions for programs. These agencies need input from NPCR programs regarding potential local solutions, costs, and problems to develop best practices and help control costs.
CDC’s NPCR will communicate with management about the encryption burden and costs for NPCR programs, and will keep costs to NPCR programs in mind when considering solutions.
The U.S. General Services Administration (GSA) provides acquisition support for civilian agencies, including state and local governments, to protect sensitive, unclassified data residing on government laptops, other mobile computing devices, and removable storage media devices. This support is provided through a blanket purchase agreement.
Encryption’s Impact on Performance
Encryption must be planned carefully to make sure it does not slow your system’s performance. Encryption can be done at three levels, ranked from best to worst performance: hardware such as chips or hard drives, operating systems such as Microsoft® Windows® or Linux, and encryption applications from NIST-certified vendors.
Vendor benchmarks for all three levels of encryption indicate that systems will experience only a fraction of a percent loss in performance, and the end user should not notice the difference. More benchmarks may be needed to verify these claims. Staff who provide technical support to other programs in your institution may have this information; if not, CDC’s NPCR can work with NPCR programs to compile a list of benchmarks.
For more technical information about encryption, read Details about Data Encryption.