
CipherTrust: Simplifying the Protection of Sensitive Data

Highly distributed workforces, evolving regulations and technologies, endless data growth and the explosive use of multi-cloud services put sensitive information at risk and make data security even more challenging. This is where the CipherTrust solution makes a difference.

According to the Thales 2020 Data Threat Report – Global Edition, organizations use 29 different cloud services on average.

Lack of visibility and operational complexity have led to organizations not knowing where all their sensitive data is stored.

This concern about complexity, identified as the number one barrier to security by nearly 40% of respondents to the same report, is what the CipherTrust Data Security Platform sets out to address.

Complexity is one of the main barriers to data security

This is partly because data security tooling remains specialized and siloed, forcing companies to manage multiple vendors and point products.

Covid-19 has also changed the way we use, store and access data, and attackers look for vulnerabilities that expose this sensitive data in remote databases and big data stores.

The CipherTrust Data Security Platform solution is a single platform dedicated to simplifying the data security compliance process that combines Thales’ Vormetric and SafeNet KeySecure technologies.

It is designed to unify data discovery, classification and risk analysis functions with encryption, access, data masking and key management to provide seamless and comprehensive breach protection.

The CipherTrust Data Security Platform offers a full range of data-centric security capabilities, including discovery and classification, transparent encryption, application-layer data protection, masking and tokenization, access controls, enterprise key management and unified cloud key management, all from a single management interface.

Its unified, ubiquitous approach across all available IT environments enables multiple business-focused use cases beyond compliance, including reducing data security complexity, accelerating cloud migrations and reducing data exposure risks significantly across entire enterprises.

CipherTrust Data Security Platform: discover, protect and control sensitive data anywhere

According to IDC, more than 175 zettabytes of data will be created by 2025, and today more than half of all corporate data is stored in the cloud.

To handle the complexity of where data is stored, CipherTrust Data Security Platform provides strong capabilities to protect and control access to sensitive data in databases, files, and containers. Specific technologies include:

CipherTrust Transparent Encryption

Encrypts data at rest in on-premises, cloud, database, file and big data environments, adding fine-grained access controls and detailed data-access audit logging, so that unauthorized access to protected files can be blocked and unusual access patterns detected.

CipherTrust Database Protection

It provides transparent column-level encryption of structured sensitive data held in databases, such as credit card numbers, social security and national identification numbers, passwords and e-mail addresses.

CipherTrust Application Data Protection

It offers APIs for developers to quickly add encryption and other cryptographic functions to their applications, while SecOps controls the encryption keys.

CipherTrust Tokenization

It offers application-level tokenization in two deployment options, giving customers flexibility: vaultless tokenization, combined with dynamic policy-based data masking, and vaulted tokenization.

CipherTrust Batch Data Transformation

Provides static data masking, removing sensitive information from a copy of a production database so that compliance and security concerns are reduced when the copy is shared with a third party for analysis, testing or other processing.
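As an added illustration (not Thales code, and not the CipherTrust API), the Python script below shows the three operations described under CipherTrust Tokenization and CipherTrust Batch Data Transformation on a constructed, non-real card number: vaulted tokenization, dynamic policy-based masking when a token is resolved, and a one-way static mask for a database copy handed to a third party. The vault class, the role names, the reveal policy and the key are assumptions made for the example.

```python
"""Added illustration of tokenization and masking concepts (not CipherTrust code).

Three operations on a constructed, non-real card number:
  * vaulted tokenization: a random, format-preserving token stands in for the
    value, and only the vault can map it back;
  * dynamic masking on detokenization: what the caller gets back depends on a
    policy keyed by its role, so most consumers never see the cleartext;
  * static masking: a keyed, one-way transformation for a database copy shared
    with a third party, where no vault exists and nothing is meant to be reversed.
"""
import hashlib
import hmac
import secrets

# Constructed sample input: the well-known test PAN, not a real card.
SAMPLE_PAN = "4111111111111111"

# Hypothetical masking policy: role -> what detokenize() may reveal.
# Unknown roles fall through to "masked" (deny by default).
REVEAL_POLICY = {"payments": "full", "support": "last4", "analytics": "masked"}


def apply_policy(value: str, role: str) -> str:
    """Return the cleartext, the last four digits, or a fully masked value."""
    mode = REVEAL_POLICY.get(role, "masked")
    if mode == "full":
        return value
    if mode == "last4":
        return "*" * (len(value) - 4) + value[-4:]
    return "*" * len(value)


class TokenVault:
    """In-memory vault mapping tokens to values (a stand-in for a hardened store)."""

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        """Return a stable token for value: same input, same token."""
        if not value.isdigit() or len(value) < 5:
            raise ValueError("expected a numeric string of at least 5 digits")
        if value in self._value_to_token:
            return self._value_to_token[value]
        # Format-preserving: same length, digits only, last four kept so the token
        # stays usable for customer lookups; the rest is random, not derived from value.
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(value) - 4))
            token = body + value[-4:]
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Map a token back, then apply the caller's masking policy."""
        if token not in self._token_to_value:
            raise KeyError("unknown token")
        return apply_policy(self._token_to_value[token], role)


def static_mask(value: str, key: bytes) -> str:
    """One-way, format-preserving pseudonym for a shared database copy.

    HMAC keeps the mapping consistent across rows (joins still work) while the
    original value is not stored anywhere. Because the 12-digit prefix space is
    small enough to brute-force by anyone holding the key, the key must be kept
    from the recipient or destroyed once the copy has been produced.
    """
    if not value.isdigit() or len(value) < 5:
        raise ValueError("expected a numeric string of at least 5 digits")
    n = len(value) - 4
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    body = str(int.from_bytes(digest, "big") % (10 ** n)).zfill(n)
    return body + value[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_PAN)
    print("token          :", token)
    print("payments sees  :", vault.detokenize(token, "payments"))
    print("support sees   :", vault.detokenize(token, "support"))
    print("analytics sees :", vault.detokenize(token, "analytics"))
    print("static mask    :", static_mask(SAMPLE_PAN, b"constructed-demo-key"))
```

The point of the two paths is that the vault is the only thing that can reverse a token, so the protection of the vault (and of the keys that encrypt it) becomes the whole security boundary, whereas the static mask has no vault and is meant for data that never needs to come back.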

CipherTrust Manager

It centralizes keys, key management policies and data-access policies for all CipherTrust Data Security Platform products, and is available as physical and virtual appliances with FIPS 140-2 validation up to Level 3.

CipherTrust Cloud Key Manager

It provides Bring Your Own Key (BYOK) lifecycle management for many infrastructure-, platform- and software-as-a-service providers, so that the keys used in the cloud are generated and controlled on the customer's side.

CipherTrust KMIP Server

It centralizes key management for the Key Management Interoperability Protocol (KMIP) commonly used in storage solutions.

CipherTrust TDE Key Manager

Centralizes key management for Transparent Data Encryption (TDE) in Oracle Database and Microsoft SQL Server, and for SQL Server Always Encrypted.

The portfolio of data protection products that make up the CipherTrust Data Security Platform enables organizations to protect sensitive data wherever it is stored across the IT ecosystem, and ensures that the keys to that information are always secure and remain under their control.

It simplifies data security, improves operational efficiency and accelerates time to compliance, regardless of where your data resides.

The CipherTrust platform ensures that your data is secure, with a wide range of proven, industry-leading products and solutions for deployment in data centers, either those managed by cloud service providers (CSPs) or managed service providers (MSPs), or as a cloud-based service managed by Thales, a leading security company.

CipherTrust has a portfolio of tools that ensure data protection

With data protection products from the CipherTrust Data Security Platform, your company can:

Strengthen security and compliance

CipherTrust data protection products and solutions address the demands of a range of security and privacy requirements, including electronic identification, authentication and trust services, the Payment Card Industry Data Security Standard (PCI DSS), the EU General Data Protection Regulation (GDPR) and Brazil's General Data Protection Law (LGPD), among other compliance requirements.

Optimize team and resource efficiency

CipherTrust Data Security Platform offers the broadest support for data security use cases in the industry, with products designed to work together, a single line for global support, a proven track record of protecting against evolving threats, and the industry’s largest ecosystem of data security partnerships.

With a focus on ease of use, APIs for automation and responsive management the CipherTrust Data Security Platform solution ensures your teams can quickly implement, secure and monitor the protection of your business.

In addition, professional services and partners are available for design, implementation and training assistance to ensure fast and reliable implementations with minimal staff time.

Reduce total cost of ownership

The CipherTrust Data Security Platform data protection portfolio offers a broad set of data security products and solutions that can easily scale, expand to new use cases, and have a proven track record of protecting new and traditional technologies.

With CipherTrust Data Security Platform, you can future-proof your investments while reducing operating costs and capital expenditures.

Data protection always on the move

The work-anywhere, with-anyone culture is on the rise, and no matter where or how people in an organization work, they need to share and synchronize files, both internally and externally.

While enabling collaboration is important, data security should always be the priority. Otherwise, the risk of non-compliance and data breaches becomes a serious and real issue for businesses.

About Eval

Eval has been developing projects in the financial, health, education, and industry segments for over 18 years. Since 2004, we have offered solutions for Authentication, Electronic and Digital Signature, and Data Protection. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With market recognized value, Eval’s solutions and services meet the highest regulatory standards for public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.


Does LGPD compliance apply in healthcare institutions?

Since the General Data Protection Law (LGPD) came into force, protecting personal data has become more challenging for the health sector, which means information must be managed with a more holistic approach.

Healthcare organizations should have procedures in place that can be triggered immediately to address LGPD compliance, starting with being more careful with personal data: knowing where it is stored and how it is processed.

This applies to the public and private sector: hospitals and clinics, dental care, pharmacies, nursing homes, diagnostic laboratories, stores selling pharmaceuticals and all other companies or organizations that process health-related data.

To avoid breaches, healthcare organizations should implement the LGPD's compliance requirements, including contract management as well as policies, procedures, documentation and records covering patients, healthcare professionals and business partners.

Records of processing activities, together with retention and deletion periods, must also be adequate under data protection law.

LGPD compliance: Processing health data in the digital age

Many systems used in the health sector are now fully digital. With the help of cloud-based technology, systems containing patient data are often ‘shared’ between hospitals, pharmacies and other institutions in order to better serve patients.

But how should this sensitive data be processed and shared while still meeting LGPD compliance?

Since health data consists of confidential patient information, organizations must ensure that the principles of data protection and privacy law are complied with before processing or sharing it.

Under the LGPD, your organization will need to demonstrate that its processing has met specific requirements, which include implementing appropriate safeguards to ensure the protection of this information.

Given the sensitivity of health-related personal information, it should only be processed by authorized health professionals who are bound by the obligation of medical and data confidentiality.

Individuals should be properly screened and reminded of their confidentiality obligations.

In addition, it is especially vital that healthcare institutions carry out data protection impact assessments and put in place specific security measures, such as authentication procedures, use of digital certificates and signatures, and access controls to a patient’s personal data.

In practice, under the LGPD, patients and the other data subjects whose data the hospital and its doctors process have the following rights:

  • Confirmation that processing of their data exists; processing means any operation carried out on personal data, such as collection, production, reception, use, reproduction, transmission, distribution, archiving, modification, communication, transfer and dissemination, among others;
  • Access to their stored data and correction of incomplete, inaccurate or outdated data;
  • Anonymization (anonymized data is data that can no longer be linked to an identifiable person);
  • Portability of their data to another provider;
  • Deletion of data once processing has ended;
  • Information about the entities with which their data has been shared;
  • Information about the possibility of not providing consent and the consequences of refusing it;
  • Revocation of consent.

If access control is not adequate, it can easily lead to a data breach and according to data protection law to fines and sanctions that can jeopardize the reputation and financial health of any healthcare institution, regardless of its size.

What are the fines and penalties in the LGPD that can be applied to health institutions?

The LGPD provides for six administrative sanctions. They are:

  1. Warning, with a deadline for corrective measures. Failure to correct by the deadline leads to a further sanction;
  2. Simple fine of up to 2% of the legal entity's revenue in Brazil in its last financial year, excluding taxes, limited to R$50 million per infraction;
  3. Daily fine, subject to the same overall limit of R$50 million;
  4. Publicizing the infraction, once it has been investigated and confirmed, with potentially enormous damage to the company's image;
  5. Blocking of the personal data to which the infraction relates until the situation is regularized;
  6. Deletion of the personal data to which the infraction relates, which can directly disrupt the company's operations.

The cap on a single LGPD fine is therefore R$50 million per infraction. But some of the other sanctions can be even worse, depending on the organization: having to publicly acknowledge the leak of thousands of patients' personal data can bring down even solid companies by destroying the credibility of a hospital.

What steps healthcare institutions can take to ensure compliance and reduce the risk of a breach of personal patient information

After going through the most important aspects of the General Data Protection Law in relation to healthcare institutions, let’s briefly go through three tangible steps that medical organizations should take to protect the personal data processed by them.

1. Ensure awareness
  • Among patients

A crucial first step in meeting the requirements under data protection law is that all data subjects, such as patients, must be informed of the details of third parties with whom their information will be shared in order to comply with the transparency requirements set out by the LGPD.

In addition, the data sharing agreement should clearly define the purpose, the legal bases and the information to be shared, together with the necessary details on how data subjects' rights will be handled and the security standards both parties agree to.

All this information should be communicated in a clear and easy to understand way.

  • Between Staff

Regular staff training on data protection is advised in order to reduce the risks of human error and therefore internal data breaches.

At the same time, staff must in practice be bound by medical confidentiality, since mistakes and accidents can happen. Making all employees aware of the importance of data protection, of the safeguards that need to be implemented and of the typical problems to avoid can therefore have a significant positive impact on an institution's compliance efforts.

In addition, all employees should also be aware of how to recognize a data breach, what steps will be taken in the event of a security incident and which stakeholders should be involved in the process.

2. Process and share only the personal data necessary for the purpose of your work

Necessary health data should be processed to the minimum extent required and shared only when necessary.

Unauthorized disclosure can have a serious impact on a patient’s life, so it should be ensured that data sharing is done on the basis of any of the lawful bases of processing, with appropriate agreements in place to hold a relevant party accountable.

Such data should not be shared unless one of the lawful conditions applies, for example:

  • The data subject has given explicit consent;
  • The patient has made the data public;
  • It is a life-or-death situation in which the patient cannot give consent and sharing is in the patient's vital interest;
  • It is needed for preventive or occupational medicine;
  • It is needed to assess an employee's working capacity;
  • It is needed for medical diagnosis;
  • It is needed for the provision of health or social care or treatment, or for the management of health or social care systems and services.

Please note that in the case of sharing, health institutions should have safeguards in place to ensure that data is secure.

3. Set strict access controls

Given the shared nature of cloud-based systems often used in the healthcare sector, it is critical to ensure that only those needed have access to patient data.

Measures such as two-factor authentication and single sign-on, together with digital signatures and certificates, add further protection when patient files are accessed.

LGPD compliance: a worthwhile investment
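As an added example, not part of the original article and not any product's code, the Python script below shows what "only those needed" can mean in code: a need-to-know check that requires a second factor, an active care relationship with the patient and a role that is allowed to see the requested fields, with a flagged break-glass path for emergencies and an audit entry for every decision, allowed or denied. The staff, roles, patient identifiers and assignments are constructed for the illustration.

```python
"""Added illustration of a need-to-know access check for patient records.

Not code from the original article or from any product. Every decision is written
to an audit trail so that unauthorized access attempts are visible, and access
outside an active care relationship is only possible through an explicitly
flagged break-glass path that a privacy officer is expected to review.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data: hypothetical staff, roles and care assignments.
ROLES = {
    "dr-ana": "physician",
    "nurse-bia": "nurse",
    "dr-carlos": "physician",
    "it-dan": "it_admin",
}

# Which staff currently have a care relationship with which patient.
ASSIGNMENTS = {
    "P-1001": {"dr-ana", "nurse-bia"},
    "P-1002": {"dr-carlos"},
}

# Least privilege: the record fields each role may read. Roles absent here
# (for example it_admin) get no clinical data at all.
ROLE_FIELDS = {
    "physician": {"demographics", "diagnosis", "medications"},
    "nurse": {"demographics", "medications"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    patient_id: str
    fields: frozenset
    purpose: str            # "treatment" or "emergency" in this example
    mfa_verified: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    break_glass: bool = False


AUDIT_LOG: list[dict] = []


def _evaluate(req: AccessRequest) -> Decision:
    role = ROLES.get(req.user)
    if role is None:
        return Decision(False, "unknown user")
    if not req.mfa_verified:
        return Decision(False, "second factor required for patient data")
    permitted = ROLE_FIELDS.get(role, set())
    if not permitted:
        return Decision(False, f"role {role} has no access to clinical data")
    outside_role = req.fields - permitted
    if outside_role:
        return Decision(False, f"fields outside role: {sorted(outside_role)}")
    if req.user in ASSIGNMENTS.get(req.patient_id, set()):
        return Decision(True, "active care relationship")
    if req.purpose == "emergency":
        # Break-glass: a clinician may open a record they are not assigned to,
        # but the event is flagged for mandatory after-the-fact review.
        return Decision(True, "break-glass access, review required", break_glass=True)
    return Decision(False, "no active care relationship with this patient")


def authorize(req: AccessRequest) -> Decision:
    """Evaluate the request and record the outcome in the audit trail."""
    decision = _evaluate(req)
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": req.user,
        "patient_id": req.patient_id,
        "fields": sorted(req.fields),
        "purpose": req.purpose,
        "allowed": decision.allowed,
        "break_glass": decision.break_glass,
        "reason": decision.reason,
    })
    return decision


def flagged_events() -> list:
    """Entries a privacy officer should review: denials and break-glass use."""
    return [e for e in AUDIT_LOG if not e["allowed"] or e["break_glass"]]


if __name__ == "__main__":
    requests = [
        AccessRequest("dr-ana", "P-1001", frozenset({"diagnosis"}), "treatment", True),
        AccessRequest("nurse-bia", "P-1001", frozenset({"diagnosis"}), "treatment", True),
        AccessRequest("dr-carlos", "P-1001", frozenset({"medications"}), "treatment", True),
        AccessRequest("dr-carlos", "P-1001", frozenset({"medications"}), "emergency", True),
        AccessRequest("it-dan", "P-1002", frozenset({"demographics"}), "treatment", True),
        AccessRequest("dr-ana", "P-1001", frozenset({"diagnosis"}), "treatment", False),
    ]
    for r in requests:
        d = authorize(r)
        verdict = "ALLOW" if d.allowed else "DENY "
        print(f"{r.user:10} {r.patient_id} {r.purpose:10} -> {verdict} ({d.reason})")
    print(f"{len(flagged_events())} of {len(AUDIT_LOG)} events flagged for review")
```

The check is deny-by-default: a request fails if the user is unknown, has not completed a second factor, holds a role with no clinical entitlement, asks for fields beyond that role, or has no care relationship with the patient, and only an explicit emergency purpose overrides the last condition while leaving a reviewable trace.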

With the digital transformation of the healthcare segment, the way information is processed and accessed also needs to be adjusted. This brought several new aspects regarding data protection, requiring healthcare institutions to make data privacy their top priority.

While LGPD compliance requires healthcare institutions to invest time and resources, at the end of the day it is in the interest of patients and of the institution itself.

Complying with the obligation will not only decrease the possibility of a potential data breach, protecting your organization from a hefty fine and reputational damage, but also plays a significant role in gaining patient trust and improving the overall efficiency of how patients are treated.
