Data Encryption in Drupal for Meeting Compliance Requirements

What Information Do I Need to Encrypt in Drupal? Organizations collecting information from their website should have this question at the top of their minds. It is a simple question, but it can be hard to answer. For Drupal developers, encrypting data to industry standards can be a particular challenge. This article explores PCI DSS, GDPR, HIPAA, FERPA, FISMA, and FFIEC. Read on to learn:

  • What data needs to be encrypted
  • Which compliance regulations require encryption (PCI DSS, GDPR, HIPAA, FERPA, FISMA, etc.)
  • How to encrypt data and manage encryption keys in Drupal

Content Summary

What Information Do I Need to Protect with Strong Encryption?
Federal/State Laws and Personally Identifiable Information (PII)
Educational Information Covered by FERPA
Federal Agencies and FISMA
Medical Information for Covered Entities and HIPAA / HITECH
Payment Card Data Security Standard (PCI DSS)
Financial Data for FFIEC Compliance
Encrypting Data in Drupal

What Information Do I Need to Protect with Strong Encryption?

Organizations starting an encryption project always have this question on their minds. It is a simple question, but can be hard to answer. Generally speaking, you should encrypt any information that alone, or when combined with other information, can identify a unique, individual person. This is called Personally Identifying Information, or PII. This should be your starting point, but you may need to address other information depending on the compliance regulations you must meet.

Federal/State Laws and Personally Identifiable Information (PII)

Federal and State laws vary in terms of what they consider Personally Identifiable Information (PII), but there is a lot of commonality between them. PII is any information which, either alone or when combined with other information, can identify an individual person. Start with this list of data items:

  • Social security number
  • Credit card number
  • Bank account number
  • First name
  • Last name
  • Address
  • Zip code
  • Email address
  • Birth date
  • Password or passphrase
  • Military ID
  • Passport
  • Driver's license number
  • Vehicle license number
  • Phone and Fax numbers

Educational Information Covered by FERPA

Educational institutions who fall under the FERPA regulations must protect Personally Identifiable Information (see above) as well as the following information:

  • Student name
  • Student ID number
  • Family member names
  • Place of birth
  • Mother’s maiden name
  • Student educational records
  • Immunization records
  • Health records
  • Individuals with Disabilities (IDEA) records
  • Attendance

Federal Agencies and FISMA

Federal agencies must evaluate their systems for the presence of sensitive data and provide mechanisms to ensure the confidentiality, integrity and availability of the information. Sensitive information is broadly defined, and includes Personally Identifiable Information (see above), as well as other information classified as sensitive by the Federal agency. Sensitive information might be defined in the following categories:

  • Medical
  • Financial
  • Proprietary
  • Contractor sensitive
  • Security management
  • And other information identified by executive order, specific law, directive, policy or regulation

Medical Information for Covered Entities and HIPAA / HITECH

The HIPAA / HITECH Act defines Protected Health Information (PHI) to include Personally Identifiable Information (see above) as well as the following:

  • Patient diagnostic information (past, present, future physical or mental health)
  • Patient treatment information
  • Patient payment information
  • Medical record numbers
  • Name
  • Street address
  • City
  • Zip code
  • County
  • Health plan beneficiary numbers
  • Fingerprints and other biometric identifiers
  • Full facial photographs and images
  • Device identifiers and serial numbers
  • IP address numbers and web URLs
  • Any other individual identifiable information

Payment Card Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) requires that merchants protect sensitive cardholder information from loss and use good security practices to detect and protect against security breaches.

If you accept or process credit cards or other payment cards, you must encrypt the following data:

  • Primary Account Number (PAN)

You must also NOT store the following, even in encrypted form:

  • Track 1 and Track 2 data
  • Security codes (CVV, CVV2, etc.)

Financial Data for FFIEC Compliance

Banks, credit unions, and other financial institutions must protect Non-public Personal Information (NPI), which includes the Personally Identifiable Information listed above. In addition, you should protect:

  • Income
  • Credit score
  • Collection history
  • Family member PII and NPI

Encrypting Data in Drupal

Townsend Security is helping the Drupal community encrypt sensitive data and properly manage encryption keys. Developers who need to protect sensitive data know that storing their encryption keys within the content management system (CMS) puts their data at risk in a breach. With Key Connection for Drupal and Alliance Key Manager, administrators are now able to keep their encryption keys secure by storing them remotely and only retrieving them when encryption or decryption happens.

The Key Connection for Drupal module is a plugin for the Encrypt project that allows you to easily encrypt sensitive data with NIST-validated AES encryption and securely retrieve and manage encryption keys from Townsend Security’s FIPS 140-2 compliant Alliance Key Manager. With an easy-to-use interface and certifications to meet compliance requirements, you can rest assured knowing your data is secure.
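The key-custody pattern described above, as an added PHP illustration that is not Townsend Security's or the Drupal Encrypt module's own code: the CMS database stores only a key identifier, nonce, tag and ciphertext, and the AES key is fetched through a key-provider interface at the moment of encryption or decryption. The `RemoteKeyManagerStub` class is a hypothetical stand-in for a remote key manager, and the key id and sample SSN are constructed values.

```php
<?php
// Added example. The key never lives in the CMS database; only a key id does.

interface KeyProvider {
    /** Return the raw 32-byte AES-256 key for $keyId, fetched at use time. */
    public function fetchKey(string $keyId): string;
}

// Hypothetical stand-in for a remote key manager. A real client would talk to
// the key server over mutually authenticated TLS instead of holding an array.
final class RemoteKeyManagerStub implements KeyProvider {
    private array $keys;
    public function __construct(array $keys) { $this->keys = $keys; }
    public function fetchKey(string $keyId): string {
        if (!isset($this->keys[$keyId])) {
            throw new RuntimeException("unknown key id: $keyId");
        }
        return $this->keys[$keyId];
    }
}

function encryptField(KeyProvider $km, string $keyId, string $plaintext): string {
    $key = $km->fetchKey($keyId);   // key is in memory only for this call
    $iv  = random_bytes(12);        // 96-bit nonce, unique per stored value
    $tag = '';
    // AES-256-GCM; the key id is bound as associated data so a ciphertext
    // cannot be silently re-pointed at a different key during rotation.
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $keyId);
    if ($ct === false) { throw new RuntimeException('encryption failed'); }
    // Stored form: keyId:base64(nonce || tag || ciphertext)
    return $keyId . ':' . base64_encode($iv . $tag . $ct);
}

function decryptField(KeyProvider $km, string $stored): string {
    [$keyId, $blob] = explode(':', $stored, 2);
    $raw = base64_decode($blob, true);
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $key = $km->fetchKey($keyId);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $keyId);
    if ($pt === false) { throw new RuntimeException('decryption failed or data tampered'); }
    return $pt;
}

// Constructed demo: the key exists only inside the (stub) key manager.
$km     = new RemoteKeyManagerStub(['drupal-pii-v1' => random_bytes(32)]);
$stored = encryptField($km, 'drupal-pii-v1', '123-45-6789');  // constructed SSN
assert(decryptField($km, $stored) === '123-45-6789');
```

Rotating keys then means adding a new key id at the key manager and re-encrypting records under it; a record whose stored key id no longer exists fails closed rather than decrypting under the wrong key.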

Source: Townsend Security