A CISO working in the healthcare industry is responsible for protecting private data. Greg Machler explains why this points to the need for a root key for the national healthcare database What are CISOs working in healthcare concerned about when it comes to protecting medical data in the future? There are a variety of concerns associated with who should and shouldnt be able to access your individual medical record. This is both a policy issue and a technology issue for the CISO.[iPad security: How a hospital treated trouble]If the United States moves to a national healthcare database, medical information will need to be accessed by hospitals, medical clinics, mental health clinics, pharmacies, medical researchers, government health care organizations and other medical institutions. The real question is: Who will decide what information should be accessed? Once the policy decision is made, how will the CISO enforce it?There are some technological complications related to protecting the data. If the government opts to let the user manage who has access to data, how is that process enabled via technology? Would there be a national health care portal that allows an individual to define who can access certain portions of their data or would the national, state, and/or health care institution negotiate that access?[Digitized medical records are easy prey]Data protection of the medical information requires use of encryption and a key or keys. All encryption that is used to protect data requires a root key. In the financial-services industry, many banks have their own root key so there is no national financial services root key. But a national database of individual medical data would require a root at the national level and potentially even globally. The root has the ability to access all information, thus giving the institution that owns the root great power. A national database of medical data requires policy decisions and then technology the enable that policy. It will be difficult to determine who has access to different portions of health care data. Once the health care data access policies are complete, access rules will be created to enforce who has access to the data and encryption will be used to protect the data. But, because encryption with certificates requires a root key, the institution owning the key will have great power.Gregory Machler is an information security architect and cloud security expert and a frequent contributor to CSOonline. Related content news Chinese state actors behind espionage attacks on Southeast Asian government The distinct groups of activities formed three different clusters, each attributed to a specific APT group. By Shweta Sharma Sep 25, 2023 4 mins Advanced Persistent Threats Advanced Persistent Threats Cyberattacks feature How to pick the best endpoint detection and response solution EDR software has emerged as one of the preeminent tools in the CISO’s arsenal. Here’s what to look for and what to avoid when choosing EDR software. By Linda Rosencrance Sep 25, 2023 10 mins Intrusion Detection Software Security Monitoring Software Data and Information Security feature Top cybersecurity M&A deals for 2023 Fears of recession, rising interest rates, mass tech layoffs, and conservative spending trends are likely to make dealmakers cautious, but an ever-increasing need to defend against bigger and faster attacks will likely keep M&A activity steady in By CSO Staff Sep 22, 2023 24 mins Mergers and Acquisitions Data and Information Security IT Leadership brandpost Unmasking ransomware threat clusters: Why it matters to defenders Similar patterns of behavior among ransomware treat groups can help security teams better understand and prepare for attacks By Joan Goodchild Sep 21, 2023 3 mins Cybercrime Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe