Personal Health Records (PHR) security is the new ladder that many security technologies are trying to climb. One of the reasons that healthcare providers are working towards this is that they are willing to secure their and patients’ data. The other reason is that is a requirement imposed by the legislations such as HIPAA, HITECH, etc. which are to be obliged to, to avoid penalties. Tokenization and encryption are two of the technologies used to safeguard information. Both of these are critical to an organization to avoid breaches. Even then the dilemma of encryption versus tokenization does exist.
In simple words, encryption is masking of critical information. At one end, the data is encrypted, like a code, and then sent over to the other end. Only the user at this end has the key to decrypt the already encrypted data, and no other party can decode it. This key can be given to more than one end user to facilitate broadcast of information to authorized group of people. This process helps in avoiding interference of any third party and reduces the risk of data theft or unwanted data modification.
In tokenization, the data is protected using tokens. Small chunks of data are assigned particular tokens, which point to the location where this data is stored. Giving the tokens to selective users allow them to access data with ease and security. Once intercepted, these tokens are rendered useless and cannot help in accessing the real information. The benefit of tokens over encryption keys is that the tokens are easy to handle, they are one time generated codes and hence, do not compromise real data.
Forms of Encryption
The mathematically encoded data using encryption is called ‘Cipher’ and the key used to decode the cipher is called as ‘secret key’ There are two types of encryption keys: symmetrical and asymmetrical. In symmetrical process, same key is used to lock and unlock the data, while in asymmetrical these two keys are different. This helps to reduce the radius of data vulnerability. Additionally, key rotation can be used. Regular key rotation limits the amount of data that can be encrypted using a single key. Therefore, in case of interception, only a small amount of data is vulnerable.
Vault-based and Vault-less Tokenization
In the process of tokenization, all the tokens are stored in a token vault alongside data and in the same size at data, eliminating to need to modify the storage space. Referencing the token vault is the only way to access data. The vault-based tokenization needs expensive synchronization methodologies as well as it is too complex to store large amount of data. Recently, vault-less tokenization was developed to tackle the challenges in vault-based one. In this, the sensitive data is replaced with a fake data that looks exactly alike. It provides high security while maintaining the usability of data.
The Dilemma
Although both, encryption and tokenization are forms of cryptography, they are very different and not interchangeable. Each of them has its own set of benefits as well as disadvantages. There remains a conflict between which of them is best, the solution to which depends on the organization’s requirements.
Edward Snowden, an American computer professional, said, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on”. Encryption, today, is commonly used by millions of people to encrypt the data on their phones and computers to remain secure in case of accidental loss of sensitive data. Also, it is used by government and corporates to thwart sensitive data, surveillance, and so on, as it is possible to encrypt and decrypt large amount of data with just one key. Although it brings in many effective solutions, it also has few drawbacks. Encryption breaks application functionality; there is always a trade-off between the strength of encryption and application functionality. Moreover, if the key is compromised, the thief or hacker can unlock all the data the key was used to protect.
In tokenization, these intricacies are eliminated. As the token is a random code and not actually data in the encrypted form, when and if compromised, no data is breached. Also, as tokens only map the actual data, the problem of application functionality is solved. But, with tokenization, the user’s database increases in size as it has to store the tokens separately. This makes it harder to scale and maintain the database. Exchange of data is also difficult as the exact token is needed to unlock it.
The Ever-Growing Need
With the digital revolution, the landscape of business world has turned upside down. It has created entirely new industries and enterprises. But, it has made the organizations vulnerable to various destructive and new threats. Some of the industries, including healthcare, rely on large amount of data that is sensitive in nature. As the volume of this data grows, so does the risk of cyber-attacks. Cyber criminals trade in personal and sensitive information; it is literally the currency for them. The stolen or hacked data is further sold to various buyers who sell it further for even more money. To safeguard against these threats, businesses and individuals should take immediate steps in this direction and comply to several regulations like HIPAA, GDPR, etc.
Use Cases of the Two
Tokenization is commonly used to protect payment card data. It is also used to safeguard other types of data, sensitive in nature, like telephone numbers, account numbers, email addresses, security numbers, and the data needed in back-end systems. Encryption, on the other hand, is better suited for unstructured data including long text paragraphs or complete documents. It is also ideal for exchange of data with the third party, helping to validate its identity online. Both these technologies are being widely used now-a-days to protect the data stored in applications or cloud services.
The question that remains is- which one of them is better? But the ideal solution depends upon the circumstance under which it is used. Although tokenization is often seen to more efficient, as there is no link between the original data and the tokens, encryption can be considered the best choice in case of unstructured data. Organizations can leverage the benefits of either encryption or tokenization, or even both, according to the difficulty at hand.
