Symmetric Encryption and Asymmetric Encryption

Institute of Research: Different Types of Encryption Keeping data secure is of particular concern for healthcare organizations committed to patient research. Patients are often concerned about being forthcoming about their information because they fear it may be used against them when making occupationally-related decisions or setting health insurance premiums. Organizations must not simply be vigilant in ensuring that such information is protected; they must avoid the appearance of being careless.

The creators of the ABC security system must be diligent in ensuring that there are a series of impenetrable controls to ensure that only authorized personnel have access to sensitive information. The most commonly-used method to protect electronic data is that of encryption. "Encryption uses mathematical formulas to scramble data, converting sensitive details coveted by intruders into gibberish" (Behrens 2015).

Two techniques are available to protect data for the ABC Institute and its collaborator XYZ, that of "symmetric encryption (also called secret key encryption) and asymmetric encryption (also called public key encryption)" (Czagan 2013). This paper will provide a review of the strengths and weaknesses of both methods and suggest that while both have their issues, using a two-step process of symmetric and asymmetric encryption is likely to be preferable in this particular situation.

Symmetric encryption uses a "secret key, which can be a number, a word, or just a string of random letters" which is then "applied to the text of a message to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key" ("Description," 2015).

Symmetric encryption is the oldest form of the technique and has the advantage of being relatively fast and simple. The obvious advantage for ABC is that when dealing with large amounts of information, this method would be preferred in the interest of expediency. Changing the key is often used on a session-by-session basis to ensure that a hacker cannot figure out the code (Czagan 2013). However, the disadvantage of symmetric encryption is that it is not always secure. "Anyone who knows the secret key can decrypt the message" ("Description," 2015).

Storage is critical: those that need the information must have access to the key but the key must be protected from those that do not require it. "If you have to store the key on a disk or a device (e.g. In an app), or if you transmit it unprotected over a network, then once an attacker gains access to that key, your encryption is useless" (Behrens 2015).

Since symmetric encryption is a one-step process, if the first and only layer of security is penetrated, information can be easily accessible to a hacker. Symmetric encryption is only really safe if there is a foolproof method to exchange the key in a manner that cannot be accessed by an outside party. With asymmetric encryption, there is a two-step process to ensure additional levels of security. With asymmetric encryption, there are two keys: "A public key is made freely available to anyone who might want to send you a message.

A second, private key is kept secret, so that only you know it" ("Description," 2015). The method is slower and takes more processing power but "any message (text, binary files, or documents) that are encrypted by using the public key can only be decrypted by applying the same algorithm, but by using the matching private key. Any message that is encrypted by using the private key can only be decrypted by using the matching public key" ("Description," 2015).

Encryption is often likened to protecting property through the use of a lock and key, meaning that only individuals that have the key can enter; asymmetric encryption might be viewed as ensuring that there is an additional 'deadbolt' to the locked door, or an additional layer of security even though one of the keys is public. Another method is to use both symmetric and asymmetric encryption.

Symmetric encryption can be used to conceal the actual message but the session-specific key (which changes every time) is distributed through the two-step process of asymmetric encryption. Using this method "confidentiality can be achieved by using symmetric encryption. The key used for symmetric encryption (the session key) needs to be securely sent…Asymmetric encryption is used for the purpose of secure key distribution" (Czagan 2013). This ensures there is an additional level of control while still preserving the speed of one-step symmetric encryption.

It should be noted that not all healthcare organizations use encryption. While the Health Insurance Portability and Accountability Act (HIPAA) incentivizes encryption for healthcare organizations, it does not require it (Alonso-Zaldivar 2015). However, particularly for a research-based organization, where the patients are effectively providing their data to further the goals of others as well as preserve their own health, the responsibility owed to them is even greater than might be the case under normal.