Regulatory compliance

How can AxCrypt help with the GDPR?

The EU General Data Protection Regulation (GDPR) is a binding legislative act concerning the protection of personal data and the rights of the individuals it describes. It was designed to harmonize data privacy law across Europe, to protect and strengthen the data-privacy rights of individuals in the EU, and to reshape the way organizations approach data privacy.

The GDPR requires companies and organizations to implement appropriate technical and organizational measures to protect personal data against loss and unauthorized exposure; Article 32 explicitly names encryption as one such measure. This is where AxCrypt can help.

As Recital 83 of the GDPR states: “In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.”

You have to make sure that personal data is stored securely, whether on-premises or in the cloud, in order to prevent costly data breaches. Files that were encrypted with a strong cipher are useless to an attacker who obtains them without the key, and Article 34(3)(a) of the GDPR relieves the controller of the duty to notify affected individuals of a breach where the data had been rendered unintelligible to unauthorized persons, for example by encryption. That relief only holds if the key or passphrase was not compromised along with the files.

Below are some resources that can further inform you.

  • Read and download the complete Regulation
  • EU’s GDPR dedicated website
  • Summary of the articles

Is AxCrypt HIPAA compliant?

The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy and security of health information. HIPAA compliance applies to organizations (covered entities and their business associates) and to their processes, not to software products, so an encryption solution such as AxCrypt cannot itself be “HIPAA compliant”. AxCrypt can, however, serve as (part of) a Technical Safeguard.

The appropriate use of encryption and other Technical Safeguards is governed by the HIPAA Security Rule, 45 CFR Parts 160, 162 and 164; the relevant section is § 164.312, Technical safeguards. No recommendations or requirements concerning specific encryption technologies are made there either; the regulation is explicitly technology-neutral. It is up to each organization to evaluate its own position and risks and then implement the required and addressable implementation specifications. “Addressable” does not mean optional: an organization that decides not to implement an addressable specification such as encryption must document why, and must implement an equivalent alternative measure where reasonable and appropriate.

The same holds for electronic protected health information (ePHI), whether stored on-premises or in the cloud: encrypted files are useless to an attacker who obtains them without the key. The HIPAA Breach Notification Rule (45 CFR 164.400–414) applies to “unsecured” PHI, and HHS guidance treats PHI encrypted in line with the NIST publications it cites as secured, so the loss of properly encrypted files does not by itself trigger a notification, again provided the key was not compromised as well.

Although the Security Rule itself does not refer to it, the CMS Internet Security Policy, the current policy of the Centers for Medicare & Medicaid Services for its own use, does specify minimum technology levels for certain cases. AxCrypt meets those requirements for transmission over the Internet, but your organization must independently evaluate whether the level CMS applies to itself is sufficient for you.

The parts of § 164.312 where AxCrypt may (and should) suffice as (part of) a Technical Safeguard are:

  • Access control, encryption and decryption (§ 164.312(a)(2)(iv)) – AES-128/AES-256
  • Integrity, mechanism to authenticate ePHI (§ 164.312(c)(2)) – HMAC-SHA-512
  • Transmission security, integrity controls and encryption (§ 164.312(e)(2)(i) and (ii)) – AES-128/AES-256 with HMAC-SHA-512

The HIPAA Security Rule does allow the use of encryption as the basis for access control, that is, to protect the confidentiality of data at rest (stored on a disk, as opposed to traversing the Internet). AxCrypt will meet most organizations’ requirements here too, with the usual caveat that the protection is only as strong as the key management around it: a weak passphrase, or a key stored next to the encrypted files, undoes the safeguard.
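As an added example, not AxCrypt’s code or file format, the following Go program shows how the two primitives named in the list above, AES-256 for access control and HMAC-SHA-512 for integrity, combine into one encrypt-then-MAC container that serves both the data-at-rest and the transmission cases. The container layout, the HMAC-based key split and the sample patient record are all assumptions made for this illustration; the program checks the tag in constant time before decrypting, so a tampered file, a truncated file or the wrong key is rejected with a single generic error rather than yielding garbage plaintext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
	"io"
)

// Constructed example container (NOT the AxCrypt format), assumed layout:
//
//	[16-byte IV] [AES-256-CBC ciphertext, PKCS#7 padded] [64-byte HMAC-SHA-512 tag]
//
// The tag covers IV || ciphertext and is verified before any decryption.

const keySize = 32 // AES-256

// ErrIntegrity is returned for every rejection (bad tag, bad length, bad
// padding) so an attacker learns nothing about which check failed.
var ErrIntegrity = errors.New("integrity check failed: file modified or wrong key")

// deriveKeys expands one master key into separate encryption and MAC keys so
// the same key is never used for both roles. This HMAC-based split is an
// example-specific assumption; a product would use a standard KDF with a salt.
func deriveKeys(master []byte) (encKey, macKey []byte) {
	h := hmac.New(sha512.New, master)
	h.Write([]byte("example: aes-256-cbc key"))
	encKey = h.Sum(nil)[:keySize]
	h.Reset()
	h.Write([]byte("example: hmac-sha-512 key"))
	macKey = h.Sum(nil)
	return encKey, macKey
}

// pad and unpad implement PKCS#7 for the 16-byte AES block size.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, ErrIntegrity
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, ErrIntegrity
	}
	if !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrIntegrity
	}
	return b[:len(b)-n], nil
}

// Seal encrypts plaintext with AES-256-CBC under a fresh random IV and appends
// an HMAC-SHA-512 tag over IV || ciphertext.
func Seal(master, plaintext []byte) ([]byte, error) {
	encKey, macKey := deriveKeys(master)
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	out := append(iv, ct...)
	mac := hmac.New(sha512.New, macKey)
	mac.Write(out)
	return mac.Sum(out), nil // IV || ct || tag
}

// Open verifies the tag in constant time and only then decrypts.
func Open(master, sealed []byte) ([]byte, error) {
	const minLen = aes.BlockSize + aes.BlockSize + sha512.Size // IV + 1 block + tag
	if len(sealed) < minLen {
		return nil, ErrIntegrity
	}
	encKey, macKey := deriveKeys(master)
	body, tag := sealed[:len(sealed)-sha512.Size], sealed[len(sealed)-sha512.Size:]
	mac := hmac.New(sha512.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrIntegrity
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, ErrIntegrity
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return unpad(pt)
}

func main() {
	master := []byte("constructed master key")                     // a product derives this from a passphrase
	record := []byte("Patient: Jane Doe, MRN 000123, Dx: example") // constructed sample ePHI

	sealed, err := Seal(master, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes; plaintext visible in file: %v\n",
		len(sealed), bytes.Contains(sealed, []byte("Jane")))
	if pt, err := Open(master, sealed); err == nil {
		fmt.Printf("opened with correct key: %q\n", pt)
	}
	tampered := append([]byte{}, sealed...)
	tampered[aes.BlockSize] ^= 0x01 // flip one bit in the first ciphertext block
	_, err = Open(master, tampered)
	fmt.Println("tampered file:", err)
	_, err = Open([]byte("wrong key"), sealed)
	fmt.Println("wrong key:", err)
}
```

Verifying the HMAC before touching the ciphertext is what makes the integrity control meaningful: CBC decryption of a modified block would otherwise succeed silently and hand back corrupted data, and a padding check that runs before the tag check becomes a decryption oracle.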