This strategy comprehensively addresses the healthcare provider's requirements. SSL/TLS is the industry-standard protocol for encrypting data in transit, protecting it from eavesdropping as it travels to the cloud. Server-side encryption ensures the data is encrypted before being stored on disk, fulfilling the data-at-rest requirement. Critically, using customer-managed keys (CMK) via a service like a Key Management Service (KMS) gives the healthcare provider exclusive control over the cryptographic keys. This control is essential for demonstrating compliance with regulations like HIPAA, as it allows the provider to manage key lifecycle, set access policies, and audit key usage, thereby maintaining sovereignty over their sensitive patient data.

A. Tokenization substitutes data rather than encrypting it, which may not meet HIPAA's encryption safe harbor provisions. SSH is not the standard for application-level cloud service communication.

B. Storing a static key in application code is a critical security flaw, as a code compromise would expose the key and all protected data.

C. Asymmetric encryption is too computationally intensive and slow for encrypting large volumes of data at rest; symmetric encryption is the appropriate choice for this task.

1. National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5

Security and Privacy Controls for Information Systems and Organizations.

SC-8 (Transmission Confidentiality and Integrity): Recommends cryptographic mechanisms like TLS to protect the confidentiality and integrity of transmitted information. This supports the use of SSL/TLS for data in transit.

SC-12 (Cryptographic Key Establishment and Management): Emphasizes the need for secure key management policies and mechanisms

which aligns with the use of customer-managed keys to maintain control.

SC-28 (Protection of Information at Rest): Mandates the protection of data at rest

with encryption being a primary method.

2. Cloud Security Alliance (CSA)

Security Guidance for Critical Areas of Focus in Cloud Computing v4.0.

Domain 4: Application Security

Page 68: "All communication between the application components and between the application and its users should be encrypted using industry best practices (e.g.

TLS)."

Domain 5: Operations

Page 83: Discusses data-at-rest encryption and key management

stating

"The customer may want to manage their own keys... This is often referred to as Customer Managed Keys (CMK)... This model is often used in regulated industries..."

3. Amazon Web Services (AWS)

Architecting for HIPAA Security and Compliance on Amazon Web Services

July 2023.

Page 11

"Encrypting PHI in transit": "AWS recommends that customers encrypt PHI in transit by using Transport Layer Security (TLS)..."

Page 12

"Encrypting PHI at rest": "Amazon S3 offers server-side encryption (SSE)... Customers can use customer master keys (CMKs) that they manage within AWS KMS. This gives customers more control over their keys..." This directly validates the components of the correct answer.