Full Disk Encryption for HIPAA Protected Computers

UPDATE: Based on the comments, it seems like TrueCrypt is a nice free open source option for encryption. Some others were mentioned as well.

In all of the various HIPAA violations I’ve read about, they almost always blame some lack of encryption on the violation. In most of those cases it’s a laptop or other mobile device that should have had disk encryption that didn’t.

The problem I have with disk encryption is that I’m not familiar with any really easy to implement, but effective solutions for doing full disk encryption on a device.

I’m not talking about enterprise encryption. I’m talking about encryption that can work in the small or even solo medical practice. Not to mention at the small clinic price point too.

If you know of a solution, I’d love to hear about it.

About the author

John Lynn

John Lynn

John Lynn is the Founder of the HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.

18 Comments

  • Truecrypt. Open Source. Free. don’t need full disk encryption, just encrypt the portion that stores the data. Easy to set up and maintain.

  • Someone beat me to the punch. If you’re not looking for enterprise management features (key escrow, etc), TrueCrypt cannot be beat. It is open source with years of auditing and review, supports AES/Blowfish/any cipher you might want to use, and has no noticeable system performance hit on most PCs. The product is owned by a non-profit foundation, much like Mozilla.

    You have the option to set up a virtual encrypted disk drive container, but Truecrypt also supports full disk encryption (at least in Windows) seamlessly and beautifully.

    It’s free, and it beats the pants off every commercial encryption solution I’ve used.

    truecrypt.org

    Lifehacker readers very recently gave it a glowing endorsement: http://lifehacker.com/5679777/best-file-encryption-tool-truecrypt

  • I second truecrypt. Users of Windows Vista or Windows 7 Ultimate and Enterpise versions also have the Bitlocker option available to them.

  • Yup. TrueCrypt. Takes maybe five minutes to get it started and you can continue to use your computer, even shut down and resume. There are dozens of YouTube video’s that show you how if you want to see what is involved before committing to it. We use it on all our systems, including servers and USB drives, but I can’t imagine using a portable computer without it, even if you don’t have PHI stored on the device.

  • I don’t think there is one solution that fits every need, but let me suggest one I often recommend. The produce is called the Apricorn Aegis Padlock with AES 256 bit encryption.
    This is a portable USB hard drive that has a keypad built it. In order to access the drive you just enter your PIN on the keypad. Disconnecting the drive re-locks it. There is no software to install and so no software to hack. Trying multiple incorrect PIN numbers causes the drive to encrypt the data with a random PIN rendering it useless.
    This is not a networked solution but is ideal for people who must work offsite. It is especially useful with those EMR applications that allow you to “package” a group of charts with a viewer and thereby save everything to this encrypted portable drive.

  • A commercial option is PGP Whole Disk Encryption. It’s a standalone product for Mac/Windows/Linux, $149. It used to be included in PHP Desktop Home (along with email and instant message, and file encryption, which they’re best known for), but may at least be purchased as part of PGP Desktop Pro. (PGP was recently acquired by Symantec.)

    I’ve used the PGP Desktop product on the Mac for email and file encryption and found it first rate. I wish my doctor used it.

  • This thread is a great example of why I love blogging. Thanks for letting me know about TrueCrypt. I love open source and this looks about as easy as it should be. Unfortunately, it looks like I might have to give up my nerd card for not knowing about it earlier though. At least I have the power of blogging to help me out when needed.

    Thanks everyone!

  • iPads automatically encrypted?

    Be careful what you say, I don’t believe that is correct.

    You can set an iPad to auto delete after X failed logins, but there is no encryption.

    Whole disk is the only correct answer.

  • “All data” on an iPad is encrypted by the hardware, as stated by Apple’s security overview PDF (to see it Google “ipad business security”). However, there are reports that the encryption key (which is necessarily stored in the hardware) can be obtained, and the data decrypted, by jailbreaking the device. I can’t immediately find confirmation of that either way. Also, I’m not certain whether images and sound files are automatically encrypted. Certainly its a lot better than no encryption, but whether it’s good enough for a particular use I wouldn’t presume to say.

    I wouldn’t assume that whole-disk is the only way to go for devices; it depends on what software you use, and how.

  • You wouldn’t assume whole-disk is the only way to go, yet you assume iPads are encrypted…at least initially.

    When reporting a lost or stolen mobile device that had PHI on it, the best answer is, “Yes, the whole drive is encrypted.”

    As one who is paid to be paranoid about these things, I tell offices:
    1) Don’t store PHI on portable devices.
    2) If you absolutely must, encrypt the entire device.

    If you only encrypt 1 folder you leave open the opportunity to accidentally save to an un-encrypted folder.

    Why allow for this possibility?

  • The disadvantage of TrueCrypt is that TrueCrypt cannot encrypt the entire boot volume (from the drive from which you run your operatinig system)

    They don’t support key escrow, and offers no back doors for password recovery. If a users forgets his or her passphrase, the encrypted information will be permanently and irretrievably lost.

    You could sync only whole truecrypt file instead files in the truecrypt. Therefore, you could not use the same files in two computers in the same time.

  • If you are running Vista or better, you most certainly can encrypt the entire system drive with TrueCrypt. I don’t really understand Angela’s comment about two computers at the same time. Every drive on our file servers is encrypted with TrueCrypt and the shared folders on those drives are used simultaneously by multiple people on multiple computers. Once mounted, the volume appears and is used just like any other drive. Also, the whole point of disk encryption is that there are NO back doors. Such recovery options would quickly be cracked.

  • You can enable whole disc encryption on Macs in the system settings. It encrypts and un-encrypts on the fly so it slows your machine down very slightly, but most won’t notice.

  • Re Zenfire’s comment – No, Macs do NOT support whole disk encryption. FileVault only encrypts the user folder. Just Google for “filevault whole disk encryption” to see many discussions on this limitation.

Click here to post a comment
   

Categories