Disk encryption is not enough for HIPAA HITECH Act Compliance

In the coming months healthcare IT administrators will see many products come to market that claim to solve the compliance problem of safeguarding unsecured protected health information (PHI). A bit of caution and an understanding of the issues is required here:

- Whole disk encryption is clearly needed for mobile devices.
- Whole disk encryption protects data only when the computer is TURNED OFF. Once the volume is unlocked and you are using the laptop, the operating system decrypts the data transparently for every process that reads it, so in practice the data is not protected while the machine is in use.
- Additional levels of data protection are needed to protect the data while computers are in use. For example, critical data files should be encrypted automatically regardless of whether the computer is turned on or off. Whole disk encryption does not do this.
- Files containing PHI that are transferred over a network need to be encrypted. Whole disk encryption does not do this.
- What about e-mails containing PHI? More importantly, what about those who use Microsoft Outlook and store data in archive (.pst) files?


So why is whole disk encryption not enough? What happens if a worm invades your computer and transfers documents of a certain file type to a remote location? Because the volume is already unlocked while the machine is running, the worm reads those documents in the clear, and whole disk encryption will not help you in this situation.


It’s important for any encryption solution to not only encrypt the hard drive but also to encrypt individual files on the hard drive, so that they remain encrypted while the computer is on and are only decrypted for an authorized user or application at the moment of use.
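As an added example, not code from this post or from any product it mentions, the following Go program shows the file-level layer the post is asking for: each sensitive file is sealed with AES-256-GCM under a key that is not the disk-encryption key, so that while the machine is running and the volume is unlocked, only ciphertext for that file is present on disk. The file name is bound in as associated data, a wrong key or a modified byte makes decryption fail, and `EncryptMatching` seals every file with a chosen extension (for instance `.pst` archives) while skipping files it has already sealed. The directory, file names, record contents and the `.enc` suffix are constructed for the demo; `NewKey` stands in for a key-management service and is an assumption of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// On-disk layout of a sealed file: 12-byte nonce || AES-GCM ciphertext+tag.
const (
	keyLen    = 32     // AES-256
	encSuffix = ".enc" // constructed suffix used by this example
)

// NewKey returns a random 256-bit key. In a deployment the key would come
// from a key-management service, never from the disk being protected.
func NewKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under key and binds name as associated data, so a
// ciphertext renamed to another file will not decrypt.
func Encrypt(key, plaintext []byte, name string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Decrypt reverses Encrypt; it fails on a wrong key, a tampered byte or a
// mismatched name.
func Decrypt(key, blob []byte, name string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// EncryptFile replaces path with path+".enc" and removes the plaintext, so
// only ciphertext remains on disk for this file while the machine runs.
func EncryptFile(path string, key []byte) error {
	plain, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	blob, err := Encrypt(key, plain, filepath.Base(path))
	if err != nil {
		return err
	}
	if err := os.WriteFile(path+encSuffix, blob, 0o600); err != nil {
		return err
	}
	return os.Remove(path)
}

// DecryptFile returns the plaintext of path+".enc" in memory only.
func DecryptFile(path string, key []byte) ([]byte, error) {
	blob, err := os.ReadFile(path + encSuffix)
	if err != nil {
		return nil, err
	}
	return Decrypt(key, blob, filepath.Base(path))
}

// EncryptMatching seals every regular file under dir whose extension is in
// exts (case-insensitive) and is not already sealed; it returns the paths sealed.
func EncryptMatching(dir string, exts []string, key []byte) ([]string, error) {
	var done []string
	err := filepath.WalkDir(dir, func(p string, d os.DirEntry, err error) error {
		if err != nil || d.IsDir() || strings.HasSuffix(p, encSuffix) {
			return err
		}
		ext := strings.ToLower(filepath.Ext(p))
		for _, e := range exts {
			if ext == strings.ToLower(e) {
				if err := EncryptFile(p, key); err != nil {
					return err
				}
				done = append(done, p)
				break
			}
		}
		return nil
	})
	return done, err
}

func main() {
	dir, err := os.MkdirTemp("", "phi-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	// Constructed sample record; not real patient data.
	record := filepath.Join(dir, "patient_record.txt")
	if err := os.WriteFile(record, []byte("MRN 000000 (constructed) diagnosis: example"), 0o600); err != nil {
		panic(err)
	}
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := EncryptMatching(dir, []string{".txt", ".pst"}, key)
	if err != nil {
		panic(err)
	}
	fmt.Println("sealed:", sealed)

	onDisk, _ := os.ReadFile(record + encSuffix)
	fmt.Println("plaintext readable on disk while running:", bytes.Contains(onDisk, []byte("MRN")))

	plain, err := DecryptFile(record, key)
	fmt.Printf("decrypted with key: %q err=%v\n", plain, err)
}
```

The point of the demo is the second printed line: a process that can read the disk (the worm in the scenario above) sees only the sealed bytes, and nothing is written back to disk in the clear by `DecryptFile`. Network transfer of the `.enc` file is likewise safe to the extent the key is not sent with it; key management, not the cipher, is where such a scheme succeeds or fails.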


2 Responses to “Disk encryption is not enough for HIPAA HITECH Act Compliance”

  1. [...] This post was mentioned on Twitter by Stonebranch, Experior. Experior said: Experior Blog: Disk encryption is not enough for HIPAA HITECH Act Compliance http://ow.ly/16n3bW [...]

  2. Edgar says:

    I wasn’t aware of all the parameters you mentioned, and they can also easily apply to portable devices. After bad experiences with a few brands, I “stick” to secure USB flash drives that I learned to trust.