Encryption can be intidating. The technology is filled with technical security jargon like encryption keys, hash, key length, etc. In most organizations the least common denominators are often devices  used the most – laptops, tablet PCs, and desktop computers. These devices are used to work with patient data and store information that is the most vulnerable to theft, misuse, and unauthorized access. These devices are often serviced and replaced. How many times have you replaced a broken hard drive? How many computers have you replaced in the last 3 years?

Fortunately, the most vulnerable devices are the easiest secure. If you have serveral computers you would like to secure, or if you have a tablet or laptop that you use when you travel, installing Whole Disk Encryption (WDE) software such as PGP Whole Disk Encryption is an easy way to get started.

..

WDE simply encrypts your entire hard drive. After installing the software you can encrypt your entire hard drive. The software operates in the background while you work and does not affect your computer’s performance. It may take several hours for your hard drive be become encrypted. After completion, you will need to enter a password every time your computer boots. If your computer is stolen the thief will not be able to access your computer because the password will not be known to him/her. More importantly, your hard drive will not be able to be analyzed by forensic or other hard drive reading software. All your data will essentially become “scrambled” to anyone trying to view the contents of your hard drive.

..

It’s important that you understand technologies that WILL NOT protect your information:

..

- File deletion – deleting files on your hard drive does not erase them permanently. When you “delete” a file on your computer you are simply removing the pointer to the data in the hard drive’s directory. Until your data is overwritten by new data the old data remains on the hard drive and is able to be retrieved by even the most rudimentary tools on the Internet.

..

- Password protecting files – Using password protection features in Microsoft Word, Excel, and even Quickbooks does not protect your information. It simply forces you to enter a password before viewing the data. There are many tools that are available that can easily recover these passwords. In addition, passwords don’t encrypt data. They are a method of very basic access control. If you password protect your document it can easily be recovered by data recovery and simple forensics applications.

..

- Screen saver passwords – Although these should be used and activated when you’re away from your powered-on computer, they do not protect your data. A simple restart of the computer will bypass screen saver passwords.

..

- Computer passwords – Computer passwords should be set so that you are prompted to enter a password when you start up your computer. However, these can easily be recovered by many programs found on the Internet. They also don’t encrypt the contents of your hard drive.

..

- BIOS passwords – Most PCs have an option to set BIOS passwords. BIOS is a small program in every computer that runs very briefly when you turn your computer on. BIOS tells the computer the most basic information about your computer such as the amount of memory in your computer, size of hard drive, number of hard drivers, etc. This information is used to load your operating system (Microsoft Windows, Apple MAC OS, etc). A setting in BIOS could be made to require a BIOS password before your computer even loads Windows. Although it may be deterent to the casual unauthorized user, such as a snooping co-worker, BIOS passwords are easily reset by anyone with rudimentary technical skills. Sometimes it may require that the computer be opened and certain buttons are pressed inside the computer. But it can easily be defeated. And BIOS passwords do not encrypt data.

..

- Apple FileVault, Windows EFS – These are useful options for encrypting data. In both cases (Apple

and Windows) these are only file-level encryption technologies. Apple’s FileVault is superior because it encrypts your entire user profile. Windows EFS is complex to maintain and restore in case you switch computers. However, these technologies encrypt only certain files or directories. If you accidentally move information out of the encrypted directories that information will not be encrypted. These also don’t prevent basic access to the operating system of the computer. For example, if your Mac is stolen and you enable FileVault the thief can still access your computer.

..

Although installing whole disk encryption on a few computers is acceptable, deploying individual encryption applications on many computers is not efficient or recommended.  Installing software like PGP Whole Disk Encryption on many computers without a central management system could present administrative challenges of manually maintaining encryption keys and leaves open the possibility of not being able to access encrypted computers after an employee leaves. Vendors like PGP offer a management console that can take away the administrative burden  of maintaining many computers. Before deploying WDE refer to an expert that can set up your environment so you can properly manage your encrypted computers centrally.