



AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.



PHIPA Encryption Checklist

The factsheet published by the Information and Privacy Commissioner of Ontario (May 2007) contains a checklist on the use of encryption for health information, as well as a detailed explanation of the different types of encryption that can be used to secure data.

I thought I'd go over the checklist, and make some comments (you know, from a data security perspective.  What can I say?  It gets kind of slow towards the end of the year).

Encryption Checklist According To Ontario Information and Privacy Commissioner's Fact Sheet

  • I have minimized the amount of PHI that I have on portable devices (preferably none in identifiable form).

    Always recommended, even if you end up using encryption on your data or computer.  Why?  Well, there's always the chance that the username and password for accessing the protected contents are on display, stuck to the bottom of the laptop.  (Happens more often than you think.)

    In such a case, having the information redacted would prevent a data breach.  The problem, though, is that unless you're into clinical research, you probably need to tie any medical conditions and histories to some kind of identifier.  I mean, technically, if you had the information redacted so there's no sensitive information, there would be no need for encryption software.

  • I delete PHI from all portable devices as soon as I have finished working with it.

    Same reasons as the above.  You can't have a breach of something that's not there.

  • I know what PHI is stored on each of my portable devices.

    Most people have a pretty good idea, but they're never certain.  The general theory is to encrypt only those machines that contain sensitive data (in this case, patient health information), and to have everyone make sure sensitive data doesn't find its way onto unencrypted machines.

    Theory diverges from reality, and the truth is that it's impossible to tell what type of data is on what type of machine.  In this day and age, it just makes sense to encrypt any portable device, assuming it's technically feasible, regardless of whether you "know" whether PHI is stored or not.

    This way, the ramifications of losing a device are pretty much nixed.

  • I have enabled my operating system encryption.

    Say, what?  What's an operating system encryption?  The factsheet seems to be referring to built-in encryption.  For example, under Windows XP, you can encrypt the contents of a folder/directory.  That would be helpful, except for the fact that, as the factsheet has pointed out:

    "But while these options are easy to use, because they rely on the user’s login password, they provide only limited protection and are insufficient, in and of themselves, for the safeguarding of PHI. They are vulnerable in that if a person gains access to the user’s password, they will then have access to the data."

    Also, depending on what version of the software you're using--be it the operating system or an application with built-in encryption--it may be the case that the encryption offered is not up to snuff.  Some will say it's better than nothing.  But, the same argument could be made as someone hands you a stick when facing a rabid grizzly bear. (You'd probably feel better with some real protection.)

  • I have purchased a system with whole disk encryption. OR I have purchased software to implement whole disk or virtual disk encryption on my laptop or PDA.

    No comment on this one.  Well, except, perhaps, that it's not enough that you've purchased the encryption package.  You also have to use it--something that, I can tell you from experience, doesn't always happen.  That's right, folks: there are companies out there that will get themselves an encryption license and not use it.

  • If I use portable storage devices like USB keys, I buy them with encryption installed, or install encryption on them before I use them to store PHI.

    Same as the above point, except they've included the caveat that you've got to install it.  (Does the Privacy Commissioner view USB keys as more critical breach sources than laptops?)

    You can encrypt information that's already saved to a USB device; however, that's like setting up a bank and collecting deposits first, and having a bank vault delivered for installation afterwards.

  • If I use a password to access encrypted data, it is a strong password AND it is different than the password that I use to login to my computer.

    Ah, strong passwords.  I've covered some issues in this post.  Basically, the need for strong passwords lies in the fact that, since encryption itself is very strong, the weak link is the password: even with the best encryption in the world, if the password for accessing that encrypted content happens to be "iloveyou"...well, let me tell you that hackers will be all over that data.

    Generally, you want different passwords for everything.

  • I never write my password down.

    Not always a bad idea to write down passwords.  There is a school of thought out there that you can write down passwords--just don't keep them close to where you use them.  For example, if you write down the password for accessing an encrypted laptop, don't keep that password anywhere near your desk (and definitely not stuck to the laptop).

    This is especially true of systems that are seldom used so a person doesn't have the chance to memorize a password due to constant use.

    I know, the recommendation is to make something long and complex that can be easily memorized.  But, if it can be easily memorized, it's probably not long and complex enough....  You just can't win!

  • I do not share my password with anyone.

    Self-explanatory.  However, quite often not followed.

  • If I don’t use whole disk encryption, I can identify where ALL of the PHI on my system is stored.

    No you can't....  I guess the point is, well, if you're not going to use whole disk encryption, then you should at least keep track of PHI and make sure it doesn't end up on unsecured devices.  This, to me, is just another way of saying use disk encryption: It's virtually impossible to keep track of where sensitive data ends up in this modern age of ours.

    Will some people be able to follow the above?  Sure; think of general practitioners who see maybe five patients a year and keep everything in a spiral notebook.  But in modern practices, keeping track of all information (and note the capitalized ALL) is just not possible.

  • I only store PHI on the encrypted disk.

    Self-explanatory.  However, you must remember that encryption is not a magic bullet.  For example, even if PHI is always stored on encrypted disks--possibly because only encrypted disks are used--if passwords are shared or written down and taped to the specific devices, encryption is not going to provide any data security.

  • I regularly verify or audit that my encryption policies are, in fact, being implemented and followed.

    If you've read all of my comments above, you'll see why this is probably the most important item in the checklist.
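
As an added illustration of that last item (this is not code from the factsheet or from AlertBoot), here is one way to audit a device inventory for the gaps discussed above: licenses bought but never used, PHI on unencrypted devices, and portable devices whose PHI status is only "known" in theory. The inventory columns and sample rows are constructed assumptions, not a real export format.

```python
import csv
import io

# Constructed sample inventory; the column names are assumptions for this example.
SAMPLE_INVENTORY = """device,type,license_assigned,encryption_active,phi_status
LT-001,laptop,yes,yes,yes
LT-002,laptop,yes,no,unknown
USB-07,usb,no,no,yes
PDA-03,pda,yes,no,no
DT-010,desktop,no,no,no
"""

# Device types treated as portable for the purposes of the checklist.
PORTABLE = {"laptop", "usb", "pda"}


def audit(inventory_csv):
    """Return a list of (device, finding) tuples for checklist gaps."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        dev = row["device"]
        encrypted = row["encryption_active"] == "yes"
        licensed = row["license_assigned"] == "yes"
        phi = row["phi_status"]  # yes / no / unknown
        portable = row["type"] in PORTABLE

        # Buying the encryption package is not the same as using it.
        if licensed and not encrypted:
            findings.append((dev, "license purchased but encryption not in use"))
        # PHI should only ever live on an encrypted disk.
        if phi == "yes" and not encrypted:
            findings.append((dev, "PHI stored on unencrypted device"))
        # "We think there is no PHI on it" is not a reason to skip encryption.
        elif portable and phi == "unknown" and not encrypted:
            findings.append((dev, "PHI status unknown on unencrypted portable device"))
        elif portable and not encrypted:
            findings.append((dev, "portable device not encrypted"))
    return findings


if __name__ == "__main__":
    for device, finding in audit(SAMPLE_INVENTORY):
        print(f"{device}: {finding}")
```
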


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.