Administrators in a health care environment are probably aware the Health Insurance Portability and Accountability Act (HIPAA) requires sensitive data to be encrypted. Although this requirement might seem simple enough on the surface, it can be surprisingly difficult to comply with. Even though it is usually relatively easy to support storage encryption, it can be a challenge to verify that encryption is being used properly.
The problem with verifying the use of encryption is that sensitive data can reside in any number of locations. For example, sensitive data could potentially exist in these areas:
- Network file shares, databases, etc.
- Desktop PCs
- Universal Serial Bus (USB) flash drives
- End users' personal devices, such as tablets or smartphones
Unfortunately, verifying the use of encryption in all of these locations is borderline impossible. USB storage devices and an end user's personal devices may not be immediately accessible to health IT administrators or could be outside their direct control. Likewise, there is not a single tool you can use to verify the use of encryption on widely varying hardware platforms. So what is an administrator to do?
The key to effectively being able to verify data encryption is to make sure sensitive data resides only in locations that you can control. Ideally this would mean that all data is accessed from a centralized repository (file servers and application servers) and that no data resides on end user devices. In reality however, business needs often require at least some level of data storage on endpoint devices or on removable storage devices.
If you really want to guarantee that any storage device containing sensitive data is encrypted, then the best approach might be to encrypt everything. That way, the data should theoretically be protected regardless of where a user might copy it to. Encryption should be your last line of defense, not your first. Users still need to be educated in the proper handling of data.
The first things you should encrypt are the local hard drives on desktop PCs (if your organization has begun using virtual PCs, then the virtual hard disks should be encrypted). This is relatively easy to accomplish assuming that the desktops are running Windows 7 or Windows 8. The solution is to configure a Group Policy to enforce BitLocker encryption of the PCs' disks.
BitLocker-related Group Policy settings can be found in the Group Policy Management Console under Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption. A good TechNet article explains exactly which policy settings need to be enabled.
You will have to use a different method to encrypt tablets than you use to encrypt desktop PCs. Group Policy settings such as the ones described in the previous section can only be applied to Active Directory domain members. Most tablets cannot be domain joined.
If you want to enforce encryption on tablets, then you will have to use either a mobile device management utility or ActiveSync policies (which are configurable through either Exchange Server or Windows Intune).
One of the problems with this approach is that not all tablets support hardware-level encryption. Android tablets only support encryption if they are running Ice Cream Sandwich or Honeycomb. And iPads only began offering hardware-level encryption in iOS 4.
Since not all tablets support encryption, the IT department will need to establish policies dictating which tablets are and are not allowed to be used. Some mobile device management software will allow you to place version-specific restrictions on the tablets you can provision. If you are depending on the use of ActiveSync policies, then you won't be able to automatically restrict tablet provisioning by version. The IT department will have to get involved in the provisioning process to make sure that users are using approved tablets.
There are many ways to restrict USB flash drive use. One option is to use a product such as GFI Endpoint Security to block the use of USB storage devices. Another option is to use Group Policy settings to force users to encrypt USB flash drives using BitLocker To Go. To do so, open the Group Policy Management Console and navigate through the console tree to Computer Configuration | Policies | Administrative Templates | Windows Components | BitLocker Drive Encryption | Removable Data Drives. Now enable the setting called Deny write access to removable drives not protected by BitLocker.
Keep in mind that although this solution is effective, it is not perfect. Group Policies only apply to computers that are domain joined. The problem is that tablets are not usually domain joined, and there are some Windows and Android tablets that are equipped with USB ports. That being the case, it is a good idea to see if your mobile device management software includes a setting for blocking USB port usage on mobile devices.
What about verification?
As mentioned at the beginning of this article, it is important to be able to verify that storage devices really are encrypted. One of the reasons I chose to discuss the encryption methods that I did is that they lend themselves well to the verification process. Most mobile device management software includes a reporting feature that you can use to audit mobile device security.
A number of third-party tools are designed for Group Policy-based auditing. Even without a third-party tool, however, you can use the Group Policy Management Console's own policy reporting feature to verify that the encryption settings are actively being applied and that the encryption requirements are not being overridden by other Group Policy settings.
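Policy reports only show what was pushed to the PC; the disks themselves should also be asked. The following script is an added example, not something from the article or a Microsoft tool, and it supports both the BitLocker enforcement described earlier and the verification step here: it queries each domain PC's BitLocker provider and checks for the registry value behind the removable-drive policy. It assumes PowerShell remoting is enabled on the PCs, that the account running it has local administrator rights on them, and that the ActiveDirectory module is installed on the admin workstation.

```powershell
# Added example, not from the article: collect BitLocker status from domain PCs
# so the enforced policy can be compared with what the disks actually report.
Import-Module ActiveDirectory

# Runs on each PC. The WMI BitLocker provider exists on Windows 7 and 8, so this
# does not depend on the Windows 8-only BitLocker PowerShell module.
$auditBlock = {
    $ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
    # Registry value behind "Deny write access to removable drives not protected
    # by BitLocker"; 1 means that policy is in effect on this PC.
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -ErrorAction Stop |
        ForEach-Object {
            # GetProtectionStatus: 0 = off (unencrypted or protectors suspended), 1 = on, 2 = unknown
            $prot = $_.GetProtectionStatus().ProtectionStatus
            # GetConversionStatus: 0 = fully decrypted, 1 = fully encrypted, 2/3 = in progress, 4/5 = paused
            $conv = $_.GetConversionStatus()
            New-Object PSObject -Property @{
                Computer             = $env:COMPUTERNAME
                Drive                = $_.DriveLetter
                ProtectionOn         = ($prot -eq 1)
                ConversionStatus     = $conv.ConversionStatus
                PercentEncrypted     = $conv.EncryptionPercentage
                RemovableWriteDenied = ($fve.RDVDenyWriteAccess -eq 1)
            }
        }
}

# Audit every Windows 7 / Windows 8 computer object in the domain.
$computers = Get-ADComputer -Filter { OperatingSystem -like 'Windows 7*' -or OperatingSystem -like 'Windows 8*' } |
    Select-Object -ExpandProperty Name
$results = Invoke-Command -ComputerName $computers -ScriptBlock $auditBlock `
    -ErrorAction SilentlyContinue -ErrorVariable unreachable

# A PC that cannot be queried is a finding, not a pass: "no data" is not "encrypted".
foreach ($err in $unreachable) {
    $who = if ($err.OriginInfo) { $err.OriginInfo.PSComputerName } else { $err.TargetObject }
    Write-Warning ("Could not audit {0}: {1}" -f $who, $err.Exception.Message)
}

# Volumes with protection off, or PCs missing the removable-drive policy, need follow-up.
$results |
    Where-Object { -not $_.ProtectionOn -or -not $_.RemovableWriteDenied } |
    Sort-Object Computer, Drive |
    Format-Table Computer, Drive, ProtectionOn, ConversionStatus, PercentEncrypted, RemovableWriteDenied -AutoSize

# Keep the full result set as evidence for the audit file.
$results | Export-Csv -Path .\bitlocker-audit.csv -NoTypeInformation
```

A volume that reports ProtectionOn as false while ConversionStatus is 1 is fully encrypted but has its protectors suspended, which still leaves the data readable, so treat it as a finding rather than a pass.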
At the end of the day, enforcing and verifying storage encryption can be difficult. I highly recommend that health care organizations do not allow sensitive data to be stored on end-user devices if at all possible.
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. Write to him at email@example.com or contact @SearchHealthIT on Twitter.