Is anyone having to roll out full hard drive encryption yet? Our clinic is in the process. How can we encrypt the hard drive (to stay in compliance) yet not have a pre-boot authorization password requirement when the computer powers up?
The reasoning for this is because employees and providers already have so many passwords to remember. They don't care for yet another, especially the doctors. And especially if you forget that password, you will never again access that operating system.
Curious as to why you're going all the way to the local machine HD? What did you read/hear to make you go this far or what kind of setup do you have running Centricity?
We are using thick clients. Although CPS doesn't appear to keep any data on the hard drives, our docs do look at CT scans, MRIs and X-Rays which are locally cached (not under my control). To comply with MU Stage II, Core Measure 9 of 17, I am being told (via a 3rd party audit) that it is necessary, especially since we rent our office space from a local Hospital and they have their own cleaning crew and the offices really aren't that secure
http://www.cms.gov/Regulations.....thInfo.pdf
on page 2...
Paragraph (d)(7)(i) or (ii) of this section must be met to satisfy this certification criterion.
(i) EHR technology that is designed to locally store electronic health information on end-user devices must encrypt the electronic health information stored on such devices after use of EHR technology on those devices stops. (A) Electronic health information that is stored must be encrypted
Mike Zavolas
Tallahassee Neurological Clinic
We just had someone come in to do a meaningful use security audit for us and told us the same thing that if we got audited by a 3rd party we would be fined. It was an eye opener as to what we thought we were in compliance for that we were not. Things like our nurses have their own little shred bins which they empty into a large locked one but if an auditor had seen that one it is $1500.00 a piece of paper fine if it has any patient info on it. He told us one company was fined out of business.
Was this a part of your annual Risk Assessment or a separate event? How did you find your 3rd party auditors and would you share their contact information via PM?
Let me also ask what encryption solution you went with and how many devices you encrypted, if you don't mind.
We have a contract with Purdue who did our security assessment for our annual risk assessment and he was here this week. He is the one who told us about our deficiencies. We have not started our processes yet.
Sam said:
Was this a part of your annual Risk Assessment or a separate event? How did you find your 3rd party auditors and would you share their contact information via PM?
Let me also ask what encryption solution you went with and how many devices you encrypted, if you don't mind.
This was our annual (but first) risk assessment. Like I read in another response, our eyes were opened to many things so we have some work to do.
Sam said:
Was this a part of your annual Risk Assessment or a separate event? How did you find your 3rd party auditors and would you share their contact information via PM?
Let me also ask what encryption solution you went with and how many devices you encrypted, if you don't mind.
I forgot to answer your question about which encryption technology we went with. Nothing yet but here is what we have evaluated thus far.
I am getting some resistance to the requirement of having to type a password when you boot a computer so I have been looking for alternatives to having to do that. That additional password requirement would effectively kill my nightly scripting jobs so I don't like it either.
1. McAfee Endpoint. This software has a way to cache the password/key on the hard drive but we were able to crack into it pretty easily with a linux based boot disk and some crude utilities (and we are not hackers). I think this solution would be cheaper but I would recommend a password. The password length is dictated by the bitrate so if you want 256bit encryption I think the password would need to be twice as long a password for 128bit. Kon-boot took less than a minute to give us admin access to the machine. I forget how much this costs but they did force me to buy 10 licenses just to do an evaluation which doesn't sit well with me
2. Free/Open Source (It would be great to not add another licensing scheme to manage). TrueCrypt fits the bill but requires a password. This is almost a no-brainer if we are OK with users needing to type a password
3. Windows 7 Enterprise with bitlocker. If you can get over the price this would be the way to go. It is $278 per machine (About $40,000 for us), because you can not buy a computer with Win7Enterprise on it. You have to buy Windows 8 Pro through eopen licensing with Software Assurance (SA) and then you are allowed to install Win7Enterprise as a downgrade. So basically I am buying Windows twice, unless I can find a dell/hp with no hard drive or something like that and do my own after purchase. The way the encryption works is the computer boots up on a domain and makes a connection to verify that someone didn't disconnect it from the network. That effectively negates the need for a password. But...$40K??? Ouch.
So that is my quandary. We will be making a decision soon (probably not my decision, as we ran into lots of resistance about passwords). So unless the owners want to pony up $40K, they will be typing an extra password. We did consult an attorney to see if they thought we really needed to do this and she said yes.
Mike Zavolas
Tallahassee Neurological Clinic
Thank you for the details and further insight Mike--much appreciated.
tnc said:
We are using thick clients. Although CPS doesn't appear to keep any data on the hard drives, our docs do look at CT scans, MRIs and X-Rays which are locally cached (not under my control). To comply with MU Stage II, Core Measure 9 of 17, I am being told (via a 3rd party audit) that it is necessary, especially since we rent our office space from a local Hospital and they have their own cleaning crew and the offices really aren't that secure
http://www.cms.gov/Regulations.....thInfo.pdf
on page 2...
Paragraph (d)(7)(i) or (ii) of this section must be met to satisfy this certification criterion.
(i) EHR technology that is designed to locally store electronic health information on end-user devices must encrypt the electronic health information stored on such devices after use of EHR technology on those devices stops. (A) Electronic health information that is stored must be encrypted
Mike Zavolas
Tallahassee Neurological Clinic
Are those images attached to the patient's chart? If so they wouldn't be cached locally...at least in our environment when we view images like that they are linked / stored on our app server.
Very interesting too about the shred bins. We have those as well and have had (2) 3rd party security risk assessments and none have said a word about them.
chrishuff1 said:
Are those images attached to the patient's chart? If so they wouldn't be cached locally...at least in our environment when we view images like that they are linked / stored on our app server.
No, but the name of the patient appears on the images and sit on the hard drive for a time as a temp cached file
Very interesting too about the shred bins. We have those as well and have had (2) 3rd party security risk assessments and none have said a word about them.
I think you can have 10 3rd party risk assessments done by 10 different companies and get 15 different opinions. It would seem that you should not be able to do worse than 10 differing opinions but we argued with our 3rd party company and they did see our point but the end result is what really matters when a Government wonk's opinion is when (s)he is administering the **** exam.
I came from banking which required multiple different types of IT Audits/Assessments/Vulnerability tests etc per year. Even if you fixed every item on an auditors report to 100% satisfaction, the next year they would find more items to report on even though those things existed previously.
Hard drive encryption technology is very annoying to manage from an IT standpoint. Since the computer has not booted when the user was prompted, you can not gain access to the machine to troubleshoot problems remotely. Users constantly were forgetting their password to the hard drive encryption and getting themselves locked out. We used Checkpoint Pointsec for our devices and it synced with the windows password. The user would login to pointsec at the preboot screen and then when windows booted, it would automatically use that same password to log them in to windows so it did not add an extra password layer. The problem was when the user changed their windows password, pointsec would not always catch it. It would also have no way of knowing if they changed their password while on a desktop PC so passwords would get out of sync.
I use truecrypt on my personal laptop and it works well, but you can not have multiple passwords to unlock the device. This means that if the user forgets their password, IT can not reset it and you would have to wipe the hard drive. If you decided to use a standard password for all laptops this would probably work well.
Bitlocker would be ideal (It was not available when I was rolling it out initially) because the way I understand it is that it completely hooks into AD.
Windows 8 Pro has bit locker integrated natively.
Windows 7 has bit locker in Windows 7 Enterprise or Ultimate.
Those are the two ways to run windows and have no pre-boot password.
You will need to buy your stations without an OS and install a custom image for your group to get Win7 M$ integrated encryption. Windows 7 Enterprise is available through Volume Licensing (eopen), not really available to normal retail users.
chews on straws said:
Windows 8 Pro has bit locker integrated natively.
Windows 7 has bit locker in Windows 7 Enterprise or Ultimate.
Those are the two ways to run windows and have no pre-boot password.
You will need to buy your stations without an OS and install a custom image for your group to get Win7 M$ integrated encryption. Windows 7 Enterprise is available through Volume Licensing (eopen), not really available to normal retail users.
Unless you build your own machines I do not see either Dell or HP offering a "no-OS" option, or even a linux option which can then be overwritten by Windows 7 pro. These days I would say buying with Win 8 then upgrading to Windows 7 pro may be the best investment but it is a huge cost.
Windows 8 no good, I would not subject people to that.
CDW will do a custom factory install for you. Dell will as well, the project with Dell is called CFI (custom factory image), I have done this successfully. Just upload a ghost image.
I do not buy HP direct, but CDW has an imaging program. I suggest those guys.
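For anyone who ends up on the BitLocker route discussed in this thread, here is an added example (not from any of the posters) that reports, per volume, whether it is encrypted, whether it unlocks without a pre-boot prompt, and whether a recovery password exists for the forgotten-password case. It assumes Windows 8 / Server 2012 or later with the BitLocker PowerShell module; the function name `Get-UnlockSummary` and the sample volumes are constructed for illustration.

```powershell
# Added example: classify BitLocker volumes by how they unlock at boot.
# Get-UnlockSummary is a hypothetical helper name, not a built-in cmdlet.
function Get-UnlockSummary {
    param([Parameter(ValueFromPipeline)] $Volume)
    process {
        # Names of the key protectors configured on this volume
        $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        # Protectors that make the user type or insert something before Windows starts.
        # ExternalKey is left out: it can be either a startup key or a recovery key.
        $interactive = @($types | Where-Object {
            $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password'
        })
        [pscustomobject]@{
            MountPoint          = $Volume.MountPoint
            Encrypted           = ("$($Volume.VolumeStatus)" -eq 'FullyEncrypted') -and
                                  ("$($Volume.ProtectionStatus)" -eq 'On')
            PrebootPrompt       = $interactive.Count -gt 0
            TpmOnly             = ($types -contains 'Tpm') -and ($interactive.Count -eq 0)
            HasRecoveryPassword = $types -contains 'RecoveryPassword'
        }
    }
}

# Constructed sample objects shaped like Get-BitLockerVolume output, so this runs offline.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'Tpm' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) },
    [pscustomobject]@{ MountPoint = 'D:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'TpmPin' }) },
    [pscustomobject]@{ MountPoint = 'E:'; VolumeStatus = 'FullyDecrypted'; ProtectionStatus = 'Off'
        KeyProtector = @() }
)

$sample | Get-UnlockSummary | Format-Table -AutoSize

# On a real workstation, from an elevated prompt:
#   Get-BitLockerVolume | Get-UnlockSummary | Format-Table -AutoSize
```

In the sample, C: is the no-pre-boot-password case (TPM only, with a recovery password), D: would prompt for a PIN and has no recovery password, and E: is not encrypted at all.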