When it comes to security breaches, few industries are under attack more than the healthcare industry (see the infographic below). This prevalence is one of the many reasons why the Health Insurance Portability and Accountability Act (HIPAA) was developed in the United States. As healthcare IT organizations work to become compliant with the regulation, several key processes must come into consideration. One of the key processes is implementing full disk encryption (FDE). Let’s look at how to enforce FDE to achieve HIPAA compliance.
Why do healthcare IT organizations need to be worried about FDE for HIPAA? Well, for starters, HIPAA Security Rule §164.312(a)(2)(iv) states that organizations must “implement a mechanism to encrypt and decrypt electronic protected health information” (ePHI). But, beyond simply becoming HIPAA compliant, history has shown that healthcare companies simply need FDE to protect themselves.
When it comes to security breaches in healthcare, one of the most frequent sources of a breach are stolen laptops. We could spend days detailing each and every time a healthcare company has lost thousands of patients’ data. Instead, to save you time, let’s just touch on a few key examples that we can learn from.
Laptop Theft in Healthcare
1. Rocky Mountain Health Care Services, Colorado, Sept. ‘17
For the second time in three months at Rocky Mountain Health, an employee’s unencrypted laptop was stolen, compromising at least 909 patients’ ePHI.
2. Coplin Health Systems, West Virginia, Nov. ‘17
A password-protected yet unencrypted laptop was stolen from Coplin premises, potentially affecting the ePHI of 43,000 individuals stored on the computer.
3. Charles River Medical Associates, Massachusetts, Nov. ‘17
An unencrypted external hard drive was nabbed from the MA radiology clinic, exposing the ePHI of 9,387 bone scan patients.
4. FHN Memorial Hospital, Illinois, Nov. ‘18
4,458 patients’ ePHI was lost following the theft of an unencrypted system from a hospital employee’s vehicle in IL.
These are only a selection of healthcare breaches that could have been prevented by the use of FDE in the past three years. To round out this information, just know that in the last year alone, 351 healthcare breaches were reported, compromising 13,020,821 healthcare records (HIPAA Journal). You can approximate that 45% of said breaches were probably due to theft/unencrypted data, meaning that in the ballpark of 5.5 million individuals’ ePHI were affected due to a lack of FDE on systems. For a different perspective, that’s approximately the entire population of Finland.
How to Enforce FDE to Achieve HIPAA Compliance
In order to achieve HIPAA compliance, enforcing FDE across laptops and other systems is a must. With FDE, a computer’s hard drive is locked down when that computer is at rest, making it virtually inaccessible in the case of theft. Unfortunately, for many IT admins, enabling FDE is not as easy as simply flipping a switch and calling it a day.
Finding the Right Tool
First things first, IT organizations need a tool to enable FDE on their systems. This tool will need to be able to be effective for both FileVault™ on Macs® and BitLocker™ for Windows®. There are only a few solutions available on the market that are cross-platform in regards to FDE.
Additionally, IT admins need to be sure that they can securely escrow recovery keys (ideally individual recovery keys for increased security), which are more or less the password used to decrypt an encrypted drive when an employee is locked out of their computer. In the case that a user forgets their password or it expires, an IT admin will need the recovery key to decrypt the drive.
If they have each individual’s recovery key safely stored in a vault, they can access it easily when needed without worrying that it could be compromised in the meantime. Unfortunately, ever fewer of the FDE solutions on the market have this ability, especially when it comes to individual recovery keys, further refining the list of proper tools to enforce FDE for HIPAA.
Finally, IT admins need this tool to be easy to implement and use across their fleets of Mac and Windows systems. Many of today’s FDE solutions require time-intensive set up processes, and also need further maintenance and configuration to use properly. All of these tasks obviously take time, a commodity always in high demand among IT admins. With these clarifications in mind, one FDE tool to consider is JumpCloud® Directory-as-a-Service®.
Enforce FDE at Scale with JumpCloud
JumpCloud Directory-as-a-Service is the world’s first complete directory service available from the cloud. With JumpCloud, IT admins can manage their user base and their access to systems, networks, applications, and more from a single web admin portal.
A major part of JumpCloud’s system management capabilities are Policies. JumpCloud Policies allow IT admins to apply controls across entire system fleets, regardless of their platform (Windows, Mac, Linux®). One such Policy is the JumpCloud FDE Policy, which is capable of enabling FileVault and/or Bitlocker in just a few clicks. Other Policies include disabling Siri/Cortana, external USB ports, controlling screensaver/screen lock times, and more.
Achieve HIPAA Compliance with JumpCloud for Free
With regards to HIPAA compliance, IT admins will find that JumpCloud can be used for much more than just FDE. A crucial portion of the HIPAA Security Rule is access control. Independent auditing firm, CoalFire Systems, examined JumpCloud with regards to the access control sections of the HIPAA Security Rule. You can see their findings in this whitepaper.
If you are interested in using JumpCloud to help you achieve HIPAA compliance, why not try the product for free? A JumpCloud account requires no credit card to activate, and includes ten users on the house to get you up and running. You can also contact us to learn more about HIPAA, FDE, and all things JumpCloud.