Encryption – First line of defense Plamen Martinov Director of Systems and Security

Agenda Encryption basics Importance of encryption Encryption solutions – Laptops/Desktops – USB/CD – /Cloud

What is Encryption? Encryption is a security process that scrambles information. It changes information from a readable form into something that can not be read unless you have the key. This: Rmvtu[yopm dhqht3w 3qtq isem ze mrxephlebl oermzq …so ONLY the person with the decryption key or password can read the information Becomes something like this: Encryption changes data into an unreadable format

Encryption vs. Passwords Having a password does not necessarily mean something is encrypted. – Passwords by themselves do not scramble the information. If something is only “password protected,” it is not enough protection - someone could bypass the password and read the information. Original Password Protected Encrypted

Why is Encryption Important? Encryption protects confidential information and helps keep it private! Statistics show that as many as one in ten laptops will be stolen or lost from an organization over the lifetime of each computer Laptops and USB devices can be easily lost or stolen

Why is Encryption Important? (Cont’d) HIPAA – Health Insurance Portability and Accountability Act to ensure confidentiality of patient health information Regulatory efforts impose stiffer fees and fines in the event that a breach occurs and steps are not taken to appropriately protect sensitive data Breach Notification Laws - require notification if information was not encrypted Encryption technologies can assist with ensuring the confidentiality of patient health information and also serve as a strong measure of protection against today’s commonly anticipated threats, such as unauthorized access, modification, and disclosure.

HIPAA Fines April, OCR levies $2 million in HIPAA fines for stolen laptops: – $1,725,220 against Concentra Health Services for an unencrypted laptop that had been stolen from one of Concentra Health Services facilities. – $250,000 against QCA Health Plan, Inc. of Arkansas after an unencrypted laptop containing personal health information for 148 people was stolen from an employee's car.

High Risk Confidential Information: A person’s name or other identifier, in conjunction with: Personally-identifiable Medical Information Dates (birth date, admission date, discharge date, etc.) Social Security number Driver’s license State ID or Passport number Biometric information Medical Record # (MRN) Health Insurance # Other Confidential Information: Human Subjects information HR Records Credit Card Information Whatever you considers confidential What to Encrypt?

BSD Encryption Solutions TypeEncryption SolutionsCost/ImpactPurpose Apple Filevault 2 $0; native security feature, easy setup; vendor-supported; AES 128 encryption for data protection; can store recover key with Apple; well- documented install guide. Encrypt the contents of your entire drive; Solution will work for personally owned and BSD-owned laptops. CBIS Credant** $60; CBIS installed and managed; CBIS technical staff required to restore system. Solution will only work with BSD-owned laptops. Windows BitLocker* $0; native security feature; AES 128-bit and 256-bit; some hardware dependencies. Encrypt the contents of your entire drive. Solution will work for personally owned and BSD-owned laptops. CBIS Credant** $60; CBIS installed and managed; CBIS technical staff required to restore system. Solution will only work with BSD-owned laptops. * To use BitLocker, your laptop must be equipped with a Trusted Platform Module (TPM) chip, and it must be enabled. ** CBIS Credant is a commercial software solution installed and supported by CBIS. There may be licensing and support fees associated with this product. Contact CBIS for more information.

BSD Encryption Solutions (Cont’d) TypeEncryption SolutionsCost/ImpactPurpose Files/Volumes Filevault 2 $0; native for Apple devices; AES 128 encryption for data protection; capable of creating secure disk images and file volumes Creates secure disk images and files for data sharing via , cd or cloud AxCrypt $0; has native versions for both Window and Apple; Uses strong compliant encryption. Creates secure disk images and files for data sharing via , cd or cloud External Storage Aegis Secure USB Key $65; unlocks with onboard PIN pad, 256-bit AES hardware-based encryption; PIN activated 7-15 digits - Alphanumeric keypad Securing transport of data, documents, and presentations Aegis Padlock Fortress $250; Secure PIN Access; Real-time 256-bit Military Grade AES-XTS Hardware Encryption; Software free design - No admin rights required; Water and Dust Resistant Securing transport of data (500GB +), documents, and presentations.

11 Good Security Standards follow the “90 / 10” Rule: 10% of security safeguards are technical 90% of security safeguards rely on the computer user (“YOU”) to adhere to good computing practices The lock on the door is the 10%. You remembering to lock, check to see if it is closed, ensuring others do not prop the door open, keeping control of keys is the 90%. Security – “Isn’t this just an I.T. Problem?”

Resources & References Center for Research Informatics – Cri.uchicago.edu BSD HIPAA Program Office – Hipaa.bsd.uchicago.edu Apple Encryption – FileVault 2 – Windows Encryption - Bitlocker – encryption-overview Files/Volumes Encryption – Axcrypt – External Storage Encryption – Aegis Secure Storage –