Software HDD Encryption: Poll

Dashrender

@scottalanmiller said:

@Dashrender said:

@MattSpeller said:

@Dashrender It provides quite a bit of protection. When you think of how you would break into a bone stock Win machine, my first move is a boot disk to nuke the local admin - denied. Boot a linux live cd to troll the files - denied.

Sure, but you've left a pretty big door open by allowing the OS to be attacked directly. But maybe that's not considered a real risk assuming you're requiring long passwords ?

Not in the least. If your data is encrypted you have no more risk than if you do FDE. Cracking the OS makes no difference if it is properly set up with data encryption.

So you're proponent of encrypting the data only. You're right you have little to no risk if the data is encrypted on top of the FDE, but I don't think that most people go that route. They probably choose one or the other, not both.

A Former User

@g.jacobse said:

Kentucky House Bill #5

(3) "Encryption" means the conversion of data using technology that:
(a) Meets or exceeds the level adopted by the National Institute of Standards Technology as part of the** Federal Information Processing Standards**: and
(b) Renders the data indecipherable without the associated cryptographic key to decipher the data;
(2) (a) For agreements executed or amended on or after January 1, 2015, any agency that contracts with a nonaffiliated third party and that discloses personal information to the nonaffiliated third party shall require as part of that agreement that the nonaffiliated third party implement, maintain, and update security and breach investigation procedures that are appropriate to the nature of the information disclosed, that are at least as stringent as the security and breach investigation procedures and practices referenced in subsection (1)(b) of this section, and that are reasonably designed to protect the personal information from unauthorized access, use, modification, disclosure, manipulation, or destruction.

(9) "Security breach" means:
(a) 1. The unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of unencrypted or unredacted records or data that compromises or the agency or nonaffiliated third party reasonably believes may compromise the security, confidentiality, or integrity of personal information and result in the likelihood of harm to one (1) or more individuals; or
2. The unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of encrypted records or data containing personal information along with the confidential process or key to unencrypt the records or data that compromises or the agency or nonaffiliated third party reasonably believes may compromise the security, confidentiality, or integrity of personal information and result in the likelihood of harm to one (1) or more individuals.
(b) "Security breach" does not include the good-faith acquisition of personal information by an employee, agent, or nonaffiliated third party of the agency for the purposes of the agency if the personal information is used for a purpose related to the agency and is not subject to unauthorized disclosure.

We are also governed by Department of Local Governments -

That only address mostly the WHO should be able to access it and that it should be protected in some manner. Not the HOW.

scottalanmiller

@Dashrender said:

So you're proponent of encrypting the data only. You're right you have little to no risk if the data is encrypted on top of the FDE, but I don't think that most people go that route. They probably choose one or the other, not both.

Performance would just get worse and worse.

scottalanmiller

@thecreativeone91 said:

@g.jacobse said:

Kentucky House Bill #5

(3) "Encryption" means the conversion of data using technology that:
(a) Meets or exceeds the level adopted by the National Institute of Standards Technology as part of the** Federal Information Processing Standards**: and
(b) Renders the data indecipherable without the associated cryptographic key to decipher the data;
(2) (a) For agreements executed or amended on or after January 1, 2015, any agency that contracts with a nonaffiliated third party and that discloses personal information to the nonaffiliated third party shall require as part of that agreement that the nonaffiliated third party implement, maintain, and update security and breach investigation procedures that are appropriate to the nature of the information disclosed, that are at least as stringent as the security and breach investigation procedures and practices referenced in subsection (1)(b) of this section, and that are reasonably designed to protect the personal information from unauthorized access, use, modification, disclosure, manipulation, or destruction.

(9) "Security breach" means:
(a) 1. The unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of unencrypted or unredacted records or data that compromises or the agency or nonaffiliated third party reasonably believes may compromise the security, confidentiality, or integrity of personal information and result in the likelihood of harm to one (1) or more individuals; or
2. The unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of encrypted records or data containing personal information along with the confidential process or key to unencrypt the records or data that compromises or the agency or nonaffiliated third party reasonably believes may compromise the security, confidentiality, or integrity of personal information and result in the likelihood of harm to one (1) or more individuals.
(b) "Security breach" does not include the good-faith acquisition of personal information by an employee, agent, or nonaffiliated third party of the agency for the purposes of the agency if the personal information is used for a purpose related to the agency and is not subject to unauthorized disclosure.

We are also governed by Department of Local Governments -

That only address mostly the WHO should be able to access it and that it should be protected in some manner. Not the HOW.

I agree, that didn't tell me anything new. It leaves us with "why is FDE" seen as needed. If anything it supports not using FDE.

scottalanmiller

Why is there data on laptops to protect? Why not just keep data from going to them altogether and completely fix the problem?

Dashrender

@thecreativeone91 said:

BIOS passwords are trivial to remove.

Sure, but HDD passwords aren't, which is what my point was. If you reset the HDD password you loose the key and might as well just format the drive and start over.

Dashrender

@scottalanmiller said:

Why is there data on laptops to protect? Why not just keep data from going to them altogether and completely fix the problem?

Do this is expensive and potentially difficult.

If I was to try to do this in my environment I'd have to start by building either RDS servers or VDI.

A Former User

@Dashrender said:

@scottalanmiller said:

Why is there data on laptops to protect? Why not just keep data from going to them altogether and completely fix the problem?

Do this is expensive and potentially difficult.

It's the least expensive option.

Dashrender

@thecreativeone91 said:

@Dashrender said:

@scottalanmiller said:

Why is there data on laptops to protect? Why not just keep data from going to them altogether and completely fix the problem?

Do this is expensive and potentially difficult.

It's the least expensive option.

How would you build your least expensive option?

gjacobse

@scottalanmiller said:

Why is there data on laptops to protect? Why not just keep data from going to them altogether and completely fix the problem?

As part of our contract with the State, we are required to.

At this time we do not have another solution.

A Former User

@Dashrender said:

@thecreativeone91 said:

BIOS passwords are trivial to remove.

Sure, but HDD passwords aren't, which is what my point was. If you reset the HDD password you loose the key and might as well just format the drive and start over.

The same goes for HDD Passwords.. Very Very easy. http://www.hddunlock.com/download/ and http://hddguru.com/software/2005.10.02-MHDD/ both will

MattSpeller

@thecreativeone91 oh wow - I will be testing both of those

Dashrender

@thecreativeone91 said:

@Dashrender said:

@thecreativeone91 said:

BIOS passwords are trivial to remove.

Sure, but HDD passwords aren't, which is what my point was. If you reset the HDD password you loose the key and might as well just format the drive and start over.

The same goes for HDD Passwords.. Very Very easy. http://www.hddunlock.com/download/ and http://hddguru.com/software/2005.10.02-MHDD/ both will

Interesting.. If this applies to the FDE module on drives, then you've just shown that FDE is completely pointless and total waste of money!

If that's not what you're saying, I guess you SAM'ing me and using my specific words to try to make me look foolish when the point I'm trying to make is that you can't reset the chip that houses the FDE encryption key without loosing said key and therefore loosing access to the data.

A Former User

@Dashrender said:

@thecreativeone91 said:

@Dashrender said:

@scottalanmiller said:

Why is there data on laptops to protect? Why not just keep data from going to them altogether and completely fix the problem?

Do this is expensive and potentially difficult.

It's the least expensive option.

How would you build your least expensive option?

What additional is needed. Force users to only store files on servers and have them access via a VPN. The Servers should already be encrypted and in a secure location. HIPAA Data should never be on laptops or external drives.

scottalanmiller

@Dashrender said:

@scottalanmiller said:

Why is there data on laptops to protect? Why not just keep data from going to them altogether and completely fix the problem?

Do this is expensive and potentially difficult.

If I was to try to do this in my environment I'd have to start by building either RDS servers or VDI.

Pretty basic first steps if security matters, though. If data is going on our laptops, security isn't a very high focus. You do RDS or VDI or just remote into desktops long, long before you talk encryption of laptops.

scottalanmiller

@thecreativeone91 said:

@Dashrender said:

@scottalanmiller said:

Why is there data on laptops to protect? Why not just keep data from going to them altogether and completely fix the problem?

Do this is expensive and potentially difficult.

It's the least expensive option.

Is it?

scottalanmiller

@g.jacobse said:

@scottalanmiller said:

Why is there data on laptops to protect? Why not just keep data from going to them altogether and completely fix the problem?

As part of our contract with the State, we are required to.

At this time we do not have another solution.

You are contractually obligated to store sensitive data in risky places? Why would a contract mandate that?

coliver

@thecreativeone91 said:

@Dashrender said:

@thecreativeone91 said:

@Dashrender said:

@scottalanmiller said:

Why is there data on laptops to protect? Why not just keep data from going to them altogether and completely fix the problem?

Do this is expensive and potentially difficult.

It's the least expensive option.

How would you build your least expensive option?

What additional is needed. Force users to only store files on servers and have them access via a VPN. The Servers should already be encrypted and in a secure location. HIPAA Data should never be on laptops or external drives.

That would be the least expensive, which is what was asked... but what stops them from copying files to disk?

Dashrender

@thecreativeone91 said:

What additional is needed. Force users to only store files on servers and have them access via a VPN. The Servers should already be encrypted and in a secure location. HIPAA Data should never be on laptops or external drives.

I'll admit that I hadn't considered forcing uses to only save to network share. But this only works on the assumption that users can't use person devices to access the data in the first place.

With most EHRs today being web based this is simply impossible/impractical.

All of my doctors require access to the EHR from any computer they are at. The best we can hope that they are using a 'trusted' computer, but that can't be promised.

So to completely lock this down we'd have to prevent access from all web computers except the VDI/RDS ones, then have the users have a portal into our VDI/RDS solution that is web based. Then we could prevent them from downloading en masse data to whatever device they are on.

If we don't lock the EHR servers to only the VDI/RDS ones and allow them access from any machine, then they can grab whatever reports are generate able to their local machine.

A Former User

@Dashrender said:

@thecreativeone91 said:

What additional is needed. Force users to only store files on servers and have them access via a VPN. The Servers should already be encrypted and in a secure location. HIPAA Data should never be on laptops or external drives.

But this only works on the assumption that users can't use person devices to access the data in the first place.

Letting HIPAA data be stored on personal devices is a even bigger issue. It shouldn't be done. IMO BYOD and PHI do not go together.