encrypted at rest - one drive for business / Google Apps for business
- @scottalanmiller said in encrypted at rest - one drive for business / Google Apps for business: HIPAA absolutely does not require that, though. That's misinformation. Insurance, maybe, but not HIPAA. That doesn't make it a bad idea, but just not a hard requirement. Maybe I wasn't clear. Microsoft says that OneDrive files are encrypted in the blob store in the cloud. If my mobile users have those files synced to their laptops, wouldn't I need to have drive encryption or something on, so if the laptop was stolen, patient information wouldn't be accessible?
- @DustinB3403 said in encrypted at rest - one drive for business / Google Apps for business: So use BitLocker or DiskCryptor or VeraCrypt (I thought VC was dropped because of BL). Anyways, encrypt the files and send them off. Microsoft had BL long, long before they started helping with VC.
- @Mike-Davis said in encrypted at rest - one drive for business / Google Apps for business: @scottalanmiller said in encrypted at rest - one drive for business / Google Apps for business: HIPAA absolutely does not require that, though. That's misinformation. Insurance, maybe, but not HIPAA. That doesn't make it a bad idea, but just not a hard requirement. Maybe I wasn't clear. Microsoft says that OneDrive files are encrypted in the blob store in the cloud. If my mobile users have those files synced to their laptops, wouldn't I need to have drive encryption or something on, so if the laptop was stolen, patient information wouldn't be accessible? You can do BitLocker (full disk encryption) or you can use something like VeraCrypt to do file encryption. Either one would work. If you're doing FDE then you should have a backup mechanism to recover files. It's much easier to just re-image the disk than fight with an encrypted OS.
- @Mike-Davis said in encrypted at rest - one drive for business / Google Apps for business: @scottalanmiller said in encrypted at rest - one drive for business / Google Apps for business: HIPAA absolutely does not require that, though. That's misinformation. Insurance, maybe, but not HIPAA. That doesn't make it a bad idea, but just not a hard requirement. Maybe I wasn't clear. Microsoft says that OneDrive files are encrypted in the blob store in the cloud. If my mobile users have those files synced to their laptops, wouldn't I need to have drive encryption or something on, so if the laptop was stolen, patient information wouldn't be accessible? You SHOULD do that, absolutely. But you should never let patient records go to laptops at all, IMHO. Why do they need to be carrying around sensitive data of that nature? And while it's smart, it's not a HIPAA requirement. Would you get in HIPAA trouble for not having it? Yes, but only because you are violating basic industry security, not because HIPAA requires data encrypted at rest. If you fixed having patient data sent to volatile, mobile laptops you'd fix the issue more. If an encrypted laptop was stolen loaded with patient data, you could still be in the same HIPAA predicament depending on the judge and expert witness.
- @coliver said in encrypted at rest - one drive for business / Google Apps for business: @Mike-Davis said in encrypted at rest - one drive for business / Google Apps for business: @scottalanmiller said in encrypted at rest - one drive for business / Google Apps for business: HIPAA absolutely does not require that, though. That's misinformation. Insurance, maybe, but not HIPAA. That doesn't make it a bad idea, but just not a hard requirement. Maybe I wasn't clear. Microsoft says that OneDrive files are encrypted in the blob store in the cloud. If my mobile users have those files synced to their laptops, wouldn't I need to have drive encryption or something on, so if the laptop was stolen, patient information wouldn't be accessible? You can do BitLocker (full disk encryption) or you can use something like VeraCrypt to do file encryption. Either one would work. If you're doing FDE then you should have a backup mechanism to recover files. It's much easier to just re-image the disk than fight with an encrypted OS. OneDrive would presumably be that mechanism.
- Let's back up. Security is good, but the best security comes from good design. Back up... why is data being sent out for people to take home?
- They are taking laptops to schools (where they work on site) and occasionally home visits where they don't have good enough wifi to get a stable VPN connection. I have thought about portable hot spots, but there are some locations where those don't work either.
- @Mike-Davis said in encrypted at rest - one drive for business / Google Apps for business: They are taking laptops to schools (where they work on site) and occasionally home visits where they don't have good enough wifi to get a stable VPN connection. I have thought about portable hot spots, but there are some locations where those don't work either. So they are forced to have the data local because there is no means of accessing the data on the servers at the time of use? That's really crappy.
- Assuming Windows, I'd probably just use BitLocker then and really lock down the machines. The issue is laptop theft in this case, and that works pretty well. Set the laptop to burn if someone tries to break in, no critical data there.
- You have two basic security vectors to deal with. Someone stealing the laptop and someone stealing the hard drive out of it. If you stop someone from logging in effectively, that protects that vector. If you encrypt the whole hard drive that stops the other. BL should work fine and be transparent to the end user.
- FYI, if you're using BitLocker, you must disable sleep/hibernation for it to truly be doing its job. Otherwise the boot-time ask for the password is bypassed because it's stored in memory. This means a full power on and power off when moving around. Just an FYI.
- @scottalanmiller said: If an encrypted laptop was stolen loaded with patient data, you could still be in the same HIPAA predicament depending on the judge and expert witness. I am under the impression that OCR considers FDE as a non-offense. I mean, the breach happened, but there would be no penalty as the data is potentially inaccessible.