Should I consider encrypting the hard drives of all my systems to ensure the safety of electronic PHI everywhere it may reside?
HIPAA Weekly Advisor, August 15, 2005
It would certainly be ideal to have such strong security everywhere electronic PHI (ePHI) is stored, but it's simply not realistic. If you've established that your systems are vulnerable (and I've yet to find any that aren't), go for your highest-payoff systems first. These are likely laptop computers and file and database servers that have limited physical security. Encrypting the drive of every single computer is probably not necessary, especially if you have reasonable and layered building security.
If you're going to encrypt drives, buy enterprise-level software such as that offered by PGP Corporation (www.pgp.com) that's easier to deploy, instead of using the less-scalable data-encryption solutions built into current operating systems. Keep in mind that commercial-grade drive encryption software costs money and requires some administration, but it can save serious effort and money in the long run.
This is especially true for software that encrypts the entire hard drive. Time and time again, I see users storing ePHI any place on a drive other than folders encrypted for ePHI storage. Sometimes this is intentional for the sake of convenience (such as storing files on the desktop), but other times it's unintentional, since many operating systems and applications store software in temporary directories and other default locations about which you may not be aware.
Editor's note: Kevin Beaver of Principle Logic answered this question. This is not legal advice. Consult your attorney for legal matters.