If you work in IT or HIPAA compliance, you understand that lost or stolen laptops are a leading cause of the rising number of HIPAA breaches. Many of us watched “The Girl with the Dragon Tattoo” and walked away concerned about our decision to use Microsoft’s “free” BitLocker solution with Windows 10! Despite the “Hollywood spin” of spies stealing laptops and leveraging FireWire connections to obtain the decryption keys, these threats are very real in the world of health care IT today.
We work with hospitals, clinics, health plans, Health Information Exchanges and Business Associates. Most recently we helped a HIPAA Security Officer at an IT company encrypt all of their laptops. They have no Active Directory domain, their users work from home in all corners of the country, and they don’t want to spend $70 per laptop to encrypt them.
We upgraded their Windows 7 Professional laptops to Windows 10 and employed BitLocker on all laptops using TPM and PINs.
They are encrypted, so now we are HIPAA compliant, right? Not so fast. Upon verification, we found that their IT company had used only the TPM to protect their laptops.
TPM stands for Trusted Platform Module, which is essentially a microprocessor that off-loads encryption/decryption work when reading from and writing to the hard drive and ties the decryption key to the hardware. It is a feature of most laptops nowadays and is required by most encryption products. The key needed for decryption can also be stored on a USB drive or a network file share, and it is held temporarily in the system’s memory while the laptop is turned on and the user is logged in. The key is needed to use the laptop at all, since it decrypts the information on the hard drive so it can be used in the device’s memory and CPU processes.
Using the OCR’s Audit Protocol as our HIPAA checklist, here are some basics we recommend for HIPAA compliance efforts and best practices (be sure to use an SSD to help with encrypted laptop performance):
In summary, laptops need, at a minimum:
- Patch Management & supported OS 164.308(a)(5)(ii)(B)
- Malware Protection (ideally from centralized console) 164.308(a)(5)(ii)(B)
- Even though they call this one “addressable,” IMO full-disk encryption is a must 164.312(a)(2)(iv) – We recommend AD/Azure with BitLocker full-disk encryption*, Symantec Endpoint Encryption (PGP), or McAfee Encryption.
- Session idle timers set to lock or log off after 15-30 minutes (depending on your org’s workflows) 164.312(a)(2)(iii)
- Disposal and reuse procedures (secure wipe before reuse or destruction for disposal) 164.310(d)(2)(ii)
- Device and Media Controls (tracking and remote wipe/lock management if lost or stolen) 164.310(d)(2)(iii)
*Per Microsoft’s article on BitLocker’s “vulnerability”: “Some configurations of BitLocker can reduce the risk of this kind of attack. The TPM+PIN, TPM+USB, and TPM+PIN+USB protectors reduce the effect of DMA attacks when computers do not use sleep mode (suspend to RAM). If your organization allows for TPM-only protectors or supports computers in sleep mode, we recommend that you block the Windows SBP-2 driver and all Thunderbolt controllers to reduce the risk of DMA attacks.”
So don’t let this article sway you from using BitLocker. It is still a valid solution, and, just like any other tool, it needs a few additional configuration settings (TPM + PIN or TPM + USB) to ensure you don’t end up in a situation where you must notify your patients that a breach happened.
So if you are a clinic, hospital, health plan or business associate and become the targeted victim of laptop theft, you can smile all the way to the IT Helpdesk knowing that the loss is not an ePHI breach reportable to Health and Human Services, and your shiny new laptop will be on its way!
To cover these 8 and the other 72 HIPAA citations, contact us or see our HIPAA One® Solution page for the simple, automated and affordable way to meet complex compliance requirements while reducing your organization’s risk when handling PHI.
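The verification step described above (finding that a laptop was protected by TPM only) is easy to automate. The following PowerShell script is an added example written for this page; it is not from the original article, from Microsoft, or from the HIPAA One product. It uses the standard `Get-BitLockerVolume` cmdlet and its `KeyProtectorType` values to flag the TPM-only configuration and the absence of the TPM+PIN / TPM+USB protectors that Microsoft’s guidance recommends, and it inventories any present IEEE 1394 (FireWire) and SBP-2 devices, since those are the classes the quoted guidance says to block. The device class names `1394` and `SBP2` and the `$AcceptableProtectors` list are assumptions of this example; run it in an elevated PowerShell session on a Windows 10 Pro/Enterprise laptop with the BitLocker module installed.

```powershell
# Added example (not from the original article or from Microsoft): audit the BitLocker
# protector configuration of the OS volume and flag the TPM-only setup the article warns about.
# Assumes Windows 10 with the BitLocker PowerShell module and an elevated session.

# Protector combinations that Microsoft's guidance (quoted above) treats as reducing DMA risk.
$AcceptableProtectors = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

function Test-BitLockerPosture {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $findings = New-Object System.Collections.Generic.List[string]

    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("Volume status is '$($vol.VolumeStatus)', not FullyEncrypted")
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("Protection is '$($vol.ProtectionStatus)' (suspended or off)")
    }
    if ('Tpm' -in $types) {
        # TPM-only: the volume key is released at boot with no PIN or startup key required.
        $findings.Add('TPM-only protector present: key is unsealed at boot without a PIN or startup key')
    }
    if (-not ($types | Where-Object { $_ -in $AcceptableProtectors })) {
        $findings.Add('No TPM+PIN, TPM+StartupKey or TPM+PIN+StartupKey protector configured')
    }
    if ('RecoveryPassword' -notin $types) {
        $findings.Add('No recovery password protector; escrow one (AD/Azure AD) before enforcing a PIN')
    }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        EncryptionMethod = $vol.EncryptionMethod
        Protectors       = ($types -join ', ')
        Compliant        = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

function Get-DmaCapableDevices {
    # Present IEEE 1394 (FireWire) controllers and SBP-2 devices. Assumes the Windows device
    # class names '1394' and 'SBP2'; Thunderbolt controllers vary by vendor and are not listed here.
    Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Class -in @('1394', 'SBP2') } |
        Select-Object Class, FriendlyName, InstanceId, Status
}

$report = Test-BitLockerPosture
$report | Format-List
$report.Findings | ForEach-Object { Write-Warning $_ }
Get-DmaCapableDevices | Format-Table -AutoSize

# Remediation, left commented out on purpose. Adding a startup PIN requires the
# "Require additional authentication at startup" policy (Computer Configuration >
# Administrative Templates > Windows Components > BitLocker Drive Encryption >
# Operating System Drives) to permit a PIN, otherwise the cmdlet fails:
#   $pin = Read-Host -Prompt 'Startup PIN' -AsSecureString
#   Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin $pin
#   $tpmOnly = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
#       Where-Object KeyProtectorType -eq 'Tpm'
#   Remove-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $tpmOnly.KeyProtectorId
```

The order of the commented remediation matters: add the TPM+PIN protector (and confirm a recovery password has been escrowed) before removing the TPM-only protector, so the volume is never left without a usable protector. For the home-worker fleet described in the article, the same function can be wrapped in a remote session or scheduled task and its `Compliant` flag collected centrally as evidence for the 164.312(a)(2)(iv) control.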