
6 Laptop Security Basics


If you work in IT and HIPAA compliance you understand that laptop security is a leading threat in the rising number of HIPAA breaches. Many of us watched the “Girl with the Dragon Tattoo” and walked away concerned about our decision to use Microsoft’s “free” BitLocker solution with Windows 10! Despite the “Hollywood spin” of spies stealing laptops and leveraging Firewire drives to gain the decryption keys, these threats are very real in the world of health care IT today.

We work with Hospitals, Clinics, Health Plans, Health Information Exchanges, and Business Associates. Most recently we helped a HIPAA Security Officer at an IT company encrypt all their laptops. They have no Active Directory Domain, users are working from home in all corners of the country, and they don’t want to spend $70 per laptop to encrypt them.


We upgraded their Windows 7 Professional laptops to Windows 10 and employed BitLocker on all laptops using TPM and PINs.

They are encrypted, and now we are compliant with HIPAA, right? Not quite so fast. Upon verification, we found out their IT company had used only the TPM (no PIN) to protect their laptops.

TPM stands for Trusted Platform Module, which essentially is a microprocessor that off-loads encryption/decryption loads when reading and writing to the hard drive and integrates the decryption key with the hardware. It is a feature in almost all laptops nowadays and is required by most encryption products. The key needed for decryption can be stored on USB or a network file share, and it is temporarily held in the system’s memory while the laptop is turned on and the user is logged in. The key is needed to use the laptop (by decrypting the information on the hard drive so it can be used in the device’s memory and CPU processes).

Using the OCR’s Audit Protocol as our HIPAA checklist, here are some basics we recommend for HIPAA-compliance efforts and best practices (be sure to use an SSD to help with encrypted laptop performance):

In summary, laptops need, at a minimum:

  1. Patch Management & supported OS 164.308(a)(5)(ii)(B)
  2. Malware Protection (ideally from centralized console) 164.308(a)(5)(ii)(B)
  3. Even though they call this one “addressable,” IMO full-disk encryption is a must 164.312(a)(2)(iv) – We recommend AD/Azure with BitLocker full-disk encryption*, Symantec Endpoint Encryption (PGP), or McAfee Encryption.
  4. Session Idle timers set to lock or logoff 15-30 minutes (depending on your org’s workflows) 164.312(a)(2)(iii)
  5. Disposal and reuse procedures (secure wipe before reuse or destruction for disposal) 164.310(d)(2)(ii)
  6. Device and Media Controls (tracking and remote wipe/lock management if lost or stolen) 164.310(d)(2)(iii)

*Per Microsoft’s article on BitLocker’s “vulnerability”: “Some configurations of BitLocker can reduce the risk of this kind of attack. The TPM+PIN, TPM+USB, and TPM+PIN+USB protectors reduce the effect of DMA attacks when computers do not use sleep mode (suspend to RAM). If your organization allows for TPM-only protectors or supports computers in sleep mode, we recommend that you block the Windows SBP-2 driver and all Thunderbolt controllers to reduce the risk of DMA attacks.”

So don’t let this article sway you from using BitLocker. It is still a valid solution. And, just like any other tool, it needs a few additional configuration settings (TPM + PIN or TPM + USB) to ensure you don’t fall into a situation where you must notify your patients that a breach happened.
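The “upon verification” step above is where the TPM-only configuration was caught, and it is worth automating. The following PowerShell script is an added example written for this article, not code from HIPAA One or Microsoft. It assumes an elevated PowerShell session on a Windows 10 laptop with the BitLocker module present, and it checks three things the text calls out: which BitLocker key protectors are on the OS volume (flagging TPM-only), whether the device-install deny list that Microsoft’s note recommends for 1394/SBP-2 and Thunderbolt controllers is in place, and whether a password-protected idle lock is enforced (item 4 above). The registry paths are the ones the corresponding Group Policy settings write; on a laptop with no domain they can be set locally. The `-Remediate` switch and the `Test-*` function names are this example’s own.

```powershell
# Added audit example (not from the original article): checks an encrypted
# Windows 10 laptop against the TPM+PIN / DMA guidance quoted in the footnote.
# Read-only unless -Remediate is passed. Run from an elevated PowerShell.
param([switch]$Remediate)

# Protector types Microsoft's note treats as reducing DMA exposure:
# TPM+PIN, TPM+USB (startup key), TPM+PIN+USB.
$StrongTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

function Test-OsVolumeProtectors {
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        Volume           = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus      # 'On' = encrypted and protectors active
        EncryptionMethod = $vol.EncryptionMethod
        Protectors       = ($types -join ', ')
        HasRecoveryKey   = ($types -contains 'RecoveryPassword')
        # TPM-only: a bare Tpm protector and none of the strong combinations
        TpmOnly          = ($types -contains 'Tpm') -and
                           -not ($types | Where-Object { $StrongTypes -contains $_ })
    }
}

function Test-DmaDeviceBlock {
    # GPO "Prevent installation of devices that match any of these device IDs" writes here.
    $key     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $enabled = (Get-ItemProperty -Path $key -Name DenyDeviceIDs -ErrorAction SilentlyContinue).DenyDeviceIDs -eq 1
    $ids = @()
    if (Test-Path "$key\DenyDeviceIDs") {
        $ids = (Get-ItemProperty "$key\DenyDeviceIDs").PSObject.Properties |
               Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    }
    [pscustomobject]@{
        DenyListEnabled = $enabled
        # PCI\CC_0C0A is the 1394 (FireWire/SBP-2) controller class ID; Thunderbolt
        # controller IDs vary by vendor and generation, so match them to your hardware.
        Blocks1394      = ($ids -contains 'PCI\CC_0C0A')
        DeniedIds       = ($ids -join ', ')
    }
}

function Test-IdleLock {
    # Per-user policy path for "Screen saver timeout" / "Password protect the screen saver".
    $p = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
                          -ErrorAction SilentlyContinue
    $timeout = [int]($p.ScreenSaveTimeOut)          # seconds; 0 or absent = not set by policy
    [pscustomobject]@{
        LockEnforced   = ($p.ScreenSaverIsSecure -eq '1')
        TimeoutMinutes = [math]::Round($timeout / 60)
        WithinArticle  = ($timeout -gt 0 -and $timeout -le 1800)   # article recommends 15-30 min
    }
}

$bl   = Test-OsVolumeProtectors
$dma  = Test-DmaDeviceBlock
$lock = Test-IdleLock
$bl, $dma, $lock | Format-List

if ($bl.TpmOnly) {
    Write-Warning "$($bl.Volume) is protected by TPM only; a TPM+PIN protector is recommended."
    if ($Remediate) {
        # Without a domain, the GPO "Require additional authentication at startup" must be
        # set locally before Add-BitLockerKeyProtector will accept a TPM+PIN protector.
        $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
        New-Item -Path $fve -Force | Out-Null
        Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
        Set-ItemProperty -Path $fve -Name UseTPMPIN -Value 2 -Type DWord   # 2 = allow PIN with TPM
        $pin = Read-Host -Prompt 'Startup PIN for this laptop' -AsSecureString
        # Only one TPM-based protector can exist per volume, so this replaces the TPM-only one.
        Add-BitLockerKeyProtector -MountPoint $bl.Volume -TpmAndPinProtector -Pin $pin | Out-Null
        # Escrow a recovery password so a forgotten PIN does not turn into a lost laptop.
        if (-not $bl.HasRecoveryKey) {
            Add-BitLockerKeyProtector -MountPoint $bl.Volume -RecoveryPasswordProtector | Out-Null
        }
    }
}
```

Run it without switches first and keep the output as the verification record for the laptop; `TpmOnly = True` is exactly the finding described above. The remediation branch deliberately adds a recovery password alongside the PIN, because a PIN-protected laptop with no escrowed recovery key fails the same way a stolen one does when the user forgets the PIN.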

So if you are a clinic, hospital, health plan or business associate, and become a targeted victim of laptop theft, you can smile all the way to the IT Helpdesk knowing an ePHI breach to Health and Human Services is not reportable, and your shiny new laptop will be on its way!

To cover these 8, and the other 72 HIPAA Citations, contact us or see our HIPAA One® Solution page for the simple, automated and affordable way to meet complex compliance requirements while reducing your organization’s risk handling PHI.

Comments

  1. Jdashn says

    Looking at this article regarding securing laptops with Windows 10 for HIPAA compliance, I am wondering how you addressed the automatic sending of data to Microsoft and 3rd party advertisers noted in their EULA when using Windows 10, regardless of whether you use BitLocker or not. I am particularly concerned about the ‘Keylogging’, Calendar and Email scanning, WiFi Sense, and of course the other ‘Features’ that report other information back to Microsoft and Third parties.

    Do you have any resources for locking down these and any other ‘features’ that may compromise my HIPAA compliance?

    Thanks!

  2. Aaron says

    The “keylogging” that is much ballyhooed has to do with the Cortana service. If the service is disabled, the OS does not send keystrokes to Microsoft. Much like Siri and Google Now, Cortana offloads the processing and search work to the servers of its owner (in this case Microsoft). Also like Apple and Google, Microsoft takes the data it gets, after stripping it of unique identifiers*, to refine and improve their services. While it is highly unlikely someone might use ePHI with Cortana, it is a concern that any healthcare organization will want to consider addressing before they roll out the Windows 10 OS. Cortana can be disabled via GPO, but it also disables the ability to search for applications, she’s “all or nothing.” Perhaps future iterations will allow a more granular control?

    *Supposedly; we only have their honest word that they are doing that.
