In yet another laptop data breach incident, Riverside County Regional Medical Center in Riverside, California reported that a lost laptop containing Personally Identifiable Information (“PII”) and Protected Health Information (“PHI”) for about 7,900 patients went missing in December 2014. According to a letter filed with the California State Attorney General, potentially exposed PII and PHI information may have included Social Security Numbers, demographic information (such as name or date of birth), medical record number, diagnosis, treatment, and other medical information. Ironically, breaches involving laptops are highly preventable with the use of encryption technology.
Encryption is the conversion of electronic data into another form, called ciphertext, which cannot be easily understood by anyone except authorized parties. To read the data, you need to use a key or password to unencrypt the data. Crucially, under the California Breach Notification Law SB 1386, and most other state breach notification laws, the fact that lost data was properly encrypted will avoid the need for public notification.
It’s therefore highly important to confirm that any device in use by an organization is actually encrypted.
Encryption typically operates in the background
On laptops or desktops, installed encryption products typically function in the background. For example, a billing analyst using an encrypted desktop may interact with billing software, Microsoft Excel and email throughout a business day to complete work. This analyst may only encounter encryption while logging in at the beginning of a day and may not realize encryption is present. While some products such as Microsoft BitLocker employ a lock symbol next to a drive icon to indicate the presence of active encryption, most encryption products bury the status of encryption in an operating system menu or within software. Determining whether encryption is present and active are two distinct steps that require knowledge about a computer’s operating system and the ability to search a computer.
BitLocker Enabled in Microsoft Windows
How to Tell Whether Encryption is Present?
Ideally, encryption should be installed so that it protects an entire hard drive—“whole disk encryption” — and not just specific folders or email — “file-level encryption”. In newer computers, encryption is often integrated in the operating system (such as the encryption products built into Apple’s new operating system Yosemite or Microsoft’s Windows 7 and up). Encryption may be set-up for default installation (i.e., a user has to de-select encryption during computer set-up).
1. Determine the version of operating system (“OS”).
- Windows. Right click on the computer icon in a Windows folder view and click on Properties. (The computer icon may be labeled “Computer” or “This PC”.) Locate the Windows edition. See http://windows.microsoft.com/en-us/windows/which-operating-system.
OS Type: Microsoft Windows 8.1
- Apple. Go to the Apple menu in the menu bar and click on About This Mac. The Mac OSX version is under OSX. Refer to http://support.apple.com/en-us/HT201260.
OS Type: Apple OSX Versions
2. If native OS encryption is available, locate built-in encryption and review status.
- Windows. In computers running Microsoft Windows 7 Ultimate and Enterprise (as well as Windows 8 versions), BitLocker encryption is installed and provides whole disk encryption capability. There are caveats to the use of BitLocker (such as configuration with or without hardware-level encryption ), but the presence of BitLocker can be confirmed by searching for BitLocker in the Control Panel. More details are available at http://windows.microsoft.com/en-US/windows7/products/features/bitlocker.
- Apple. In Apple computers, FileVault 2 provides whole disk encryption capability. To determine the status of FileVault 2 whole disk encryption in Apple Yosemite, go to the Security & Privacy pane of System Preferences. For older Apple OSX versions with FileVault, encryption is limited to a user’s home folder rather whole disk encryption. More details are available at http://support.apple.com/en-us/HT4790.
Apple OSX FileVault 2 Menu
3. Look for a third-party application.
There are several third-party software applications that provide whole disk encryption (examples listed below). These applications can be found by searching a computer’s installed applications. To determine whether encryption is active, the application will need to be opened and reviewed. Many encryption applications will use a visual symbol or term such as “active” to indicate that encryption is functioning. (For a comparison of encryption products, review the following discussion: http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software.)
|1. Built into Operating System (“OS”)||BitLocker||FileVault 2|
|2. Third-Party Software Products|
|Dell Data Protection Encryption (DDPE)||X||X|
|Check Point Full Disk Encryption Software Blade||X||X|
|Pointsec (Check Point)||X|
- Finding third-party software on a Windows computer.
i. Locate and open the Control Panel by clicking on the Start menu (not available in Windows 8) or using Windows search. (To learn more about the Control Panel, refer to the link http://support.microsoft.com/search?query=control%20panel.)
ii. Navigate to the Programs section of the Control Panel.
Windows Select Programs Section
iii. Click on Programs and Features.
Windows Select Programs and Features
iv. Scroll through the installed software applications to determine whether third-party encryption software is installed.
Windows Review Installed Programs
- Finding third-party software on an Apple computer.
i. Apple computers are configured with Spotlight — an Apple-native search utility that catalogues and organizes content. (See the following URL for information on Spotlight: http://support.apple.com/en-us/HT204014.)
ii. Spotlight can be found by clicking on the magnifying glass symbol in the upper right-hand corner of Apple’s menu bar.
iii. Enter the name of the third-party software into the Spotlight search box and review search results. (See the “quicktime” search example in the screenshot below.)
Apple Spotlight Search
Caution with the Use of Encryption
User Versus IT (Information Technology department) Installation.
In Apple FileVault 2 user guidance, three scenarios are identified for the installation of encryption — IT only, user with IT support or user only. These scenarios apply to the installation of any encryption and software product. While it is less expensive to have end users configure devices, encryption is the type of activity that can render a laptop useless if improperly deployed. As a rule of thumb, IT should direct installation and configuration of encryption to protect corporate assets.
Properly Set Up Users.
When encryption is deployed, there is often a requirement to set up “approved” users for access. If a user is not set up, then access is denied. If IT does not have user-level access, then IT may be locked out.
IT should maintain control of encryption keys. IT should have keys for each device with deployed encryption. Further, all encryption keys should be backed up to a source NOT controlled by IT. With tight control and access over encryption keys, an organization minimizes the chance that encryption will lock an organization out of corporate assets. Providing IT with access to each computer’s encryption keys also prevents a disgruntled employee from locking an organization out of their own computers.
Fully Document IT Encrypting Devices.
If a device is lost or stolen, it may be crucial to prove that the device was encrypted in order to avoid the need for a costly notification of any persons whose PII has been compromised. Make sure that IT has fully documented the encryption process and specific serial numbers of devices so protected.
Don’t Forget Other Sources Such as Cloud Applications.
Document and control cloud data storage of corporate assets. For each computer where cloud-based applications are running (including email), digital assets should be evaluated as to whether encryption is required locally and in the cloud. Many cloud storage applications offer encryption for stored data and data being transmitted.