
Information Privacy and Security


Encryption Deployment Update - Items of interest (5/28/09)

  • Check Point Full Disk & Media (for USB drives) Encryption products for Windows, Mac and Linux will be available to begin installation June 1, 2009
  • Purchase and installation may be initiated in June for FY09 or initiated after July 1 for FY10
  • For LMS supported devices, please contact your LAN manager prior to attempting to purchase
  • Department local technical support staff and other individuals may purchase the product through the ITS Software Store as of June 1
  • Informatics has secured a lower price for the Check Point products than the original price of $54.50 per device. Now $38.25 plus first year maintenance of $10.63 = total $48.88
    (Note: ITS Software Store credit card purchase price will need to include a card processing fee of $2.34 = total $51.22)

VUMC Data Encryption History / Summary: 

Data loss via a stolen or accidentally lost laptop is a real risk for any organization today. With the growing use of electronic information and the ease with which technology allows work on portable / mobile devices, the Information Privacy and Security Executive Committee (IPSEC) requested that Informatics formalize a workgroup to evaluate and recommend possible encryption solutions to help mitigate the risk associated with VUMC confidential data on these devices. (This group initially produced a whitepaper – available at this link.)
 
During this process it was suggested that the team follow the data to learn where protection is necessary. While this has value, the team quickly learned that virtually any machine connected to the VUMC network / systems may contain Confidential Information. Data protection for PHI is an addressable element in the HIPAA regulations. It is the accidental loss of a computer that causes organizations to spend resources to mitigate and correct these errors. Knowing what other organizations have experienced, evaluating the risk if even one machine with Confidential Information were missed, and comparing that with the effort involved in following PHI / RHI, the work group realized that encrypting all end user devices is best. Is encryption the complete solution for protecting the informational assets of VUMC? No, but it is a significant step on our journey toward preventing unwanted disclosures and overall data loss.

Encrypting end user devices is more involved than one simple task. This will take several segments of work in the coming months. One segment may include an approach and/or solution that is independent of, or not applicable to, another segment. In addition, progression through a segment may produce experiences that influence adjustments to the other segments. This web site is where any adjustments will be documented for all to utilize, and it will serve as a resource for FAQs, updates, and informational links.

High points of activities thus far:   

  • Two VUMC policies were developed – one for protection of PHI and one for protection of RHI
  • Evaluation of several encryption solutions 
  • Check Point Full Disk Encryption (FDE) was selected as product of choice for VUMC owned devices 
  • Key reasons Check Point FDE fits VUMC best:
      - Windows, Mac, and Linux platforms supported
      - Domain membership and non-domain membership supported (Windows environment)
      - Centralized key management
      - Successful large installations as references
      - Provides detailed logging

  • Freeware encryption solutions evaluated for non-VUMC owned devices (more details below)
  • An Implementation work group has been formed 
  • Our work group recognizes the importance of communication - this site is the central point  

The Encryption Implementation "Journey" for VUMC

Segment A – Using Check Point Full Disk Encryption, encrypt VUMC owned end user electronic devices (excluding smart phones and servers physically inside a data center)

1. Clinical Workstations (CWS) will be encrypted first. Although pilot testing has been done, nothing is better than actual real-world experience; therefore, what is learned through the CWS implementation will be carried into the following segments.
2. LMS administrative workstations – these machines are supported through LAN Management Services within Network Computing Services (NCS). During this portion of the implementation, the LMS support staff will install on their own workstations first, learning from that in order to give better service to the LMS supported customers.
3. VUMC owned devices supported through a department / service independent of LAN managers – detailed installation instructions will be shared by the Network Security group, which is in charge of the centralized key management software.
 
Segment B – IRB application and annual renewal processes that contain RHI / PHI must be encrypted. 
 
* If the device is owned by VUMC, Check Point Full Disk Encryption will be required as the encryption solution

* If the device is not owned by VUMC, there will be a manual review to confirm an encryption solution is installed

* There will be an option to purchase Check Point Full Disk Encryption – details of how this will work are being finalized and will be published here and provided in the IRB processes in the near future

* There will be an option for freeware encryption – the recommended and preferred free solution is TrueCrypt. Link for download and “highly suggested” installation process is here. (Using TrueCrypt at VUMC)

Segment C, D, & E – these segments will consider and decide on items such as: smart phones, remote access, devices not owned by VUMC, improvements in technologies, and monitoring for policy compliance. As the team develops more details, this information will be communicated.

Published Date: 1/25/09
This page was last updated December 9, 2010 and is maintained by Linda Campbell