Shifting to Hardware-Based Encryption
Why Saint Barnabas Healthcare System Made the Switch
The drives, which come pre-installed in new laptops from HP, can be fully activated in about an hour, versus up to 18 hours for software-based encryption, Syed says. Plus, unlike software encryption, the new technology has minimal impact on the laptops' performance, he contends. The provider organization is using software from Wave Systems to manage the self-encrypted drives.
So far, Saint Barnabas Healthcare System has implemented 800 new laptops using the technologies, with 400 other laptops yet to be replaced.
In an interview (transcript below), Syed:
- Describes encryption of laptops as one important element of a breach prevention strategy; another is minimizing the amount of patient data stored on the devices.
- Notes that the organization is studying how to apply encryption and other security measures on other mobile devices as well as PCs. He also says it's "only a matter of time" before back-end databases will be encrypted as well.
- Advises other organizations to enable clinicians to test at least three encryption options before making a selection so the impact on performance can be carefully assessed.
Syed has more than 15 years of IT experience, including eight years in security. Before joining Saint Barnabas Healthcare System, he worked as a consulting engineer at the consulting firm Inacom/Vanstar and director of technology infrastructure at ShareMax.com.
HOWARD ANDERSON: For starters, why don't you tell us about the size and scope of your health system.
HUSSEIN SYED: Saint Barnabas is one of the leading healthcare providers in the state of New Jersey. We operate six acute care facilities and one ambulatory care center. ...
ANDERSON: I understand you recently shifted your approach to encryption for laptop devices. You had formerly been using software full disk encryption. Could you explain how that technology worked and why it was no longer meeting your needs?
SYED: As part of our overall strategy to protect mobile media, we had chosen to go with a software-based encryption solution because that's what was available in the market at that time. Drawbacks of software-based encryption are performance overhead and time to provision the system to the end-user. ... It took about 30 to 35 minutes to install the agent on the machine. It took about 12 to 18 hours to encrypt the full drive. ... It made sense to shift from a solution that was agent-based to a self-encrypting drive solution, which has zero overhead on the performance and very quick provisioning times.
New Encryption Approach
ANDERSON: Let's talk a little bit more about your use of self-encrypting drives. Explain this new approach, how it differs from the old and why you think it will be better for you.
SYED: The new self-encrypting drives that we are using are in all our new laptops. ... So the laptop gets delivered, our technician just configures it for a user and the encryption is done at a hardware level so there is negligible performance overhead.
The only difference is that a user has to log in twice to their laptop. When the machine boots up, they have to log in with their credentials and then when it comes to Windows logon, they have to authenticate again.
The entire provisioning cycle is now down to about an hour from 18 to 20 hours, which is a very good service level for us. It also has no performance overhead, so users in the field working with larger files, copying data or moving data have no performance issues and no user satisfaction issues. ...
ANDERSON: So what brand of self-encrypting drives are you using and are you using software to manage them?
SYED: They come in our HP laptops. The software that we use that gives us a fairly good bang for the buck is Wave Solutions. ... We have the ability to recover the data or have a recovery password generated from our management system in case the user forgets the password or is no longer with the company and we need to recover the data.
Encrypting All Laptops
ANDERSON: So how many laptops at St. Barnabas include health information that needs to be protected, and how long will it take you to shift them to the new form of encryption?
SYED: Our policy is every laptop that is procured has to be encrypted because we cannot guarantee the encryption of the data on the laptop ... we can't guarantee there's not going to be sensitive information on our laptops, so by policy every laptop gets encrypted.
Currently we have about 800 laptops that have self-encrypting hard drives and about 450 on the older software-based encryption, and the process is as we refresh the laptops, they go onto the new solution. We do not install or purchase non-standard devices. Our standard is to buy an encryptable hard drive in a laptop or a tablet.
Preventing Breaches
ANDERSON: So are you investing in encrypting laptops primarily as a method of preventing breaches?
SYED: That is one of the reasons we are doing it; and the other is as an overall strategy we are starting to minimize exposure of our information. We have been deploying other methodologies where we are actually limiting the amount of data that gets copied onto a laptop or a desktop. But primarily under the HITECH Act regulations and other state law, if a device is encrypted with 128 bit or 256 bit encryption, breach notification is not required if we can demonstrate that there is no exposure or potential exposure of that data.
Role of DLP Software
ANDERSON: So how are you going about minimizing the amount of patient information stored on laptops? Are you providing some sort of direction to clinicians?
SYED: We are deploying some data loss prevention solutions which will identify what data is on laptops or desktops, and then we're educating them about centralizing the data on file shares or not keeping it on their laptop longer than it's required -- if they're done using the data, delete it or move it back to the repository where it's backed up and has security.
Future Encryption Plans
ANDERSON: So what about your plans for encrypting other mobile devices and media or PCs, and what approach to encryption might you eventually take for those devices?
SYED: We're putting together a full mobile device management policy. Currently we only use Blackberries, but we are actively looking at using iPhones, Androids and other mobile devices, and we're extending our end-point security solutions, which we currently use with our laptops and desktops, to these mobile devices. That includes encryption, remote wipe and other tracking and remediation mechanisms. And we will not issue any other devices other than Blackberries until our policy has been worked out.
ANDERSON: What about desktop PCs? Will you encrypt those?
SYED: Currently we do not. We do have a study under way where we're looking at the kind of data that's stored on these desktops. We may identify some desktops in some areas where we would potentially encrypt them if we identify any type of sensitive information that needs to be stored on those devices.
ANDERSON: What about encryption on back-end databases? Is that at all practical eventually?
SYED: It's just a matter of time before that becomes practical. What we do now is, every time we upgrade or refresh any environment, encryption is an item that gets discussed from a security perspective, and there are a number of other things that we do employ as well: audit controls, methodologies, stronger authentication schemes. But encryption is another item that we do seriously consider.
ANDERSON: Finally, what advice would you give to other organizations that are considering their encryption options, especially for laptops?
SYED: The best advice I can give is to make sure you evaluate several solutions, bring it down to perhaps three solutions to do a pilot and, based on that, pick your solution. But make sure you involve clinicians. ...