Department of Information Systems, Brigham and Women's Hospital
Laptop Encryption
Catherine McGoldrick Schroeder, Corporate Manager, BWH IS Management & Planning
Why encrypt laptops?
Partners is requiring laptops to be encrypted for multiple reasons, including but not limited to:
An ethical obligation to the data subjects and individuals whose data is maintained by Partners, including patients, research participants, and employees;
Compliance with multiple information security laws and regulations;
An increasingly aggressive regulatory posture from governmental entities; and
Minimizing organizational financial risk from the costs associated with a security breach, including loss of business due to bad public relations, loss of research funding, etc.
Legal requirements for compliance
Multiple laws and regulations have established encryption as a regulatory requirement, including:
The Health Insurance Portability and Accountability Act (HIPAA): modifications under ARRA's HITECH provisions that strengthened encryption requirements went into effect 09/23/09.
MGL c.93H: Massachusetts law requiring breach notification when unencrypted devices are lost or stolen.
201 CMR: Massachusetts regulation requiring Partners and BWH to develop an information security program, including mandatory encryption for portable devices storing personal information, wireless encryption, etc.
FTC's Red Flags Rules: federal regulations that require Partners and BWH to establish identity theft prevention programs, including the use of encryption (effective 06/01/10).
Additionally, encryption is increasingly required by Partners' and BWH's business partners and research funding sources as a contractual matter. As an example, the NHLBI requires data recipients to encrypt laptops that hold individually identifiable data.
Who is covered by this requirement?
Any individual who connects to the Partners network with a laptop (directly or via VPN), or who stores Confidential Data on their laptop.
Confidential Data is defined as: electronic protected health information, financial records, personal information, intellectual property, non-public research information, and employee information. Confidential Data also includes any other non-public information that would subject Partners/BWH, the data owner, or the data subjects to harm if the data were lost, stolen, or accessed by unauthorized individuals.
What is the risk to the organization and to individuals for non-compliance?
The risks vary, and typically would be determined during an enforcement action or audit by a governmental entity, or after the loss or theft of an unencrypted laptop.
As an example, the loss of individually identifiable data (from patients, research subjects, or employees) that is covered by information security laws and regulations could subject Partners and BWH to civil monetary liability. Individuals could also face civil and criminal penalties.
Loss of individually identifiable data would also require Partners and BWH to notify data subjects, federal and state regulators, and the press/media under breach reporting regulations. Civil litigation from data subjects could also result.
Loss of intellectual property or certain non-public research data could also harm Partners, BWH, and individual researchers: grantors may rescind funding, competitors may gain access to intellectual property, research projects may encounter unexpected difficulties, and adverse public relations could result.
Laptop Encryption Support
Partners offers two solutions for laptop encryption:
Windows laptops: SafeBoot® software
Mac laptops: PGP® Whole Disk Encryption software
The primary advantage of using SafeBoot® or PGP® is that the Help Desk will be able to provide support, including password resets. Individuals using other products will be responsible for providing their own support.
For more information on how to install the encryption software, and for FAQs, please see this link:
Laptop Depots: laptop depots started in March and will run for the next 5 to 6 weeks. To register to bring in your laptop, please contact the Help Desk.