Massachusetts Data Protection regulations require that data on portable devices be encrypted. As I've written about previously, we have encrypted all our laptops with McAfee Safeboot/Endpoint
However, it's commonplace for folks to backup their data on removable USB drives. How can we ensure portable drives are protected?
The answer is hardware encryption. I tested the Maxtor BlackArmor 160GB Encrypted Portable Drive and it's my cool technology of the week.
Here are the specs:
» Hardware-Based Full-Disc Encryption: Prohibits access without a password, no exceptions-not even a professional data recovery service can access the data without the password.
» KeyErase™: Permanent removal of encryption key allows secure redeployment of the drive.
» USB Powered: Powers your drive and ensures fast data transfer-
» 5400RPM, 8MB Cache Buffer: For fast drive performance and fast access to your files.
» Backup Software: Maxtor Manager software lets you easily set your automated backup schedule, sync to multiple computers, and restore files.
» Capacity (Model #): 160GB (STM901603BAA1E1-RK)
» RPM: 5400
» Cache Buffer: 8MB
» Interface: USB 2.0
» Bus Transfer Rate: USB 2.0 480MB/sec
» Dimensions: 5.17" H x 3.32" W x 0.67" L [131.2 mm x 84.2 mm x 16.9 mm]
» Weight: 7.20 oz [204.12 g]
» Warranty: 5 years
The software provided autostarts upon USB connection and sets the drive password. It only runs on Windows, so I had to test the device on one of our clinical subnotebooks - a Dell laptop running XP.
The drive mounted without a problem, queried for a password, and enabled me to place data on the device without error. Each time I reconnect the device it queries for my password. Without the password, the data is completely unreadable - I cannot even see the file names.
A portable, inexpensive, removable, hardware encrypted data store that complies with all current federal and state data protection regulations.
Friday, May 22, 2009
Cool Technology of the Week
Posted by John Halamka at 3:00 AM
Subscribe to: Post Comments (Atom)
That is indeed a cool technology. We're going to see more and more requirements for our "data at rest" as the years go on. And it's just good practice. We encrypt our data when they go over the wire, so we should do it at their endpoints, too.
When not in a corporate environment, I encrypt most of my machines with http://www.truecrypt.org , an open-source crypt that works on the big three platforms (win, linux, mac). It's not the world's easiest thing to set-up, but it works and its free. If you're comfortable setting up Linux on your own, this should be a piece of cake. Vegan cake, of course, Doctor.
Encrypting data at rest, while cool, needs other things to be fully useful and compliant in healthcare.
It still needs standardization, e.g., it should conform with well-tested standard encryption algorithms. We now lack standards around key strength rules, as any encrypted store can only be as good as how difficult it is to guess the keys. We need to couple it with a robust stanardized key escrow regime, in case a key needs to be made known to others.
A confidentiality scheme such as an encrypted device should include policy variables. The data may be subject to a person's disclosure preferences. This includes permissions for emergency access or disclosure by/to a designated representative. It also can include prohibitions of disclosure of selected data or to specific people. And, of course, federal and state law may mandate some disclosures despite a person's preferences.
Encryption is important...
We also use Computrace from Absolute Software for remote data deletion and theft protection. Has some great tracking and monitoring features too.
*(have a happy birthday this weekend John :-)*
There is the other end to this whole data at rest issue. As longs as the desktops and laptops allow any kind of a USB or bluetooth device, the data is not truly secure. There has to be a standard by which any device that connects with the laptop does a handshake ensuring that the device is protected. Then alone should the two devices be allowed to talk.
What about data and e-mails we have on our smartphones/PDAs?
Most of us carry today a smartphone that is sync'ed with our e-mail but also can text or save data to SDcards/USB.
I think that is is clear that data security and privacy regulations mandate the protection of data, no matter where it is stored. Furthermore, it is easier to misplace/lose a cellphone than a laptop.
Glen says it best, I think. It's an end to end thing. When implementing security, you do it for the business and the entire workflow. If data needs to be encrypted/audited across its whole chain, then the data needs
PKI/Escrow and centralized Authn/Authz are core components for an Enterprise Security system. Once implemented, it is possible to have end-to-end encryption on just about every nook and cranny on networks and mobile devices. Of course the key to that is "once implemented".
Post a Comment