Disk Encryption

Many of us are attached to our cell phones and PDAs, which make it easy to conduct business outside of the office. But even with all the new tech tools, many of us find ourselves using the most ubiquitous device to work remotely: the faithful companion, the laptop computer. Whether sitting in front of the TV in the evening answering e-mails or doing work on a flight to a conference, it’s our office away from the office. It’s our filing cabinet and our number cruncher. Unfortunately, sometimes our tried and true fold-up, portable office gets forgotten in the overhead compartment or stolen from your car. That’s when the panic should, and often does, set in. However, if you are panicked only because you think you lost a $1,000 asset, think again. Maybe what you lost is much more valuable than a simple laptop.

Whether you use your laptop for analyzing a selection of patient financial accounts, editing transcription, or typing up referral letters, you and your staff are probably carrying around Protected Health Information (PHI) or other sensitive data, in the form of spreadsheets, word processing documents, or even raw data extracts in some type of flat file format. You might even assume that since you use a password to log into that laptop, that all of this sensitive data is safe from prying eyes. Unfortunately, you have probably assumed wrong.

Did you know that in most common laptop configurations, thieves can simply remove your hard drive, and mount it in another computer as a secondary drive, and browse your files - as easy as flipping through your filing cabinet? In many cases, that is exactly what can and does happen. Often the data on your drive is far more valuable than the laptop itself. If you were a thief, what would you rather have: a laptop you might sell illegally for $200 or enough information about 4,000 patients to apply for plenty of credit cards in their names?

Protect yourself

As a result of concern surrounding this and similar types of data theft, a new technology has arisen in the shopping aisles of computer technology: disk encryption. Disk encryption is already a common conversation topic within organizations such as the Department of Defense, where groups are already requiring various types of disk encryption for data used in their activities.

The complexities of disk encryption technology are too complex for this forum, but as end users, we simply need to understand that using disk encryption software protects our data from the prying eyes of even the smartest and most tech savvy would-be thieves.

While disk encryption security software varies somewhat from vendor to vendor, the fundamental concept remains the same. By using such software, the data on your drive is encrypted (that wasn’t obvious, was it?) in such a way that if your hard drive finds its way into someone else’s hands, even the best geeky thief won’t be peeling off your data for their own, devious use. The disk encryption system eliminates a thief’s ability to physically remove your drive and read its contents using another computer. Most current disk encryption software even allows the option to completely hide the disk’s basic layout from the thief’s computer, further thwarting their ability to compromise your system security and steal your sensitive data, as the disk partitions will appear blank to the unathorized viewer.

If you are not hearing about disk encryption software while having lunch with your trusted IT advisor, don’t be surprised. Although the technology is available, many industry communities are still unaware of the risk, not to mention the solution of disk encryption to avoid the risk. Furthermore, some IT staffers may be wary of such disk encryption tools, for fear that when the time comes for them to save your data that your forgot to back up, the disk encryption security could hinder such efforts. While the latter is somewhat true in some cases, the risk of data theft far outweighs that concern.

A range of solutions

Disk encryption is coming onto the market quickly, and making huge strides in functionality. Some very functional software is available, both commercially and as open source (no cost). Simply using your favorite search engine, you can do a little shopping yourself, by searching a phrase such as “disk encryption plausible deniability.” The latter half of that search string addresses a specific functionality of many disk encryption software applications, which hides disk volumes from prying eyes, and is the most significant feature you might want to look for when reviewing applications. You will find solutions ranging in price from free (open source solutions) to a couple hundred dollars per PC.

Once you and your technology advisor have chosen a disk encryption solution from the freeware or commercial marketplace, you can simply install the solution, and rest much easier in your prudent paranoia.

It is worth noting that even when using disk encryption software, you should still maintain other security safeguards, such as password protecting spreadsheets and never sending PHI in plain text e-mail. Adding these additional layers of security can only further strengthen the safety and integrity of your sensitive data.

Although you may not think your organization will ever need disk encryption, consider the last theft you heard about. Theft catches people off guard, and is (obviously) unexpected. When your laptop is stolen, will you be sweating thinking about what sensitive data might have been on that hard drive, or will you rest easy, knowing you were using disk encryption, and that your data is not in the wrong hands, wherever it might be? If you’ve also been diligent in maintaining good backups, you’ll be able to keep working, without missing a beat. Choose to be ahead of the technology curve, and explore disk encryption for your organization. It’s easy and affordable, and using it might save you more than you think.

Jonathan McCallister is a client-site IT manager for a major healthcare consulting firm, and he is currently assigned to a 140-physician practice. He has worked in healthcare IT management for more than eight years and in general IT management for more than a decade. He can be reached via physicianspractice@cmpmedica.com.

This article originally appeared in the November 2009 issue of Physicians Practice.