
I'm wondering what other people do for this.

I have a client who needs to meet HIPAA Security Compliance. I have two things I'm wondering about.

  1. I need to encrypt all laptops that leave this office. Some of the users swap laptops occasionally, making the Encryption Password hard to implement. Do you think it would be wise to make all laptops use the same encryption password, or maybe just an increment of the password? Like Device-1 = PassA, Device-2 = PassB?

  2. The Doctors have Home PCs they use that VPN into the office. From my point of view, this should also be encrypted in case they were to get stolen. We use software, though, that does not store any user data locally. Do you think I should still encrypt?

Thanks for the help!

EEAA
    1) No, shared passwords are always bad. 2) Don't let your users access data via VPN. Instead, let them connect to an RDP farm and access their applications there. In general, though, you really need to hire a HIPAA consultant to help you through the process. There are *many* ways to shoot yourself in the foot with HIPAA, and making a mistake will likely bankrupt you and your client. – EEAA Jul 28 '15 at 17:52
  • What OS, for the laptops? – MadHatter Jul 28 '15 at 17:52
  • Thanks for the info. They're a small Family Practice, I was considering convincing them to invest in a Terminal Server for just such access. Or require it be accessed only via their encrypted work laptops. They are primarily running Windows 7 with a few Windows 8.1 devices. – Douglas Lawson Jul 28 '15 at 19:02
  • I agree that shared passwords are a bad idea. The VPN should be near impossible to secure. What about Citrix? That would be a nice and secure way to connect to the internal network and then connect to whatever they need to use. It could be practically anything. That might be too expensive... – kongekrabben Jul 28 '15 at 19:43
  • Yeah I think Citrix would be a bit too expensive... I'm thinking either Encryption + Non-shared Password VPN... Or just Terminal Services. I have a feeling home PCs might be a bit too difficult to control. – Douglas Lawson Jul 28 '15 at 19:49

1 Answer

  1. Don't share passwords, and don't make the passwords "predictable" based on the machine. Every decent disk encryption system should allow the use of multiple passphrases to unlock the disk -- the key that actually encrypts the disk isn't based on the passphrase entered, it's stored on disk and encrypted with the password. One of the passphrases should be the "admin override" passphrase, and others can be set for each of the people who need to use the machine.

  2. If the doctors can't download sensitive data out of the application, the client machine doesn't need to be encrypted; however, that is a huge "if". Better to encrypt and be safe rather than sorry. You'll want to put solid two-factor auth and endpoint security measures onto the VPN, so it's at least a reasonable roadbump in the way of an attacker who wants to compromise the VPN.

And finally, consult an expert. I don't say it often, but this stuff is a mess and it's hard to get right and people's medical records aren't cool on the Internet.

womble
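The key-slot model described in point 1 of the answer (a random master key that encrypts the disk, stored on disk wrapped separately under each user's passphrase plus an admin override) is shown below as an added example; it is not code from the original post or from any real disk-encryption product. It is a toy model of the header layout: the slot names, the PBKDF2 parameters, and the HMAC-SHA256 keystream used in place of a real AES key wrap are all assumptions made for the demo. The point it demonstrates is the one the answer makes: no passphrase is shared, no passphrase is derived from the machine name, and adding or revoking a user's passphrase never changes the master key, so the encrypted data is never rewritten.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32          # 256-bit master key
SALT_LEN = 16
PBKDF2_ITERS = 100_000  # assumption for the demo; tune for your hardware


def _derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Derive a key-encryption key (KEK) from a passphrase and a per-slot salt."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               PBKDF2_ITERS, dklen=KEY_LEN)


def _keystream(kek: bytes, salt: bytes) -> bytes:
    """Stand-in for AES key wrap: a one-shot HMAC-derived pad (assumption for the demo)."""
    return hmac.new(kek, b"wrap|" + salt, hashlib.sha256).digest()


def create_volume() -> tuple[bytes, dict]:
    """Return (master_key, header). The master key is random, never passphrase-derived."""
    master_key = secrets.token_bytes(KEY_LEN)
    header = {"slots": {}}          # slot name -> {"salt", "wrapped", "tag"}
    return master_key, header


def add_slot(header: dict, name: str, passphrase: str, master_key: bytes) -> None:
    """Wrap the existing master key under a new passphrase; data on disk is untouched."""
    salt = secrets.token_bytes(SALT_LEN)
    kek = _derive_kek(passphrase, salt)
    pad = _keystream(kek, salt)
    wrapped = bytes(m ^ p for m, p in zip(master_key, pad))
    # Encrypt-then-MAC so a wrong passphrase is rejected instead of yielding garbage.
    tag = hmac.new(kek, b"tag|" + wrapped, hashlib.sha256).digest()
    header["slots"][name] = {"salt": salt, "wrapped": wrapped, "tag": tag}


def remove_slot(header: dict, name: str) -> None:
    """Revoke one person's passphrase. Other slots and the master key are unaffected."""
    del header["slots"][name]


def unlock(header: dict, passphrase: str):
    """Try the passphrase against every slot, using only what is stored in the header.

    Returns (slot_name, master_key) on success, or None if no slot matches.
    """
    for name, slot in header["slots"].items():
        kek = _derive_kek(passphrase, slot["salt"])
        expected_tag = hmac.new(kek, b"tag|" + slot["wrapped"], hashlib.sha256).digest()
        if hmac.compare_digest(expected_tag, slot["tag"]):
            pad = _keystream(kek, slot["salt"])
            return name, bytes(w ^ p for w, p in zip(slot["wrapped"], pad))
    return None


def demo() -> dict:
    """Walk through the shared-laptop scenario from the question (constructed data)."""
    master_key, header = create_volume()
    add_slot(header, "admin-override", "it-recovery-passphrase-kept-in-safe", master_key)
    add_slot(header, "dr-smith", "smith's own passphrase", master_key)
    add_slot(header, "dr-jones", "jones's own passphrase", master_key)

    results = {"jones_unlocks": unlock(header, "jones's own passphrase") == ("dr-jones", master_key),
               "wrong_passphrase_rejected": unlock(header, "Device-1 = PassA") is None}

    # Dr Smith leaves: revoke only their slot. The master key (and the disk) stays as-is.
    remove_slot(header, "dr-smith")
    results["smith_revoked"] = unlock(header, "smith's own passphrase") is None
    results["admin_still_works"] = unlock(header, "it-recovery-passphrase-kept-in-safe") == ("admin-override", master_key)
    return results


if __name__ == "__main__":
    print(demo())
```

Real products (LUKS key slots, BitLocker's multiple key protectors) implement the same split between the data-encrypting key and the per-person unlock secrets; the practical consequence for the client is that a departing employee's passphrase can be revoked in seconds on the affected laptop, and the admin override slot is what IT uses when someone forgets theirs.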