Encryption Project


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Encryption Project

  1. 1. Encryption Project <br /> Rhona Snyman, <br />Assistant Director, Project Management office, ISU<br />Sept 9th 2009<br />Why Encryption is so important and why does it have to be been done now?<br />I know we all realize the information security and privacy of our patients, employees and partners is of the highest importance.  Along with the increasing use of computers to retain this information, there has been an increase in the loss of computer assets as well as increased regulation.<br />The privacy office has supplied us with the following de-identified information on recent losses <br />Recent Losses (January 09 – March 09)<br />1ST Incident - Timely reported, encryption verified, no action needed<br />2nd Incident - Unencrypted, patients notified (331); potential penalty $250K+<br />3rd Incident - Timely reported, identifying IT owner took 4-6 hours; No reported sensitive data on hard drive, no encryption, unable to verify or audit data<br />To ensure continued compliance with Federal and State laws, as well as further protect the good name of UCSF and its employees. Urology is working with the School of Medicine Information Services Unit (SOM ISU) to encrypt all University-owned laptops and high-risk desktops by June 30, 2010.  This was a decision made and endorsed by the Dean, Vice Deans and Chairs in May 2009.  These are all laptops that were purchased with university funds and desktops that have sensitive information on the hard drive.<br />Some of these laws include:<br />HIPAA (Health Insurance Portability and Accountability Act of August 1996) <br />California Assembly Bill 211 (AB-211) <br />California Senate Bill 541 (SB-541) <br />California Senate Bill 1386 (SB-1386) <br />FERPA (Family Educational Rights Privacy Act) <br />How can ISU be sure the Encryption software will not affect performance?<br />Previous ISU encryption solutions (Microsoft EFS for PC’s, Apple FileVault for Macs) do not support UCSF’s standard of full disk encryption.   EFS and File Vault encrypt the user’s home profile only and leave the rest of the hard drive unencrypted.  As for other full disk encryption products, most do not scale well in an enterprise environment and do not support a centralized management system where encryption status can be verified in a log file.  In addition, some products do not meet all of our encryption needs (for example, TrueCrypt does not support full disk encryption on Macintosh boot volumes).  The Check Point full disk encryption product meets all of our needs.<br />Independent Test Results<br />In independent tests, Check Point Full Disk Encryption performs best overall when compared to full-disk encryption products from SafeBoot, Utimaco, PGP, Guardian Edge and Microsoft. All tests were performed using publicly available products from PassMark™ Software. The results are summarized below:<br />PassMark Composite <br />DiskMark Test <br />Performance Degradation <br />File Copy Test <br />PassMark Composite Rating Comparison (Performance)<br />PassMark Composite Rating<br />ProductCheck PointUltimacoBitLockerPGPGESafeBootRating93.488.5587.2580.977.5551.8<br />Check Point has been successfully implemented at UCSF Medical Center and OAAIS. Adopting this campus best practice will ensure interoperability between SOM and the rest of UCSF; it meets HIPAA security requirements, and it provides our customers with a supportable, maintainable, and well-documented encryption solution. It is reasonably efficient, easily scalable, and interacts well with SOM ISU supported applications.<br />Med Center: - Total devices encrypted:  600<br /><ul><li>Number of password-related incidents (lockouts and resets):  30
  2. 2. Number of hard drive recoveries performed:  7 (all successful)</li></ul>ISU: - Total devices encrypted:  14<br /><ul><li>Number of password-related incidents (lockouts and resets):  0
  3. 3. Number of hard drive recoveries performed:  1 </li></ul>Anesthesia: - Total laptops encrypted:  38 Macs<br /><ul><li>Number of password-related incidents (lockouts and resets):  0
  4. 4. Number of hard drive recoveries performed:  1 </li></ul>OASIS: - Total laptops encrypted:  140<br /><ul><li>Number of password-related incidents (lockouts and resets):  approx 10
  5. 5. Number of hard drive recoveries performed:  2 (both were successful)</li></ul>How will laptop owners be impacted – walk through the process of how it will happen.<br />ISU will work with the Dept Manager and MSO’s to identify dates and locations that would work best for your department, but exceptions to these dates can be made once agreed upon by the MSO. [Example the Urology Dept Chair will be away during Oct 2nd – 5th so an exception will be made] <br />In order to minimize your time away from your laptop, we have scheduled the Encryption work to be done over the weekend of Oct 2nd -5th.<br />We will arrange to have a room at multiple locations available for lap top drop off from 9am – 12pm on Friday Oct 2nd.<br />Please plan on dropping off your laptop during these designated times and location.  <br />When you drop off your laptop and power cord (please no laptop bags), you will receive a receipt. It is important that you NOT lose the receipt, as you will need it for picking up your equipment. You can pick up your laptop in the same location from the 8am – 12pm on Monday Oct 5th.<br />Examples of Primary Times and Location<br />DROP OFF Example: ____Friday, October 2nd, 9am - 12 pm: HSW-1464B, Parnassus campus <br />PICK UP Example: ____Monday, October 5th 8am -12.pm p.m. HSW 1464B, Parnassus campus<br />ISU will conduct user data backup procedures prior to installation and hold the data for a 2 week period.<br />ISU is performing an inventory analysis of all laptops owned by Urology, Only the faculty who own laptops that meet the minimum requirements will be asked to surrender their laptop at this time. The other devices which need to replaced or upgraded will be dealt with at a later time. <br />Each laptop needs a minimum of 100MB of free space to perform the Encryption. Please make sure to make this space available. This will also be checked at the time of drop off.<br />An email will be sent out to you closer to the time with the exact drop off detail [dates, times & Locations]<br />A reminder email will sent to follow up on pickup dates and procedures [Dates, times, Locations, receipt]<br />A support email will be sent to help you get support if needed.<br />How Encryption will be performed on each device<br /><ul><li>Device pickup
  6. 6. Defragment hard disk (arranges files on HD)
  7. 7. ChkDsk/Disk repair on hard disk (checks and repairs file structure of disk)
  8. 8. Remove any current encryption (e.g., EFS or FileVault)
  9. 9. User profile backup
  10. 10. Image hard drive (where applicable)
  11. 11. Install Check Point
  12. 12. Wait until 100% of hard disk is encrypted
  13. 13. Archive the backup data
  14. 14. Device drop off </li></ul>How device owners will be supported afterwards.<br />Support Hours: <br />ISU will provide encryption support (e.g., password resets, hard drive decryption) during our normal business hours (7:00am – 6:00pm). To request encryption support, contact the ISU Help Desk at 502-1919 or email via isurequest@medsch.ucsf.edu <br />ISU will offer 2 weeks of after-hours on-call support (6:00pm – 10:00pm) to assist with password resets. The two-week period will begin when ISU completes the encryption project for each department.<br />After the 2 weeks, ISU will only provide Encryption support (e.g., password resets, hard drive decryption) during our normal business hours (7:00am – 6:00pm). <br />Response Times:<br />Incident response times may be reviewed on our website: Http://medschool.ucsf.edu/isu/Policies/sla.aspx#resp_res_times <br />