Everyday business at Emory puts many employees in contact with sensitive information like patient records, social security numbers and credit card numbers. It's everyone's responsibility to protect the sensitive information they work with. Emory has a disk encryption policy (http://policies.emory.edu/5.12) that requires computers storing certain types of information to be encrypted, so that the information is protected in the event the computer is lost or stolen. Because laptop computers are more likely to be lost or stolen, the encryption requirements for those computers are stricter.
If you’re an Emory Healthcare employee, or are working with Emory Healthcare data, there are additional items to be aware of. To learn more, please visit www.ourehc.org/informationsecurity and click on “Encryption” in the left-hand navigation menu.
Review the definition of restricted information in the Emory Disk Encryption Policy, which includes patient health information, social security numbers, credit card numbers, bank account numbers and more. Think about the types of files on your computer. Do you keep copies of patient, employee or student files that might contain this information? What about human subject research files? Take a look through your documents for old, forgotten files that might have this type of information. Laptop computers storing any restricted information, as well as desktop computers storing at least 500 records of restricted information, must have their disks encrypted.
If you have information on your computer that is sensitive and meets the encryption requirements in the Emory disk encryption policy, make sure your local IT support staff are aware of the data. Talk with them about disk encryption for your computer and, if it is needed, work with them to ensure the drive in your computer is encrypted.
Some USB thumbdrives are specifically designed to address the concerns of storing sensitive information by using built-in hardware encryption. These drives are more expensive, but much cheaper than dealing with the repercussions of losing sensitive information. For situations where it is necessary to store sensitive information on a thumbdrive, Emory's Office of Information Technology has approved both IronKey Personal USB thumbdrives and Kingston Data Traveler Vault - Privacy Edition thumbdrives for this purpose. These drives use hardware-based encryption, ensuring that all data stored on the drive is encrypted. This removes any doubt as to whether encryption software was installed and configured correctly, and whether a particular drive was encrypted when it was lost. No other thumbdrives are approved for storing sensitive Emory data. For more information about thumbdrive security, as well as pricing information for secure thumbdrives, please visit http://it.emory.edu/security/security_awareness/thumbdrives.html