Encrypting Sensitive Data

Protecting sensitive information

Everyday business at Emory puts many employees in contact with sensitive information such as patient records, social security numbers and credit card numbers. It's everyone's responsibility to protect the sensitive information they work with. Emory has a disk encryption policy (http://policies.emory.edu/5.12) that requires all laptop computers, as well as computers storing certain types of information, to be encrypted so that the information stays protected in the event the computer is lost or stolen.

If you’re an Emory Healthcare employee, or are working with Emory Healthcare data, there are additional items to be aware of. To learn more, please visit www.ourehc.org/informationsecurity and click on “Encryption” in the left-hand navigation menu.

Be aware of what types of information are on your computer

Review the definition of restricted information in the Emory Disk Encryption Policy, which includes patient health information, social security numbers, credit card numbers, bank account numbers and more. Think about the types of files on your computer. Do you keep copies of patient, employee or student files that might contain this information? What about human subject research files? Take a look through your documents for old, forgotten files that might have this type of information. Laptop computers must always be encrypted, as must desktops storing at least 500 records of restricted information.

Talk to your local IT support about disk encryption

If you have information on your computer that is sensitive and meets the encryption requirements in the Emory disk encryption policy, make sure your local IT support staff are aware of the data. Talk with them about disk encryption for your computer and, if it is needed, work with them to ensure the drive in your computer is encrypted. You may also view Emory's Disk Encryption website at http://it.emory.edu/security/disk_encryption.html

What if it is necessary to combine sensitive and portable?

Some USB thumbdrives are specifically designed to address the concerns of storing sensitive information by using built-in hardware encryption. These drives are more expensive, but much cheaper than dealing with the repercussions of losing sensitive information. For situations where it is necessary to store sensitive information on a thumbdrive, Emory's Office of Information Technology has approved both IronKey Personal USB thumbdrives and Kingston Data Traveler Vault - Privacy Edition thumbdrives for this purpose. These drives use hardware-based encryption, ensuring that all data stored on the drive is encrypted. This removes any doubt as to whether encryption software was installed and configured correctly, and whether a particular drive was encrypted when it was lost. No other thumbdrives are approved for storing sensitive Emory data. For more information about thumbdrive security, as well as pricing information for secure thumbdrives, please visit http://it.emory.edu/security/security_awareness/thumbdrives.html