Educause Security Discussion mailing list archives
Re: A "default stance" question for my esteemed Educause colleagues....
From: David D Grisham <DGrisham () SALUD UNM EDU>
Date: Wed, 11 Apr 2018 16:45:59 +0000
So if you're coming from a healthcare or Health Science Center environment you have HIPAA HITECH reporting to deal with should a desktop or laptop walk away. The rule puts the burden of proof on the organization "that there was no ePHI on the device". That is a very high standard and difficult to prove if the device is gone and by default the device is missing and you don't have a way to prove that it doesn't have ePHI.

So HIPAA HITECH has allowed a "safe harbor" allowance: If you encrypt the hard drive of any device that walks away, it is not a reportable event and you don't have to prove there was or wasn't ePHI. For non-healthcare environments the standard is much different. So encrypting devices in healthcare and health science systems is a needed layer of security.

Cheers.-grish
David Grisham

David Grisham, PhD, CISM, CRISC
Manager, Cybersecurity, UNM Hospitals, UNM Health Science Center
505.272.5657
Dgrisham () salud UNM edu

DO NOT provide your username, password, or any personal information in any email. UNMH WILL NEVER ask you for your username or password via email. DO NOT CLICK links or attachments unless you are positive the content is safe.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael Schalip
Sent: Wednesday, April 11, 2018 10:27 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] A "default stance" question for my esteemed Educause colleagues....

Hi Folks,

Looking for some wisdom from the masses....

We currently use full disk encryption on (in theory) all laptops. However - there is a proposal on the table to establish a requirement to encrypt the hard drives on all *desktop* computers as well. I've been down this path before (in a couple of previous work environments), so I'm keenly aware of the pros/cons of adopting this kind of default stance. However - we're wondering what the rest of the academic world is doing....

In short - operating under the assumption that encrypting most (if not all) laptops is a good idea - what do the rest of you do when it comes to encrypting your desktop computers? Do you:

* Encrypt any of them?
* Encrypt ALL of them?
* Encrypt only faculty/staff computers?
* Encrypt only certain ones?.....which ones? What's the criteria?
* Make encryption an option left up to the department or user?

Looking forward to the collective responses....

Thanks,
Michael