HIPAA Compliant External Devices
There are a variety of open source applications that can be used to securely encrypt external storage devices (hard disk drives, USB drives, etc.) in keeping with HIPAA standards, but it is important to first understand the guidelines set forth by the National Institute of Standards and Technology (NIST), specifically Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. HIPAA-compliant encryption can easily be added to any external storage device.
Full Disk Encryption
For a computer that is not booted, all the information encrypted by FDE is protected, assuming that pre-boot authentication is required. Once the device is booted, FDE provides no protection; once the OS is loaded, the OS becomes fully responsible for protecting the unencrypted information. The exception to this is when the device is in hibernation mode; most FDE products can encrypt the hibernation file.
Virtual Disk and Volume Encryption
When virtual disk encryption is employed, the contents of containers are protected until the user is authenticated for the containers. If single sign-on is being used for authentication to the solution, this usually means that the containers are protected until the user logs onto the device. If single sign-on is not being used, then protection is typically provided until the user explicitly authenticates to a container. Virtual disk encryption does not provide any protection for data outside the container, including swap and hibernation files that could contain the contents of unencrypted files that were being held in memory. Volume encryption provides the same protection as virtual disk encryption, but for a volume instead of a container.
File/Folder Encryption
File/folder encryption protects the contents of encrypted files (including files in encrypted folders) until the user is authenticated for the files or folders. If single sign-on is being used, this usually means that the files are only protected until the user logs onto the device. If single sign-on is not being used, then protection is typically provided until the user explicitly authenticates to a file or folder. File/folder encryption does not provide any protection for data outside the protected files or folders, including swap and hibernation files that could contain the contents of unencrypted files that were being held in memory. File/folder encryption software also cannot protect the confidentiality of filenames and other file metadata, which could itself provide valuable information to attackers (for example, files that are named by Social Security number).
Encryption for purposes of HIPAA is simply the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key, where that process or key has not been breached. The guidance identifies two encryption processes recognized by the National Institute of Standards and Technology (NIST) as rendering protected health information unusable, unreadable or indecipherable. For data at rest, the acceptable processes are those that are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. Valid encryption processes for data in motion are those that comply with Federal Information Processing Standards (FIPS) 140-2.
Covered entities and business associates must remember that rendering PHI unusable, unreadable or indecipherable to unauthorized individuals as defined in the guidance is not a substitute for compliance with HIPAA’s privacy and security regulations or other federal or state health information privacy and security laws.