On Wed, May 22, 2013 at 03:44:38PM PDT, Steven Kurylo spake thusly:
> There are more articles than these ones, but for example:
> http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html

This one seems to be concerned with breach notification. If you lose an encrypted laptop containing PHI you don't have to notify. If someone accesses your server with full disk encryption and the encrypted volumes are mounted so that someone with root can read the data, you have to notify and your encryption has bought you nothing.

> http://blog.pchealthstop.com/?p=8

This refers to NIST SP-800-111, which is about end user devices, aka laptops. Same scenario as above.

> http://www.scmagazine.com/hipaa-encryption-meeting-todays-regulations/article/173661/

This also refers to NIST SP-800-111.

> It looks more like if your data at rest is encrypted (ie server hard
> drives), you're better protected under the law from penalties. But it's
> not mandatory yet. But it sounds like I would want to encrypt my
> servers, unless the process is too onerous.

You are assuming they mean server hard drives. They don't. Now don't get me wrong, I'm not saying don't encrypt your servers. I'm just saying that operationally speaking it is a PITA and won't protect you from the most likely threat: someone gets access to the server while it is in operation, when it will necessarily have the encrypted volume open.

-- 
Tracy Reed, RHCE
Digital signature attached for your safety.
Copilotco PCI/HIPAA/SOX Compliant Secure Hosting
866-MY-COPILOT x101
http://copilotco.com
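The threat described above (a mounted encrypted volume is plaintext to anyone with root on the running host, so full disk encryption only protects the disks while the mapping is closed) can be made concrete by inventorying which mounted filesystems sit on open dm-crypt mappings. The following Python script is an added example, not code from this thread or from any of the linked sources. It assumes the Linux `/proc/mounts` field layout and the kernel's convention that a device-mapper target's `/sys/block/dm-N/dm/uuid` starts with `CRYPT-` for dm-crypt; the sample mount table and uuid map are constructed for illustration.

```python
"""Inventory mounted filesystems that sit on open dm-crypt (LUKS) mappings.

Added example, not part of the original mailing-list thread. Assumes Linux
conventions: /proc/mounts lists mounted filesystems as
"device mountpoint fstype options dump pass", and a device-mapper target's
/sys/block/dm-N/dm/uuid starts with "CRYPT-" when the target is dm-crypt
(LVM volumes start with "LVM-"). The sample inputs below are constructed.
"""
import os
from dataclasses import dataclass

# Constructed /proc/mounts content, not captured from a real host.
SAMPLE_MOUNTS = """\
/dev/mapper/vg0-root / ext4 rw,relatime 0 0
/dev/mapper/luks-phi /srv/phi xfs rw,noatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
/dev/mapper/luks-backup /mnt/backup ext4 ro,relatime 0 0
"""

# Constructed map of /dev/mapper names to the dm uuid the kernel exposes.
SAMPLE_DM_UUIDS = {
    "vg0-root": "LVM-constructed0000",
    "luks-phi": "CRYPT-LUKS2-constructed1111-luks-phi",
    "luks-backup": "CRYPT-LUKS2-constructed2222-luks-backup",
}


@dataclass(frozen=True)
class Mount:
    device: str
    mountpoint: str
    fstype: str
    options: frozenset


def parse_mounts(text):
    """Parse /proc/mounts-style text into Mount records."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        device, mountpoint, fstype, options = fields[:4]
        # /proc/mounts escapes spaces in paths as the octal sequence \040
        mountpoint = mountpoint.replace("\\040", " ")
        mounts.append(Mount(device, mountpoint, fstype, frozenset(options.split(","))))
    return mounts


def is_dm_crypt(device, dm_uuids):
    """True if the device is a /dev/mapper node whose dm uuid marks it as dm-crypt."""
    prefix = "/dev/mapper/"
    if not device.startswith(prefix):
        return False
    return dm_uuids.get(device[len(prefix):], "").startswith("CRYPT-")


def open_encrypted_mounts(mounts_text, dm_uuids):
    """Return mountpoints whose backing device is an open dm-crypt mapping.

    While these are mounted, anyone with root on the running host reads the
    plaintext; the encryption protects the disks only once the mapping is closed.
    """
    return sorted(
        m.mountpoint for m in parse_mounts(mounts_text) if is_dm_crypt(m.device, dm_uuids)
    )


def read_live_dm_uuids(sys_block="/sys/block"):
    """Build the name -> uuid map from a live Linux host (no-op on other systems)."""
    uuids = {}
    if not os.path.isdir(sys_block):
        return uuids
    for entry in os.listdir(sys_block):
        dm_dir = os.path.join(sys_block, entry, "dm")
        try:
            with open(os.path.join(dm_dir, "name")) as f_name, \
                    open(os.path.join(dm_dir, "uuid")) as f_uuid:
                uuids[f_name.read().strip()] = f_uuid.read().strip()
        except OSError:
            continue  # not a device-mapper block device
    return uuids


if __name__ == "__main__":
    # Demo on the constructed data; swap in open("/proc/mounts").read() and
    # read_live_dm_uuids() to run against a real host.
    for mp in open_encrypted_mounts(SAMPLE_MOUNTS, SAMPLE_DM_UUIDS):
        print(f"{mp}: encrypted at rest, but plaintext to root while mounted")
```

On the constructed data the script reports `/mnt/backup` and `/srv/phi`; `/` is on an LVM mapping rather than dm-crypt, and `/boot` is on a raw partition, so neither is listed. The same inventory on a real host tells you which data is covered by the "lost disk" scenario and which is exposed in the "live compromise" scenario the message distinguishes.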
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/