You may ask yourself: why does Compliancy Group require Full Disk Encryption on all devices that connect to or store ePHI? Why is it a requirement, and how will it protect me? What is HIPAA encryption at rest? Below, I explain why Full Disk Encryption is so important.

We require Full Disk Encryption on all devices that connect to or store ePHI (including servers, desktops, laptops, smartphones, etc.) because in 2019 the fourth largest HIPAA fine ever was levied for a stolen laptop that lacked this encryption. As a result, upon gaining access to the laptop, people with malicious intent were able to see every bit of PHI data contained on that computer. This was the catalyst for the fine: in essence, the fined party did not have the proper safeguards in place. Had the hard drive been encrypted, there would have been no fine levied because any ePHI present would have been rendered entirely unreadable. The problem could have been remedied with a figurative flip of the switch.

HIPAA encryption at rest

To avoid the same circumstances befalling our beloved customers, we have since made Full Disk Encryption a requirement to receive the HIPAA Seal of Compliance™. It is our job, as your third-party auditing group, to ensure that we have built a defensible argument for you, should we ever need to defend you in the case of a technical governmental audit. Full Disk Encryption, in this sense, is your get-out-of-jail-free card. Do not underestimate the ability of HIPAA encryption at rest to help you maintain your compliance and protect you in general.

Simply put, it is not worth the risk. If you can do it, do it. I say this because if a breach occurs and an auditor says, “Well, why didn’t you do this?”, you don’t want to be left out in the cold with no reasonable explanation.
