You may ask yourself: why does Compliancy Group require Full Disk Encryption on all devices that connect to or store ePHI? Why is it a requirement, and how will it protect me? What is HIPAA encryption at rest? Below, I explain why Full Disk Encryption is so important.
We require Full Disk Encryption on all devices that connect to or store ePHI (including servers, desktops, laptops, smartphones, etc.) because in 2019 the fourth-largest HIPAA fine ever was levied over a stolen laptop that lacked such encryption. As a result, upon gaining access to the laptop, people with malicious intent were able to see every bit of PHI contained on that computer. This was the catalyst for the fine. In essence, the organization did not have the proper safeguards in place. Had the hard disk been encrypted, there would have been no fine levied, because any ePHI present would have been rendered entirely unreadable. The problem could have been remedied with a figurative flip of the switch.
To avoid the same circumstances befalling our beloved customers, we have since made Full Disk Encryption a requirement to receive the HIPAA Seal of Compliance ®. It is our job, as your third-party auditing group, to ensure that we have built a defensible argument for you, should we ever need to defend you in the case of a technical governmental audit. Full Disk Encryption in this sense is your get-out-of-jail-free card. Do not underestimate the ability of HIPAA encryption at rest to help you maintain your compliance and protect you in general.
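A requirement like "every device that stores ePHI is fully encrypted" is only defensible in an audit if you can show evidence for each host. The following is an added example, not Compliancy Group's tooling or anything from the original post, of how that evidence can be gathered on a Linux machine: it parses the JSON output of `lsblk -J -o NAME,TYPE,MOUNTPOINT` and reports whether each filesystem of interest sits on top of a dm-crypt ("crypt") mapping, which is how LUKS full disk encryption appears in the block-device tree. The two `lsblk` samples embedded below are constructed for the example (one LUKS-under-LVM laptop, one plain unencrypted disk); `audit_local_host` runs the real command on the current machine. Windows and macOS have their own equivalents (`manage-bde -status` and `fdesetup status`), which this script does not cover.

```python
import json
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output from a laptop
# with LVM inside a LUKS container (root and home on the mapper device).
# This is example data, not output from the original page.
SAMPLE_ENCRYPTED = json.dumps({
    "blockdevices": [
        {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
            {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
            {"name": "nvme0n1p2", "type": "part", "mountpoint": "/boot"},
            {"name": "nvme0n1p3", "type": "part", "mountpoint": None, "children": [
                {"name": "cryptroot", "type": "crypt", "mountpoint": None, "children": [
                    {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
                    {"name": "vg0-home", "type": "lvm", "mountpoint": "/home"},
                ]},
            ]},
        ]},
    ]
})

# Constructed sample from a machine whose root filesystem is a plain partition.
SAMPLE_PLAIN = json.dumps({
    "blockdevices": [
        {"name": "sda", "type": "disk", "mountpoint": None, "children": [
            {"name": "sda1", "type": "part", "mountpoint": "/boot"},
            {"name": "sda2", "type": "part", "mountpoint": "/"},
        ]},
    ]
})


def _device_chain(devices, mountpoint, chain=()):
    """Return the list of device types from the physical disk down to the
    device mounted at `mountpoint`, or None if nothing is mounted there."""
    for dev in devices:
        here = chain + (dev.get("type"),)
        if dev.get("mountpoint") == mountpoint:
            return list(here)
        found = _device_chain(dev.get("children", []), mountpoint, here)
        if found is not None:
            return found
    return None


def mount_is_encrypted(lsblk_json, mountpoint="/"):
    """True if the device backing `mountpoint` has a dm-crypt ("crypt")
    mapping anywhere in its stack. A filesystem on a plain partition, or on
    LVM that is not itself inside a crypt device, is reported as unencrypted."""
    tree = json.loads(lsblk_json)["blockdevices"]
    chain = _device_chain(tree, mountpoint)
    return chain is not None and "crypt" in chain


def audit_mounts(lsblk_json, mountpoints=("/", "/home")):
    """Map each mountpoint of interest to True/False for encrypted, or None
    when the mountpoint does not exist on this host."""
    tree = json.loads(lsblk_json)["blockdevices"]
    result = {}
    for mp in mountpoints:
        chain = _device_chain(tree, mp)
        result[mp] = None if chain is None else ("crypt" in chain)
    return result


def audit_local_host(mountpoints=("/", "/home")):
    """Run lsblk on the current Linux host and audit the given mountpoints."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout
    return audit_mounts(out, mountpoints)


if __name__ == "__main__":
    for label, sample in (("encrypted sample", SAMPLE_ENCRYPTED),
                          ("plain sample", SAMPLE_PLAIN)):
        print(label, audit_mounts(sample))
```

Two caveats when reading the result: `/boot` showing as unencrypted is normal on most LUKS setups and is not an ePHI exposure by itself, and a "crypt" layer in the stack proves only that encryption is in use, not that the unlock key is protected sensibly (for example, a key file sitting on an unencrypted partition defeats the purpose). Keep the per-host output with your audit evidence so the control can be demonstrated rather than asserted.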
Let me provide an example of how a hacker can access your system. In the IT space there is a bot hackers can use to penetrate your system, called an ICMP Ping request (among a litany of other potential threats). What an ICMP Ping request does is use a bot to literally ping your system, waiting for a moment when the hard disk is exposed. It will ping the system over and over again until it finds its chance to weasel into your network. It typically pings upon startup, when the hard disk is most exposed. Full Disk Encryption solves this vulnerability by ensuring that any information obtained will be read as unintelligible jargon.
Simply put, it is not worth the risk. If you can do it, do it. I say this because if a breach occurs and an auditor asks, “Well, why didn’t you do this?”, you don’t want to be left out in the cold with no reasonable explanation.