Johns Hopkins policy requires device encryption on laptop computers that may store sensitive or restricted information (e.g. SSN and financial information, patient information). For laptops used by faculty, staff, and students in Johns Hopkins Medicine, the presumption is that the device may be used for this purpose and therefore must be encrypted. Users should work with their local IT support professional to backup and encrypt laptops. Deployment of encryption may require technical expertise. Please contact your local IT support professional for assistance with the best method to encrypt your device.
Windows Laptop Encryption
Windows users should work with their local IT support professional to ensure that encryption is deployed. Microsoft Bitlocker encryption generally requires some technical expertise to install. Bitlocker is supported by an enterprise deployment of Microsoft Bitlocker Administration and Monitoring (MBAM), which provides centralized management and reporting for Bitlocker encryption keys. Information about MBAM is available on the MBAM SharePoint site. Please contact firstname.lastname@example.org if you have additional questions.
Macbook users should work with their local IT support professional to ensure that encryption is effectively deployed. In general MacBook encryption is easier for users to deploy than is Bitlocker, although it is still strongly recommended that users deploy with some technical assistance to ensure that keys are managed properly. Mac OS X has a built-in encryption tool in FileVault 2. Apple has provided step-by-step instructions for implementing FileVault 2.
Q: What is device encryption, and what does it do?
A: Encryption is a technology that protects the contents of your device from unauthorized access by converting it into unreadable code. It is a stronger level of protection than other security features, such as user logins. Device encryption encrypts the entire drive and therefore does not require users to encrypt certain folders or files.
Q: Why is device encryption important?
A: The main value of device encryption is in protecting data if the device is lost or stolen. Because laptops are portable and thus more likely to be stolen, we are emphasizing laptop encryption. Several dozen Johns Hopkins laptops are lost or stolen each year, and it is important that any sensitive data on these laptops not be compromised. A simple log-in does not protect the underlying data and it must be encrypted to be secure.
Q: Is device encryption common practice?
A: Johns Hopkins has had an institutional laptop encryption program since 2007. Every academic medical center and most universities have such a program. It is considered a basic requirement for HIPAA compliance and also commonly required for handling other forms of sensitive information.
Q: Must I encrypt my device?
A: All faculty, staff, and students at Johns Hopkins Medicine must encrypt any laptop computer that is to be used as part of Johns Hopkins work. This includes laptops that are personally owned or managed. Laptops often store data in temporary files, email attachments, and downloads, and therefore device encryption is the only way to secure data against loss ort theft. Encryption also helps to protect you if you store, send, or receive any of the following types of confidential data, such as:
· Social Security Numbers
· Financial information, such as credit card and bank account numbers
· Protected Health Information as defined by HIPAA
· Research information
· Other proprietary information
Q: I am a university employee not working in Johns Hopkins Medicine (JHM), must my laptop be encrypted?
A: Our requirement is that laptops likely to store sensitive information must be encrypted. You should check with your divisional or departmental leadership to determine whether encryption is appropriate for you. If you work with financial or HR data, you are likely to be required to encrypt. Your local IT support professional will also be able to guide you.
Q: What type of encryption software does Johns Hopkins use?
A: Johns Hopkins uses Microsoft's BitLocker Drive Encryption for devices running Windows 7 or above and Apple's FileVault 2 for devices running Macintosh OS X. Both of these encryption solutions are native to the respective operating system and offer significant improvement in system performance. Mobile devices, such as tablets and smartphones, are encrypted using native device encryption.
Q: How long does it take to encrypt my hard drive?
A: It takes about 20 minutes to install the encryption software, and can then take several hours to complete the encryption, during which time you can use your computer normally. Once the software installation completes, the encryption process should not disturb you while you work.
Q: Does encryption affect performance?
A: Devices encrypted with BitLocker Drive Encryption and FileVault 2 will not require any additional steps to access your data. Both encryption solutions are native to Windows and OS X, respectively, and require no additional logins. The laptop may take slightly longer for login and shutdown, but these tools have improved dramatically in the past few years and performance issues are negligible.
Q: How do I start the process?
A: You should talk to your IT administrator about your devices and the encryption tools appropriate for your device. For personally owned devices, this may mean installation of these tools or recommendations regarding how such devices can be used securely, including Virtual Desktops. We strongly recommend that device agents be installed along with encryption to best protect the device.
Q: What about my iPhone or Android?
A: All iOs devices (iPhones and iPads) have built-in encryption that is activated by simply having a passcode used to unlock the device. Android devices differ by manufacturer; they have encryption capabilities, but for most devices, encryption is not activated automatically. If you are not sure whether your phone or device is encrypted, please contact your local IT support professional.
Please contact email@example.com if you have additional questions or if you do not have a local IT support professional.