WHAT DO YOU NEED TO DO: Nothing immediately — we don’t want you to risk losing your data. Please read the information on this page, then contact us at [email protected] or your local IT support person to get assistance.
Introduction
Sensitive information stored on lost or stolen computers is a major concern inside Johns Hopkins. Loss of information, even if that information will likely never be accessed, is damaging to the reputation and finances of the institution and will likely have a direct impact on you as well. Disk encryption protects the information — an encrypted disk will be unusable by anyone who might end up with the machine.
The Short Version of Why You Want to Encrypt
There are multiple state and federal laws requiring disclosure when computer data is missing. Reporting lost information is embarrassing and costly, and is especially annoying since almost no lost data will ever be misused. If a lost machine is encrypted there is no need to review what was on it or to make any disclosure — beyond protecting the data entrusted to you, it saves you and the University a LOT of time and money.
Lost Drive, Not Encrypted | Lost Drive, Encrypted
What information needs to be protected?
There is a common misconception that lost data is all about social security numbers and patient records, but the disclosure requirements around healthcare information and student record information go much deeper than that. It’s possible, even likely, that you have information on your machine that would require disclosure without realizing it.
For example, consider your email — it will contain information to, from, or about students that is part of the student record. There may be admissions data extracted from websites or discussions about grades. Many people will have employment information with performance reviews, and there often will be financial information for yourself and for the University.
Also, consider older files. While current standards limit the distribution of sensitive data, most people never review old files and will migrate them from machine to machine. Older student files, admissions files, and HR files might contain information that newer versions do not.
Finally, consider that information which in isolation is not incredibly sensitive can be dangerous in combination. An email address OR street address OR phone number might not be sensitive, but together they could be used for identity theft and might require disclosure.
If you have any affiliation with Johns Hopkins Medicine, there is a presumption that your device must be encrypted because it is likely to have some restricted healthcare information.
If you are only affiliated with Johns Hopkins University, there is a presumption that your device will have student information on it.
For more detail, the university outlines how information is classified on this page.
What equipment needs to be protected?
The provost has stated that all university equipment with sensitive data must be protected. The initial emphasis is on laptops because they are the machines most commonly lost or stolen. Personal devices like phones and tablets also need to be considered — they have your email, and increasingly are used for more general tasks — though most of them already use encryption.
The risk of backups
Backups are critical to protecting the data that lets people do their jobs. We encourage people to store their data on protected servers and, if they can’t, to make backups of data that is used on disconnected portable machines. However, backups of unencrypted machines increase the likelihood that a disclosure event will occur.
In nearly all cases there is more sensitive data on machines than people expect. A recent disclosure event was triggered by examining a restored backup from a lost machine and finding that it had a ten-year-old file with sensitive data. The user had no idea the file still existed, but it had been migrated with the rest of the user’s files from machine to machine over the history of the file.
If the machine had been encrypted there would have been no disclosure required.
But I hate disk encryption!
If you had a bad experience in the past, there’s no longer any reason to dislike disk encryption. After the device has gone through its initial encryption, the impact on performance on modern hardware is minimal. The tools we use for encryption do not change the way you interact with your machine. To protect data we only deploy encryption to machines that have their files backed up, and we deploy the tools in such a way that the decryption keys are backed up to a server.
What should I do?
Because the point of encryption is to make your disk unreadable without the proper credentials, there is potential here for data loss. Talk to WSE IT ([email protected]) or to your local IT support person in your department or center to ensure proper care is taken with your data, such as backing up your files and encryption keys.
Resources