Computer Hard Drive Encryption


WHAT DO YOU NEED TO DO: Nothing immediately — we don’t want you to risk losing your data.  Please read the information on this page, then contact us at wsehelp@jhu.edu or your local IT support person to get assistance.

Introduction

Sensitive information stored on lost or stolen computers is a major concern inside Johns Hopkins.  Loss of information, even if that information will likely never be accessed, is damaging to the reputation and finances of the institution and will likely have direct impact on you as well. Disk encryption protects the information — an encrypted disk will be unusable by anyone who might end up with the machine.

The Short Version of Why You Want to Encrypt

There are multiple state and federal laws requiring the disclosure that computer data is missing.  Reporting lost information is embarrassing and costly, and is especially annoying since almost no lost data will ever be misused.  If a lost machine is encrypted there is no need to review what was on it or to make any disclosure — beyond protecting the data entrusted to you, it saves you and the University a LOT of time and money.

 

Lost Drive, Not Encrypted Lost Drive, Encrypted
  • Hopkins is legally obligated to report certain types of lost information, including student information and healthcare information.  The presumption is that everyone will have some sensitive data until demonstrated otherwise, if only because you’ve read your email on the machine.
  • Some funding agencies now have requirements about data security, and disclosure through loss or theft would violate their terms.
  • You need to worry about damage to personal reputation, plus the reputation of your departments, centers, and the University.
  • You will need to review the lost data with the WSE IT and IT@JH security teams and probably with University counsel.
  • You may worry about identity theft.
  • You may worry about personal financial records, photos, and other sensitive documents.
  • You may worry about saved passwords and how they could be used for access to sensitive systems.
  • You do nothing. The data is useless to anyone who comes across it and there is no need for disclosure or any steps to protect your identity or reputation.
  • If you work with WSE IT or your local IT support staff they will have records to attest to your encryption status, should it come into question.

What information needs to be protected?

There is a common misconception that lost data is all about social security numbers and patient records, but the disclosure requirements around healthcare information and student record information go much deeper than that.  It’s possible, even likely, that you have information on your machine that would require disclosure without realizing it.

For example, consider your email — it will contain information to, from, or about students that is part of the student record. There may be admissions data extracted from websites or discussions about grades.  Many people will have employment information with performance reviews, and there often will be financial information for yourself and for the University.

Also, consider older files.  While current standards limit the distribution of sensitive data, most people never review old files and will migrate them from machine to machine.  Older student files, admissions files, and HR files might contain information that newer versions do not.

Finally, consider that information which in isolation is not incredibly sensitive can be dangerous in combination.  An email address OR street address OR phone number might not be sensitive, but together they could be used for identity theft and might require disclosure.

If you have any affiliation with Johns Hopkins Medicine, there is a presumption that your device must be encrypted because it is likely to have some restricted healthcare information.

If you are only affiliated with Johns Hopkins University, there is a presumption that your device will have student information on it.

For more detail, the university outlines how information is classified on this page.

What equipment needs to be protected?

The provost has stated that all university equipment with sensitive data must be protected.  The initial emphasis is on laptops, because they are the machines most commonly lost or stolen.  Personal devices like phones and tablets also need to be considered — they have your email, and increasingly are used for more general tasks — though most of them already use encryption.

The risk of backups

Backups are critical to protecting the data that lets people do their jobs.  We encourage people to store their data on protected servers, and if they can’t to make backups of data that is used on disconnected portable machines.  However, backups of unencrypted machines increase the likelihood that a disclosure event will occur.

In nearly all cases there is more sensitive data is on machines than people expect.  A recent disclosure event was triggered by examining a restored backup from a lost machine and finding that it had a ten-year-old file with sensitive data. The user had no idea the file still existed, but it had been migrated with the rest of the user’s files from machine to machine over the history of the file.

If the machine had been encrypted there would have been no disclosure required.

But I hate disk encryption!

If you had a bad experience in the past, there’s no longer any reason to dislike disk encryption.  After the device has gone through its initial encryption, the impact to performance on modern hardware is minimal.  The tools we use for encryption do not change the way you interact with your machine.  To protect data we only deploy encryption to machines that have their files backed up, and we deploy the tools in such a way that the decryption keys are backed up to a server.

What should I do?

Because the point of encryption is to make your disk unreadable without the proper credentials, there is potential here for data loss. Talk to WSE IT (wsehelp@jhu.edu) or to your local IT support person in your department or center to ensure proper care is taken with your data, such as backing up your files and encryption keys.

Resources