Encryption can be implemented in many ways. It is possible to encrypt an individual file that contains sensitive information or to encrypt all data stored on a computer. The appropriate level of encryption depends on the type of information you want to store, the amount of information to be stored, and the different machines or devices on which the information will be stored.
For example, if you are encrypting ePHI or financial information, consider using the strongest encryption option (AES 256-bit). If you are encrypting personal information such as photos, a lesser strength option may be appropriate.
Following is an explanation of three types of storage encryption. Keep in mind that, even if encryption is used, it is important to maintain backups of all information.
Full disk encryption
Full disk encryption, or whole disk encryption, is a process by which all the data on the hard drive of a computer is encrypted. Full disk encryption is generally only used on laptop or desktop computers, not tablets or smart phones. Access to data on the computer is allowed only after successful authentication using a password or PIN. When users go to turn on this computer, they will be prompted to authenticate themselves. With successful authentication, the computer will start or “boot up.” An unauthorized person who attempts to turn on the computer without the key will not be able to access any information.
It is important to note that this type of encryption may not protect your computer against malware. Malware, short for malicious software, is software that can be used to gain unauthorized access to private computer systems or gather sensitive information. A common example is a computer virus. (It is possible to accidentally download a virus while you are searching the internet and click on a link, or when you open an email attachment. Do not click suspicious looking links in emails or open any attachments that come from someone you do not know.)
Full disk encryption may not be able to protect against malware attacks because it can only protect the data in encrypted form while the computer is not running. Once it is booted up the entire disc becomes decrypted and the malware can gain access to the information. This type of encryption may be best suited for protecting all the data on your device from loss or theft when the computer is not running. If you use full disk encryption, it is particularly important to set your computer to go into locked mode if it is not used for a few minutes to protect encrypted information from theft.
Virtual disk encryption
Virtual disk encryption is the process of encrypting a file, called a container, on your computer, which can hold many files and folders. This type of encryption allows for some flexibility in how your computer is set up and encrypted. It is possible to set up two containers on your computer system—with all client and business files within one container, and personal information in another. Access to a container is only allowed after proper authentication.
This type of encryption can be used on all types of electronics: computers/laptops, smart phones, tablets, flash drives, and external hard drives. The files in virtual disk encryption are portable, meaning they can be copied from one medium to another with the encryption intact.
Virtual disk encryption offers better protection against threats posed by malware. Because this type of system requires a second authentication, separate from logging on to your computer, those files will be safe from any potential malware threats until the encrypted files are opened.
Whereas full disk encryption can encrypt your whole computer, virtual disk encryption only encrypts portions of the data that you choose. Virtual disk encryption allows for greater protection of PHI in the advent that malware is accidentally downloaded into your computer. With virtual disk encryption, you are allowed time to discover and alleviate any malware issues before opening the “containers;” whereas with full disk encryption you are opening your computer up to a security threat when you log in because there is no second wall of protection.
File/folder encryption is the process of encrypting individual files or folders within your computer. Each individual file or folder would be accessible after successful authentication by an authorized user. As with virtual disk encryption, this type of encryption is portable and can be used on all types of storage for computers, smart phones, tablets, etc. This type of encryption is also better protected against malware threats as explained above.
While virtual disk encryption and file/folder encryption sound similar, there is one major difference. The container used in virtual disk encryption is a single, opaque file. No one can see what files are inside that container until it is decrypted.
File/folder encryption is transparent, so anyone with access to the file system may be able to view the names for encrypted files and folders (but not the information within those files). Accordingly, practitioners generally should avoid putting patient names on encrypted files/folders. For example, you could assign a number or other code to each patient and not even identify them as patients so that an unauthorized user would only see that the device contained files 1 and 2 instead of patient files for James Jones and Mary Smith.
In summary, virtual disk encryption may offer the best option for many practitioners. While file/folder encryption may be suitable for some users, the need to save multiple single files or folders generally makes it a less efficient choice than virtual disk encryption. Sometimes a combination of storage encryption options is appropriate.