Recommended encryption tools for handling ePHI at IU
Following is information about tools UITS recommends for encrypting electronic protected health information (ePHI) and other sensitive data regulated by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
Important: Although you can store ePHI and other HIPAA-regulated data on IU research systems, you (and/or your project's principal investigator) are responsible for maintaining the privacy and security of that data in compliance with applicable federal and state regulations and university policies. For more, see At IU, what types of sensitive data are appropriate for the research computing systems?
On this page:
Encrypting data at rest
On the IU research systems
On the Indiana University research computing systems (Big Red II, Quarry, and Mason), to encrypt at-rest ePHI and other HIPAA-regulated data, use GNU Privacy Guard (GPG, also GnuPG). For instructions, see What is GPG, and how do I use it to encrypt files on Quarry and Mason at IU?
Important: Although the Research File System (RFS) is HIPAA-aligned, RFS does not encrypt stored data, so you must encrypt electronic protected health information (ePHI) before storing it on RFS. If your files are stored locally on an encrypted hard drive (e.g., using PGP Whole Disk Encryption), you still must encrypt the files individually (using an application such as AESCrypt) before transferring them to RFS.
On personal workstations
On Windows and OS X workstations, to encrypt at-rest ePHI and other
sensitive data, use PGP Whole Disk Encryption (WDE). IU
faculty, students, and staff, can download PGP WDE at no cost from the
Security section of IUware. For more, see:
- Encrypting your Windows computer with PGP Whole Disk Encryption
- Encrypting your Mac OS X computer with PGP Whole Disk Encryption
Important: Storing ePHI on laptops or other portable devices is highly discouraged. The HIPAA Security Rule mandates that ePHI data should not be stored on laptops, flash drives, external hard drives, or mobile devices, unless the data are anonymized or strongly encrypted.
Encrypting data transfers
To transfer ePHI and other HIPAA-regulated sensitive data between networked computers, use a Secure FTP (SFTP) client. SFTP clients encrypt commands and data to prevent sensitive information from being transmitted in the clear over a network.
You can use
sftp from the command line on the IU
research computing systems (and via the OS X Terminal
application). Graphical SFTP clients also are available; for IU
students, faculty, and staff, two graphical SFTP clients, CyberDuck
(for OS X) and WinSCP (for Windows), are available for free download
On the IU research systems, you also can use the
command to securely transfer data between remote hosts. SCP
encrypts the files and any passwords exchanged over the network.
Slashtmp (Critical version)
To share HIPAA-regulated data via a web interface, IU graduate students, faculty, and staff can use the Critical version of IU's Slashtmp service.
Important: When using Slashtmp to store data subject to HIPAA regulations, or other information classified as critical at IU (e.g., Social Security numbers, credit card numbers, or bank account numbers), you must choose the "Critical" version from the Slashtmp home page before proceeding with your upload.
Your Slashtmp files will disappear automatically 30 days after you upload them (but you may delete them sooner if you wish). Slashtmp files are not backed up; when you delete a file, there is no way to recover it. Do not use Slashtmp as the only place to keep files you cannot afford to lose.
The UITS Advanced Biomedical IT Core (ABITC) provides consulting and online help for Indiana University researchers who need help securely processing, storing, and sharing ePHI research data. If you need help or have questions about managing HIPAA-regulated data at IU, contact the ABITC. For additional details about HIPAA compliance at IU, see HIPAA & ABITC and the Office of Vice President and General Counsel (OVPGC) HIPAA Privacy & Security page.
Last modified on April 09, 2014.