Recommended encryption tools for handling ePHI at IU
Following is information about tools UITS recommends for encrypting electronic protected health information (ePHI) and other sensitive data regulated by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
On this page:
Encrypting data at rest
On the IU research systems
On the Indiana University research computing systems (Big Red II, Quarry, and Mason), to encrypt at-rest ePHI and other HIPAA-regulated data, use GNU Privacy Guard (GPG, also GnuPG). For instructions, see What is GPG, and how do I use it to encrypt files on Quarry and Mason at IU?
Important: Although you can store ePHI and other HIPAA-regulated data on IU research systems, you (and/or your project's principal investigator) are responsible for maintaining the privacy and security of that data in compliance with applicable federal and state regulations and university policies. For more, see Can I store electronic protected health information (ePHI) on IU's research supercomputers?
On personal workstations
On Windows and OS X workstations, to encrypt at-rest ePHI and other
sensitive data, use PGP Whole Disk Encryption (WDE). IU
faculty, students, and staff, can download PGP WDE at no cost from the
Security section of IUware. For more, see:
- Encrypting your Windows computer with PGP Whole Disk Encryption
- Encrypting your Mac OS X computer with PGP Whole Disk Encryption
Important: Storing ePHI on laptops or other portable devices is highly discouraged. The HIPAA Security Rule mandates that ePHI data should not be stored on laptops, flash drives, external hard drives, or mobile devices, unless the data are anonymized or strongly encrypted.
Encrypting data transfers
To transfer ePHI and other HIPAA-regulated sensitive data between networked computers, use a Secure FTP (SFTP) client. SFTP clients encrypt commands and data to prevent sensitive information from being transmitted in the clear over a network.
You can use
sftp from the command line on the IU
research computing systems (and via the OS X Terminal
application). Graphical SFTP clients also are available; for IU
students, faculty, and staff, two graphical SFTP clients, CyberDuck
(for OS X) and WinSCP (for Windows), are available for free download
On the IU research systems, you also can use the
command to securely transfer data between remote hosts. SCP encrypts
the files and any passwords exchanged over the network.
Slashtmp (Critical version)
To share HIPAA-regulated data via a web interface, IU graduate students, faculty, and staff can use the Critical version of IU's Slashtmp service.
Important: When using Slashtmp to store data subject to HIPAA regulations, or other information classified as critical at IU (e.g., Social Security numbers, credit card numbers, or bank account numbers), you must choose the "Critical" version from the Slashtmp home page before proceeding with your upload.
Your Slashtmp files will disappear automatically 30 days after you upload them (but you may delete them sooner if you wish). Slashtmp files are not backed up; when you delete a file, there is no way to recover it. Do not use Slashtmp as the only place to keep files you cannot afford to lose.
For IU researchers needing help securely processing, storing, and sharing HIPAA-regulated data, the Advanced Biomedical IT Core (ABITC) provides personal consulting and online support. See HIPAA & ABITC, or contact the ABITC.
Last modified on November 18, 2013.