UCSD Health Sciences -- Compliance / Privacy Program Privacy / Security Bulletin Issue: December 2008 Basic Encryption Tutorial For Protecting Sensitive Electronic Data Stored on Portable Media Principles: Electronic data should not be placed onto portable media unless there is a UC business purpose. Employees are expected to implement appropriate administrative, technical and physical safeguards to protect sensitive data entrusted to them from access, use, disclosure or unauthorized viewing. such as personally identified information (PII) and protected health information (PHI) (medical information, medical billing). Identified data stored on portable media should either be de-identified or encrypted (128+ or stronger). What is personally identified information (PII)? Sensitive data includes an individual’s name (first name or first initial and last name) combined with one of the following identifiers: SSN, drivers license number, credit card / financial account numbers, medical record number, medical information, and health insurance information. PII also includes the 18 HIPAA protected health information (PHI) identifiers. Why encrypt data? Electronic information is vulnerable to exposure in the event of the theft of the computer or flash drive or if the data is transmitted in clear text across a public network. Even if the computer requires a password to start up, a thief could access the contents of the hard drive simply by connecting it to another computer. The only way to ensure the safety of sensitive data on your computers (laptops) and USB flash drives is to encrypt it. Tutorial Instructions: Select an encryption method from the list below. Practice encrypting test files. Be sure to choose a password that you will never forget. Passwords are case sensitive. The UCSD Medical Center Help Desk cannot reset passwords. Forgotten passwords will result in lost data! ENCRYPTION TUTORIAL 1 2 Methods Encrypted Flash Drives (USBs) TrueCrypt (free shareware) 3 Microsoft files: Word Excel Power point 533563209 Description Lexar Secure-II USB. Lexar software calls encrypted folders “vaults”. To encrypt a file, you must first create a vault. The first option, Encrypted Vault needs to be clicked on. That opens an area that has information about the vaults you have on the Lexar JumpDrive Secure II flash drive. - To create a vault, you just need to click on create and prompts will take you through the steps of selecting the size for the vault and what you want the password to be. - Once a vault is created, you can drag and drop files into that will be encrypted. - When you are done saving files to the vault, you must click on “unmount” to close the vault and encrypt the files using 256 bit AES encryption. - You can create more than one vault on the flash drive. When you want to access files in a vault, you need to select the vault from the list and then click on mount. After the vault is mounted, you can then open the files saved in it, add more, or delete them. - Tip: Make the entire USB one encrypted vault. Free open-source disk encryption software for Windows Vista/XP, Mac OS X, and Linux Main Features: (1) Creates a virtual encrypted disk within a file and mounts it as a real disk. (2) Encrypts an entire partition or storage device such as USB flash drive or hard drive. (3) Encrypts a partition or drive where Windows is installed (pre-boot authentication). (4) Encryption is automatic, real-time (on-the-fly) and transparent. Encryption algorithms: - AES-256, Serpent, and Twofish. - Mode of operation: XTS. Further information regarding features of the software may be found in the documentation. www.truecrypt.org - TrueCrypt 6.1 (released October 31, 2008) Open the desired file in a Microsoft application (Word, Excel, Power point). 1. Choose: File, save as, advanced 2. Choose encryption type: RC4 + AES and 128 bit 3. Enter a password or passphrase OR Page 1 of 2 UCSD Health Sciences -- Compliance / Privacy Program Privacy / Security Bulletin Issue: December 2008 Methods Description 1. Choose: Tools, options, security, advanced 2. Choose encryption type: RC4 + AES and 128 bit 3. Enter a password or passphrase WinZip 4 WinZip version 9 (or higher) includes AES encryption. Prior to version 9, WinZip’s Version 9 encryption algorithm was weak and prone to attack. With Winzip 9 or better, you can or higher safely encrypt individual files, or entire directories, for transit over e-mail or other means, without fear that anyone else will be able to read the protected data. This, however, is predicated on two important facts: - You need to use a strong password when encrypting the archive. Use a password or pass phrase with at least 8, or more ideally, 10, characters. - The file names within the archive will be visible, therefore if your archive contains sensitive file names, you can “double Zip” your archive to protect the sensitive data. http://www.winzip.com Adobe 5 1. Open Adobe, select “document”. Acrobat 2. Go down to the security option near the bottom in the "Document" drop down menu Version 6 or and select the "Restrict opening & Editing" option. higher 3. A new window should pop-up on your screen with the title "Password Security Settings". You will be able to choose the compatibility settings (meaning which versions of acrobat can access the pdf file. Choose Adobe acrobat 5.0 and higher. 4. Next you will click on the box next to "Require password to open the document". You will now be able to enter your personal password for the pdf file. 5. Once you have created your password click on "Ok" at the bottom. Adobe acrobat will now prompt you to confirm the password by typing it again. 6. Now that you confirmed your password, you will need to save your document for the (not Adobe password settings to initialize. reader) 7. Go to the menu bar under "File" and select the save option of simply hit Ctrl & S. 8. After saving close the pdf file and open it again adobe should prompt you for a password. The PDF file is now secure. ADVANCED ENCRYPTION METHODS 6 File / Folder File system-level encryption, often called file or folder encryption, is a form of disk Encryption encryption where individual files or directories are encrypted by the file system itself. This …for NT File is in contrast to full disk encryption where the entire partition or disk, in which the file Systems system resides, is encrypted. You can encrypt your files or folders only if your hard drive is formatted as an NTFS (NT File System) drive. The encryption is transparent: You can access the files just as you normally would. The files are decrypted as you open them and encrypted when you close them. So, they’re saved on your hard drive in a scrambled state. 1. Right-click the file or folder to encrypt. A small pop-up menu appears. 2. Choose Properties. The Properties menu appears. 3. Click the Advanced button on the General tab. You’ll find the General tab at the top of the window; among the tabs that look like hanging folders. 4. In the Advanced Attributes box, select the Encrypt Contents to Secure Data check box. Encrypting your files makes sure that no one who intrudes on your files (or your wireless network) can read them. 5. Click OK to close the Advanced Attributes box, and then click OK to close the file or folder’s Properties dialog box. An Encryption warning may appear. When you want only the file, and not the entire folder, encrypted, choose the Encrypt the File Only option and click OK. The file shows up with green text in its name, which is your only real clue that it’s encrypted. Other encryption solutions: Full disk encryption (FDE), e.g., PointSec, Credant Technologies, TrueCrypt Virtual Private Network (VPN), e.g., IPSec for gateway to gateway security Consult with your department’s information technology staff for assistance. 533563209 Page 2 of 2