Local Admin Privileges Can Pose HIPAA Challenges


Many businesses have a policy of giving a subset of users local admin rights on their laptops or desktops. In some cases this is a requirement pushed down by a software or application vendor whose product demands that power users run with local admin rights.

However, this poses a challenge for HIPAA compliance. HIPAA requires that all laptops, desktops and servers that store or transact e-PHI or PII be encrypted, as per section § 164.312(a)(2)(iv) of the HIPAA Security Standards Technical Safeguards. A local admin (which can literally be any employee with their own computer) can uninstall the encryption software from their laptop or desktop after IT has installed it, making it very difficult for security or compliance staff to verify that data at rest is actually encrypted. Furthermore, the operation itself is rendered non-compliant, since the required security measures are no longer in place, even though encryption was deployed precisely to satisfy the government mandate.

There are ways to enforce encryption and prevent decryption of laptops and desktops. For example, Symantec’s PGP encryption server can block users, including local admins, from decrypting a drive once it has been encrypted. Secondly, the encryption program cannot be removed unless the drive is first decrypted. Together these act as a failsafe that prevents local admins from uninstalling encryption on laptops and desktops, which helps maintain an audit trail and demonstrate HIPAA compliance, unlike encryption that a local admin can simply uninstall, as described above.

This enforcement of encryption by PGP is only possible when encryption is deployed from a centrally managed Symantec PGP key server or a hosted key management service such as hosted disk encryption. Endpoint policies cannot be enforced unless the encrypted laptops and desktops are centrally deployed and managed, so this does not apply to stand-alone installs of PGP. Lastly, Symantec’s PGP Encryption Server also maintains an audit log of all policy changes; this built-in change log can help track down unauthorized policy modifications.
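The two monitoring problems described above, an endpoint whose drive was encrypted by IT and later reports decrypted, and an encryption policy changed by someone other than a security administrator, can be checked from two data sources a central key server already gives you: periodic endpoint status reports and the policy-change audit log. The script below is an added example, not code from the original post or from Symantec; the inventory and audit-log record formats, the host names and the account names are constructed for illustration and do not match any vendor's real export.

```python
"""Reconcile endpoint encryption status reports with a policy-change audit log.

Constructed example: record formats, hosts and accounts are assumptions,
not a real key-server export.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed status snapshots: timestamp, host, drive state, then key=value attributes.
INVENTORY = """\
2024-01-05T09:00:00 LT-001 encrypted local_admin=yes managed=yes
2024-01-05T09:00:00 LT-002 encrypted local_admin=yes managed=no
2024-01-05T09:00:00 WS-003 encrypted local_admin=no  managed=yes
2024-02-05T09:00:00 LT-001 encrypted local_admin=yes managed=yes
2024-02-05T09:00:00 LT-002 decrypted local_admin=yes managed=no
"""
# WS-003 has no second snapshot: it simply stopped reporting.

# Constructed audit log of policy changes recorded by the central key server.
AUDIT_LOG = """\
2024-01-20T14:02:11 actor=sec-admin1 action=policy.update key=allow_user_decrypt old=false new=false
2024-02-01T18:47:03 actor=jdoe action=policy.update key=allow_user_decrypt old=false new=true
"""

AUTHORIZED_POLICY_ADMINS = {"sec-admin1", "sec-admin2"}   # assumed list of security admins
MAX_REPORT_AGE = timedelta(days=14)                        # assumed reporting SLA


@dataclass(frozen=True)
class Snapshot:
    seen: datetime
    host: str
    state: str          # "encrypted" or "decrypted"
    local_admin: bool   # user holds local admin rights on this host
    managed: bool       # host is enrolled with the central key server


def parse_inventory(text: str) -> list[Snapshot]:
    snaps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, state, *kv = line.split()
        attrs = dict(pair.split("=", 1) for pair in kv)
        snaps.append(Snapshot(datetime.fromisoformat(ts), host, state,
                              attrs.get("local_admin") == "yes",
                              attrs.get("managed") == "yes"))
    return snaps


def latest_by_host(snaps: list[Snapshot]) -> dict[str, Snapshot]:
    latest = {}
    for s in sorted(snaps, key=lambda s: s.seen):
        latest[s.host] = s
    return latest


def find_decryption_regressions(snaps: list[Snapshot]) -> list[str]:
    """Hosts that reported 'encrypted' and at any later time 'decrypted'."""
    history: dict[str, list[str]] = {}
    for s in sorted(snaps, key=lambda s: s.seen):
        history.setdefault(s.host, []).append(s.state)
    regressed = []
    for host, states in history.items():
        seen_encrypted = False
        for st in states:
            seen_encrypted = seen_encrypted or st == "encrypted"
            if st == "decrypted" and seen_encrypted:
                regressed.append(host)
                break
    return sorted(regressed)


def find_unmanaged_local_admins(snaps: list[Snapshot]) -> list[str]:
    """Local admins on stand-alone installs: nothing stops them uninstalling encryption."""
    return sorted(h for h, s in latest_by_host(snaps).items() if s.local_admin and not s.managed)


def find_stale_hosts(snaps: list[Snapshot], now: datetime) -> list[str]:
    """Hosts whose last report is older than the SLA; silence is not evidence of encryption."""
    return sorted(h for h, s in latest_by_host(snaps).items() if now - s.seen > MAX_REPORT_AGE)


def find_unauthorized_policy_changes(log: str) -> list[dict[str, str]]:
    """Policy changes made by an account outside the authorized admin set."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        entry = {"time": ts, **dict(pair.split("=", 1) for pair in kv)}
        if entry.get("action", "").startswith("policy.") and entry.get("actor") not in AUTHORIZED_POLICY_ADMINS:
            findings.append(entry)
    return findings


def compliance_report(now_iso: str) -> dict[str, list]:
    snaps = parse_inventory(INVENTORY)
    return {
        "decryption_regressions": find_decryption_regressions(snaps),
        "unmanaged_local_admins": find_unmanaged_local_admins(snaps),
        "stale_hosts": find_stale_hosts(snaps, datetime.fromisoformat(now_iso)),
        "unauthorized_policy_changes": find_unauthorized_policy_changes(AUDIT_LOG),
    }


if __name__ == "__main__":
    for finding, items in compliance_report("2024-02-05T09:00:00").items():
        print(f"{finding}: {items}")
```

In the constructed data, LT-002 is both a stand-alone install with a local admin and the host that went from encrypted to decrypted, which is exactly the combination the post warns about; WS-003 is flagged only because it stopped reporting, which matters because a missing report proves nothing about the state of the drive. The policy change by `jdoe` would be visible to anyone reading the key server's change log, but correlating it against a list of authorized administrators turns a log entry into an actionable finding.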

 
