Drexel University College of Medicine is committed to the protection of sensitive information, including protected health information (PHI). A simple password on your computer is not sufficient to meet the HIPAA/HITECH security standards. If you have any sensitive information, including but not limited to: patient photographs, spreadsheets, documents summarizing patient information, or emails with patient information on your laptop or USB drive, you have PHI, which must be encrypted.

Encryption FAQ (What You Need to Do)

  1. If your laptop has or could have PHI, your laptop must be encrypted. This applies to any laptop used while conducting College of Medicine business, whether work-provided or personal.

    1. The laptop must require each person to log in as themselves using a unique login.

    2. When the laptop is first turned on, or returns from sleep or hibernation mode, it must be configured to ask for your password.

    3. The password used must be at least eight characters, and strengthened by using non-alphanumeric characters, and upper- and lower-case letters.

    4. A password protected screen saver must be set to activate after 15 minutes.

  2. If you use a USB thumb drive (or other USB storage device) it must be encrypted.

  3. Do not transport confidential information on your portable electronic devices.

Note: Many applications, such as Outlook, Word or Excel cache files on the laptop's local hard drive. This may result in confidential information being stored on the laptop without the user’s knowledge.

USB Encryption
If you use a USB drive to transport PHI or other confidential information, the USB must be encrypted. Keep in mind if you open confidential files from a USB drive, do so on a secure computer; the cached file on the computer you use is not encrypted.

USB devices must provide at least 128 bit AES encryption and lock or wipe the USB drive after a certain number of incorrect password attempts.  The following devices have been tested are recommended. If you choose another model, you are responsible for ensuring that the device meets the minimum encryption requirements.

  • IronKey - https://store.ironkey.com/personal – Any of the "Personal" (password) series devices; storage sizes range from 1–16GByte; Approved for HIPAA-regulated data storage (FIPS required): $79.00–$299.00  
  • McAfee USB 320GB FIPS hard-drive – fingerprint biometric Mfg#MFL-USB-HDDK-320GBFG; Approved for HIPAA regulated data storage (FIPS required): $498  
  • McAfee USB Zero Footprint BIO USB 4GB – fingerprint biometric Mfg#MCL-USB-BIOM-4GBFA; Approved for HIPAA regulated data storage (FIPS required): $222

Contact College of Medicine Information Technology at 215-762-1999 with any questions.