Workstation Encryption

HSC is deploying mandatory full disk and USB storage device encryption. Use the directions below to learn more about this process.

About the HSC BitLocker Encryption

HSC is deploying mandatory full disk and USB storage device encryption. This will be applied automatically on HSC Windows devices by Microsoft BitLocker and on OS X by FileVault. HSC IT will be pushing the encryption policy for Windows devices remotely.

OS X devices will encrypt as they are deployed. If your device is already encrypted, this process will not affect your device.

USB devices on Windows workstations must be encrypted before they can be written to. You will be automatically prompted to take these actions when you connect the device. You will be prompted to enter a password to use with the device on the first encryption.

To start this process, you MUST be connected to the HSC network, either directly (Ethernet or HSC Secure) or by VPN. These devices will be readable on any Windows device using this password.

 

HSC Encryption Policy

How to Request an Exception

To request exclusion from the encryption policy, you must submit a Help.HSC ticket stating your business requirement for being excluded. Include the exact device names and the type of encryption exclusion (USB or Disk).

The Health Sciences CIO or the UNM Hospitals Chief Information Officer (CIO) may approve exceptions to encryption-at-rest requirements.  Requests shall be written, shall specify what compensatory measures will provide protection of information equivalent to encryption, and be based on at least one of these criteria:

  • The system or device does not support encryption, or the addition of encryption is cost prohibitive.  Request shall include a plan for replacement of the system by a specific date.
  • A medical device with a demonstrated risk that encryption would affect the reliability and/or performance of the device, impacting patient care.
  • A medical device in which support and/or warranty are voided by modification of the software, including the addition of encryption.

IT will contact you for next steps if any are required.

What You May See & What to Ignore

You may safely ignore all messages related to the beginning of encryption or decryption. Any errors related to encryption may safely be ignored if they only occur once.

If the errors continue to occur, please contact your IT Service Desk.

Basic Troubleshooting

If you see a message requesting a BitLocker Recovery Key upon reboot, please reboot the device. If the message persists after multiple reboots, please contact your IT Service Desk.

HSC is deploying mandatory USB storage device encryption. When attaching a USB device to your BitLocker-encrypted computer, you will be required to encrypt it to store data. You can read data from any non-encrypted external storage media, but the external storage media must be encrypted in order to write or save data.

When saving data to a USB storage device, the USB storage media must be encrypted prior to use. Upon connecting the external storage media to an HSC device, you will receive a prompt to encrypt the storage media. When encrypting the external media for the first time, a prompt will appear requesting password creation. It's important to note that the device to which the external media is connected must be on-domain for the encryption to work.

For the device to be on-domain, you must be connected to the Health domain via Ethernet, HSC_Secure (Wireless), or by VPN. External media encrypted using this methodology will only be readable on Windows devices using the above-referenced password.

BitLocker-encrypted storage media can still be read on Windows devices using the password that was set at the time of the storage media encryption.

When you plug in a USB device on an HSC device, you will be prompted to encrypt:

[Screenshot: usb-1.png]

If you do not encrypt, you can only READ data from the device. If you do encrypt, you will be prompted to enter a password to finish the process:

[Screenshot: usb-2.png]

This password will be used to access the USB device, wherever you read from it.

If you forget this password, or if the device becomes corrupt, HSC IT has a stored recovery key to attempt recovery of the device. Please contact your IT Service Desk to get this access key if required.