Our medical practice is faced with becoming compliant with the latest HIPAA, HITECH, and Meaningful Use regulations, and one part we're struggling with is how to protect "data at rest", i.e., data on the hard disks of our file servers (we know laptops are a whole different story). Our file servers are all located in a server room that is locked at all times. What we aren't sure of is whether that physical security negates the "need" to have all drives containing patient data encrypted, as the enclosed article suggests. Some of our data already resides on self-encrypting drives, but much of it doesn't, including our EMR database and its "to disk" backups. Our EMR vendor replied to our inquiry by saying, in sum and summary, that they don't have an official answer yet, but they also don't know of any of their clients who have implemented encryption on their databases, due to cost (either of self-encrypting HDDs or SQL Enterprise Transparent Data Encryption) and performance concerns. If anybody is familiar with HIPAA or with what HIPAA auditors are currently looking for when it comes to data at rest in a server room / datacenter, your advice is much appreciated!