Purpose. This chapter establishes the policy and procedure for protecting sensitive information managed by the Indian Health Service (IHS) and by contractors and other entities acting on behalf of the IHS. Encryption of sensitive information, including personally identifiable information, must be accomplished expeditiously.
Background. Encryption is important for protecting privacy and retaining the public?s trust. While encryption is preferred for protecting of sensitive information on all desktop computers, physical security controls and other management controls may suffice. The use of ?Encryption Standard for Mobile Devices and Portable Media,? Department of Health and Human Services (HHS), to address the protection requirements associated with all government-furnished and nongovernment-furnished desktops used on behalf of the government that store sensitive information.
U.S. Department of Health and Human Services Memorandum, ?Mandatory Protection of Sensitive Information on Computers, Mobile Devices and Portable Media,? May 19, 2008.
U.S. Department of Health and Human Services Standard 2008-0007.001S ?Standards for Encryption,? December 23, 2008.
National Institute of Standards and Technology, Special Publication (SP) 800-88, Guidelines for Media Sanitization, September 2006.
Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004.
Office of Management and Budget Memorandum M-07-16, ?Safeguarding Against and Responding to the Breach of Personally Identifiable Information,? May 2007.
Indian Health Service Memorandum, ?Mandatory Protection of Sensitive Information on Computers, Mobile Devises, and Portable Media,? May 30, 2008.
Scope. Covered devices include desktops; laptops; BlackBerry® smartphones; personal digital assistants (PDA); and portable media e.g., universal serial bus (USB) thumb drives, external hard drives, compact discs (CD), digital video discs (DVD), and smartphones.
Policy. It is IHS policy on protecting sensitive information that:
Under no circumstances shall sensitive IHS data be stored on a user?s nonencrypted or non-issued device (e.g., desktop or laptop).
Sensitive information shall not be sent electronically via e-mail unless a FIPS 140-2 product is used i.e., an IHS-issued personal identity verification (PIV) card.
All sensitive information shall be stored on a physically secured network storage device where access is limited to authorized personnel, reducing the risk of theft or data loss. Area Offices shall ensure they have adequate network storage capacity to accommodate user requirements.
Device encryption is NOT required when connecting to IHS/HHS Webmail as long as sensitive information is not stored locally.
Personally Identifiable Information. Personally identifiable information (PII) is any piece of information that can be used to identify, contact, or locate a person or can be used with other sources to identify an individual. Personally identifiable information refers to information that can be used to distinguish or trace an individual?s identity, such as his or her name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother?s maiden name, etc.
Protected Health Information. Protected health information (PHI) is individually identifiable health information that is transmitted or maintained in electronic media; or transmitted or maintained in any form (e.g., electronically).
Mobile Device. Any portable apparatus that stores and processes data. Examples include computers, iPods, BlackBerry® smartphones, Palm Treos, Palm Pilots, and other PDAs.
Portable Media. Any portable device that stores data electronically, such as portable hard drives, USB drives, DVDs, and CD-ROMs.
At-Risk Desktops. Poorly secured desktops that store PII, PHI, or other sensitive data e.g., desktops in remote locations or in common areas accessible by the general public.
Indian Health Service Employees and Contractors. All IHS employees and contractors will:
take mandatory annual security awareness training;
annually review and sign the IHS Rules of Behavior;
immediately report any suspected or actual computer security incidents to designated personnel i.e., help-desk support, facility or Area Information Systems Security Officers, the IHS Chief Information Security Officer (CISO), IHS Incident Response Team; and
cooperate with their information technology (IT) service providers to ensure all IHS laptop computers, mobile devices, and portable media containing sensitive information are encrypted with a FIPS 140-2 certified product such as Check Point.
Director, Office of Information Technology, and Area Directors. The Director, Office of Information Technology (OIT), and Area Directors (or their designees), are responsible for:
ensuring full disk encryption on at risk desktops.
ensuring sensitive information is secure and limited to authorized personnel.
Laptop Encryption Software. The IHS requires full disk encryption and portable media protection to be installed on all laptops. Check Point software and licensing is provided through OIT. If no sensitive information is stored on the laptop, individuals may request a waiver to not install the program on the laptop in support of a legitimate business requirement. The waiver request form may be obtained at: http://home.ihs.gov/ITSC-CIO/oit_tfs/documents/forms/F06-11i_IS_PolicyWaiver.pdf.
If designated as ?at risk? by the Area Director (or his or her designee) all desktops shall utilize full disk encryption.
All desktops must use portable media encryption, which is available through an automated installation for desktop computers.
A waiver for protection of portable media may be requested in support of a legitimate business requirement providing no sensitive information is stored on the desktop.
Personal Digital Assistants. The IHS-approved handheld device or PDA is the BlackBerry® smartphone. A list of Check Point Mobile supported PDAs may be found at http://checkpoint.com/supportedhandhelds/index.html.
Area Offices may choose to purchase and use other FIPS 140-2 encryption products if a PDA is not supported by Check Point Mobile.
Personal digital assistant devices, other than a BlackBerry® smartphone, are not authorized to be connected to the IHS network unless they are encrypted with a FIPS 140-2 certified product such as Check Point Mobile which is provided through OIT.
Macintosh Laptop Encryption. While Check Point?s full disk encryption operates on newer Macintosh systems running under the Intel chipset, the software does not operate on Macintosh systems utilizing the legacy IBM chipset (i.e., PowerPC chip). Because no FIPS 140-2 compliant encryption solution is currently available for these older models, Macintosh PowerPC laptops must be replaced by June 30, 2009. If you are using a Macintosh computer and wish to verify which type of processor is being utilized:
Choose ?About This Mac? from the Apple icon menu.
Look at the ?Processor? line to see which kind of processor is in use.
Macintosh Mobile Device Encryption. Check Point portable media encryption, which provides encryption for mobile devices will not operate on any Macintosh system at this time. In lieu of utilizing Check Point portable media encryption on desktops or laptops, Area Offices may choose to purchase FIPS 140-2 compliant encrypted thumb drives. One provider under GSA contract GS-35F-0142S is MXI Security, a vendor of encrypted thumb drives.