Mobile and Desktop Device Encryption FAQs

General Encryption Inquiries

Question Answer
 1. What is laptop/desktop encryption?

Laptop and Desktop Encryption makes the hard drive of your laptop unreadable without proper authentication.

When you encrypt your laptop or desktop's hard drive, the entire contents of your computer becomes unreadable to anyone who lacks the proper credentials to log on to your system.

2. Why is laptop encryption necessary?

New federal and state data protection laws mandate that all portable devices that access or allow access to Protected Health Information (PHI) or Personal Identifiable Information (PII) be encrypted. It is essential that Mass General Brigham safeguard its privileged information against this kind of loss.

Mass General Brigham’s policies mandate that all laptops, that access the Mass General Brigham network and internet-based resources or store Mass General Brigham Confidential Data, be encrypted.

3. Are laptops the only computers that must be encrypted?

No - Tablets, Smartphones and Netbooks* must be encrypted. Also, it is recommended to encrypt desktops.

4. How do I know if I need to encrypt my laptop or desktop?

If laptops, Tablets, Smartphones and Netbooks* access Mass General Brigham resources or store Mass General Brigham Confidential Data, they must be encrypted. Examples of access to resources include:

  • Mass General Brigham VPN
  • Email via Outlook Web Access
  • Patient Gateway
  • Access to LMR Over the Internet (LOTI)
  • GoToMyPC
  • Workspace apps like Epic and UKG Dimensions
  • Any other Mass General Brigham applications or internet-based resources.

Users may not connect unencrypted devices to the Mass General Brigham network except for the following purposes:

  • Accessing Peoplesoft to view an individual’s personal information
  • Accessing HealthStream for training purposes
  • Using My Profile for the individuals’ own password self-service needs
5. Do I need to encrypt my laptop if I don't access PHI or PII?

Yes, Mass General Brigham’s policies require all laptops that connect to Mass General Brigham resources to have their entire hard drives encrypted with approved encryption software.

All employees, contractors, or vendors who have laptops, which connect to Mass General Brigham resources regardless of the data maintained on the device, must have hard drive encryption installed.

6. Do I need to encrypt my personal laptop?

If you use your personal laptop to store Mass General Brigham Confidential Data or to access Mass General Brigham resources, you must encrypt it.

7. Do I need to encrypt my non-laptop, home computer?

At this time, Mass General Brigham does not require you to encrypt your non-laptop home computer if it is used to access Mass General Brigham resources.

8. Are there laptops that are excluded from encryption?

Mass General Brigham clinical workstation builds are presently exempt from the laptop encryption requirement.

An Mass General Brigham clinical workstation is a desktop or laptop located in clinical areas of the hospitals. They are highly restrictive builds that run a subset of approved applications.

These workstations are used by multiple individuals and have fast log on and log off procedures.

9) Can multiple users share a device that has been encrypted?

Mass General Brigham laptop: Yes, multiple users accounts can share an encrypted device. Example: If two colleagues share a Mass General Brigham laptop, each user must have their own McAfee encryption and Mass General Brigham accounts. Please call your IS Service Desk for assistance with configuring the device for multiple users.

Personal laptop: No, you may not share a personal laptop with non-employees if the device has been encrypted and is used to connect to Mass General Brigham resources. Sharing your encryption password with anyone is prohibited by law. Example: You have a personal laptop that you use to check email with Outlook Web Access. This laptop must be encrypted and cannot be shared with non-employees.

10. What operating systems support laptop/desktop encryption?

Encryption is supported on the following operating systems.

 

*Chromebooks do not support Mass General Brigham encryption standards. 

Mass General Brigham does not currently offer encryption software for Linux laptops. Employees with Linux (or derivatives) laptops should secure their devices with the encryption product of their choice.

11. What software does Mass General Brigham use for laptop/desktop encryption?

For managed Mass General Brigham Computers running Windows, we are using built-in Bitlocker.

For non-standard Windows Computers, including personal laptops we are using McAfee Endpoint Encryption*. People may choose to activate Personal Bitlocker on Windows Professional systems.

For MacOS Computers, we are using built-in FileVault 2.

12. Can I use a different brand of encryption software?

Bitlocker, McAfee Endpoint Encryption®, and FileVault 2 are the only supported encryption programs.

13. What are the encryption software minimum requirements?
  • 256-bit key strength;
  • Use of the Advanced Encryption Standard (AES) or other FIPS 140-2 validated algorithm;
  • Full disk encryption for all files (the entire disk must be a private partition); and
  • Support for strong password enforcement
14. What does "Full Disk Encryption" mean?

Full disk encryption means that the entire content of the hard drive is encrypted. This includes the operating system itself, program files, swap space, and temporary files.

Full disk encryption is considerably more secure than file encryption solutions since it ensures that all data is encrypted, not just the files you remember to encrypt.

15. Are vendors required to encrypt laptops if they access Mass General Brigham resources?

Yes. Mass General Brigham's vendors and contractors that access protected health information (PHI) and/or personal identifiable information (PII) on portable devices are required to use encryption.

Going forward, Mass General Brigham and entity Business Associate Agreements have been updated to reflect this requirement.

16. Can I use laptop encryption if I don't have a Mass General Brigham user name and password?

Yes. You can set up your own user name and password for Macintosh, Personal Windows Professional using BitLocker, and Linux encrypted laptops. You are not required to use your Mass General Brigham user name and password.

McAfee Endpoint encryption however uses your current and active Mass General Brigham User ID.

17. How do I obtain a laptop encryption account?

MGB managed devices will prompt you for necessary information when you log in using your MGB credentials.

You must contact the IS Service Desk to be added to a personal or lab device's McAfee Endpoint Encryption or  enrolled in PEAS and FileVault.

18. Do I have to provide a cost center to install the laptop encryption software?

No. Laptop encryption software is provided for free to Mass General Brigham employees°.

All Mass General Brigham Standard Desktop and Laptop Windows 10 computers use the built-in encryption called Bitlocker.

° Users with personal or non-standard devices requiring a Windows Professional upgrade will not be compensated by MGB

Back to top

Non-Standard Windows Computers

Question Answer
1. What are the minimum system requirements to install McAfee Endpoint Encryption?

Your system must have 30MB of free disk space. McAfee is supported on the following operating systems:

  • Microsoft Windows 10
2. Is my Windows device compatible with McAfee Encryption?

Please refer to our list of know incompatible laptops: https://rc.partners.org/kb/article/2877

3. How do I encrypt my laptop?

To have a laptop encrypted please see HOWTO: Request Installation of Encryption Software 

4. How do I verify my hard drive is encrypted?

Right click on the McAfee icon in your toolbar and select "show status." You should see C:\Full in green on the right of the window. This means that your hard drive is completely encrypted.

5. What is the password policy for McAfee Endpoint Encryption® and Safeboot?
  • Passwords for laptop encryption must be 8 characters in length and contain at least one letter and one number.
  • The system will remember previously used passwords and prevent them from being used again.
  • You will be required to change your password every 180 days. You will receive a reminder 7 days in advance.
  • After entering an incorrect password 3 times, you will be locked out for 5 minutes.
  • After 10 incorrect attempts at entering a password, you will have to call the IS Service Desk to regain access to your laptop.
6. Can I use my Mass General Brigham password for my McAfee Endpoint password?

You can use your Mass General Brigham logon for your McAfee account, but note that your Mass General Brigham logon will not be in sync with your McAfee account.

If you update your password for your Mass General Brigham logon, your McAfee password will not be affected.

7. What do I do if I forget my password?

On the log in screen select Options/Recovery/ user recovery/ question and answer recovery.
You will be required to answer the security questions that you originally set up when you first logged in to McAfee Endpoint Encryption®

Otherwise, contact the MGB IS Service Desk if you forget your password.

8. What happens if I don't log in to my laptop at least once a year?

Laptops must synchronize with the server once every year. Your laptop needs to be connected to the internet to synchronize with the server.

When a laptop goes more than a year without synchronizing with the server, it will lock down. You will need to call the MGB IS Service Desk to restore access.

9. I am no longer using my computer to access Mass General Brigham resources. How do I uninstall encryption?

Call the MGB IS Service Desk to have Encryption removed from your device.

Back to top

Mac OSX

Question Answer
1. Which operating systems are supported for FileVault 2?

MacOS 12 or greater. NOTE: Mac devices used for business purposes must have macOS 12 or later installed to comply with Mass General Brigham policies.

2. How do I encrypt my laptop/desktop?

You must enroll in PEAS which will automatically enable encryption.

3. How do I back up my data before encrypting my laptop?

Macintosh Computers running OS X 11 or greater can use the Time Machine utility included with their Operating System.

4. How long will the encryption process take?

A 500GB drive can take upwards of 6 hours to encrypt. However, you may continue to use your laptop normally while it encrypts.

5. Can I use my laptop/desktop while it's encrypting?

You will be able to use your Mac normally as it is being encrypted.

6. How do I verify my hard drive is encrypted?

Here are instructions on how to verify your hard drive is encrypted.

7. I am no longer using my computer to access Mass General Brigham resources. How do I uninstall PEAS?

Call the IS Service Desk to have PEAS, Filevault, or PGP Whole Disk Encryption removed from your device.

Back to top

Mobile Devices

Question Answer
1. Why is mobile device encryption necessary?

New federal and state data protection laws mandate that all portable devices that access or allow access to Protected Health Information (PHI) or Personal Identifiable Information (PII) be encrypted. It is essential that Mass General Brigham safeguard its privileged information against this kind of loss.

Mass General Brigham's policies mandate that all mobile devices that access the Mass General Brigham network and internet-based resources or stores Mass General Brigham Confidential Data be encrypted.

2. Where can I find more information about the policy?

Please review the Portable Device Security Policy

NOTE: Mass General Brigham policies can be found at anytime from the Mass General Brigham Policies & Procedures link in the Utilities folder.

Back to top

Go to KB0018781 in the IS Service Desk

Related articles