Perelman School of Medicine at the University of Pennsylvania

Security

PGP Data Encryption and Computrace for Clinical Practices of the University of Pennsylvania

Introduction

The purpose of this page is to provide information on Penn Medicine's ongoing efforts to protect Penn Medicine's assets and to comply with federal regulations and standards to protect the privacy, confidentiality, and integrity of institutional data. To achieve this, Penn Medicine utilizes two applications: PGP Encryption and Computrace.

PGP Encryption

The Health Insurance Portability and Accountability Act ("HIPAA") established a set of national standards and guidelines for the security of electronic personal health information ("ePHI"). These ePHI guidelines require certain precautions be taken to ensure that ePHI data is securely stored on computers. Subsequently, it is Penn Medicine's policy that all portable computers with ePHI data stored on them be protected by data encryption.
Violations of HIPAA can result in penalties for both the institution and individual person. The penalties for the individual can be as high as $1.5 million. With so much at risk, UPHS IS, Perelman School of Medicine IS, and the Clinical Practices at the University of Pennsylvania are launching a joint initiative to ensure that you, your patients, and Penn Medicine are protected against ePHI data loss and theft.

Computrace

Regardless of whether laptops have ePHI data on them or not, Penn Medicine's policy requires the installation of the anti-theft software on all laptops purchased with institutional funds or personal laptops that have ePHI data. Computrace enables law enforcement officials to track and potentially retrieve lost and/or stolen laptops.

Who Should Be Asking the Research Computing Help Desk for PGP Data Encryption and Computrace?

If you are currently working for the Clinical Practices at the University of Pennsylvania and have a new, non-Lenovo brand portable computer, you should contact the Research Computing HelpDesk to get PGP encryption and Computrace installed on your portable computer.

How Do You Get PGP Encryption and Computrace Installed?

To start the process, please contact the UPHS HelpDesk at 215-662-7474. The UPHS HelpDesk will route your request to Research Computing. To ensure this happens as efficiently as possible, please be sure to identify yourself as a member of CPUP who needs data encryption on a non-Lenovo brand portable computer.

What Are the End User Responsibilities After PGP Encryption Is Installed?

The following are the PGP encryption end user's responsibility:

  • Data Backup
    Data backup is always important, but encryption makes it even more crucial. Data lost due to hard drive failure or human error will not be recoverable via standard data recovery methods. It is strongly recommended that you back up your data prior to the installation of PGP encryption software and also have some form of automated backup solution set up for use afterwards.
  • Use Strong Passwords
    It is very important to use strong passwords for both your PGP encryption password and the password you use to log on to your computer (i.e., system password). Once the PGP encryption password is entered, the computer is no longer encrypted. If the computer is locked or goes to sleep, only the system password will be required to obtain access to the computer, and data stored on its hard drive will be accessible. A strong system password will therefore provide additional protection for your data. Additionally, your computer should be turned off when traveling or during times when you'll be away from the computer for an extended period of time to ensure your data is in an encrypted state.
  • Forgotten Passwords
    If you forget your PGP encryption password, you will need to call the UPHS Helpdesk at 215-662-7474 for assistance. To ensure your call is properly routed, please reference "CPUP", "PGP encryption", and "forgot password".
  • Travel Restrictions
    Users intending to travel to Cuba, Libya, North Korea, Syria, Sudan, Iran or Iraq must contact the Office of Services at 215-573-2290 for assistance in determining whether an export license is required for computers with PGP encryption installed, and, if so, assistance in applying for an export license.
  • Export Controls
    Any release of the PGP encryption technology or source code to a foreign national from Cuba, Libya, North Korea, Syria, Sudan, Iran or Iraq, or an individual on the denied parties list even while in the United States, may be prohibited under the “deemed export” rules. Again, you are responsible for contacting Penn’s Office of Research Services for assistance.
  • Other Restrictions
    PGP encryption products may not be used directly or indirectly in the design, development, fabrication, or use of nuclear, chemical, or biological weapons or missile technology without US government authorization. Contact the Office of Research Services at 215-573-2290 for more information.

What Are the End User Responsibilities After Computrace Is Installed?

The following are the Computrace end user's responsibility:

  • Connect to the Internet at Least Once Every 30 Days
    To maintain the recovery guarantee, it is the responsibility of the laptop owner to ensure their device is connected to the Internet at least once every 30 days. If this requirement is not upheld and the device is stolen, attempts to recover the device will be made, but replacement monies will not be paid out if the device is not recovered.
  • Store Laptop Serial Number and Emergency Contact Information in a Safe Location
    It is vital that the laptop owner store their laptop serial number and emergency contact information in a safe location separate from the laptop. This information will be given to you on a wallet-sized card following the installation.
  • Initiate Theft-Recovery Process if your Laptop is Lost or Stolen
    If your computer is lost or stolen, it is your responsibility to:
    • Immediately report the incident to local or University police
    • Immediately report the incident to the UPHS HelpDesk (reference "CPUP" and "lost/stolen laptop")
    • Determine what type(s) of sensitive data was stored on the laptop, if any
    • Finalize police report and follow up with Research Computing

FAQ: PGP Encryption

Q: What is PGP Encryption?
PGP encryption is a product from Symantec that is designed to protect data from unauthorized access. Once installed, PGP encrypts all of the data on a computer's hard drive. An authorized user of the computer will be able to work on the computer as normal after entering their PGP encryption passphrase to unlock the computer. If a person gains access to the data through theft or other means, the data will remain encrypted and subsequently be unreadable. Without PGP encryption, a technically skilled person would be able to bypass the computer's built-in security and access the data with relative ease. PGP encryption prevents that from happening by converting the data into an unreadable code and keeping it in that state until a PGP password is entered.

Q: Is PGP Encryption free?
Yes and no. A license for PGP encryption costs $36 per installation per year but this cost will be covered by Penn Medicine. Subsequently, PGP is being made available to you at no cost.

Q: How will my computer function after PGP is installed?
Your computer will work as it always has after PGP is installed. The most significant change will be the need to enter your PGP passphrase to log into your computer.

Q: What if I forget my PGP password? Do I lose my data?
If you forget your PGP password and cannot log into your computer, you have not lost your data! In the event you forget your password, please call the UPHS HelpDesk at 215-662-7474 and reference "CPUP", "PGP", and "forget password". Your request will be routed to Research Computing, who will be able to assist you in gaining access to your data again.

Q: What happens to the data on a protected laptop in the event that something happens to its owner?
In the event that the only person authorized to log onto a laptop protected by PGP is unavailable, Penn Medicine support providers will be able to decrypt the laptop using their own account. This measure is in place to ensure that your data can be recovered even if you are not available to do so yourself.

Q: Why can't I use the encryption software of my choosing?
Our PGP installation is a managed system which will ensure that you, your patients, and Penn Medicine have the required level of protection in place. It will also enable us to assist you should you experience technical issues with PGP such as forgetting your password, etc.

Q: Can PGP Encryption be installed on a computer running multiple operating systems?
No, PGP does not yet support multiple operating systems. If you have a dual- or multiple-boot environment set up on your computer, PGP will not function.

FAQ: Computrace

Q: What is installed on my computer?
Computrace is a small software client that resides on the host computer.

Q: Exactly what is Computrace designed to do?
Computrace is designed to create both a deterrent for theft, which exposes the privacy and confidentiality of electronic Protected Health Information (ePHI) to outside parties, and to assist in the recovery of stolen laptop computers.

Q: What is Computrace NOT designed to do?
The product is not:

  • A means of tracking, obtaining an inventory, or monitoring normal laptop activity
  • A means of knowing what other software is resident on the laptop
  • A guarantee of loss prevention
  • An application known to disrupt routine computing on the laptop
  • An automatic trigger for finding a lost or stolen device

Q: How much does Computrace cost?
The cost of this software is $65 per computer for a 3-year contract. This cost will be covered by Penn Medicine. Please note that each license is valid for a 3-year contract period. After that point, a new license will need to be purchased.

Q: Does Computrace protect my laptop when I travel?
The software is designed to work in both the USA and Canada. In other locations, reliance on the cooperation of local law enforcement is not necessarily as consistent.

Q: What happens if my laptop doesn't connect to the internet once within 30 days?
The device must check in through an Internet connection once each 30 days in order to maintain the recovery guarantee. Otherwise, if it is reported stolen during the leave period, attempts to recover it would be made, but the replacement monies could not be paid out if the device is not recovered. Once the device regularly reports in again, it is under the standard warranty.

Q: Is there a means through this contract by which the data on my computer can be viewed by others?
No.

Q: What are the kinds of laptop losses covered by this service?
Internal Loss, Internal Theft, and External theft.

Q: Does Computrace interfere with applications that are in operation?
No. ComputracePlus does not affect system performance or security. The agent itself occupies a small amount of memory when idle. When placing a call to the Monitoring Center, it occupies approximately 27 KB during the data transfer.

For more information, contact Bob DeSilets at medsecurity@mail.med.upenn.edu or 215-746-5578.

Penn Medicine Academic Computing Services (PMACS) at the Perelman School of Medicine
