Healthcare institutions can no longer say they don’t have a need for drive encryption. Federal laws will only get tougher as the years go by, and we are having to encrypt everything containing ePHI. Now that many of us are on Windows 8, we have a “free” encryption option that is built in: BitLocker.
With BitLocker you can encrypt files and folders, partitions or the entire system drive. Healthcare institutions are advised to enable pre-boot authentication: in case of theft or loss, a PIN must be entered at startup in order to continue the boot process.
However, in order to set up a PIN for pre-boot authentication, we must first make some changes to Local Group Policy in Windows 8. The image shows the two options I have configured for a Surface Pro running Windows 8.
We can find the Local Group Policy Editor by clicking on the Windows logo and searching for gpedit. Windows will populate the search results with the appropriate application.
Once the Local Group Policy Editor is open, under Computer Configuration we expand Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
From there, for tablets such as the Surface Pro, we enable the policy “Enable use of BitLocker authentication requiring preboot keyboard input on slates”.
We then enable the policy “Require additional authentication” with the following settings:
- Check the box Allow BitLocker without a compatible TPM
- Do not allow TPM
- Require startup PIN with TPM
- Do not allow startup key with TPM
- Do not allow startup key and PIN with TPM
Once that is configured, setting up BitLocker with pre-boot authentication in Windows 8 is simple. All one has to do is right-click the C: drive and select Turn On BitLocker. You will be asked to enter a PIN and either save the Recovery Key to a file that you can store on a USB drive or send it to the printer to keep in a safe place. Best of luck 🙂
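To confirm that the settings above actually took effect, the following PowerShell audit compares the registry values that back these Group Policy options with the state listed in the steps, then checks that the system drive carries a TPM+PIN protector. It is an added example, not part of the original post; the function names Get-FvePolicy and Test-FvePolicy are hypothetical, and the sample input is constructed.

```powershell
# Added example: audits the policy state described in the steps above.
# Values live under the FVE policy key; for the UseTPM* values
# 0 = do not allow, 1 = require, 2 = allow.
$FvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

$Expected = [ordered]@{
    OSEnablePrebootInputProtectorsOnSlates = 1  # preboot keyboard input on slates
    UseAdvancedStartup = 1  # Require additional authentication: enabled
    EnableBDEWithNoTPM = 1  # Allow BitLocker without a compatible TPM
    UseTPM             = 0  # Do not allow TPM
    UseTPMPIN          = 1  # Require startup PIN with TPM
    UseTPMKey          = 0  # Do not allow startup key with TPM
    UseTPMKeyPIN       = 0  # Do not allow startup key and PIN with TPM
}

# Hypothetical helper: read the policy values actually present on this machine.
function Get-FvePolicy {
    $actual = @{}
    $key = Get-ItemProperty -Path $FvePath -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $Expected.Keys) { $actual[$name] = $key.$name }
    }
    return $actual
}

# Hypothetical helper: compare a set of values with the expected state.
function Test-FvePolicy {
    param([hashtable]$Actual)
    foreach ($name in $Expected.Keys) {
        $value = $Actual[$name]
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = if ($null -eq $value) { 'not set' } else { $value }
            Ok       = ($value -eq $Expected[$name])
        }
    }
}

# Constructed sample: PIN merely allowed (2) instead of required (1) is flagged.
Test-FvePolicy -Actual @{ UseAdvancedStartup = 1; UseTPMPIN = 2 } | Format-Table -AutoSize

# Live check (run elevated): policy values, then the protector on the OS volume.
Test-FvePolicy -Actual (Get-FvePolicy) | Format-Table -AutoSize
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$pin = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'TpmPin' })
'TPM+PIN protector present: {0}' -f ($pin.Count -gt 0)
```

Any row with Ok = False means the machine has drifted from the configuration listed above, for example a PIN that is allowed but not required.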