
Policy & Security - SOM Encryption Project

by Kenton Chee

The Department of Medicine is working with the School of Medicine Information Services Unit (SOM ISU) to encrypt all University-owned laptops and high-risk desktops by June 30, 2010. These are all laptops that were purchased with university funds and desktops that have sensitive information on the hard drive. The encryption method we will implement is called Check Point Full Disk Encryption (FDE). Computers must meet the minimum hardware and software requirements for full disk encryption. Most computers that were purchased within the last 3 years will be compatible. One notable exception is that Apple computers with PowerPC processors are not supported. If computers aren't compatible, you may have to purchase one that is.

This mandatory project is to ensure compliance with Federal and State laws, as well as protect the good name of UCSF. Some of these laws are:

You cannot opt out of this project unless the waiver procedure (under development) has been completed. This will likely require the signature of the division chief and the department chair accepting all liability in the event of the computer's loss or theft. Otherwise, the only way to exempt a computer from this requirement is to permanently remove it from service. The Dean of the School of Medicine has approved this project in collaboration with the Dean's Staff, School's Chairs and Directors.

The School of Medicine will pick up the initial license costs, but the Divisions may be charged $50/yr per laptop for operations and license maintenance starting the second year. This is made possible by the partnership between the SOM ISU and the Department of Medicine IT group.

In independent tests, Check Point Full Disk Encryption performs best overall when compared to full-disk encryption products from SafeBoot, Utimaco, PGP, Guardian Edge and Microsoft.

The amount of time it takes to encrypt each laptop depends on many factors. Be prepared to leave it with us for at least 24 hours. The steps are:

  1. Device pickup
  2. Defragment hard disk (arranges files on HD)
  3. ChkDsk/Disk repair on hard disk (checks and repairs file structure of disk)
  4. Remove any current encryption (e.g., EFS or FileVault)
  5. User profile backup
  6. Image hard drive (where applicable)
  7. Install Check Point
  8. Wait until 100% of hard disk is encrypted
  9. Archive the backup data
  10. Device drop off

The cost in staff time and effort for this process will be recharged at the same rate across the School, regardless of who provides your IT services. The hourly rate is still being negotiated with the SOM ISU. We currently expect to provide the service free of charge to those customers already enrolled in our monthly desktop support service.

Once your laptop or high-risk desktop is encrypted with Check Point FDE, you should not notice anything different except for a new icon in your system tray or menu bar and a new splash screen at startup. Most people will not notice any difference in performance either. If you use an application that continually utilizes the HD, you may notice a little slowdown after the encryption process is complete (usually no more than a 10% decrease in disk performance).

Although encryption protects your data when your machine is powered off, it does not protect your data when your machine is powered up and logged in. You should continue to use a screen saver password, an active anti-virus program, and anti-malware software. You should keep up to date with security updates.

If you have any questions regarding the encryption process, please contact the Department of Medicine Helpdesk at helpdesk@medicine.ucsf.edu or call 415-476-6827.
