COM Device Full Disk Encryption Requirements

Aug. 31, 2023

Device Encryption Requirements

To comply with the data security standards identified in 45 CFR §164.312(a)(2)(iv) and §164.312(e)(2)(ii) of the Health Insurance Portability and Accountability Act (HIPAA), the College of Medicine is implementing Full Disk Encryption (FDE) on all COM-owned and managed devices using the installed Sophos Antivirus client.

Approximately 75% of the college’s devices already have FDE fully implemented and will experience no impact. 

The remaining 25% will fall into one of the three categories below:

Windows Seamless Transition

  • For Windows devices that have a Trusted Platform Module (TPM), the transition from unencrypted to encrypted will be relatively seamless to the user. At the next system restart, the Sophos client will trigger the enablement of BitLocker FDE and will relay the information between the client and the Sophos Central Administration tenant.

Windows Requires User Interaction

  • NOTE: A small percentage of users will fall into this category. Users in this category should notify their department administration that a tech refresh of this equipment is required within the next year, as this computer will not be able to upgrade to Windows 11.
  • For Windows devices that do not have a TPM, the user will receive the Windows notification from Sophos shown below (Image 1).
  • Users should enter a new, unique BitLocker password/passcode that can be between 8 and 100 characters in length.
  • Users should store this new BitLocker password/passcode in Stache, or some other password manager, for safekeeping.
  • Users will be required to reenter this BitLocker password/passcode at each reboot/startup on this device.

MacOS Requires User Interaction

  • Mac users will see the MacOS prompt from Sophos shown below (Image 2).
  • Users should enter their login information to allow Sophos to encrypt the device.

Image 1: Windows without TPM Prompt

Image 2: Sophos MacOS Prompt