At BIDMC, we've researched several solutions and have chosen McAfee Endpoint Encryption (formerly SafeBoot Encryption) to ensure we comply with these new regulations.
We've done a comprehensive analysis of the application, which I encourage you to download.
In summary, the impact of encryption on disk write and read is so small that users cannot perceive any change in performance.
How will we implement the product?
Today, we have asset control software which lists all laptops received through IS Inventory Control. These records make it easy to contact customers and schedule a visit to have their laptop hard disk encrypted. During that visit, we will teach them how to use the system with the encryption software on it. On average, we're experiencing a one-time encryption time of 2.5 hours. This varies depending upon the speed of the processor, the amount of RAM and the size of the hard disk. The encryption can also be removed if necessary, but it will take approximately the same amount of time to decrypt the hard disk as it took to encrypt it. Decrypting must be done by IS.
What about support?
From a support perspective, McAfee Endpoint utilizes an enterprise control console, and if passwords are forgotten, encryption access can be reauthorized by contacting IS. We've found the support effort to be less than that of other products we've investigated lately, such as Seagate Full Disk Encryption.
What are the challenges?
Currently there is no McAfee Endpoint solution for Apple products. McAfee is working on a solution and hopes to have it released some time next year. Since McAfee Endpoint encrypts the entire hard disk and the encryption drivers must be loaded to decrypt the hard disk, Windows emulator solutions for Mac OS X such as Fusion or Parallels will not work.
Thus, based on our research, the McAfee encryption solution addresses our requirements for protecting 1000 laptops to ensure compliance with the new Massachusetts Law by January 2009. We'll complement this software solution with education to ensure users avoid storing protected health/identified information on mobile devices whenever possible.