Disk Encryption in ISO 27799

$349.00
How you learn: Self-paced • Lifetime updates
Toolkit Included: Includes a practical, ready-to-use toolkit containing implementation templates, worksheets, checklists, and decision-support materials used to accelerate real-world application and reduce setup time.
Your guarantee: 30-day money-back guarantee — no questions asked
Who trusts this: Trusted by professionals in 160+ countries
When you get access: Course access is prepared after purchase and delivered via email

This curriculum spans the technical, operational, and governance dimensions of disk encryption in healthcare settings, comparable in scope to a multi-phase internal capability program that integrates cryptographic controls into clinical workflows, risk management, and compliance frameworks across diverse infrastructure environments.

Module 1: Aligning Disk Encryption with ISO 27799 Control Objectives

  • Determine which ISO 27799 controls (e.g., 8.3, 10.1, 12.4) require encryption of data at rest in healthcare information systems.
  • Map encryption scope to specific data types such as electronic health records (EHR), backup media, and portable devices containing patient identifiers.
  • Assess whether full-disk encryption (FDE) or file-level encryption better satisfies confidentiality requirements under control 8.3 (Access Control).
  • Define encryption requirements for legacy systems that cannot support modern cryptographic modules without violating system stability.
  • Coordinate with legal counsel to verify that encryption key management practices comply with data protection obligations in jurisdiction-specific health privacy laws (e.g., HIPAA, GDPR).
  • Document risk exceptions when encryption cannot be applied due to technical constraints, ensuring alignment with risk assessment procedures in ISO 27799 section 5.3.
  • Integrate encryption controls into existing risk treatment plans without duplicating or conflicting with other security measures like access logging or network segmentation.
  • Validate that encryption implementation supports auditability requirements under control 12.4 (Logging and Monitoring) by preserving log integrity on encrypted volumes.

Module 2: Risk Assessment for Encryption Deployment in Clinical Environments

  • Conduct threat modeling to evaluate risks of unencrypted disk loss in mobile clinical workstations used in hospital wards.
  • Quantify the impact of encryption-induced latency on time-critical applications such as radiology image retrieval systems.
  • Identify high-risk endpoints (e.g., laptops, USB drives) used by home health nurses that store temporary patient data.
  • Assess the likelihood of cold boot attacks against powered-down devices in shared clinical workspaces.
  • Balance encryption coverage against operational disruption during peak clinical hours when rebooting devices for policy enforcement.
  • Classify systems based on data sensitivity and availability requirements to prioritize encryption rollout sequences.
  • Engage clinical stakeholders to evaluate workarounds that may bypass encryption, such as printing sensitive data to unsecured printers.
  • Document residual risks associated with pre-boot authentication failures in emergency access scenarios.

Module 3: Selecting Encryption Technologies and Cryptographic Standards

  • Evaluate hardware-based encryption (e.g., SEDs) versus software-based solutions (e.g., BitLocker, LUKS) for compatibility with hospital device management systems.
  • Verify that cryptographic algorithms (AES-256) and key lengths meet NIST SP 800-175B and ISO 27001 Annex A.10 requirements.
  • Assess vendor claims about FIPS 140-2 validation for encryption modules used in medical imaging archives.
  • Determine whether self-encrypting drives require centralized policy management via Enterprise Password Manager (EPM) or equivalent.
  • Compare performance overhead of inline encryption in virtualized environments hosting EHR databases.
  • Select encryption solutions that support multi-factor pre-boot authentication without introducing usability bottlenecks for clinicians.
  • Ensure cryptographic key generation occurs within approved hardware security modules (HSMs) or trusted platform modules (TPMs).
  • Prohibit the use of deprecated encryption tools (e.g., EFS without proper PKI integration) in new deployments.

Module 4: Key Management Architecture and Operational Controls

  • Design a key recovery process that allows authorized IT personnel to retrieve encrypted data without compromising separation of duties.
  • Implement role-based access to key management systems, ensuring that clinical staff cannot export or view encryption keys.
  • Establish secure storage mechanisms for recovery keys, such as split knowledge procedures or escrow to designated custodians.
  • Define key rotation intervals based on data sensitivity and regulatory retention periods for health records.
  • Integrate key lifecycle operations (generation, revocation, archival) into existing identity governance workflows.
  • Enforce dual control for master key access in environments where psychiatric or HIV-related data is stored.
  • Test backup and restoration of key stores under disaster recovery conditions without exposing plaintext keys.
  • Log all key access attempts and integrate alerts into SIEM systems for anomaly detection.

Module 5: Pre-Boot Authentication and Access Control Integration

  • Configure pre-boot PIN policies to meet minimum complexity requirements while minimizing clinician login delays.
  • Integrate TPM-based attestation with Active Directory to prevent booting on unauthorized or tampered hardware.
  • Implement fallback authentication methods for devices used in emergency departments where speed is critical.
  • Disable USB boot options and external device access during pre-boot to prevent bypass attacks.
  • Enforce screen lock timeouts that trigger re-authentication after periods of inactivity on encrypted workstations.
  • Coordinate with physical security teams to ensure that unattended, authenticated devices are not left accessible in public areas.
  • Test single sign-on (SSO) workflows to confirm that domain authentication follows successful pre-boot validation.
  • Document procedures for securely wiping pre-boot credentials from decommissioned devices.

Module 6: Encryption in Virtualized and Cloud-Based Healthcare Systems

  • Enable virtual machine disk (VMDK) encryption in VMware environments hosting patient billing databases.
  • Verify that cloud service providers (e.g., AWS, Azure) support customer-managed keys for EBS or managed disks containing PHI.
  • Assess risks of hypervisor-level access to memory and disk data in shared cloud tenancies.
  • Configure snapshot and clone operations to inherit encryption policies or require explicit re-encryption.
  • Implement host-level encryption for temporary swap files generated by virtualized EHR applications.
  • Monitor API calls related to key management in cloud environments using audit trails and alerting rules.
  • Ensure that backup images of virtual machines remain encrypted during transfer and storage in offsite repositories.
  • Validate that live migration of VMs does not expose memory contents containing decryption keys.

Module 7: Incident Response and Forensic Readiness with Encrypted Disks

  • Develop procedures for acquiring forensic images from encrypted drives without destroying evidence.
  • Train incident responders to identify encryption status during breach investigations involving lost or stolen devices.
  • Store decryption keys in a secure, access-controlled repository for use during authorized forensic analysis.
  • Define time-sensitive workflows for retrieving keys when investigating potential data exfiltration.
  • Preserve logs showing pre-boot authentication attempts to establish a timeline of unauthorized access.
  • Coordinate with legal teams to obtain necessary authorization before decrypting devices involved in employee investigations.
  • Test forensic tool compatibility with encrypted volumes to ensure memory dumps and disk images can be analyzed.
  • Document chain-of-custody procedures for encrypted media submitted for forensic examination.

Module 8: Audit, Monitoring, and Compliance Verification

  • Configure centralized logging of encryption status (compliant/non-compliant) across all endpoints using SCCM or Intune.
  • Generate monthly reports showing percentage of encrypted devices by department, including outliers in radiology or labs.
  • Validate that audit logs capture failed pre-boot authentication attempts and policy enforcement events.
  • Perform periodic sampling of devices to verify encryption is active and not disabled by local administrators.
  • Integrate encryption compliance data into automated risk dashboards used by the CISO office.
  • Respond to auditor requests by providing evidence of encryption coverage for systems in scope of HIPAA or NIST assessments.
  • Track exceptions and remediation timelines for devices delayed in encryption rollout due to clinical dependencies.
  • Use configuration management databases (CMDB) to correlate encryption status with asset ownership and support contracts.

Module 9: Decommissioning and Secure Data Erasure

  • Execute cryptographic erasure by destroying encryption keys for solid-state drives before physical disposal.
  • Verify that key destruction renders data irrecoverable, especially for drives containing longitudinal patient studies.
  • Use NIST SP 800-88 compliant sanitization methods when cryptographic erasure is not supported or trusted.
  • Obtain signed certification from third-party disposal vendors confirming secure wipe or physical destruction.
  • Update asset registers to reflect decommissioning status and removal from encryption monitoring systems.
  • Retain records of erasure procedures for minimum audit retention periods (e.g., 6 years under HIPAA).
  • Inspect returned leased equipment for residual encryption policy settings before reissuance.
  • Disable pre-boot authentication and remove device from key management systems prior to transfer or resale.

Module 10: Governance Integration and Continuous Improvement

  • Assign ownership of encryption policy enforcement to a designated information asset owner in the healthcare organization.
  • Incorporate encryption compliance into quarterly risk committee reporting with metrics on coverage and exceptions.
  • Update security policies to reflect changes in encryption standards, such as deprecation of older TPM versions.
  • Conduct tabletop exercises to test governance response to widespread key loss or encryption system failure.
  • Review vendor contracts to ensure encryption support is maintained during software upgrades or EHR migrations.
  • Integrate encryption control effectiveness into annual internal audit plans and external certification cycles.
  • Establish feedback loops with clinical departments to identify usability issues impacting encryption adherence.
  • Monitor emerging threats (e.g., side-channel attacks on SEDs) and adjust control baselines accordingly.