
Encrypting healthcare data at rest: NIST best practices

By Patrick Ouellette

Whether it’s full disk encryption, volume and virtual disk encryption or file/folder encryption, the Department of Health and Human Services (HHS) requires that HIPAA covered entities use storage encryption technologies as part of their storage security controls for data at rest. HHS points to NIST’s Guide to Storage Encryption Technologies for End User Devices to define which encryption processes for data at rest are acceptable for healthcare organizations.

While the guide dates back to 2007, HHS still defers to NIST Special Publication 800-111 under its “Guidance to render unsecured protected health information unusable, unreadable, or indecipherable to unauthorized individuals” section. Take a look at NIST’s guidelines for full disk encryption, volume and virtual disk encryption and file/folder encryption below and see how they stack up to your organization’s encryption practices:

Full Disk Encryption

Full disk encryption (FDE), or whole disk encryption, involves encrypting all the data on the hard drive used to boot a computer, including the computer’s operating system (OS), and permitting access to the data only after successful authentication to the FDE product. Because the majority of FDE products are software-based, NIST focused on software-based FDE solutions. Remember, though, that FDE may also be built into a hard drive’s disk controller. NIST says that hardware- and software-based FDE offer similar capabilities through different mechanisms. For example, if a user tries to boot a device protected with hardware-based FDE, the hard drive prompts the user to authenticate before it allows an OS to load.

For a computer that is not booted, all the information encrypted by FDE is protected, assuming that pre-boot authentication is required. Once the device is booted, FDE provides no protection; once the OS is loaded, the OS becomes fully responsible for protecting the unencrypted information. The exception is when the device is in hibernation mode: most FDE products can encrypt the hibernation file.


Virtual Disk Encryption and Volume Encryption

Virtual disk encryption is the process of encrypting a container, a single file that resides within a logical volume and can hold many files and folders, and permitting access to the data within the container only after proper authentication is provided, at which point the container is typically mounted as a virtual disk. Virtual disk encryption is used on all types of end user device storage.

Alternatively, volume encryption is the process of encrypting an entire logical volume and permitting access to the data on the volume only after proper authentication is provided. According to NIST, volume encryption is most often performed on hard drive data volumes and volume-based removable media, such as USB flash drives and external hard drives. Volume encryption of boot and system volumes is essentially a special form of FDE, so the guide does not cover it under volume encryption; see the FDE material in Section 3.1.1 of the NIST guide for additional information.

Volume and virtual disk encryption have many similarities, according to NIST: software running on the OS used to access the volume or container handles all attempts to read from or write to the protected volume or container. After the OS has been loaded, if the user needs to use the encrypted volume or container, it is mounted once the user has provided the required authentication. From there, the software automatically decrypts and encrypts the appropriate sectors as needed.

When virtual disk encryption is employed, the contents of containers are protected until the user is authenticated for the containers. If single sign-on is being used for authentication to the solution, this usually means that the containers are protected until the user logs onto the device. If single sign-on is not being used, then protection is typically provided until the user explicitly authenticates to a container. Virtual disk encryption does not provide any protection for data outside the container, including swap and hibernation files that could contain the contents of unencrypted files that were being held in memory. Volume encryption provides the same protection as virtual disk encryption, but for a volume instead of a container.
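The sector-level behaviour described above (the mounted container decrypts and encrypts individual sectors on each read and write, and the container file itself is a single opaque blob) is easy to see in a small model. The following is an added example written for this page, not code from NIST, SP 800-111 or any product; it models a container as a flat byte array of 512-byte sectors encrypted with AES-CBC and a per-sector IV derived the way dm-crypt’s cbc-essiv mode derives it (IV = AES under SHA-256(key) of the sector number). The key, sector count and sample record are constructed for the demo; production products use XTS or similar modes and derive the key from user authentication rather than hard-coding it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// The encryption layer works one sector at a time, as the text describes.
const sectorSize = 512

// essiv derives a per-sector IV the way dm-crypt's cbc-essiv mode does:
// IV = AES_{SHA-256(key)}(sector number). Equal plaintext in two sectors
// therefore yields different ciphertext, and no IV needs to be stored.
func essiv(key []byte, sector uint64) []byte {
	ivKey := sha256.Sum256(key)
	block, _ := aes.NewCipher(ivKey[:]) // a 32-byte key is always accepted
	in := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(in, sector)
	iv := make([]byte, aes.BlockSize)
	block.Encrypt(iv, in)
	return iv
}

// cryptSector encrypts (encrypt=true) or decrypts exactly one sector with
// AES-CBC under key and the sector's ESSIV tweak. A short or long sector is
// rejected rather than padded: disk encryption never changes sector size.
func cryptSector(key []byte, sector uint64, data []byte, encrypt bool) ([]byte, error) {
	if len(data) != sectorSize {
		return nil, fmt.Errorf("sector must be %d bytes, got %d", sectorSize, len(data))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, sectorSize)
	if encrypt {
		cipher.NewCBCEncrypter(block, essiv(key, sector)).CryptBlocks(out, data)
	} else {
		cipher.NewCBCDecrypter(block, essiv(key, sector)).CryptBlocks(out, data)
	}
	return out, nil
}

// Container models a virtual-disk container: one opaque file that holds
// only ciphertext sectors. File names and boundaries exist solely in the
// mounted view, never in the container file itself.
type Container struct {
	key  []byte
	disk []byte // the container file as it sits on the host filesystem
}

func NewContainer(key []byte, numSectors int) *Container {
	return &Container{key: key, disk: make([]byte, numSectors*sectorSize)}
}

func (c *Container) slot(n int) []byte { return c.disk[n*sectorSize : (n+1)*sectorSize] }

// WriteSector is the mounted disk's write path: encrypt, then store.
func (c *Container) WriteSector(n int, plain []byte) error {
	ct, err := cryptSector(c.key, uint64(n), plain, true)
	if err != nil {
		return err
	}
	copy(c.slot(n), ct)
	return nil
}

// ReadSector is the read path: decrypt on the way back to the caller.
func (c *Container) ReadSector(n int) ([]byte, error) {
	return cryptSector(c.key, uint64(n), c.slot(n), false)
}

// Raw is all that an observer holding the container file, but not the key, sees.
func (c *Container) Raw() []byte { return c.disk }

func main() {
	// Constructed demo key; a real product derives it from the user's authentication.
	key := bytes.Repeat([]byte{0x42}, 32)
	c := NewContainer(key, 4)
	record := make([]byte, sectorSize)
	copy(record, "constructed sample: patient record")
	for _, n := range []int{0, 2} { // same content written to two sectors
		if err := c.WriteSector(n, record); err != nil {
			panic(err)
		}
	}
	back, _ := c.ReadSector(2)
	fmt.Println("round trip ok:            ", bytes.Equal(back, record))
	fmt.Println("plaintext in container:   ", bytes.Contains(c.Raw(), []byte("patient")))
	fmt.Println("sectors 0 and 2 identical:", bytes.Equal(c.slot(0), c.slot(2)))
}
```

The model also makes the limits in the text concrete: everything the key protects lives inside `disk`, so the plaintext `record` that `ReadSector` hands back to the OS, and anything the OS then pages to swap or writes to a hibernation file, is outside the container and gets no protection from it.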


File/Folder Encryption

File encryption (encrypting individual files on a storage medium and permitting access to the encrypted data only after authentication) and folder encryption are alike, except that folder encryption addresses individual folders instead of files. Both can be implemented via drivers, services, and applications.

Some OSs offer built-in file and/or folder encryption capabilities, and many third-party programs are also available. Although folder encryption and virtual disk encryption sound similar (both a folder and a container are intended to contain and protect multiple files), there is a difference. A container is a single opaque file, meaning that no one can see what files or folders are inside the container until the container is decrypted. File/folder encryption is transparent, meaning that anyone with access to the filesystem can view the names and possibly other metadata for the encrypted files and folders, including files and folders within encrypted folders, if they are not protected through OS access control features. File/folder encryption is used on all types of storage for end user devices.
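To make the transparency point concrete, here is an added example written for this page (not code from NIST or from any OS or third-party product) that models file/folder encryption: each file’s contents are sealed on their own with AES-GCM, while the directory entries the filesystem keeps stay readable to anyone who can list the folder. The key, file names and contents are constructed for the demo. One design choice goes slightly beyond the text: the file name is bound into the ciphertext as associated data, so a ciphertext that is moved to a different name, or altered on disk, fails to open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"sort"
)

// EncryptedFolder models file/folder encryption: every file's contents are
// sealed individually, but the names and sizes the filesystem records for
// them remain visible without the key.
type EncryptedFolder struct {
	aead  cipher.AEAD
	files map[string][]byte // name -> nonce || ciphertext || GCM tag
}

func NewEncryptedFolder(key []byte) (*EncryptedFolder, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &EncryptedFolder{aead: aead, files: map[string][]byte{}}, nil
}

// Put encrypts one file under a fresh random nonce. The file name is bound
// as associated data, so a ciphertext moved to another name will not open.
func (f *EncryptedFolder) Put(name string, plain []byte) error {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	f.files[name] = f.aead.Seal(nonce, nonce, plain, []byte(name))
	return nil
}

// Get decrypts and authenticates one file; any modification or rename of
// the stored blob is rejected rather than returned as garbage.
func (f *EncryptedFolder) Get(name string) ([]byte, error) {
	blob, ok := f.files[name]
	if !ok {
		return nil, fmt.Errorf("no such file: %s", name)
	}
	ns := f.aead.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("corrupt entry: %s", name)
	}
	return f.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// Listing is what anyone with filesystem access sees without the key: every
// name and its on-disk size (plaintext length + 12-byte nonce + 16-byte tag).
func (f *EncryptedFolder) Listing() []string {
	out := make([]string, 0, len(f.files))
	for name, blob := range f.files {
		out = append(out, fmt.Sprintf("%s (%d bytes)", name, len(blob)))
	}
	sort.Strings(out)
	return out
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key; never use a fixed key in practice
	f, err := NewEncryptedFolder(key)
	if err != nil {
		panic(err)
	}
	_ = f.Put("lab-results-2024.pdf", []byte("constructed sample report"))
	_ = f.Put("notes.txt", []byte("constructed sample note"))
	fmt.Println("visible without the key:", f.Listing())
	got, err := f.Get("notes.txt")
	fmt.Printf("with the key: %q, err=%v\n", got, err)
}
```

The listing shows exactly the metadata the text warns about: names, and sizes that differ from the plaintext length only by a fixed overhead. Hiding that metadata is what a container or volume buys, at the cost of the all-or-nothing unlock described in the previous section.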
