Crystal Practice Management
Encrypting the Database
www.crystalpm.com
2013

Abeo Solution, Inc. (800) 308 7169
11118 Conchos Trail, Austin, TX 78726

Contents

Overview
Level of Encryption
Why encrypt your Crystal Practice Management data?
How to encrypt the database
Which option to choose for data encryption?
Encrypting the entire drive
    BitLocker
    TrueCrypt
Encrypting the data folder
Encrypt a backup drive

Overview

Crystal Practice Management stores all patient and administration information within a MySQL database. All non-Crystal PM patient information [referral letters, paper medical records, x-rays, 3rd party applications, etc.] can be attached to a patient's chart, which is then stored with the MySQL database.

Level of Encryption

If this document is followed properly, the level of encryption will be set to AES SHA-512 or AES RIPEMD-160, depending on the encryption configuration.

Why encrypt your Crystal Practice Management data?

Due to changes in HIPAA, if patient data is unencrypted and the computer and/or hard drive is stolen, then you are required to inform all of your patients that their personal information is now at risk. If a security breach is committed intentionally or accidentally, penalties can be assessed. [Maximum fine for a serious violation is $50,000 per single violation, with a $1.5 Million maximum total per year, and possible prison sentences up to 10 years]. A security breach also includes all unencrypted backups of the data.

How to encrypt the database

While this guide does give step-by-step instructions on how to encrypt your Crystal Practice Management data, it is recommended that only System Administrators attempt this process.

Create a backup of the MySQL data.

You have 2 choices for encryption software: BitLocker and TrueCrypt. With whichever software you decide to use, there are 2 different ways to encrypt the data:
1) Encrypt the entire drive
2) Encrypt the MySQL data folder

Which option to choose for data encryption?

We recommend encrypting the entire hard drive, but at a minimum the data folder. For Windows 8 the only option currently available is to encrypt a data folder.

Things to consider: every time the computer is reset, a password must be entered.
- If the entire hard drive is encrypted (recommended solution), then the password will have to be entered before the operating system will load [a BIOS level password].
- If just the data folder is encrypted, then the operating system will load properly, but the MySQL service will not start until the folder is mounted.

Several offices have their server configured so that it can only be accessed from the network [it does not have a monitor or keyboard attached, or the server is in a closet, or the server is not easily accessible]. If the server is reset (power goes out, downloaded security update, etc.), then someone must manually type in the password before the database can be accessed. If only the data folder is encrypted, then the operating system will load [allowing for network remote access], but MySQL will not load until a user connects, types the password into the TrueCrypt software, and starts the MySQL database.

Encrypting the entire drive

At the time of writing this document (12/2/2013) Windows 8 does not allow for encrypting of the entire drive; please scroll down to encrypting the data folder.
Operating systems which allow for encrypting the entire drive: Windows 7 (32-bit and 64-bit), Windows Vista (32-bit and 64-bit), Windows XP (32-bit and 64-bit), Windows Server 2008 R2 (64-bit), Windows Server 2008 (32-bit and 64-bit), Windows Server 2003 (32-bit and 64-bit), Windows 2000 SP4.

You can encrypt the drive with either BitLocker or TrueCrypt.

BitLocker

Windows 7 Ultimate and Enterprise editions / Windows 8 Professional and Enterprise editions
http://windows.microsoft.com/en-us/windows7/help-protect-your-files-using-bitlocker-driveencryption

1) Open BitLocker Drive Encryption by clicking the Start button, clicking Control Panel, clicking Security, and then clicking BitLocker Drive Encryption.
2) Click Turn On BitLocker. This opens the BitLocker setup wizard. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
3) Follow the instructions in the wizard.

For BitLocker with Windows Server 2008, Windows Vista:
http://go.microsoft.com/fwlink/?linkid=53779

TrueCrypt

1) Download and install TrueCrypt [available at http://www.truecrypt.org/] - free open-source disk encryption software for Windows.
2) Run TrueCrypt
3) Create Volume
4) Encrypt the system partition or entire system drive
5) Type of System Encryption - Normal
6) Area to Encrypt - Encrypt the whole drive
7) Encrypt Host Protected Area - No
8) Number of Operating Systems - depends on server configuration [typically Single-boot]
9) Encryption Options - AES, RIPEMD-160
10) Volume Password -- (do not forget!!) No one can recover a missing password, and the data will be lost if you forget the password.
11) Collecting Random Data
12) Keys Generated
13) Create Rescue Disk
14) Burn the ISO image to a CD and verify the Rescue Disk
15) Wipe Mode - suggested 3-pass or higher
16) System Encryption Pretest - will require a reboot of the computer
17) Pretest Complete
18) Encrypting the drive can take several hours to several days depending on size of drive, speed of drive, and wipe mode.

Once the drive has been encrypted, all data stored on this drive is secure, and a password must be entered after every restart of the computer.

Encrypting the data folder

Within TrueCrypt, make sure that TrueCrypt was started with Administrator privileges turned on or that the current user has administrative privileges.

There are 3 steps to this: Creating a Folder, Mounting a Drive, and Moving over the MySQL data.

1 Creating a Folder
1.1 Create an encrypted file volume
1.2 Create an encrypted file container
1.3 Volume Type - Standard TrueCrypt volume
1.4 Select File - c:\cpmdata
1.5 Encryption Options - AES, SHA-512
1.6 Volume Size - depends on the number of files being scanned. For a typical office 50 GB; for a multi-site office that scans for every patient, 500 GB may be required. [To determine your current database requirements, right-click on the easyopti folder and select Properties; it will tell you the current Size On Disk. Depending on how long you have been using Crystal, add 50%-500% to the size of the container.]
1.7 Volume Password -- (do not forget!!) No one can recover a missing password, and the data will be lost if you forget the password.
1.8 Large Files - No; by default Crystal PM limits the files to 3.5 GB
1.9 Volume Format - FAT or NTFS, Cluster: Default
1.10 Format

2 Mount the Drive

2.1 Select an available drive, and select the file [S: drive, c:\cpmdata]
2.2 Enter the password and mount the drive

3 Moving over the MySQL data

3.1 Stop MySQL [run: net stop mysql]
3.2 Move the data folder to the new drive [S: drive]. It is typically C:\Program Files\MySQL\data or C:\Program Files (x86)\mysql\data. Move both the mysql and easyopti folders.
3.3 Modify the my.ini [located in C:\Windows\my.ini]. Change the line "datadir=c:/program Files/MySQL/data/" or "datadir=c:/program Files (x86)/mysql/data/" to "datadir=s:/", where s is the drive letter.
3.4 Start the database [run: net start mysql]
3.5 Every time the server is reset, a user will need to log in to the server, load the TrueCrypt software, mount the drive, and then start the MySQL database [run: net start mysql]

Additional Steps: Each time the computer is rebooted you will need to run TrueCrypt [and enter the password] before starting the database.

Encrypt a backup drive

1) Run the TrueCrypt software
2) Create Volume
3) Encrypt a non-system partition/drive
4) Standard TrueCrypt volume
5) Select Device, and select the Removable Disk
6) Volume Creation Mode - Create encrypted volume and format it
7) Encryption Options - AES, SHA-512
8) Volume Size - Next
9) Volume Password -- (do not forget!!) No one can recover a missing password, and the data will be lost if you forget the password.
10) Volume Format
11) Mount this hard drive to a new drive letter [Z:\]
12) Modify the Backup.bat file, either on the desktop or in the c:\program files (x86)\CrystalPM folder: right-click on the file and select Edit
13) Change the new backup location to the mounted folder [Z:]
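
Steps 3.1 to 3.4 of "Moving over the MySQL data" as a single PowerShell script that first checks that the encrypted volume is mounted and has room for the data. This is an added example, not part of the original guide; the service name mysql, the S: drive letter and the paths are the guide's typical values and are assumptions about your server.

```powershell
# Added example, not from the original guide. Assumed values: service name
# "mysql", TrueCrypt volume mounted as S:, data in C:\Program Files\MySQL\data,
# my.ini in C:\Windows. Run elevated, after taking the backup.
$ErrorActionPreference = 'Stop'
$OldDataDir = 'C:\Program Files\MySQL\data'
$NewRoot    = 'S:\'
$MyIni      = 'C:\Windows\my.ini'
$Folders    = 'mysql', 'easyopti'

# Section 2 must be done first: refuse to run if the volume is not mounted.
if (-not (Test-Path $NewRoot)) { throw "$NewRoot is not mounted; mount the container first." }

# Check that the encrypted volume has room for the data being moved.
$needed = 0
foreach ($f in $Folders) {
    $src = Join-Path $OldDataDir $f
    if (-not (Test-Path $src)) { throw "Missing folder: $src" }
    $files = Get-ChildItem $src -Recurse -Force | Where-Object { -not $_.PSIsContainer }
    $needed += ($files | Measure-Object -Property Length -Sum).Sum
}
$free = (New-Object System.IO.DriveInfo $NewRoot).AvailableFreeSpace
if ($free -lt $needed) { throw "Need $needed bytes but only $free are free on $NewRoot" }

# 3.1 Stop MySQL so no table file is open while it is moved.
net stop mysql
if ($LASTEXITCODE -ne 0) { throw 'net stop mysql failed' }

# 3.2 Move both folders; robocopy exit codes of 8 or higher mean failure.
foreach ($f in $Folders) {
    robocopy (Join-Path $OldDataDir $f) (Join-Path $NewRoot $f) /E /MOVE | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed for $f (exit code $LASTEXITCODE)" }
}

# 3.3 Rewrite the datadir line, keeping the old my.ini as my.ini.bak.
Copy-Item $MyIni "$MyIni.bak"
$lines = @(Get-Content $MyIni)
if (-not ($lines -match '^\s*datadir\s*=')) { throw "No datadir line found in $MyIni" }
$newLine = 'datadir=' + $NewRoot.Replace('\', '/')
$lines -replace '^\s*datadir\s*=.*$', $newLine | Set-Content $MyIni

# 3.4 Start MySQL; a failure here usually means datadir or the mount is wrong.
net start mysql
if ($LASTEXITCODE -ne 0) { throw "MySQL did not start; compare $MyIni with $MyIni.bak" }
```

The move deletes the original files but does not overwrite the disk sectors they occupied, so remnants of the unencrypted data can remain on C: until that space is reused or wiped.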