Western Digital Passport Encryption

[Augsburger]

My wife is coordinating the hospital's integration of a new research physician and department. The researcher requires movable storage medium for physically moving large research data from one system to another and up until now the only storage vehicle approved by the hospital has been the Kangaroo thumb drives which employ 256 bit AES encryption. The physician's tech coordinator says that the WD Passport's 256 bit Smart Ware encryption is more than adequate. The technology department at the hospital is currently overwhelmed right now in dealing with some new regulations and not making a decision as to the adequacy of the WD Smart Ware encryption (aka they don't have the balls to make a call either way). Do you think the WD encryption is comparable or perhaps better for this application?

Thank you in advance for your time.

[screaming oranges]

Speaking from experiences concerning security at my workplace, the issue here isn't whether it is adequate or not, but whether it's approved for use. The fact that the IT Dept hasn't approved it should be reason enough for anyone to not use the WD encryption since, if there were a breach of sensitive info somewhere, IT will wash their hands and say "we never approved use of this."

I don't know enough about encryption to answer your question, but I just wanted to give you a heads-up on the possible legal issues that could ensue because of this. Someone I know got fired over something similar, even though no harm was done, but it was a violation of the employer's policy. In the end, that's what counts, regardless of efficiency, intention, etc.

[bhjazz]

After a bit of poking around, it appears that the WD Smartware encryption is just standard AES encryption. The Smartware seems to be a backup and maintenance tool that uses AES encryption. Here's some text from WD:

After configuring the software the very first time you boot up the drive, SmartWare will run automatically (if you allow it), providing an automatic and continuous “backup and drive management” solution. The software comes built-in, i.e. it resides on a separate partition on the hard drive, but the auto-backup can be disabled.

As for the “safer” attributes of the new drives, each one comes equipped with WD Drive Lock – password protection + 256-bit hardware encryption. Once the password is set, the owner (or anyone who knows the pw) is the only person who can access the data. If the password is lost, there is NO way to retrieve it because the password is never shared with Western Digital in any capacity.

Beyond the password, every bit of data stored on the drive is protected by 256-bit AES encryption. In other words, without the password, the data is basically impossible to access. Might sound a bit over the top, but WD said they wanted to err on the side of total security.

Lots of marketing reselling AES drive security if you ask me. That's from this page. So I don't think their encryption is any better than regular AES. Also, here's the link to wikipedia for AES Enctryption.

Additionally, I'm with oranges: the hospital probably has rules and regulations to govern this. I think you're being a great help. The fact they think it's "more than adequate" tells me they might be seeing it as better, which it isn't. It also might mean they see that it has standard AES and that is more than adequate.

Good luck. Tread carefully!

Edited March 7, 2011 by bhjazz

[Augsburger]

Speaking from experiences concerning security at my workplace, the issue here isn't whether it is adequate or not, but whether it's approved for use. The fact that the IT Dept hasn't approved it should be reason enough for anyone to not use the WD encryption since, if there were a breach of sensitive info somewhere, IT will wash their hands and say "we never approved use of this."

I don't know enough about encryption to answer your question, but I just wanted to give you a heads-up on the possible legal issues that could ensue because of this. Someone I know got fired over something similar, even though no harm was done, but it was a violation of the employer's policy. In the end, that's what counts, regardless of efficiency, intention, etc.

Thanks for the response. The research fellow is a very important and prestigious addition to the hospital staff so in effect the hospital's IT department is deferring to the researchers own IT team members. To the extent that there should be no patient information at risk just research data, the loss would be mostly the physicians IP and not be a HIPPA violation which would cause a hit to the hospital if it were to occur. I was just concerned of the CYA issue and pissed others did not seem to be doing their job.

Thanks again for both of your posts.