crystal practice management – encrypting the...

Post on 20-Oct-2020

  • www.crystalpm.com 2013

    Abeo Solution, Inc. (800) 308 – 7169 11118 Conchos Trail, Austin, TX 78726 Page 1

    Crystal Practice Management – Encrypting the Database

    Contents

    Overview
    Level of Encryption
    Why encrypt your Crystal Practice Management data?
    How to encrypt the database
    Which option to choose for data encryption?
    Encrypting the entire drive
    BitLocker
    TrueCrypt
    Encrypting the data folder
    Encrypt a backup drive

    Overview

    Crystal Practice Management stores all patient and administration information within a MySQL database. All non-Crystal PM patient information [referral letters, paper medical records, x-rays, 3rd party applications, etc.] can be attached to a patient’s chart, which is then stored with the MySQL database.

    Level of Encryption

    If this document is followed properly, the level of encryption will be set to AES with SHA-512 or AES with RIPEMD-160, depending on the encryption configuration.

    Why encrypt your Crystal Practice Management data?

    Due to changes in HIPAA, if patient data is unencrypted and the computer and/or hard drive is stolen, then you are required to inform all of your patients that their personal information is now at risk. If a security breach is committed intentionally or accidentally, penalties can be assessed [the maximum fine for a serious violation is $50,000 per single violation, with a $1.5 million maximum total per year, and possible prison sentences up to 10 years]. A security breach also includes all unencrypted backups of the data.

    How to encrypt the database

    While this guide does give step-by-step instructions on how to encrypt your Crystal Practice Management data, it is recommended that only System Administrators attempt this process.

    Create a backup of the MySQL data.

    You have 2 choices for encryption software: BitLocker and TrueCrypt.

    With whichever software you decide to use, there are 2 different ways to encrypt the data:

    1) Encrypt the entire drive

    2) Encrypt the MySQL data folder

    Which option to choose for data encryption?

    We recommend encrypting the entire hard drive, but at a minimum the data folder. For Windows 8 the only option currently available is to encrypt a data folder.

    Things to consider: every time the computer is reset, a password must be entered.

    o If the entire hard drive is encrypted (recommended solution), then the password will have to be entered before the operating system will load [a BIOS level password].

    o If just the data folder is encrypted, then the operating system will load properly, but the MySQL service will not start until the folder is mounted.

    Several offices have their server configured so that it can only be accessed from the network [it does not

    have a monitor or keyboard attached, or the server is in a closet, or the server is not easily accessible].

    If the server is reset (power goes out, downloaded security update, etc.) then someone must manually

    type in the password before the database can be accessed.

    If only the data folder is encrypted, then the operating system will load [allow for network remote

    access], but MySQL will not load until a user connects, types the password into the TrueCrypt software,

    and starts the MySQL database.

    Encrypting the entire drive

    At the time of writing this document (12/2/2013), Windows 8 does not allow for encrypting of the entire drive; please scroll down to "Encrypting the data folder".

    Operating systems which allow for encrypting the entire drive: Windows 7 (32-bit and 64-bit), Windows Vista (32-bit and 64-bit), Windows XP (32-bit and 64-bit), Windows Server 2008 R2 (64-bit), Windows Server 2008 (32-bit and 64-bit), Windows Server 2003 (32-bit and 64-bit), Windows 2000 SP4. You can encrypt the drive with either BitLocker or TrueCrypt.

    BitLocker

    Windows 7 Ultimate and Enterprise editions/Windows 8 Professional and Enterprise editions

    http://windows.microsoft.com/en-us/windows7/help-protect-your-files-using-bitlocker-drive-encryption

    1) Open BitLocker Drive Encryption by clicking the Start Button, clicking Control Panel, clicking Security, and then clicking BitLocker Drive Encryption.

    2) Click Turn On BitLocker. This opens the BitLocker setup wizard. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

    3) Follow the instructions in the wizard.

    For BitLocker with Windows Server 2008, Windows Vista

    http://go.microsoft.com/fwlink/?LinkId=53779

    TrueCrypt

    1) Download and Install TrueCrypt [available at http://www.truecrypt.org/] - Free open-source disk

    encryption software for Windows.

    2) Run TrueCrypt

    3) Create Volume

    4) Encrypt the system partition or entire system drive

    5) Type of System Encryption – Normal

    6) Area to Encrypt – Encrypt the whole drive

    7) Encrypt Host Protected Area - No

    8) Number of Operating Systems – depends on server configuration [Typically Single-boot]

    9) Encryption Options – AES RIPEMD-160

    10) Volume Password -- (do not forget!!) No one can recover a missing password, and the data will

    be lost if you forget the password

    11) Collecting Random Data

    12) Keys Generated

    13) Create Rescue Disk

    14) Burn the iso image to a CD and verify the Rescue Disk

    15) Wipe Mode – suggested 3-pass or higher

    16) System Encryption Pretest – will require a reboot of the computer

    17) Pretest Complete

    18) Encrypting the drive can take several hours to several days depending on size of drive, speed of

    drive, and wipe mode.

    Once the drive has been encrypted, all data stored on this drive is secure, and a password must be entered after every restart of the computer.

    Encrypting the data folder

    Within TrueCrypt, make sure that TrueCrypt was started with Administrator privileges turned on or that the current user has administrative privileges. There are 3 steps to this: Creating a Folder, Mounting a Drive, and Moving over the MySQL data.

    1 Creating a Folder

    1.1 Create an encrypted file volume

    1.2 Create an encrypted file container

    1.3 Volume Type - Standard TrueCrypt volume

    1.4 Select File c:\cpmdata

    1.5 Encryption Options - AES, SHA-512

    1.6 Volume Size - depends on the number of files being scanned: for a typical office 50 GB; for a multi-site office that scans for every patient, 500 GB may be required. [To determine your current database requirements, right-click on the easyopti folder and select Properties; it will tell you the current Size On Disk. Depending on how long you have been using Crystal, add 50%-500% to the size of the Container.]

    1.7 Volume Password -- (do not forget!!) No one can recover a missing password, and the data will

    be lost if you forget the password.

    1.8 Large Files – No, by default Crystal PM limits the files to 3.5 GB

    1.9 Volume Format – FAT or NTFS, Cluster: Default

    1.10 Format

    2 Mount the Drive

    2.1 Select an available drive, and Select the File [S: Drive, c:\cpmdata]

    2.2 Enter the password and mount the drive

    3 Moving over the MySQL data

    3.1 Stop MySQL [run: net stop mysql]

    3.2 Move the data folder to the new drive [S: drive]

    Typically C:\Program Files\MySQL\data

    Or C:\Program Files (x86)\MySQL\data

    Move both the mysql and easyopti folders

    3.3 Modify the my.ini [located in C:\Windows\my.ini]

    Change the line

    "datadir=C:/Program Files/MySQL/data/" or "datadir=C:/Program Files (x86)/MySQL/data/"

    To

    "datadir=S:/" where S is the drive letter

    3.4 Start the database [run: net start mysql]

    3.5 Every time the server is reset, a user will need to log in to the server, load the TrueCrypt software, mount the drive, and then start the MySQL database [run: net start mysql]

    Additional Steps: Each time the Computer is rebooted you will need to run TrueCrypt [and enter the

    password] before starting the database.
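
Steps 3.1 to 3.4 above as a single PowerShell script, with checks that stop it before any data is touched if the encrypted drive is not mounted. This is an added example, not a script shipped with Crystal PM; it assumes an elevated PowerShell prompt and uses the service name, folders, drive letter and my.ini path given in this guide.

```powershell
# Added example: steps 3.1-3.4 in one pass. Run from an elevated PowerShell prompt.
# Service name, paths and drive letter are the ones this guide uses; adjust to your server.
$ErrorActionPreference = 'Stop'

$service = 'mysql'                          # same name as in "net stop mysql"
$oldData = 'C:\Program Files\MySQL\data'    # or C:\Program Files (x86)\MySQL\data
$newData = 'S:\'                            # the mounted TrueCrypt volume
$myIni   = 'C:\Windows\my.ini'
$folders = 'mysql', 'easyopti'

# Refuse to continue unless the encrypted volume is mounted and the sources exist.
if (-not (Test-Path $newData)) { throw 'Drive S: is not mounted. Mount c:\cpmdata in TrueCrypt first.' }
foreach ($f in $folders) {
    if (-not (Test-Path (Join-Path $oldData $f))) { throw "Missing source folder: $f" }
    if (Test-Path (Join-Path $newData $f))        { throw "Target already contains: $f" }
}

# 3.1 Stop MySQL so no table files are open during the copy.
Stop-Service -Name $service
(Get-Service -Name $service).WaitForStatus('Stopped', '00:01:00')

# 3.2 Copy first, compare file counts, and only then delete the unencrypted originals.
foreach ($f in $folders) {
    $src = Join-Path $oldData $f
    $dst = Join-Path $newData $f
    Copy-Item -Path $src -Destination $dst -Recurse
    $srcCount = @(Get-ChildItem $src -Recurse | Where-Object { -not $_.PSIsContainer }).Count
    $dstCount = @(Get-ChildItem $dst -Recurse | Where-Object { -not $_.PSIsContainer }).Count
    if ($srcCount -ne $dstCount) { throw "Copy of $f incomplete ($dstCount of $srcCount files)" }
    Remove-Item -Path $src -Recurse -Force
}

# 3.3 Point datadir at the encrypted drive, keeping a copy of the original my.ini.
Copy-Item -Path $myIni -Destination "$myIni.bak"
$lines = @(Get-Content $myIni)
if (-not ($lines -match '^\s*datadir\s*=')) { throw "No datadir line found in $myIni" }
$lines -replace '^\s*datadir\s*=.*$', 'datadir=S:/' | Set-Content $myIni -Encoding ASCII

# 3.4 Start MySQL again and show the service state.
Start-Service -Name $service
(Get-Service -Name $service).WaitForStatus('Running', '00:01:00')
Get-Service -Name $service
```

Deleting the original folders does not overwrite their contents, so unencrypted copies of the patient data stay recoverable from free space on C: until that space is reused. Windows' built-in `cipher /w:C:\` overwrites the free space on the volume.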

    Encrypt a backup drive

    1) Run the TrueCrypt software

    2) Create Volume

    3) Encrypt a non-system partition/drive

    4) Standard TrueCrypt volume

    5) Select Device, and select the Removable Disk

    6) Volume Creation Mode – Create encrypted volume and format it

    7) Encryption Options - AES, SHA-512

    8) Volume Size - Next

    9) Volume Password -- (do not forget!!) No one can recover a missing password, and the data will be

    lost if you forget the password.

    10) Volume Format

    11) Mount this hard-drive to new Drive Letter [Z:\]

    12) Modify the Backup.bat file, either on the desktop or in the c:\program files (x86)\CrystalPM folder

    Right-click on the file and select Edit

    13) Change the new backup location to the mounted folder [Z:]