Does HIPAA mandate that computers explicitly use "Full Disk Encryption" (FDE) or is "Used Disk Space Only" encryption enough to satisfy HIPAA guidelines? I have not been able to get a definitive answer on this online. Any inputs are appreciated. Thank you. BitLocker Full Disk encryption: BitLocker encryption of the entire disk will take a long time depending on the size of the encrypted drive. The reason is that it encrypts every byte in the drive, including the unused drive part. But it is also the most secure encryption method, because it not only encrypts the existing data on the drive, but also encrypts the confidential data that has been deleted or moved and remains on the marked unused part of the drive, which effectively prevent the driver from being cracked after the theft to restore your confidential data and cause data leakage. Used Disk Space Only encryption: The time of Used disk space only encryption is determined by the amount of data stored on the drive. This choice can reduce the encryption time by more than 99% because it only encrypts the existing data stored on the drive. For those that have been deleted, the sector where the file is located, will not be encrypted. These sectors can be recovered by disk recovery tools unless they are overwritten by encrypted data. Therefore, the security factor of this option is at a certain risk, but for a brand new unused disk, you can use this option without causing security impact.

Security & GRC
3.7k viewscircle icon1 Comment
Sort by:
IT Manager in Consumer Goods2 years ago

very simple, just use FDE. see : BitLocker planning guide - Windows Security | Microsoft Learn  
Usually it takes from 20 mins to 4 hours. Don't think, encrypt full disk, forget about the topic and move on. 

Content you might like

Are short term bans of the use of GenAI applications and tools (such as ChatGPT) a good idea for end users in most organizations? For context see this article on the State of Maine Government's directive before you vote: https://www.govtech.com/artificial-intelligence/chatgpt-generative-ai-gets-6-month-ban-in-maine-government

Yes - Maine did the right thing. There are too many security risks with free versions of these tools. Not enough copyright or privacy protections of data.29%

No, but.... - You must have good security and privacy policies in place for ChatGPT (and other GenAI apps). My organization has policies and meaningful ways to enforce those policies and procedures for staff.48%

No - Bans simply don't work. Even without policies, this action hurts innovation and sends the wrong message to staff and the world about our organization.18%

I'm not sure. This action by Maine makes me think. Let me get back to you in a few weeks (or months).4%

View Results

Why do you think there are so few mature AI-driven autonomous pentesting solutions on the market, and why does this topic seem to generate more hype than in-depth technical discussion?

Read More Comments

Which pitfalls—model bias, false positives/negatives, data quality, regulatory constraints—often impede AI-based security tools, and how can they be mitigated in a financial-services context?

Read More Comments

Generally speaking, are you feeling optimistic about the state of DEI in cyber? Interested in hearing your reasons in the comments.

Yes – very optimistic!16%

Yes – mildly optimistic.61%

No20%

I’m not sure1%

View Results

Which key pentesting capability do current AI-driven vendor solutions most fail to cover?