TrueCrypt — a Free Open Source computer encryption program popular with therapists who love DIY and hate giving money to Microsoft — has unfortunately been found to have a flaw that makes it a no-go for your HIPAA Security needs on Windows computers.
For those of us with the need to heed HIPAA, being able to full-disk encrypt a computer is an absolute godsend. (Not sure what full-disk encryption is or why you want it for your practice? See our article on HIPAA and full-disk encryption here.)
For Macintosh users, full-disk encryption is easy. It comes with the Mac automatically. For Windows users, it requires you to have the Pro version of Windows, which very few therapists decide to spring for when they buy a computer.
TrueCrypt was much beloved because it was a free alternative to buying the Pro version of Windows. Despite being free, TrueCrypt managed to do the HIPAA-friendly full-disk encryption thing just as well as Microsoft’s premium product does it.
Unfortunately, researchers at Google recently discovered a flaw in TrueCrypt that makes it possible for a bad guy to actually gain control of the Windows computer running TrueCrypt. In other words, TrueCrypt went from being a big protector for Windows to being a huge liability for it.
Normally, researchers finding a flaw like this is a good thing. The TrueCrypt team would take this info and make TrueCrypt even stronger with it. Unfortunately, TrueCrypt’s team abandoned the project and there will be no such update. So the software is dead in the water.
There is another Free Open Source alternative called VeraCrypt. VeraCrypt is a continuation of the TrueCrypt project under a new name and by a new team.
At Person-Centered Tech, we’re still conservatively wary about VeraCrypt because it hasn’t yet jumped through the auditing hoops that TrueCrypt had managed to jump through before it was abandoned. The author at IT World who reported on the TrueCrypt story recommends VeraCrypt, however, in his coverage of the TrueCrypt flaw.
At Person-Centered Tech, we generally recommend that Windows-using therapists use the native Windows encryption software, called BitLocker. To get it, you’ll need to purchase the Windows upgrade to Windows 7 Enterprise, Windows 8 Pro, or Windows 10 Pro.
Are you concerned that you’re not sure how to use full-disk encryption on your Mac or Windows computer? Our Video Help Center has videos for Macintosh computers, all Windows computers, iPhones and Android phones that demonstrate step-by-step how to use the encryption software designed for those devices.
The Video Help Center is a service available to subscribers to our Person-Centered Tech Support service.
Brief History of TrueCrypt’s Decline
We reported in June of 2014 when the TrueCrypt software project was suddenly abandoned by its maintainers in a mysterious and still-unexplained way. At that time, however, we labeled the level of concern around TrueCrypt as simply “moderate.”
Why moderate? Even though the software project wouldn’t get updated, it would continue to provide strong encryption for the computers of those using it for years to come.
At that time, we advised people to transition away from TrueCrypt slowly and according to their convenience.
Now we must advise anyone still using TrueCrypt to protect their clients’ information to switch away from it ASAP. They can either upgrade Windows and use Microsoft’s proprietary BitLocker or put their trust in VeraCrypt.