Why is PGP needed?
In order to meet all applicable Federal and State laws and regulations, including HIPAA Security Rule requirements, for securing high risk confidential information (HRCI), Mass-DAC requires all files containing HRCI (e.g., data submission files, data quality reports) to be encrypted and signed using PGP public key cryptography. The encrypted files must then be uploaded to the Mass-DAC secure document repository through the Harvard Medical School (HMS) virtual private network (VPN).
Public key cryptography provides a more secure method of encryption than using pass-phrases alone, which must be shared by both the sender and receiver (symmetric encryption). Public key cryptography utilizes two distinct keys: a public key used by the sender to encrypt files and a private key held by the receiver to decrypt files (asymmetric encryption). Using asymmetric encryption allows Mass-DAC and participants to exchange messages securely, since all communications involve only public keys, and no private keys are ever transmitted or shared. The process is similar to owning a bank safe deposit box, which can only be opened with two keys present: one that the bank holds (private) and one that the box owner holds (public).
Mass-DAC policy requires each participating site to be able to create and accept PGP keys for HRCI. Mass-DAC recommends using the PGP Desktop version 9 or later. The current desktop versions of PGP Encryption Desktop Professional and PGP Drive Encryption are available from Symantec and both cost under $250.
Please note, Mass-DAC does NOT utilize the e-mail component of PGP, so it will not interfere with your own hospital's e-mail encryption protocols. All hospitals must upload PGP encrypted files and archives to the Mass-DAC secure document repository through the HMS VPN. Mass-DAC cannot help with PGP installation at your site, but will be happy to answer questions on how to use PGP for Mass-DAC purposes once installed.
Using PGP with Mass-DAC
Each quarter, the data manager will need to use PGP to create an archive and extract files from a downloaded archive. Other tasks, like creating and importing keys, may only happen once a year. Below are links to the pages that describe the details on how to do these tasks using the PGP Desktop. If you use another PGP product, your workflow may be different. If you need additional help, please feel free to contact the Mass-DAC data manager with any questions on using PGP for Mass-DAC files.
- Creating, sharing and importing PGP keys – (download pdf) – This is commonly done for new data managers, new software installs, or periodic updates of new keys from Mass-DAC.
- Creating a PGP encrypted signed archive – (download pdf) – This needs to be done with all HRCI data and data submissions. Multiple files may be added to the PGP archive, so you only need to upload a single file for each data submission.
- Extracting files from a PGP archive – The PGP Desktop does not allow you to view file contents. Files must be extracted to your computer or server to be able to open them with Excel, a PDF reader or a text editor.
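
For sites using another PGP product, the same three tasks (exchange public keys, create one signed and encrypted archive from several files, extract it on the receiving side) can be sketched with GnuPG on the command line. This is an added example, not a Mass-DAC procedure or part of the PGP Desktop guides; it assumes GnuPG 2.1 or later, and the function names, e-mail addresses, file names and throwaway keys are all constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (GnuPG, not PGP Desktop). Addresses and keys are constructed.
G() { gpg --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' "$@"; }

# Sender: bundle the files into ONE archive, sign it with the sender's private
# key and encrypt it to the recipient's public key.
# Args: homedir signer recipient outfile file...
make_submission() {
  local home="$1" signer="$2" rcpt="$3" out="$4"; shift 4
  # --trust-model always is for this throwaway keyring only; with real keys,
  # confirm the recipient's fingerprint out of band before encrypting to it.
  tar -cf - "$@" | G --homedir "$home" --trust-model always \
    --local-user "$signer" --recipient "$rcpt" --sign --encrypt --output "$out"
}

# Receiver: decrypt with the receiver's private key and extract only if gpg
# reports a good signature. Args: homedir infile destdir
open_submission() {
  local home="$1" src="$2" dest="$3"
  G --homedir "$home" --trust-model always --status-fd 3 \
    --output "$dest/bundle.tar" --decrypt "$src" 3>"$dest/status" 2>/dev/null &&
    grep -q '^\[GNUPG:\] GOODSIG' "$dest/status" &&
    tar -xf "$dest/bundle.tar" -C "$dest" && return 0
  rm -f "$dest/bundle.tar"; return 1
}

# Round trip with two separate keyrings; only public keys cross between them.
demo_roundtrip() {
  local t rc=1 s='site@example.invalid' d='dac@example.invalid'
  t=$(mktemp -d) || return 1
  mkdir -m 700 "$t/site" "$t/dac" "$t/in" "$t/out"
  printf 'id,value\n1,constructed\n' > "$t/in/data.csv"
  printf 'constructed report\n' > "$t/in/report.txt"
  G --homedir "$t/site" --quick-generate-key "Demo Site <$s>" default default never &&
  G --homedir "$t/dac" --quick-generate-key "Demo Receiver <$d>" default default never &&
  G --homedir "$t/site" --export "$s" | G --homedir "$t/dac" --import &&
  G --homedir "$t/dac" --export "$d" | G --homedir "$t/site" --import &&
  (cd "$t/in" && make_submission "$t/site" "$s" "$d" "$t/sub.tar.gpg" data.csv report.txt) &&
  open_submission "$t/dac" "$t/sub.tar.gpg" "$t/out" &&
  cmp -s "$t/in/data.csv" "$t/out/data.csv" &&
  cmp -s "$t/in/report.txt" "$t/out/report.txt" && rc=0
  gpgconf --homedir "$t/site" --kill gpg-agent 2>/dev/null
  gpgconf --homedir "$t/dac" --kill gpg-agent 2>/dev/null
  rm -rf "$t"; return "$rc"
}
```

Calling demo_roundtrip returns 0 when both files come back byte-identical from an archive that decrypted and carried a good signature. The demo keys have no passphrase; real private keys should be passphrase-protected.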