Ramblings of an old Doc


Because MS has ended support for XP (unless you’re the IRS), the developers of TrueCrypt have ended development of the software. When this notification appeared, the wisely suspicious among hackers surfaced, but it’s true…TrueCrypt is dead. You can still get it, but the final release (7.2) is digitally signed and carries the warning (SourceForge). It will let you decrypt your encrypted files/disk, but you won’t be able to encrypt new files. The warning page has instructions on how to move to MS’s BitLocker.

There are alternatives. One is PGPDisk (Symantec, $110).

Free tools? DiskCryptor, Tomb, and a list you can obtain here.

You can also use BitLocker, the encryption built into the Ultimate and Enterprise editions of Vista and 7 and the Pro and Enterprise editions of 8.
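If you take the BitLocker route, the step that bites people is ordering: the TrueCrypt system volume has to be permanently decrypted inside TrueCrypt before BitLocker is turned on, and the recovery password should be escrowed before encryption starts. The script below is an added example written for this post, not something from the TrueCrypt page or from Microsoft’s migration instructions. It assumes Windows 8 or later (the BitLocker and TrustedPlatformModule PowerShell modules), an elevated session, and a ready TPM; the drive letter and the recovery-key folder are placeholders you would change.

```powershell
# Added example (not from the original post): inspect a volume's BitLocker
# state and, only if it is fully decrypted, enable BitLocker with an escrowed
# recovery password and a TPM unlock protector.
# Assumptions: Windows 8+/Server 2012+, elevated session, TPM present and ready.
param(
    [string]$MountPoint      = "C:",                    # placeholder
    [string]$RecoveryKeyPath = "D:\BitLocker-Recovery"  # placeholder: a separate drive
)

$ErrorActionPreference = "Stop"

# 1. Report what BitLocker sees. A volume still encrypted by TrueCrypt must be
#    decrypted in TrueCrypt first (System > Permanently Decrypt System
#    Partition/Drive); BitLocker cannot be layered on top of it.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"Volume {0}: status={1}, protection={2}, method={3}" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod

if ($vol.VolumeStatus -ne "FullyDecrypted") {
    Write-Warning "Volume is $($vol.VolumeStatus); nothing to do."
    return
}

# 2. A TPM-backed protector needs a TPM that is present and initialised.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present/ready: enable it in firmware or use a password protector instead."
}

# 3. Add the recovery password first and write it somewhere that is NOT the
#    volume being encrypted, so the key exists before any data is touched.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$rp  = $vol.KeyProtector |
       Where-Object KeyProtectorType -eq "RecoveryPassword" |
       Select-Object -Last 1
New-Item -ItemType Directory -Force -Path $RecoveryKeyPath | Out-Null
$keyFile = Join-Path $RecoveryKeyPath ("{0}.txt" -f $rp.KeyProtectorId.Trim('{}'))
$rp.RecoveryPassword | Set-Content -Path $keyFile
"Recovery password for protector $($rp.KeyProtectorId) saved to $keyFile"

# 4. Start encryption with the TPM as the unlock protector. Aes256 is accepted
#    on every version with this module; XtsAes256 exists only on Windows 10
#    1511 and later.
Enable-BitLocker -MountPoint $MountPoint -TpmProtector `
    -EncryptionMethod Aes256 -SkipHardwareTest

# 5. Show progress; ProtectionStatus turns On once encryption completes.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

On Windows 7 the BitLocker PowerShell module does not exist; `manage-bde -status` and `manage-bde -on` from an elevated command prompt cover the same steps. Whatever the tool, keep the recovery password off the volume being encrypted, and re-run the status check until ProtectionStatus reads On before you consider the old TrueCrypt data migrated.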

So…whether “the end” is true or false, if you’re using TrueCrypt you should probably migrate to other encryption software.

Source:

http://securitywatch.pcmag.com/security/324131-truecrypt-shut-down-what-to-use-now-to-encrypt-your-data


Comments
on May 31, 2014

TrueCrypt was about providing a safe alternative that you could be reasonably sure NSA and cronies hadn't touched. Why would they recommend bitlocker? Makes no sense to me.

on May 31, 2014

My system is encrypted with TC already.  Would it not continue to function and be adequate as long as I have the password?  I'm not clear why I would need to change to something like DiskCryptor, unless what TC's announcement means is that my existing encryption is vulnerable.

Reviewed the tute video on DiskCryptor, BTW, and it's actually an easier setup than TC was.  If I were to decide to change to DiskCryptor, I assume the system would need to be decrypted first.


Thanks for the post, Doc.

on May 31, 2014

Heavenfall

TrueCrypt was about providing a safe alternative that you could be reasonably sure NSA and cronies hadn't touched. Why would they recommend bitlocker? Makes no sense to me.


Yeah, their farewell message is so absurd that it looks suspicious.

I'd rather recommend using the previous version of TrueCrypt and avoiding updates. It is probably too secure for its own good. :/

on May 31, 2014

Daiwa

My system is encrypted with TC already.  Would it not continue to function and be adequate as long as I have the password?  I'm not clear why I would need to change to something like DiskCryptor, unless what TC's announcement means is that my existing encryption is vulnerable.

Reviewed the tute video on DiskCryptor, BTW, and it's actually an easier setup than TC was.  If I were to decide to change to DiskCryptor, I assume the system would need to be decrypted first.


Thanks for the post, Doc.

Welcome.

You can still get it, but it’s digitally signed with the warning (SourceForge). It will allow you to decrypt your encrypted files/disk, but you won’t be able to encrypt new files.

on May 31, 2014

My question wasn't clear.  As long as I don't update to the new version of TC, my existing TC encryption should be unaffected should it not?  Does the warning apply only to version 7.2 or to all versions of TC?  In what I've read, some seem to be generalizing the warning, some not, but this appears to be based on assumption not fact.

on May 31, 2014

moshi
it is probably too secure for its own good.

That crossed my mind, too, moshi.

With medical information, so-called PHI, I'm required by the feds to use encryption that is unbreakable... except by them, apparently.

on May 31, 2014

Reviewing the SourceForge TrueCrypt page (how to migrate an encrypted volume/drive), it certainly implies that all versions of TrueCrypt are not secure (otherwise, why would migration be necessary?), but doesn't explicitly declare that to be the case.  Sad that we're left to puzzle that out.

My guess is the feds would consider TrueCrypt to be 'inadequate' now in the event of an audit, whatever version, but damn, the process of decrypting & re-encrypting is a pain.

on May 31, 2014

I think it isn't secure...or won't be shortly...

I would think at least to avoid the Federal idiocy you could ask them which is ok for use, since TC has crapped out, no? 

on May 31, 2014

Worth noting that the TrueCrypt security audit is going to proceed regardless. So it should be known before too long if there really is some major issue that is not feasible to fix, or if it would be practical for someone else to fork or take over the project.


My guess is the feds would consider TrueCrypt to be 'inadequate' now in the event of an audit, whatever version, but damn, the process of decrypting & re-encrypting is a pain.

Do the HIPAA rules actually specify acceptable ciphers and key lengths, key management requirements, etc? In the financial world the big one is GLBA, which only stipulates that measures must be planned, documented, and implemented to protect NPI but do not specify what those measures need to be.

Though even if there isn't a strict requirement, if there is a known vulnerability (there isn't at this point) that you are disregarding that could be a civil liability should a breach occur. I'd expect that any vulnerability that does exist would be in the realm of key strength or security, since they are using standard ciphers.

on May 31, 2014

The HIPAA rules are like GLBA (it appears):

“A covered entity must, in accordance with §164.306… Implement a mechanism to encrypt and decrypt electronic protected health information.” (45 CFR § 164.312(a)(2)(iv))

While the Feds don't specify which OS's are acceptable, the OS must be regularly maintained with security updates & patches to remain HIPAA & HITECH compliant.  Which is why we had to replace all our XP workstations in March.  My suspicion is that if the encryption software is abandoned by its developer, we might face a similar 'non-compliance' issue.  Only matters if audited or breached, but penalties are ridiculous if they decide (after the fact, of course) that you should or could have taken steps to mitigate the risk and didn't.  Not clear to me what the risk is yet, so I'm going to let the dust settle a bit & review the issue in due time with the tech who maintains our network & machines.

on Jun 01, 2014

On a slightly OT note, CMS has a 'helpful tool' for use as a sort of template for conducting a security risk analysis for practices using EHRs, which all covered entities are required to do annually.  I downloaded and started through the assessment.  After an hour and a half of mind-numbing questions on all sorts of minutiae (Have you created an action plan for a lightning strike within 200 yards of your facility?  And distributed it to all appropriate personnel?  Had them review and sign off on the plan?  Designated a Responsible Party to initiate and implement the plan? You get the drift.) I glanced up at the progress bar & saw I was only halfway through.

I got up, called my dentist and asked for an emergency root canal.  So I'd feel better.

on Jun 07, 2014

While it's still ok to use, it won't let you encrypt new files.

Also, as time goes on, it will become less secure. I believe it's better to find something reliable now, since your real concern is the security of the patients' data.

on Jun 07, 2014

7.1a still encrypts.  I think it's reasonable to wait & see what the audit reveals before switching.  YMMV.

DiskCryptor looks like a really good alternative, but the process of creating the bootable LiveCD prior to encryption is a bit over my head and I'm not what you'd call a novice (not to mention requires media not available to me).