Coffey Break - Fall 2008

Coffey Break Newsletter

Electronic Security

Electronic Security Includes More Than Just Your EHR

By Kathy Harroun

I know we have been talking a lot lately about HIPAA and records security. But an area of security that sometimes gets overlooked is flash drives, laptops and other portable electronic storage media. Because they are portable, they get moved, stored elsewhere, or taken to a different location (home maybe?) to work on projects. Keeping track of these items is like trying to track a moving target.

In a recent issue of ADVANCE for Health Information Executives, James Boyle, assistant editor, wrote about identity theft as a result of stolen or misplaced computer equipment. Mr. Boyle interviewed John Livingston, CEO of Absolute Software Corp., a provider of firmware-based computer theft recovery, data protection and secure asset tracking solutions. The summary of this article discusses this moving target and how stolen information has increased. There were at least 46 data breaches in the U.S. during 2007, involving 62 stolen or lost computers at health care facilities. Those thefts resulted in almost five million compromised identities. Recently, some health care facilities were surveyed and asked to list their top issues with electronic security. 

Failure to protect sensitive data, inability to accurately manage mobile equipment and having sensitive information on public terminals were some of their top issues. HIPAA requires that health care organizations encrypt electronic PHI stored on open networks such as laptops. However, a recent survey by Research Concepts found that 72 percent of IT asset managers believe the employees – those with access to encryption keys and passwords – were the ones responsible for the most incidents of data breach in their organizations.

According to Mr. Livingston, 30 percent of thefts of equipment are due to external sources such as someone taking a laptop from a car or pretending to be a courier and scooping up a laptop. Those types of incidents were cited as the cause of nearly 50 percent of data breaches. By their very nature, health care organizations are public places and can be more vulnerable to theft by external sources. Good encryption software can help with these situations, but the passwords need to be very sophisticated. He recommended that passwords be changed frequently, string two words or a phrase together, and combine numbers and symbols with letters. And whatever you do, do not write the password on a sticky note.

Good passwords can also help guard against internal theft, by people who have regular access to the building. But sometimes passwords are not enough.

Health care organizations can also look at embedded antitheft technology for portable equipment. With that technology, your IT department can stay in contact with the computer when it’s stolen. With some software, you can even start deleting sensitive material remotely if the thief tries to access the information.

Health care organizations must also audit the number of computers (and related storage equipment) in their inventory, who is assigned to use them, their physical location, the software installed, etc. But recent studies (unnamed in the article) show that most organizations can only locate 60 percent of mobile equipment.

In many facilities, public information can be accessed on open-air terminals such as nursing stations, public information terminals and help stations. Some of these workstations are at greater risk of data breaches. Information can be easily accessed and downloaded. Facilities should always monitor and protect unattended stationary computers with an authentication prompt. Verify that information on monitors cannot be viewed by a casual glance at the screen. Security and manageability need to be in balance so that everything is easily accessible for those who need the information, but under proper protections.

Health care facilities need to have a comprehensive plan to secure all computer equipment and sensitive information. Asset-tracking and recovery software can be a part of that plan. Other tools would be cable locks for laptops, encryption software and secure passwords. Review and update the plan consistently.

Data breaches are a huge concern for facilities but not many have “nightmare scenario” policies in place should a breach occur. If a data breach happens, a standard procedure should be in place for timely notification of supervisors, law enforcement, patients and the media. Computer theft recovery software solutions can track lost or stolen equipment, remotely delete sensitive files and partner with law enforcement to recover the equipment.

"A lot of facilities turn their attention to prevention, but don't know how to react if a breach actually occurs," said Livingston. "Most of the time it's the 'It's not going to happen to me' attitude. We have to look beyond that and get proactive with our IT security."




© 2010 CM Information Specialists, Inc. All rights reserved.