Posts relating to the Federal Privacy Regulations
I was reading one of the many publications I receive each month from the ABA, and came across an article on electronic discovery, in other words obtaining and using evidence that is stored on computers and other electronic media. The article itself did not have any relation to healthcare, but it did make me think about a few other issues that relate to computer security. As you all know, that relates to the HIPAA Security Rule.
The article mentioned a number of places lawyers should look when engaging in electronic discovery. The author mentioned a number of sources, including PDAs, USB (or flash) drives and digital cameras. In discussing flash drives, the author noted that with a USB drive, an individual can remove a large amount of information "quickly, quietly, and discreetly." The same idea applies to PDAs, because in many cases they can be used as USB drives.
The first question this might raise for you as a provider is, did you consider flash drives, PDAs, or other similar forms of storage when you performed the risk analysis required by the HIPAA Security Rule?
If you did not consider flash drives and other similar forms of storage overtly, were they discussed when you considered employee activity that could lead to disclosures of electronic protected health information ("EPHI")? You may not have considered them at the time for any number of reasons, including the fact that USB drives were far more expensive two years ago. (I know when I wrote the HIPAA Security Rule Compliance Resource Manual, they were not as widely used and, therefore, may not have been considered in your risk analysis.) That is no longer the case.
It may be that your network is set up in such a way that an employee couldn't steal EPHI in this fashion. (For example, your clinical record software does not allow files to be stored locally.) However, even if EPHI is not a concern, what about other proprietary or trade secret information? For example, it is much easier to walk out with a large volume of documents such as marketing information, personnel policies, training manuals, etc., if they are in an electronic format and stored on a USB drive. It is also harder to prove such items have been stolen. (I am told that forensic computer professionals can find evidence of such file transfers, but that can get expensive.)
I have even heard of cases involving employees installing hard drives and other peripherals on office computers. Obviously, installing an entire hard drive makes the theft of even larger amounts of information possible. It also makes it harder to demonstrate what was stolen, if you can prove that at all. Most organizations have policies and procedures on installing software, but may not have considered that an employee would install hardware of that magnitude. There are ways to secure the computer chassis to prevent the installation of an internal hard drive, but manufacturers sell very large capacity external hard drives that are relatively small and simply plug into a USB port. A lock on the case therefore does little on its own; the USB ports, or the operating system's USB storage driver, have to be controlled as well.
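As an added example (not from the original post or the ABA article it discusses), the following Python script shows the kind of evidence a forensic review of a Windows machine can recover about removable storage: it reads a registry export of the USBSTOR enumeration key and lists every USB disk that has been connected, with its vendor, product and serial number. The registry excerpt embedded below is constructed for illustration; the vendor names, product names and serial numbers in it are invented. The one convention the script relies on, that Windows puts an ampersand in the second character of instance IDs it generated itself because the device reported no serial number, is standard behaviour of the USB storage enumerator.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of a Windows registry export (.reg file) of the USBSTOR
# key. Every device name and serial number here is invented for illustration.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\0A1B2C3D4E5F&0]
"DeviceDesc"="Disk drive"
"FriendlyName"="Kingston DataTraveler USB Device"
"Class"="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_WD&Prod_My_Passport&Rev_1.00]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_WD&Prod_My_Passport&Rev_1.00\57584C3100000000&0]
"FriendlyName"="WD My Passport USB Device"
"Class"="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2b6a1fe6&0]
"Class"="DiskDrive"
"""

# Matches the per-instance subkey (the one that carries the serial number);
# the intermediate vendor/product key has no trailing instance component.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\"
    r"Disk&Ven_(?P<vendor>[^&\]]*)&Prod_(?P<product>[^&\]]*)&Rev_(?P<rev>[^\\\]]*)"
    r"\\(?P<instance>[^\]]+)\]$"
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


@dataclass
class UsbDevice:
    vendor: str
    product: str
    revision: str
    instance_id: str
    values: dict = field(default_factory=dict)

    @property
    def serial(self):
        # Instance IDs with '&' as their second character were generated by
        # Windows because the device did not report a serial number.
        if len(self.instance_id) > 1 and self.instance_id[1] == "&":
            return None
        return self.instance_id.split("&")[0]


def parse_usbstor_export(text):
    """Return one UsbDevice per instance subkey found in a .reg export."""
    devices = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            current = None
            m = KEY_RE.match(line)
            if m:
                current = UsbDevice(m["vendor"], m["product"], m["rev"], m["instance"])
                devices.append(current)
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current.values[m["name"]] = m["value"]
    return devices


def summarize(devices):
    """One human-readable line per device for an inventory or incident report."""
    lines = []
    for d in devices:
        name = d.values.get("FriendlyName", f"{d.vendor} {d.product}")
        serial = d.serial or "(no serial; Windows-generated ID)"
        lines.append(f"{name}: serial {serial}, rev {d.revision}")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_usbstor_export(SAMPLE_REG_EXPORT)):
        print(line)
```

Note what this does and does not establish: the USBSTOR key records that a particular device was connected to the machine, which is enough to confront an employee with or to scope an investigation, but it does not by itself show which files were copied; that takes other artifacts (file system timestamps, shortcut files, application history) and is the part that, as noted above, gets expensive.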
These are examples of how as technology changes (and as certain technologies become cheaper), you will need to be aware of how these changes affect your computer security policies and procedures and be ready to adapt them accordingly.
I was watching the news last night and saw the story about the information on 26.5 million veterans that was stolen from a Veterans Administration employee's home. According to the report, the employee had taken a laptop home from the office and the information was stolen when someone broke into the employee's home. This made me think about HIPAA, because of the increasing use of laptop computers in home care and hospice and the related potential for theft of computers which hold protected health information ("PHI").
In the VA's case, the VA had a clear policy prohibiting taking computers home from the office. Nevertheless, this employee was able to leave the office with the laptop. In contrast, many home care and hospice providers allow employees to take files and/or laptop computers home with them. In most cases, the entire purpose of having a laptop is to allow the employees to take the laptops with them to patients' homes and often home with them at night. (A similar concern would arise if you allow employees to remotely access your system and they were to save any PHI on their home computer.)
However, this incident serves as a reminder that your protected health information may be at risk in the employee's home. Although it is unlikely a burglar would break into an employee's home looking for PHI, the burglar might see a laptop computer as an item of value to steal, both as a potential repository of identity information and as an electronic item to pawn. Although this kind of incident is a legitimate risk, in my opinion, unless your employees live in neighborhoods that have a history of burglaries, etc., the odds of such an intrusion are relatively low. Because the odds of the occurrence are relatively low, there are ways to address the security issues without forbidding employees from taking computers out of the office.
First, you should make sure that all of your computers, laptop or otherwise, are password protected. This makes it more difficult for a thief to obtain information from the stolen computer. Keep in mind that a login password by itself only guards the operating system; a thief can remove the hard drive and read it from another machine, so the laptop's storage should also be encrypted if it holds PHI. Second, if your employees are taking computers home, they should be trained not to leave them in the car or out in the open in the home. (Remember, your employees' family members can be a source of disclosures as well.) The employees should be aware of the potential risks of working on the laptop in public places as well.
On the other hand, if you decide to enact a policy forbidding employees from taking files or computers home with them, you should have a way to enforce it. As the VA learned, having a policy is not enough; the employee still took the laptop home. You need to be able to prevent the employees from leaving the office with the laptop. In addition, the policy should provide steep penalties for taking a computer home,