Covering your bases
John Livingston, CEO of Absolute Software, which manufactures Computrace LoJack, says that had LaPorta’s computer been populated with patient data that was already backed up elsewhere, the vendor could have remotely deleted that information before Computrace’s recovery team joined local police to physically recover the laptop. According to Livingston, the company’s recovery team maintains partnerships with more than 1,000 police departments across North America.
Of course, computers are targets for theft everywhere, including within the offices that use them. Livingston says that his father was a physician for almost 40 years, and the semi-public places in which he saw his father work made an impression on him. “There’s a lot of patient data being stored on computers, and in somewhat unsecured areas,” says Livingston, “so that’s the obvious vulnerability. … Securing data in any type of healthcare environment is challenging.”
Livingston says that small- and medium-sized healthcare practices are especially vulnerable to theft. “Often the office buildings that they are located in are quite easy to break into. … You might get people breaking in thinking that there are drugs in storage or something like that. … And once criminals get inside the office, they take whatever they can. The computers are a really easy target, because they’re worth a couple hundred bucks sold on the street, or they’re sold on eBay for closer to the value of the machine, and that happens a lot, unfortunately.”
Livingston also points out that smaller doctors’ offices often don’t have the comprehensive IT infrastructure that many larger healthcare organizations possess. “So their backup may be somewhat stale, and in those situations, we’ve recovered computers for small physician offices in which we’ve sort of saved the practice, if you will, because everything was on the computer that was stolen. We located the computer and got it back, and all of the patient information and billing systems were retrieved.”
There are other products that aim to retrieve stolen laptops or deter their theft. The Caveo Anti-Theft PC Card issues audible warning signals if a laptop is moved beyond a distance specified by its owner. Developed by Caveo Technology, the device operates whether the laptop is turned on or off. In addition to emitting sound, laptops equipped with Caveo’s PC card can also automatically prevent thieves from accessing the computer’s operating system, passwords, and encryption keys. If a stolen computer is recovered, a master code is required to regain access.
SprintSecure Laptop Guardian utilizes a mobile broadband connection card that serves as an ignition key (the user must insert it into the laptop to use the computer). If both the laptop and card are stolen, an IT administrator can remotely revoke authentication privileges, rendering the laptop useless to the unauthorized user.
Securing data in transit
Besides theft, Livingston says the other prime vulnerability especially specific to small- and medium-sized practices is the transmission of patient data to third parties.
In August 2006, a computer was discovered missing from Unisys, a subcontractor that provides billing and claims support to the VA Medical Centers in Pittsburgh and Philadelphia. Information contained on this computer included the names, dates of birth, addresses, Social Security numbers, and claims information on approximately 16,000 patients.
Does your practice outsource its billing like the VA? If so, can you ensure that your patients’ information is secure?
Even if your laptop is never stolen, data in transit can be intercepted. That’s why Livingston says secure firewall and encryption systems are crucial. “You need that especially if practices are digital, and they’re uploading patient or financial information … to a central site somewhere for billing purposes,” says Livingston. “The doctors have the onus on them to … secure that transaction on both ends to ensure … no third party can gain access to the information as it transmits back and forth.”
But once you’ve transmitted patient data to a third party, how can you be sure the vendor’s own safety practices are adequate? Tell them to prove it, says Sprague, “When your vendor says, ‘We’ve got it all covered; it’s safe,’” Sprague advises asking it to explain and demonstrate to you exactly how it encrypts your patient data to protect it from prying eyes. Don’t let up until you’re convinced.
If you sufficiently address the physical storage of your hardware and secure your data transmission beyond your practice, Livingston says “you’re pretty well covered.”
