But take note that when Livingston refers to “physical storage,” he’s not talking about simply placing your portable devices in file drawers. He recommends physically locking down all hardware — your laptops as well as your desktops — “so you can’t remove them without some type of physical force.” Such locking devices are easily available and affordable. And don’t forget your server — you’ll want to bolt that down too.
Sound a bit paranoid? Given the frequency with which patient data is compromised, these preventive steps can go a long way toward not only avoiding that embarrassing press conference, but also toward possibly saving your entire practice. Don’t take refuge in the thought that your portable devices require user IDs and are password-protected. While these safeguards shouldn’t be neglected, they’ve also proven to be surmountable barriers in the hands of knowledgeable techies. Your best defense is to keep them from falling into the wrong hands in the first place.
But a determined thief can defeat even your most zealous efforts to protect your property. If a laptop or other portable device does go missing, how can you prevent the thief from accessing the precious data it contains?
Hardwired against crime
When you purchase a new laptop, you are buying a blank slate, although standard software, such as Microsoft Office, is often already installed. But the extra protection you’ll need to prevent unauthorized access to the patient information that will soon populate your computer’s hard drive is most often purchased in the form of additional software that you must select and install yourself. Such installation is usually quite easy, but you may want to consider upping the ante by purchasing a computer hardwired against unauthorized use.
Sprague says “the first and most simplistic” protective action any practice can take is to encrypt the data stored in their computers. “If a laptop walks out the door, and there is data stored on that laptop, you want to ensure it’s not lost,” he says. “So whole-disk encryption of your data is very important.” To that end, Sprague advises practices to opt for corporate-model computers over consumer ones: “Specifically say to your vendor: ‘I want to buy a machine with hardware-based, full-disk encryption,’” he says. “The extra cost is small, so it’s a relatively inexpensive option for a small office that wants to know that its data are encrypted on its hard drives.”
If your offices’ hard drives aren’t encrypted and upgrading your machines isn’t in your short-term business plan, you can purchase software to encrypt your current hard drives. Sprague says that although software-based encryption isn’t as foolproof as hardware-based encryption, “it works reasonably effectively.”
But to completely secure your data, you need to go even beyond encryption.
Consider the following plausible scenario: En route to your house after work, you stop at a grocery store to pick up some essentials. In your back seat is a laptop from the office that you’ve neglected to keep from sight. When you return with your groceries, your car window is smashed and the laptop is gone — a computer containing many of your patients’ personal identification and clinical information. The worst-case scenario is upon you, and you’re at fault.
Now let’s say this thief is no amateur. Before he unloads his stolen merchandise, he wants to investigate to see whether it contains any useful information. Finding himself locked out of your computer without your user ID and password, he and his friends do a little digging and find what they are looking for on the hard drive. They enter the correct user ID and password, and … Bingo! A treasure trove of personally identifiable information is at their fingertips for the taking.
How did this happen?
Most operating systems (Windows being the most ubiquitous) have remarkable memories and cache much of your computer activity.
If your computer is like most on the market, your personal authentication information is in there somewhere — hidden deep, though not so much so that it can’t be retrieved by a knowledgeable and determined techie. The key is to keep unauthorized users from ever being able to crack your passwords. Requiring authorized users to log into your network with unique user IDs and passwords should be part of your standard operating procedure, but it’s not foolproof.
Such a scenario wouldn’t be possible if your new laptop were equipped with a Trusted Platform Module, or TPM, says Sprague. He explains that a TPM “is in essence a silicon vault for keys on your laptop or desktop.” If you authenticate yourself to your computer with your user ID and password, the process takes place within that TPM chip. “So the secret is never exposed to the operating system or external memory or any of those other devices,” Sprague explains.
Computers with TPM systems are also useful to IT departments that can track exactly how many computers are authorized to access your practice’s network. So if you have, say, 35 machines in your network and a 36th pops up, you know your network’s been compromised. Sprague likens the technology to that used in cell phones: “Your cell phone is secured on [the carrier’s] network because it has a little secret in the hardware in the phone that I can’t steal,” he explains. “Therefore, I can’t bill phone calls to your account because I can’t get your secret code out of your phone because the hardware is extremely hard to break. There are billions of phones out there, so this is a pretty well-understood technology.”
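The idea Sprague describes, a secret that stays in the hardware and a network that recognizes only enrolled machines, can be sketched as a challenge-response check. This is an added example, not code from the article or from any vendor: the class names, device names and the shared-secret HMAC scheme are assumptions chosen to mirror the cell-phone analogy (real TPMs typically prove identity with asymmetric keys).

```python
import hashlib
import hmac
import secrets


class HardwareKeyStore:
    """Stand-in for a TPM: holds a secret and only ever returns proofs, never the key."""

    def __init__(self):
        self.__key = secrets.token_bytes(32)  # generated "inside the chip"

    def enroll(self):
        # Simplification: a real TPM enrolls a public key; here the office
        # server receives the shared key once, at provisioning time.
        return self.__key

    def prove(self, nonce: bytes) -> bytes:
        return hmac.new(self.__key, nonce, hashlib.sha256).digest()


class NetworkGate:
    """Office server: knows the enrolled machines and challenges each one."""

    def __init__(self):
        self.enrolled = {}  # device name -> provisioning secret

    def enroll(self, name, chip):
        self.enrolled[name] = chip.enroll()

    def admit(self, name, chip) -> bool:
        key = self.enrolled.get(name)
        if key is None:
            return False  # a machine nobody enrolled
        nonce = secrets.token_bytes(16)  # fresh challenge defeats replay
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, chip.prove(nonce))


def demo():
    gate = NetworkGate()
    chips = {f"office-pc-{i:02d}": HardwareKeyStore() for i in range(1, 36)}
    for name, chip in chips.items():
        gate.enroll(name, chip)
    results = {name: gate.admit(name, chip) for name, chip in chips.items()}
    # Constructed 36th machine: one never enrolled, and one that copies a
    # real machine's name but lacks that machine's chip.
    results["unknown-36"] = gate.admit("unknown-36", HardwareKeyStore())
    results["spoofed-office-pc-01"] = gate.admit("office-pc-01", HardwareKeyStore())
    return results


if __name__ == "__main__":
    r = demo()
    print(sum(r.values()), "admitted;", [n for n, ok in r.items() if not ok], "rejected")
```

The 35 enrolled machines pass, while both the unknown machine and the one borrowing an enrolled name are refused, because neither can produce a proof from a key it does not hold.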
Currently, Sprague says, TPMs are available on most commercial PCs and laptops. He estimates that it’ll probably be another year until the technology trickles down to consumer machines. So he strongly recommends that practices purchase commercial-model computers for their offices.
