Healthcare VIPs and Laptops – A Potentially Bad Combination

February 23, 2011

Laptops are great. They provide incredible computing horsepower in a small and portable package. However, sometimes in the hands of certain players in healthcare, they can become a HIPAA security risk.

Usually within a Covered Entity (CE) (e.g., a practice or clinic, etc.), laptops are either assigned to or outright owned by what one might call VIPs – Very Important Players. A VIP may be a physician, an owner, or a manager. They may have a very important position within the CE, or they may have a very strong – ahem – personality, or both.

There are a variety of reasons why laptops represent a greater HIPAA security threat than workstations, beyond just the most obvious fact that they are portable:

1. Frequently VIPs purchase laptops with their “own” money, and therefore don’t consider them part of the CE’s IT platform, and therefore not subject to HIPAA Security Rule oversight. This is false.

2. Sometimes these laptops are purchased at a retail outlet or from a website, and those systems usually ship with the wrong edition of the operating system. The HIPAA Security Rule does not name operating systems, but a consumer “Home” edition of Microsoft Windows lacks the controls a CE relies on to satisfy it: it cannot join a domain, so user identities, password rules and account lockout cannot be managed centrally, and it does not include BitLocker drive encryption, so a lost laptop means lost PHI. The problem is that such a laptop will technically function and give the appearance that everything is OK, while the security is missing. Typically, when you ask the retail salesperson what the difference is between the home version and the business version of the software, they will say something like, “99 bucks.”

3. Some VIPs consider themselves to have special powers or authority, and not to be subject to the same rules as others in the practice. It may be hard for an IT employee or contractor to enforce the procedures necessary to keep the CE compliant and protected. (This is why we don’t think the IT director or CIO is automatically the right choice for HIPAA security officer. Sometimes it needs to be someone with a little more clout, and outside of IT.)

4. Laptops tend to be given to senior people within the organization, who are more likely to have more data – as well as data from multiple departments or sources. So both the amount of data and its importance are likely higher for those individuals who use laptops.

5. Because of the portability of laptops, they may not be present in the facility during a HIPAA security audit and therefore not properly assessed and inventoried.

6. VIPs tend to extend their work hours and do considerable work away from the practice, such as doing a lot of outside evening/weekend work, and many times this means their laptops are in their car or in a briefcase (where they may be stolen) or used on a home network (where security is much more lax).

7. When used on a home network or over a WiFi hot-spot, the laptop sits outside the CE’s firewall and monitoring, and on an open hot-spot its traffic can be read by anyone nearby, so it is much more easily compromised.
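A quick way to turn points 2 and 5 above into something checkable is a script that reports the three things an auditor needs to know about a laptop that walks in the door: which Windows edition it runs, whether it is joined to the CE’s domain, and whether its system drive is encrypted. The following is an added example, not code from the original post; it assumes an elevated PowerShell prompt on Windows 8 or later (where the Get-BitLockerVolume cmdlet exists), and the function name Get-LaptopPosture is ours.

```powershell
# Added example (not from the original post): one-shot posture check for a
# Windows laptop. Assumes an elevated PowerShell prompt on Windows 8 or later;
# on editions without BitLocker the Get-BitLockerVolume cmdlet is absent and is
# reported as 'NotAvailable'.

function Get-LaptopPosture {
    param([string]$SystemDrive = $env:SystemDrive)

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Consumer editions cannot join a domain, so the edition name alone is a red flag.
    $edition = $os.Caption
    $isHome  = $edition -match 'Home'

    # Domain membership is what lets the CE enforce password and lockout policy centrally.
    $domainJoined = [bool]$cs.PartOfDomain

    # Encryption at rest: a missing cmdlet means the feature is not on this edition,
    # which for audit purposes is the same as "not encrypted".
    $bitlocker = 'NotAvailable'
    try {
        $vol = Get-BitLockerVolume -MountPoint $SystemDrive -ErrorAction Stop
        $bitlocker = $vol.ProtectionStatus.ToString()   # 'On', 'Off' or 'Unknown'
    } catch {
        $bitlocker = 'NotAvailable'
    }

    $findings = @()
    if ($isHome)             { $findings += "Consumer ('Home') edition: cannot join the CE domain" }
    if (-not $domainJoined)  { $findings += "Not domain-joined: local accounts only, no central policy" }
    if ($bitlocker -ne 'On') { $findings += "System drive $SystemDrive not protected by BitLocker ($bitlocker)" }

    [pscustomobject]@{
        ComputerName = $cs.Name
        Edition      = $edition
        DomainJoined = $domainJoined
        Domain       = if ($domainJoined) { $cs.Domain } else { $null }
        BitLocker    = $bitlocker
        Findings     = $findings
        Compliant    = ($findings.Count -eq 0)
    }
}

Get-LaptopPosture | Format-List
```

Run it on each laptop as it is inventoried and keep the output with the audit record; a non-empty Findings list is the list of things to fix before the machine is allowed to hold PHI.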

To minimize problems with laptops, the following procedures should be followed:

1. All laptops – whether purchased with “private” funds or not – are part of the CE’s IT platform, and must be part of a HIPAA security audit and Security Rule compliance.

2. Special care should be given if and when laptops leave the CE’s premises, to ensure data is not compromised, lost or stolen.

3. VIPs should not be allowed to circumvent or ignore HIPAA Security policies. All employees and contractors of a CE are governed by the HIPAA Security Rule.

Have you had problems in your practice or facility with laptops and VIPs?