Incidents of data theft grab media headlines almost daily. How can you ensure that your data remains secure? We give you the best bets for implementing that “ounce of protection” that can protect your patients and your practice.
The National Institutes of Health. The Gap. Pennsylvania Department of State. Blue Cross/Blue Shield. Harvard University. Kraft Foods. Tenet Healthcare Corporation. What do these seemingly disparate organizations have in common? They’ve all experienced either outright theft or inadvertent loss of sensitive consumer or patient data - just between February and March of this year.
The missing data ranged from dates of birth, Social Security numbers, credit card numbers, medical conditions, to even political affiliations. How did this happen? Stolen laptops, hard drives, and flash memory sticks top the list. Other organizations mistakenly sent e-mails containing private information to unintended recipients, had consumer data retrieved from discarded PCs, or experienced Web programming errors.
According to the U.S. Department of Justice statistics, identity theft is currently surpassing drug trafficking as America’s No. 1 crime.
And while the sheer size of these organizations might make them tempting targets for crooks, don’t assume that your practice is safe just because it’s smaller than the NIH. Anyone can be a victim. But there are ways to protect yourself - and your patients.
In 2006, the nonprofit Privacy Rights Clearinghouse’s analysis of data breaches found that of those reported by medical organizations, 40 percent were attributable to laptop thefts, 20 percent to “insider malfeasance,” 20 percent to “human/software incompetence,” 17 percent to non-laptop computer theft, and 3 percent to outside hackers. A study by the University of Massachusetts Dartmouth conducted in 2004 estimated that in the U.S. alone, a laptop is stolen every 53 seconds. Gartner, Inc., a worldwide IT research and advisory company, says its research reveals that 80 percent of computer crime consists of “inside jobs” by “disgruntled employees.”
In February, a laptop containing the names, Social Security numbers, and personal health information of 4,800 patients was stolen from the relatively small University Health Care in Salt Lake City. Reports of stolen or lost patient data abound among practices large and small.
Do you or your staff take home laptops to catch up on patient paperwork outside of clinic hours? Do you ensure that your staff members are able to gain access only to the patient information they need to do their jobs? Do you know where your patient information resides within your network, PCs, portable devices, and backup storage? And how secure is your practice’s office building when you’re not in it?
Very few practices can confidently answer all of these questions. And the consequences of such ignorance can be devastating.
Take the case of Compass Health, a small mental-healthcare provider in Washington, which in June 2006 reported a laptop theft to authorities. The computer contained patients’ Social Security numbers and clinical and demographic data. The practice sent letters to all potentially affected patients with information about the steps they should take as a result of the theft. And it distributed a statewide media advisory in an effort to notify other individuals for whom it did not have current contact information. And then, of course, came the calls from local and national media outlets.
All this over a single stolen laptop.
“The nature of the beast here is that the devices go missing,” says Stephen Sprague, CEO of Wave Systems, a provider of client and server software for hardware-based digital security. “So assume all your patients’ records are on that device. Do you really want to have a press conference?”
Even if, like Compass Health, you take all appropriate steps to protect your patients in the wake of a computer theft, bad press can severely damage your credibility with current and future patients.
Is paperless dangerous?
So should you just toss out your electronic equipment and go back to paper files?
You probably know the answer to that. Whether you own an EMR or not, your practice cannot operate without computers running the software that is vital to its everyday operations. So tossing your PCs out the window isn’t an option. Besides, paper is at least as vulnerable to theft as electronic equipment, if not more so.
“Paper is an insecure form for storing patient data, which is at best locked behind doors or within file drawers,” says Stephen Moulton, director of product development for Innovative Card Scanning, a developer of scanning devices and software for hospitals and practices. “Paper can be copied, stolen, taken without you even knowing it, as well as lost or misplaced, which could give you the feeling that it was stolen if it is out of your control or possession.”
Thomas Weida, medical director of the University Physician Group at Fishburn Road in Hershey, Pa., says that in his previous paper-based office, he recalls an instance in which a file clerk easily pulled a specific paper chart she was unauthorized to view - her ex-husband’s. The practice fired the employee when it learned what she’d done, but not before she shared the stolen information with others. Of course, the practice also had to inform the ex-husband about the incident. Certainly, this was nothing to call a press conference about, but it was a privacy violation for which the practice was responsible, nonetheless.
“From my personal experience,” says Weida, “the protection for inadvertent or malicious access to charts is better electronically than it used to be when we had paper charts. With paper charts, anyone could go to the chart rack, open it up, and look at the full chart. If they were really slick people from outside, they could throw a stethoscope around their neck and put on a white coat and flip through records. … I would say that the information is more secure now than it was before even though more people have the potential to access it, and that’s because we can track every access.”
Electronic charts may be better protected than paper, but they’re hardly failsafe. Indeed, Weida reports that his current practice, which uses an EMR, also experienced an incident in which a woman snooped through her ex-husband’s medical records. In this case, recalls Weida, “the initial excuse was that she needed his new address. But our IT department was able to look at that record, realize that she opened it more than once, maybe about five or six times, and also realized that she was not just opening demographic data. She was terminated. We have a very strong policy on that here. You only get one strike, and you’re out.”
One significant difference between the incidents: The EMR-based practice didn’t have to find out through the grapevine about the security breach or launch a he-said/she-said investigation. The computer kept a record of each accessed file. Another difference: The EMR practice was able to implement additional security protocols to prevent further breaches.
The office network now has a built-in mechanism to ensure that only those authorized individuals can view sensitive patient information.
The bottom line: Both paper and electronic charts are vulnerable to theft or loss. But while paper records carry their inherent vulnerabilities, a stolen or improperly accessed laptop can reveal much more patient data than a single paper file. Although the healthcare industry has in general been slower to adopt new technologies, the electronic age has dawned, and there’s no turning back. You can no longer operate an efficient practice without some type of software containing patient data. And like most new technologies, these capabilities bring with them new opportunities for criminal activity.
An ounce of protection
Still, most people give little thought to the consequences of stolen hardware until it happens to them. When Mark Anthony LaPorta, an internist in Miami, purchased a software-based theft protection service for his new laptop a couple of years ago, it was little more than an afterthought. His fancy new computer cost him $2,000, and paying an additional $105 for three years’ theft protection seemed to make sense. “I was going to be carrying a big brand-new laptop around,” says LaPorta, “so I thought, ‘Let’s protect it and see what happens.’ I’m amenable to that sort of thing. … I thought ‘Oh well, after three years, I’ll forget about it; nothing will happen.’”
Turns out he didn’t have to wait long before something did happen.
A few weeks later, while traveling on a speaking circuit, LaPorta received a call from his local police, informing him that his house had been broken into. He was told that nothing appeared to be missing, but when he returned home he discovered that the shiny new computer he had left sitting on his coffee table was gone.
So LaPorta reported the theft to the vendor of the Computrace LoJack software he’d purchased. At that point, the vendor placed Computrace’s monitoring center on alert for the missing computer. When the thief logged onto the Internet on LaPorta’s stolen laptop, the computer “called” the monitoring center every 15 minutes, allowing Computrace to track its whereabouts.
A week later, LaPorta received an e-mail from his vendor telling him that his computer had “called home.” Computrace’s own “recovery team” was activated and worked with LaPorta’s local law enforcement and his Internet Service Provider to obtain the necessary subpoenas and warrants to apprehend the thief and recover the computer. A few days later, LaPorta’s vendor returned the stolen laptop to the police station in his home town. All he had to do was pick it up.
When LaPorta booted up his retrieved laptop, none of his data was missing: “The software I purchased puts itself on the hard drive, buried down deep inside of the computer, so even if the thief tried to wipe the drive to start over after stealing it, he couldn’t.”
Covering your bases
John Livingston, CEO of Absolute Software, which manufactures Computrace LoJack, says that had LaPorta’s computer been populated with patient data that was already backed up elsewhere, the vendor could have remotely deleted that information before Computrace’s recovery team joined local police to physically recover the laptop. According to Livingston, the company’s recovery team maintains partnerships with more than 1,000 police departments across North America.
Of course, computers are targets for theft everywhere, including within the offices that use them. Livingston says that his father was a physician for almost 40 years, and the semi-public places in which he saw his father work made an impression on him. “There’s a lot of patient data being stored on computers, and in somewhat unsecured areas,” says Livingston, “so that’s the obvious vulnerability. … Securing data in any type of healthcare environment is challenging.”
Livingston says that small- and medium-sized healthcare practices are especially vulnerable to theft. “Often the office buildings that they are located in are quite easy to break into. … You might get people breaking in thinking that there are drugs in storage or something like that. … And once criminals get inside the office, they take whatever they can. The computers are a really easy target, because they’re worth a couple hundred bucks sold on the street, or they’re sold on eBay for closer to the value of the machine, and that happens a lot, unfortunately.”
Livingston also points out that smaller doctors’ offices often don’t have the comprehensive IT infrastructure that many larger healthcare organizations possess. “So their backup may be somewhat stale, and in those situations, we’ve recovered computers for small physician offices in which we’ve sort of saved the practice, if you will, because everything was on the computer that was stolen. We located the computer and got it back, and all of the patient information and billing systems were retrieved.”
There are other products that aim to retrieve stolen laptops or deter their theft. The Caveo Anti-Theft PC Card issues audible warning signals if a laptop is moved beyond a distance specified by its owner. Developed by Caveo Technology, the device operates whether the laptop is turned on or off. In addition to emitting sound, laptops equipped with Caveo’s PC card can also automatically prevent thieves from accessing the computer’s operating system, passwords, and encryption keys. If a stolen computer is recovered, a master code is required to regain access.
SprintSecure Laptop Guardian utilizes a mobile broadband connection card that serves as an ignition key (the user must insert it into the laptop to use the computer). If both the laptop and card are stolen, an IT administrator can remotely revoke authentication privileges, rendering the laptop useless to the unauthorized user.
Securing data in transit
Besides theft, Livingston says the other prime vulnerability specific to small- and medium-sized practices is the transmission of patient data to third parties.
In August 2006, a computer was discovered missing from Unisys, a subcontractor that provides billing and claims support to the VA Medical Centers in Pittsburgh and Philadelphia. Information contained on this computer included the names, dates of birth, addresses, Social Security numbers, and claims information on approximately 16,000 patients.
Does your practice outsource its billing like the VA? If so, can you ensure that your patients’ information is secure?
Even if your laptop is never stolen, data in transit can be intercepted. That’s why Livingston says secure firewall and encryption systems are crucial. “You need that especially if practices are digital, and they’re uploading patient or financial information … to a central site somewhere for billing purposes,” says Livingston. “The doctors have the onus on them to … secure that transaction on both ends to ensure … no third party can gain access to the information as it transmits back and forth.”
But once you’ve transmitted patient data to a third party, how can you be sure the vendor’s own safety practices are adequate? Tell them to prove it, says Sprague. When your vendor says, “We’ve got it all covered; it’s safe,” Sprague advises asking it to explain and demonstrate to you exactly how it encrypts your patient data to protect it from prying eyes. Don’t let up until you’re convinced.
If you sufficiently address the physical storage of your hardware and secure your data transmission beyond your practice, Livingston says “you’re pretty well covered.”
But take note that when Livingston refers to “physical storage,” he’s not talking about simply placing your portable devices in file drawers. He recommends physically locking down all hardware - your laptops as well as your desktops - “so you can’t remove them without some type of physical force.” Such locking devices are easily available and affordable. And don’t forget your server - you’ll want to bolt that down too.
Sound a bit paranoid? Given the frequency with which patient data is compromised, these preventive steps can go a long way toward not only avoiding that embarrassing press conference, but also toward possibly saving your entire practice. Don’t take refuge in the thought that your portable devices require user IDs and are password-protected. While these safeguards shouldn’t be neglected, they’ve also proven to be surmountable barriers in the hands of knowledgeable techies. Your best defense is to keep them from falling into the wrong hands in the first place.
But a determined thief can defeat even your most zealous efforts to protect your property. If a laptop or other portable device does go missing, how can you prevent the thief from accessing the precious data it contains?
Hardwired against crime
When you purchase a new laptop, you are buying a blank slate, although standard software, such as Microsoft Office, is often already installed. But the extra protection you’ll need to prevent unauthorized access to the patient information that will soon populate your computer’s hard drive is most often purchased in the form of additional software that you must select and install yourself. Such installation is usually quite easy, but you may want to consider upping the ante by purchasing a computer hardwired against unauthorized use.
Sprague says “the first and most simplistic” protective action any practice can take is to encrypt the data stored in their computers. “If a laptop walks out the door, and there is data stored on that laptop, you want to ensure it’s not lost,” he says. “So whole-disk encryption of your data is very important.” To that end, Sprague advises practices to opt for corporate-model computers over consumer ones: “Specifically say to your vendor: ‘I want to buy a machine with hardware-based, full-disk encryption,’” he says. “The extra cost is small, so it’s a relatively inexpensive option for a small office that wants to know that its data are encrypted on its hard drives.”
If your office’s hard drives aren’t encrypted and upgrading your machines isn’t in your short-term business plan, you can purchase software to encrypt your current hard drives. Sprague says that although software-based encryption isn’t as foolproof as hardware-based encryption, “it works reasonably effectively.”
But to completely secure your data, you need to go even beyond encryption.
Consider the following plausible scenario: En route to your house after work, you stop at a grocery store to pick up some essentials. In your back seat is a laptop from the office that you’ve neglected to keep from sight. When you return with your groceries, your car window is smashed and the laptop is gone - a computer containing many of your patients’ personal identification and clinical information. The worst-case scenario is upon you, and you’re at fault.
Now let’s say this thief is no amateur. Before he unloads his stolen merchandise, he wants to investigate to see whether it contains any useful information. Finding himself locked out of your computer without your user ID and password, he and his friends do a little digging and find what they are looking for on the hard drive. They enter the correct user ID and password, and … Bingo! A treasure trove of personally identifiable information is at their fingertips for the taking.
How did this happen?
Most operating systems (Windows being the most ubiquitous) have remarkable memories and cache much of your computer activity.
If your computer is like most on the market, your personal authentication information is in there somewhere - hidden deep, though not so much so that it can’t be retrieved by a knowledgeable and determined techie. The key is to keep unauthorized users from ever being able to crack your passwords. Requiring authorized users to log into your network with unique user IDs and passwords should be part of your standard operating procedure, but it’s not foolproof.
Such a scenario wouldn’t be possible if your new laptop was equipped with a trusted platform module, or TPM, says Sprague. He explains that a TPM “is in essence a silicon vault for keys on your laptop or desktop.” If you authenticate yourself to your computer with your user ID and password, the process takes place within that TPM chip. “So the secret is never exposed to the operating system or external memory or any of those other devices,” Sprague explains.
Computers with TPM systems are also useful to IT departments that can track exactly how many computers are authorized to access your practice’s network. So if you have, say, 35 machines in your network and a 36th pops up, you know your network’s been compromised. Sprague likens the technology to that used in cell phones: “Your cell phone is secured on [the carrier’s] network because it has a little secret in the hardware in the phone that I can’t steal,” he explains. “Therefore, I can’t bill phone calls to your account because I can’t get your secret code out of your phone because the hardware is extremely hard to break. There are billions of phones out there, so this is a pretty well-understood technology.”
Currently, Sprague says, TPM-equipped computers are available on most commercial PCs and laptops. He estimates that it’ll probably be another year until the technology trickles down to consumer machines. So he strongly recommends that practices purchase commercial-model computers for their offices.
Since protecting your patient data is your responsibility, it’s ultimately up to you to inventory your capabilities, your budget, and your manpower to decide how you will put into place your own protocols to ensure peace of mind.
Yes, you’ll want to equip yourself with the appropriate software and hardware to secure your data. But establishing best practices for your office, educating your staff about them, and enforcing a “no tolerance” policy may be the most effective steps you can take.
Give your staff unique user IDs and passwords and regularly change them; enable “unlocking” functions on other portable devices, such as BlackBerry handhelds, that require the user to enter a unique PIN to gain access; regularly audit your electronic assets to ensure they are accounted for and in the right hands; regularly upgrade your antivirus software.
Establish a “shutting down” protocol when you close your clinic each night; do not allow employees to remove any hardware from your office without authorization; take measures to lock down your office when you are not there; and, if you are in a larger commercial building, talk to your landlord about their after-hours security to ensure you are comfortable with the protection provided.
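As an added illustration (not code from the article or from any vendor it mentions), the following Python script shows what the “regularly audit your electronic assets” step and Sprague’s “36th machine” observation look like in practice: it reconciles a practice’s authorized device inventory against the serial numbers actually seen on the network and flags unknown machines, devices that have not checked in (possible theft or loss), and laptops without whole-disk encryption. The inventory, serial numbers and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Device:
    asset_id: str          # practice's own inventory tag (constructed)
    serial: str            # hardware serial the device reports to the network
    kind: str              # "laptop", "desktop" or "server"
    disk_encrypted: bool   # whole-disk encryption in place?
    last_seen: date        # last day the device checked in


def audit(inventory, observed_serials, today, stale_after_days=7):
    """Reconcile the authorized inventory with what the network actually sees.

    Returns a dict with three findings:
      unauthorized : serials seen on the network that are not in the inventory
                     (the "36th machine" case: treat as a possible compromise)
      missing      : authorized devices not seen today and not seen for more
                     than stale_after_days (candidates for a theft/loss check)
      unencrypted  : laptops without whole-disk encryption (the devices most
                     likely to walk out the door with patient data on them)
    """
    known = {d.serial: d for d in inventory}
    unauthorized = sorted(s for s in observed_serials if s not in known)

    cutoff = today - timedelta(days=stale_after_days)
    missing = sorted(d.asset_id for d in inventory
                     if d.serial not in observed_serials and d.last_seen < cutoff)

    unencrypted = sorted(d.asset_id for d in inventory
                         if d.kind == "laptop" and not d.disk_encrypted)

    return {"unauthorized": unauthorized,
            "missing": missing,
            "unencrypted": unencrypted}


# Constructed sample inventory for a small office.
INVENTORY = [
    Device("PP-001", "SN-A1", "desktop", True, date(2008, 3, 10)),
    Device("PP-002", "SN-B2", "laptop", True, date(2008, 3, 10)),
    Device("PP-003", "SN-C3", "laptop", False, date(2008, 2, 20)),  # stale and unencrypted
    Device("PP-004", "SN-D4", "server", True, date(2008, 3, 10)),
    Device("PP-005", "SN-E5", "laptop", True, date(2008, 3, 8)),    # off-site, but seen recently
]

# Constructed list of serials observed on the office network today.
# SN-ZZ9 is not in the inventory: the "36th machine".
OBSERVED = {"SN-A1", "SN-B2", "SN-D4", "SN-ZZ9"}


def run_sample(today=date(2008, 3, 10)):
    """Run the audit over the constructed sample data."""
    return audit(INVENTORY, OBSERVED, today)


if __name__ == "__main__":
    for finding, items in run_sample().items():
        print(f"{finding:>12}: {', '.join(items) if items else 'none'}")
```

PP-005 is not flagged because it checked in two days ago, while PP-003 has been silent for longer than the seven-day threshold and is the device to account for first.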
If you can’t afford fancy new anti-theft hardware and software solutions, look into lower-cost options that can add new layers of protection to the equipment you already possess. Keep a watchful eye on all of your paper-based and electronic assets that contain patient information, but remember that laptops in particular have proven to be the Achilles heel of many data theft victims.
“The data on your laptop is a controlled substance,” says Sprague. “Treat it as such. Is it under lock and key, and how can you be sure?”
Barbara A. Gabriel, a former associate editor for Physicians Practice, has served as editor and writer for numerous healthcare publications over the past 10 years. Barbara can be reached via firstname.lastname@example.org.
This article originally appeared in the 2008/2009 Physicians Practice Technology Guide.