Best practice for protecting from laptop theft

With the increased convenience of laptop use in many industries comes a higher risk of data breach due to laptop theft. In almost all segments, from NASA to hospitals, laptop theft has done considerable damage to reputations and led to lawsuits. Experts at EHR 2.0 have listed some of the best practices to protect against this happening in your practice.
1. Keep the Laptop Close at Hand and in a secure area.
Don’t start leaving your bag “just for a minute” because it may sprout legs and disappear. If possible, remain in physical contact with it at all times, or have it attached to a security cable that is itself anchored securely. It’s not foolproof, but it may deter snatch-and-grab thieves.
2. Label and Tag the Laptop and All Accessories
Make sure that everything that can be labeled is labeled with the name of the individual or organization that owns it, and ensure that these labels are conspicuous. The potential theft value of a laptop or peripheral is reduced greatly when additional work is required to remove the identifying marks. Conspicuous identity labels also significantly increase the risk of a potential thief being caught in the act of theft.
3. Password Protect your Devices and Applications/Software that Contain PHI
It may seem like an extra time burden to have to enter a password every time you use your phone or tablet, but that process of “unlocking” will keep your data protected if you should lose your device. Also, having two passwords, one on the device to unlock it and one to open the software application you are using (like Private Practice), will go a long way toward keeping information secure, AND it’s required under the HIPAA Security Rule. Most devices have a security or privacy setting in the Preferences or Options menu of the device.
4. Don’t Share Your Password
It may sound obvious, but your password is no longer valid or secure if more than one person knows what it is. The whole point of a password for locking your device is to keep it secure from others. In terms of your EHR software, your unique login forms your audit log of who accessed the record and when. Everyone in your practice who is authorized to review client PHI should have their own login in order to be secure and compliant with HIPAA requirements for ePHI.
5. Automatic Time-Out
We know it’s a drag, but setting your device to lock after a period of inactivity (“automatic time-out”) is a good idea. Especially important for shared devices, like office computers, this is a good way to ensure that the lock is engaged in the event of a theft or loss: if you aren’t using it, the device is automatically locked. Just don’t forget to hit the save button before you walk away from the device; time-outs can sometimes cause you to lose data if you have not saved it!
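For a Windows office computer, the time-out above can be checked (and, with -Enforce, applied) from PowerShell. This is an added example, not code from the EHR 2.0 article; it assumes an elevated session and uses the standard screen-saver values under HKCU and the machine inactivity limit policy value under HKLM. The 900-second limit is a value chosen here, not a HIPAA number.

```powershell
# Added example: audit and optionally enforce an inactivity lock on a Windows workstation.
param(
    [int]$MaxIdleSeconds = 900,   # chosen here: 15 minutes
    [switch]$Enforce
)

$desktop = 'HKCU:\Control Panel\Desktop'
$policy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Per-user screen saver: must be active, password-protected (ScreenSaverIsSecure),
# and engage within $MaxIdleSeconds. Note that a screen saver must also be
# selected (SCRNSAVE.EXE) for ScreenSaveActive to have any effect.
$d = Get-ItemProperty -Path $desktop -ErrorAction SilentlyContinue
$ssActive  = $d.ScreenSaveActive -eq '1'
$ssSecure  = $d.ScreenSaverIsSecure -eq '1'
$ssTimeout = [int]$d.ScreenSaveTimeOut      # missing value -> 0

# Machine-wide policy "Interactive logon: Machine inactivity limit" (0 = not set).
# Unlike the screen saver, this applies to every account on a shared device.
$p = Get-ItemProperty -Path $policy -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue
$machineLimit = if ($p) { [int]$p.InactivityTimeoutSecs } else { 0 }

$findings = @()
if (-not ($ssActive -and $ssSecure -and $ssTimeout -gt 0 -and $ssTimeout -le $MaxIdleSeconds)) {
    $findings += "Screen saver lock: active=$ssActive secure=$ssSecure timeout=${ssTimeout}s"
}
if ($machineLimit -eq 0 -or $machineLimit -gt $MaxIdleSeconds) {
    $findings += "Machine inactivity limit: ${machineLimit}s (0 means not set)"
}

if ($findings.Count -eq 0) {
    Write-Output "COMPLIANT: device locks within $MaxIdleSeconds s of inactivity"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    if ($Enforce) {
        Set-ItemProperty -Path $desktop -Name ScreenSaveActive    -Value '1'
        Set-ItemProperty -Path $desktop -Name ScreenSaverIsSecure -Value '1'
        Set-ItemProperty -Path $desktop -Name ScreenSaveTimeOut   -Value "$MaxIdleSeconds"
        if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
        Set-ItemProperty -Path $policy -Name InactivityTimeoutSecs -Value $MaxIdleSeconds -Type DWord
        Write-Output "Applied: inactivity lock set to $MaxIdleSeconds s (user and machine)"
    }
}
```

Run it as a scheduled audit across office computers and treat any FINDING line as a ticket for the Security Officer the article recommends appointing.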
6. Clean Out the Trash and Empty Your Cache (use free software to automate this: CCleaner or Macintosh utilities)
If you store client data on your device for the purpose of managing your workflow, that’s fine. Just don’t forget to periodically empty those folders where you store data after you no longer need it. For example, you might have a folder on your laptop or tablet that contains current client info. After the birth, you should delete the data that you no longer need. HIPAA guidelines recommend that you create a security policy that includes review of data stored on devices. We suggest that you assign one person in your office to be the Security Officer and they can oversee “wipes” of all PHI from all devices on a regular basis.
Also, if you are logging into a secure site for PHI (like Private Practice), you should periodically empty your cache. The cache is a saved folder of websites that your browser (like Safari or Explorer) keeps on your computer to help you navigate to popular websites quickly. That means that the first or the last page you were on is sometimes available without having to log in again. To empty your cache, open up your browser and click on Preferences. You’ll see the option for Empty Cache in the drop-down menu. Be sure to do this on a routine basis!
7. Encryption. This covers a couple of encryption concerns raised by the American Medical Association (AMA).
FIPS 140-2 Validation: First, always look for encryption software that is recognized under NIST Federal recommendations and is FIPS 140-2 validated.
Key Management: It’s important to note that losing the encryption key can lead to serious problems down the road. Use vendor-approved software that safely takes the headaches of key management and backups out of the equation for your health IT support staff.
Encrypt Laptops and Portable Media: File encryption versus whole-disk encryption are options that need to be thoroughly investigated with a is included, of course, in case confidential data needs to be sent over e-mail, for example.
Smartphones and tablets (iPad, Android, etc.) are newer devices, and their basic encryption capabilities are also new.
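The three encryption concerns above (validated crypto, key backups, whole-disk encryption of laptops) can be checked on a Windows laptop with the BitLocker cmdlets. This is an added example, not code from the article or from Microsoft; it assumes an elevated session with the BitLocker module present, and the -EscrowToAD switch is a name chosen here that triggers Backup-BitLockerKeyProtector, which only succeeds on a domain configured to accept recovery information.

```powershell
# Added example: audit whole-disk encryption, recovery-key protectors and FIPS policy.
param([switch]$EscrowToAD)

# FIPS 140-2 point from the article: Windows has a policy that restricts crypto
# to its FIPS-validated modules. Report whether it is on (1) or not.
$fips = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
        -Name Enabled -ErrorAction SilentlyContinue
Write-Output ("FIPS algorithm policy: " + $(if ($fips.Enabled -eq 1) { 'enabled' } else { 'not enabled' }))

# Laptops and portable media: every OS and fixed data volume should be fully
# encrypted with protection turned on (a suspended volume is readable by a thief).
$volumes = Get-BitLockerVolume | Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' }
foreach ($v in $volumes) {
    $mp = $v.MountPoint
    if ($v.VolumeStatus -ne 'FullyEncrypted' -or $v.ProtectionStatus -ne 'On') {
        Write-Output "FINDING ${mp}: status=$($v.VolumeStatus) protection=$($v.ProtectionStatus)"
        continue
    }

    # Key management: the RecoveryPassword protector is the key you back up.
    # Without it, a TPM replacement or forgotten PIN turns a lost key into lost data.
    $recovery = @($v.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        Write-Output "FINDING ${mp}: encrypted but no recovery password protector; add one before relying on it"
        continue
    }
    Write-Output "OK ${mp}: fully encrypted, $($recovery.Count) recovery password protector(s)"

    if ($EscrowToAD) {
        foreach ($rp in $recovery) {
            # Stores the recovery password on the computer object in AD DS so IT
            # support, not the user, holds the backup the article asks for.
            Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $rp.KeyProtectorId
            Write-Output "Escrowed ${mp} protector $($rp.KeyProtectorId) to AD DS"
        }
    }
}
```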
Basic Configuration: iPhone / iPad
A) iPad and iPhone can use the Mac App Store Apple Configurator 1.0.
B) Handheld Hardening Checklists – University of Texas
C) Check Apple App Store for approved Apps
Google Android Hardening Checklist – University of Texas
Encryption: Android phones and tablets are handled separately by each manufacturer, especially for encryption.
8. Train your staff about physical security basics and securing laptops safely.
As the provider on the team, you are responsible for making sure that everyone around you understands the importance of privacy and security. This ranges from reminding staff to refrain from texting information during a birth (!) to explaining to clients that email is not a secure form of communication about their health concerns. There is a lot to understand, but you can start by balancing common sense with a little bit of extra effort on some of the more subtle nuances of keeping information secure in our ever more high-tech world.
By Valdez Ladd.
Our mission is to assist healthcare organizations and business associates in the development, design, and implementation of practices to secure IT systems and comply with HIPAA/HITECH privacy, security, breach and enforcement rules by protecting patient health information.