Laptop Security: 5 Steps to Getting it Right

If you use a laptop in any capacity within your office you may be placing your practice at grave risk if you do not take the necessary steps to prevent data theft.  We’ve all heard the horror stories:

  • May 22, 2006: A Department of Veteran Affairs data analyst (read: low on the totem pole) had three laptops stolen from his home which contained personal information of 26.5 million veterans.
  • January 29, 2008: Blue Cross Blue Shield of New Jersey loses a laptop with data for more than 300,000 patients.
  • March 13, 2008: A thief broke into a locked office at University Health Care in Utah and stole a laptop and a flash drive which had some 4,800 patient names and Social Security numbers.
  • July 16, 2008: A backup tape containing records for 47,000 patients was stolen from an employee of Greensboro Gynecology Associates, a three doctor practice in Greensboro, NC.

The costs associated with rectifying these data spills–letters to each patient, credit monitoring, credit restoration, and loss of trust in the institution–is astronomical. Your patients’ protected health information (PHI) is not only valuable to you, and your patients, but also to data thieves and crooks of all kinds.

Below are 5 steps which you can quickly implement in your practice to ensure that you are protecting all laptops, PCs, and removal memory devices.

5 Steps to Protecting Laptops

1 – Knowledge is power know what you’re holding.
Know what data is stored on your laptop at all times. Does your EMR reside locally on your laptop or does it simply connect to your network to access data from a central server? If your practice’s EMR/PM stores data locally on your laptop then you will need to take extra precautions to ensure that your physical device is always secure.Even if you do not have a list of all of your patient’s Social Security numbers on your laptop, there may still be plenty of valuable data if you look in the right places. Ask yourself a few key questions:

  1. Do you check emails on your laptop? Have you ever received emails with protected health information (PHI)?
  2. Do you log into secure payer or hospital systems from your laptop?
  3. Do you use your laptop to check your web-based practice management system when you are out of the office?
  4. Do you store passwords to secure sites (financial services, email, etc) on your laptop?Search your laptop to see what type of data you will need to secure. Use software such as Find SSNs to locate all of the places within your computer which may store PHI. Be sure to follow the steps below to make sure that you protect this data that you have found!

2 – Secure the fort encrypt

Encryption software uses algorithms designed to secure computer data so that it cannot be recovered without proper authorizations. Encryption software scrambles your data until the time you need to retrieve it-think of it as reconstructing a piece of paper which has been shredded each time you need to read it.There is plenty of great encryption software on the market. Microsoft Vista users can make use of BitLocker Drive Encryption and Mac OS X users can utilize FileVault. There is also an open source software named TrueCrypt which works on Vista, XP, Mac OS and Linux.TrueCrypt allows you to create virtual encrypted disks, encrypt entire partitions, and encrypt removable storage devices such as flash thumb drives. It also has a fancy features which allows for “plausible deniability in case an adversary forces you to reveal the password: 1) Hidden volumes and operating systems, 2) unidentifiable TrueCrypt volumes.”

3 – Don’t be predictable set strong passwords

Gary McKinnon, is a British computer hacker who is facing extradition to the US for perpetrating the “biggest military computer hack of all time.” He did it by searching US military network computers for blank passwords-that is computers without any password whatsoever.You are smarter than that.Set passwords that are hard for others to guess. Stay away from “123456″ or “password” because anyone who figured out how to swipe your laptop will crack these silly passwords in no time at all. Security experts suggest that you use a variety of uppercase, lowercase, and special characters. Also, if you have trouble remembering a long password, use a full sentence. For example, “MTBCs medical billing is great!” would make an excellent password.Do not tape your password to your laptop’s shell or leave the password on a slip of paper in your laptop case. Keeping your password with your laptop is akin to keeping your keys in the ignition of your car.

 4 – Cover your tracks securely erase unneeded data

Keeping unnecessary PHI on your laptop is like playing with fire and it could cost you. To securely remove unnecessary data from your laptop or office computers you will need a software utility which not only deletes the data, but overwrites the data as well.Let’s say that you have a file named “patient data.xls” which you would like to delete. Typically you can drag and drop that file into the Windows Recycle Bin and then empty the Recycle Bin. This, however, does not delete the actual file! It simply makes the physical hard-drive space available for new data. Each file residing on your computer occupies physical space on your hard drive consisting of ones and zeros (1, 0, etc.) When you use the Recycle Bin it simply tells the computer that the physical space is available for over-writing at some future date, it does not remove the file from your PC.Files deleted through the Recycle Bin can be easily recovered using software utilities like Recover My Files and PC Tool’s File Recover.You will need a program, like Eraser, to overwrite the hard disk drive to ensure that the data is permanently unrecoverable. Eraser uses a variety of overwriting standards including, Department of Defense approved algorithms and the Gutmann algorithm to overwrite the files multiple times with random bits of nonsensical data. Using Eraser you can also schedule secure erases of data (old emails, unnecessary files, etc.) for multiple times per day, week, or month.If you’re going to delete PHI, use Eraser to make sure it is actually gone for good.

5 – Travel smartly common sense: don’t leave home without it
It is best not to advertise that you are carrying a laptop by avoiding those black leather shoulder cases and using a bag which is a bit more discreet.Likewise, do not check-in the bag containing your laptop when traveling by plane or train and do not leave your laptop on the backseat of your car.Keep your eye on your laptop at all times when going through airport security. Get a checkpoint friendly laptop sleeve so you don’t advertise the brand (or value) of your precious cargo. Avoid setting your laptop bag down on the floor when you are traveling through the airport or unfamiliar surroundings.

Use a screen guard to ensure the prying eyes can’t peek over your shoulder. If you are in a Wi-Fi hotspot and there are other computer users, just glace around and see how many computer screens you can clearly read. If you are a traveler who wants to check e-mail, credit card balance information, and stocks on the road, be sure that you don’t have wandering eyes following your every click.