All, I think one of the points being missed here is the role of physical security. There is an underlying assumption with an office computer that part of the access control is supported through the organization's physical infrastructure (i.e., security guards, photo IDs, video cameras, etc.). While most organizations also have policies and controls for telecommuters (VPNs, firewalls, machine use, audit trails...), mobile devices need to be handled differently because no assumption can be made about the environment they operate in, and therefore controls that were adequate in an office or home environment no longer provide the same protection.
With that being said, mobile devices cannot be thought of as just another telecommuter device. Certainly, there are several technologies and policy approaches that can help mitigate these issues which, in a controlled environment, may have been thought of as overkill, but in the mobile environment are very appropriate. For example, biometrics shows promise, not as a single authentication solution but as an add-on to the existing schemes. Policies (along with audit trails) addressing the types of data that can be stored on a mobile device can go a long way in addressing data theft, confidentiality and integrity. Restricting access based on device location can also aid in the authentication of the mobile device. My point being that there are not two categories of computers, there are several, and to evaluate the types of policies and controls to be used to protect PHI, one must consider the operating environment of the device.

Chris Riley, CISSP
Information Tool Designers Inc.
Secure Virtual Office Solutions
http://www.info-tools.com/

"Kelly, Lee" wrote:

> I have trouble with a vendor making such claims.
>
> As we all know, HIPAA is all about protecting information regardless of
> where it is used/stored. If their claims were true, then how are the
> thousands of health-care givers who practice tele-medicine, home health care
> services, wireless workstations, and many others going to comply with the
> rules/regs set forth by HIPAA.
>
> If their claim were true then PDAs (portable device, similar to a laptop in
> that respect), would also have the same issues.
>
> Thank You,
>
> Lee Kelly, CISSP
> Manager, Assessment Services
> Fortrex Technologies
> [EMAIL PROTECTED]
> 1-877-Fortrex - Office
> 1-301-906-6269 - Cell
>
> -----Original Message-----
> From: William Dobson [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 25, 2002 2:06 PM
> To: Jeff Carswell; [EMAIL PROTECTED]
> Subject: RE: Laptop Security Compliance
>
> Encryption on portable devices is recommended to our clients whenever there
> is confidential or proprietary information on them, or when they are clients
> to a more robust VPN solution.
>
> The device can't be HIPAA compliant! It's the user or organization that
> needs to operate the device in such a way as to remain HIPAA compliant.
> Strong telecommuting policies are also dictated whenever critical or
> sensitive information is ported on PDAs and laptops. That's industry best
> practice....nothing special to HIPAA.
>
> William H. Dobson, Jr., CISSP
> Federal Business Development
> Information Assurance Assessments
> Trustwave Corporation, Annapolis, MD
> Office 410-573-6910 x 2622
> Cell 301-655-8548
> Fax 410-571-8493
>
> -----Original Message-----
> From: Jeff Carswell [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 24, 2002 9:20 PM
> To: '[EMAIL PROTECTED]'
> Subject: Laptop Security Compliance
>
> Recently our company was visited by a vendor selling a Palm-based EMR
> solution and they made the statement, "Under HIPAA there is no way to make a
> laptop compliant if it is being used out in the field". Can this really be
> true?? If anyone has additional info or links to regs that speak directly
> to this issue it would be greatly appreciated.
>
> Thanks.
>
> Jeff Carswell
> Vice President, Corporate Development
> Affiliated Sante Group
>
> **********************************************************************
> To be removed from this list, go to:
> http://snip.wedi.org/unsubscribe.cfm?list=privacy
> and enter your email address.
