I completely agree that portable devices that are physically removed from
the covered entity's secure space need to be treated with special
consideration.  Each type of device must be carefully considered and special
policies and procedures developed.  At a minimum, power-on passwords are a
must.  Additionally, encrypting all PHI data on the device is also a must.
For example, I have seen recent reports of over 20,000 lost PDAs (Palms)
found just last year in the Atlanta airport, and similar numbers of lost
laptops.  PDAs' owners must also carefully consider transmission of their
data via infrared, since it can be easily intercepted.  Ultimately, I
believe it comes down to imposing safeguards by device type, and enforcing
compliant actions.  In most cases it does mean changing user behavior - not
easy.  You may also need to ban outside portable devices that are not
authorized and tracked.  But one very important point is that you need a
partner who truly understands the vulnerabilities of each device to help you
with policies until they become standardized and template driven.

But at a minimum, I would suggest the following be done to all portable
devices:

        1) Audit their contents frequently to prevent accumulation of PHI.
        2) Set the web browsers to delete their cache on every use (start up or on
           shut down where possible), and keep the cache size very small (<5MB) -
           remember, any web-based application's pages and data can be cached
           (depending upon browser option settings).
        3) Set the browser's advanced settings to "Not save encrypted pages to
           disk"; this prevents SSL/secure pages from being cached to the hard drive
           and later being made visible (should apply to desktops too).
        4) Disable IR transmit and receive from always being ON.  Tell the users to
           use it only when needed and to be careful about PHI, as multiple undetected
           devices can receive it.
        5) ALWAYS employ a power-on password that is unique and different from
           system and network passwords.
        6) In the case of laptops, prohibit Windows 95, 98, and ME - Windows 2000
           and XP at least have a reliable authentication scheme if someone gets
           through the power-on password (such as when your user sets it to "password"
           or tapes it on the screen).
        7) Optionally consider an encrypted folder (under Win 2k or XP) where known
           PHI must be transported.
        8) If using a wireless network, get the best security assessment you can
           afford - don't trust your IT department, their skill set is maintenance, not
           security.

At least if you do these "best practice" activities the risk is
substantially reduced.

Regards,

Dr. Tim McGuinness, Ph.D.
Sr. Compliance Specialist & Solutions Architect
Certified HIPAA Chief Privacy Officer
DynTek Inc.
www.dyntek.com
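
[Editor's note] Items 1 and 2 of the checklist above (audit the device for accumulated PHI, and keep the browser cache under 5 MB) are the two that can be scripted rather than left to user behavior. The script below is an added example written for this page; it is not code from the original post or from any company named in the thread. Everything in it is an assumption made for illustration: the SSN and "MRN" regexes are crude stand-ins for whatever identifier formats a covered entity actually uses, the cache directory names are assumed, the 5 MB figure is carried over from item 2, and the sample "device" it audits is a throwaway directory tree it constructs itself so the example runs offline.

```python
"""Audit a portable device's file tree for accumulated PHI and an oversize
browser cache (checklist items 1 and 2).  Added example, not from the
original post; patterns, thresholds and sample files are assumptions."""
import os
import re
import tempfile
from dataclasses import dataclass, field

CACHE_LIMIT_BYTES = 5 * 1024 * 1024   # the "<5MB" figure from item 2
CACHE_DIR_NAMES = {"Temporary Internet Files", "Cache"}   # assumed names
TEXT_EXTENSIONS = {".txt", ".csv", ".htm", ".html", ".xml", ".log"}

# Crude PHI indicators for illustration only: a US SSN with separators and a
# hypothetical "MRN 12345678" medical record number.  A real covered entity
# would tune these to its own identifier formats.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
}


@dataclass
class AuditReport:
    phi_hits: dict = field(default_factory=dict)        # path -> {name: count}
    oversize_caches: dict = field(default_factory=dict) # path -> size in bytes
    files_scanned: int = 0

    @property
    def clean(self) -> bool:
        return not self.phi_hits and not self.oversize_caches


def _dir_size(path):
    """Total size of all files under path, in bytes."""
    return sum(os.path.getsize(os.path.join(d, f))
               for d, _, files in os.walk(path) for f in files)


def audit_device(root):
    """Walk the device tree, flag text files that look like they hold PHI
    and browser cache directories that have grown past the limit.  Cache
    directories are scanned for PHI too, since cached web pages are exactly
    the item 2 concern."""
    report = AuditReport()
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d in CACHE_DIR_NAMES:
                size = _dir_size(os.path.join(dirpath, d))
                if size > CACHE_LIMIT_BYTES:
                    report.oversize_caches[os.path.join(dirpath, d)] = size
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue   # binaries are skipped; a fuller audit would carve them
            path = os.path.join(dirpath, name)
            report.files_scanned += 1
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            hits = {k: len(p.findall(text)) for k, p in PHI_PATTERNS.items()}
            hits = {k: n for k, n in hits.items() if n}
            if hits:
                report.phi_hits[path] = hits
    return report


def build_sample_device():
    """Construct a throwaway directory tree standing in for a field laptop.
    Contents are made up: one note with identifiers, one harmless file, and
    a browser cache holding a cached web page plus enough data to pass 5 MB."""
    root = tempfile.mkdtemp(prefix="phi_audit_")
    docs = os.path.join(root, "My Documents")
    cache = os.path.join(root, "Temporary Internet Files")
    os.makedirs(docs)
    os.makedirs(cache)
    with open(os.path.join(docs, "visit_notes.txt"), "w") as fh:
        fh.write("Patient MRN: 00481516, SSN 123-45-6789, follow-up Tuesday\n")
    with open(os.path.join(docs, "readme.txt"), "w") as fh:
        fh.write("Nothing sensitive here.\n")
    # A page cached from a web-based application (constructed sample data)
    with open(os.path.join(cache, "labs.htm"), "w") as fh:
        fh.write("<html>Lab results for SSN 987-65-4321</html>\n")
    with open(os.path.join(cache, "blob.bin"), "wb") as fh:
        fh.write(b"\0" * (CACHE_LIMIT_BYTES + 1))
    return root


if __name__ == "__main__":
    rep = audit_device(build_sample_device())
    for path, hits in rep.phi_hits.items():
        print(f"possible PHI in {path}: {hits}")
    for path, size in rep.oversize_caches.items():
        print(f"cache {path} is {size} bytes, over the {CACHE_LIMIT_BYTES} limit")
    print("device is clean" if rep.clean else "device needs cleanup")
```

Run against the constructed tree it reports two files with possible PHI (the visit note and the cached lab page) and one oversize cache directory. The point the checklist makes, and the script shows, is that PHI accumulates in places users never open by hand: the cached page trips the audit just as the deliberately saved note does, which is why items 1 and 2 belong together.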

-----Original Message-----
From: Chris Riley [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 26, 2002 8:31 AM
To: [EMAIL PROTECTED]
Subject: Re: Laptop Security Compliance


All,

I think one of the points being missed here is the role of physical
security.  There is an underlying assumption with an office computer that
part of the access control is supported through the organization's physical
infrastructure (i.e. security guards, photo IDs, video cameras, etc...).
While most organizations also have policies and controls for telecommuters
(VPNs, firewall, machine use, audit trails...), mobile devices need to be
handled differently because there is no assumption that can be made about
the environment they operate in, and therefore, controls that were adequate
in an office or home environment no longer provide the same protection.

With that being said, mobile devices cannot be thought of as just another
telecommuter device.  Certainly, there are several technologies and policy
approaches that can help mitigate these issues which in a controlled
environment may have been thought of as overkill, but in the mobile
environment are very appropriate.  For example, biometrics shows promise,
not as a single authentication solution but as an add-on to the existing
schemes.  Policies (along with audit trails) addressing the types of data
that can be stored on a mobile device can go a long way in addressing data
theft, confidentiality and integrity.  Restricting access based on device
location can also aid in the authentication of the mobile device.

My point being that there are not two categories of computers; there are
several, and to evaluate the types of policies and controls to be used to
protect PHI, one must consider the operating environment of the device.

Chris Riley, CISSP
Information Tool Designers Inc.
Secure Virtual Office Solutions
http://www.info-tools.com/

"Kelly, Lee" wrote:

> I have trouble with a vendor making such claims.
>
> As we all know, HIPAA is all about protecting information regardless of
> where it is used/stored. If their claims were true, then how are the
> thousands of health-care givers who practice tele-medicine, home health
> care services, wireless workstations, and many others going to comply with
> the rules/regs set forth by HIPAA.
>
> If their claim were true then PDAs (portable devices, similar to a laptop
> in that respect), would also have the same issues.
>
> Thank You,
>
> Lee Kelly, CISSP
> Manager, Assessment Services
> Fortrex Technologies
> [EMAIL PROTECTED]
> 1-877-Fortrex - Office
> 1-301-906-6269 - Cell
>
> -----Original Message-----
> From: William Dobson [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 25, 2002 2:06 PM
> To: Jeff Carswell; [EMAIL PROTECTED]
> Subject: RE: Laptop Security Compliance
>
> Encryption on portable devices is recommended to our clients whenever
> there is confidential or proprietary information on them, or when they are
> clients to a more robust VPN solution.
>
> The device can't be HIPAA compliant!  It's the user or organization that
> needs to operate the device in such a way as to remain HIPAA compliant.
> Strong telecommuting policies are also dictated whenever critical or
> sensitive information is ported on PDAs and laptops.   That's industry
> best practice....nothing special to HIPAA.
>
> William H. Dobson, Jr, CISSP
> Federal Business Development
> Information Assurance Assessments
> Trustwave Corporation, Annapolis, MD
> Office 410-573-6910 x 2622
> Cell    301-655-8548
> Fax    410-571-8493
>
> -----Original Message-----
> From: Jeff Carswell [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 24, 2002 9:20 PM
> To: '[EMAIL PROTECTED]'
> Subject: Laptop Security Compliance
>
> Recently our company was visited by a vendor selling a Palm based EMR
> solution and they made the statement, "Under HIPAA there is no way to make
> a laptop compliant if it is being used out in the field".  Can this really
> be true??  If anyone has additional info or links to regs that speak
> directly to this issue it would be greatly appreciated.
>
> Thanks.
>
> Jeff Carswell
> Vice President, Corporate Development
> Affiliated Sante Group
>
> **********************************************************************
> To be removed from this list, go to:
> http://snip.wedi.org/unsubscribe.cfm?list=privacy
> and enter your email address.
