The least safe place to locate a computer loaded with personally identifiable patient health information is outside the protective walls of a clinic, hospital or office. In home care and hospice, the nature of the service dictates that computers — laptop, tablet or handheld — be located outside the office most of the time.
This makes home care computers especially vulnerable to theft and today’s thieves target mobile computers. Just last week, Kaiser Permanente was forced to acknowledge another laptop theft and may have to absorb the expense of another massive round of patient notifications, as required by HIPAA privacy and security regulations. The employee who took the mobile computer home, undoubtedly hoping to catch up on work, has very likely already applied for unemployment benefits.
In data security, as in health care, prevention is far more effective than cure. If you carry patient information in electronic form around the world or around the block, these 9 practices can help keep your mobile computer more secure, and maybe save your job.
1. Avoid using computer bags that look like computer bags.
Computer bags can make it obvious that you are carrying a laptop. Instead, try toting your laptop in something more common like a padded briefcase or suitcase. No self-respecting thief is likely to break into your car to search through a childish or ridiculous-looking bag.
2. Never leave access numbers or passwords in your carrying case.
You would not leave your car keys in the ignition or house keys on the front porch. Storing your mobile computer’s password in the bag with your mobile computer makes it as easy to access patient health information as it was to steal the computer.
3. Carry your laptop with you
As many computers are stolen during a “quick” run into a store or lab as are stolen from cars parked for hours in mall parking lots. If you cannot take your laptop with you, at least lock it in the trunk or hide it under a seat. A telltale computer bag lying on the front seat is an open invitation to a thief.
4. Encrypt your data
If your mobile computer does go missing, encryption provides another layer of protection to the passwords you use to prevent unauthorized access to the operating system and your point-of-care application. Use the encryption system that comes with Windows XP, Vista, and Windows 7 or purchase a third-party alternative. Remember, simple encryption will keep out an amateur thief for a long time but only slow down a skilled hacker. Typically, the original thief sells the computer to someone else within an hour of the theft and rarely bothers with its data. It is the next “owner” your encryption must slow down, even block from accessing patient data. See Step #7 for what to do to protect against the professional hacker, for whom encryption systems are merely a minor annoyance.
5. Keep your eye on your laptop
When you go through airport or hospital security, or leave your coffee house table to refill your latté, do not lose sight of your bag. Hold your computer bag until the person in front of you has gone through the airport or hospital metal detector. Many bags look alike and can be accidentally or intentionally switched in the security shuffle. If you are in the habit of catching up on charting and other paperwork over a $5 cup of coffee, carry your computer with you to the coffee refill urn or select a table near the refill station. It only takes a watchful thief a second or two to get your bag out the coffee shop door.
6. Avoid setting your laptop on the floor
Putting your laptop on the floor is an easy way to forget or lose track of it. If you have to set it down in a restaurant, library, lab or physician’s waiting room, try to place it between your feet or against your leg so you feel it if it moves.
7. Buy a laptop security device
If you need to leave your laptop in a room or at your desk, use a laptop security cable to securely attach it to a heavy chair, table, or desk. The cable makes it more difficult for someone to take your laptop. There are also software security systems that will report the physical location of a stolen laptop and automatically erase patient data files the second someone hacks through your password. They come to life when the laptop connects to the Internet. If reported stolen, the security software uploads and then deletes pre-selected files and reports the IP address the thief is using. One such tracing program is ComputracePlus from Absolute Software. For our most recent detailed report on these kinds of products, see http://homecaretechreport.com/article.php?id=910
8. Use a screen guard
These guards help prevent people from peeking over your shoulder as you work on sensitive information in a public place. This is especially helpful when traveling or working in a crowded area. There are many brands, including the one from 3M you have seen advertised on TV. Type “laptop screen guard” into Google or Amazon to find dozens from which to choose.
9. If you travel out of town with your mobile computer
Theoretically, hotel staff are the only ones able to access your room when you are away. With today’s electronic key cards that log room entiries by card owner name, thefts by staff are rare because they are so easily traced. They are not unheard of, however. Think of the stories you have probably heard of hotel guests checking in who were mistakenly given the key to an occupied room.
Regardless, there is no reason to travel with a laptop that stores patient information. It is bad enough home care clinicians must travel around town with them. There is no excuse for taking them out of town. Having said that, there are two things to do to protect other mobile computers, those without patient information, while in a hotel. Take it with you when you leave the room or, if you must leave it in your room, at least put the “do not disturb” sign on the door. An unmade bed is a small price to pay.
What to do if your laptop is stolen
- Change your network password to help secure access to corporate servers.
- Report the theft to local authorities (police, etc.) and to your company’s IT department or your direct supervisor. (You should know your agency’s reporting protocol policy.)
- If patient data was on the laptop, contact your account representative, legal representative, or appropriate person at your company so they can take the appropriate actions. Every day a potential HIPAA breach admission is delayed raises enforcement agency suspicions.
