American Academy of Ophthalmology Web Site: www.aao.org
Practice Perfect: Information Technology
A Three-Pronged Strategy for Securing Your Practice’s Laptops
If Ann Hulett, CMPE, COE, had her druthers, nobody would be using laptops at the ophthalmic practice where she works. “They create additional risk,” said Ms. Hulett, who is the administrator at an eye care group in Pueblo, Colo., and was last year’s AAOE chairwoman.
For one thing, laptops can easily fall into the wrong hands. If you have patient data on a laptop that is lost or stolen, your practice would be out of compliance with HIPAA. And even when a laptop doesn’t carry patient data, it can still carry other sensitive information, such as employee records, that you wouldn’t want others to see.
But despite these risks, Ms. Hulett found that laptops were hard to keep out of the practice. “We discouraged the use of laptops but [the doctors] want them,” she said. As a result, most of the 13 ophthalmologists and optometrists in her practice have laptops, and two or three are used by administrators.
If laptops are already a reality in your practice, what can you do to keep them, and the precious data that they carry, secure?
This question was put to Ms. Hulett and two information technology (IT) experts—Ted Demopoulos, principal of Demopoulos Associates, a consulting firm in Durham, N.H., and Ken Broeren, senior technology consultant for The Uptime Group in Denver. This trio of experts suggested three broad approaches that you should pursue: 1) physical security, 2) digital security and 3) making sure your practice has strong policies.
Physical Security
The notion of physically securing laptops is essential, said Mr. Demopoulos, but it is so simple that many people overlook it.
In the office. “Start by using locking cables. Even when my laptop is in my office, which is in a professional building, it’s connected with a locking cable because most thefts are opportunistic. If I get up for a minute, [the laptop] can be gone when I get back,” said Mr. Demopoulos.
Mr. Broeren agreed. “It’s no different than using a bike lock, but it’s for your laptop,” he said. “If you have any area that’s not secure, that patients can be in and out of, you don’t want those machines to walk away.” Locking cables for laptops are readily available from office supply stores.
Mr. Broeren also urged vigilance in the office. “Train your staff to question anybody who looks out of place,” he said. “As practices get bigger, there are more and more people in and out of offices and they often don’t get questioned.” Some of those people could be tempted to walk away with one of your laptops.
On the road. Mr. Demopoulos suggested that laptops not be carried in laptop cases but, rather, in briefcases or even backpacks. “A laptop case screams out that you’ve got something expensive and easy to steal,” he said.
Mr. Broeren noted that it is easy to lose a laptop while going through airport security checkpoints. “Keep your eye on it, and also tape your business card to the bottom of the laptop. Many laptops look the same, so it would be easy for somebody else in line to innocently walk off with your laptop from a security checkpoint, thinking it was theirs.”
Other commonsense suggestions include not leaving laptops visible in cars. Rather, put them in the trunk or otherwise keep them out of sight.
And if you are using a laptop in a public place, can people who are nearby see your sensitive data? You can prevent that by using an inexpensive screen overlay, sometimes called a privacy filter. This limits viewing of the screen to those looking directly at it and not those viewing it from an angle. These filters, from vendors like 3M, are available from office supply stores.
Digital Security
Besides physically securing your practice’s laptops, you should secure your data digitally.
Encrypt your data. Encryption scrambles the data so that only someone holding the correct key, which is normally unlocked with a password, can read it. Layering more than one protection reduces your risk. One type is known to technologists as “boot-level” encryption, said Mr. Broeren. “It loads encryption and decryption software when the laptop boots [starts] and you have to provide a password just to get the operating system to load.” In addition to securing the boot process, you can use readily available software to encrypt the contents of the hard drive itself (often called full-disk encryption).
Boot-level protection means that if thieves steal your laptop, they won’t even be able to start the machine up. A boot password on its own, however, does not scramble what is stored on the disk: thieves could take the hard drive out of your laptop and put it in another machine and read it directly. If you have encrypted the hard drive’s contents, they still won’t get a look at your data. Note that this protection applies to a laptop that is powered off or waiting at the password prompt; a laptop stolen while it is running and unlocked is as exposed as an unencrypted one.
Mr. Demopoulos cautions, though, about over-relying on encryption. “Encryption is a good thing, but it can give you a false sense of security,” he said. The encryption is only as strong as the password that unlocks it, and a determined attacker can often guess a weak one.
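The distinction above, a boot password versus actual encryption of the disk contents, is something you can verify rather than take on faith. The following is an added example written for this article, not code from the original page or from any vendor it mentions. It assumes a Linux laptop whose disk encryption is dm-crypt (the usual LUKS setup) and inspects the block-device tree that `lsblk -J` prints: the root filesystem counts as encrypted only if a device of type “crypt” sits somewhere beneath it in the tree. The two lsblk outputs embedded below are constructed samples, one for an encrypted laptop (LVM on top of LUKS) and one for a laptop with a boot password but no encryption. Windows (BitLocker) and macOS (FileVault) report their status through different tools (manage-bde, fdesetup) and are not covered here.

```python
"""Check whether a Linux laptop's root filesystem sits on an encrypted
(dm-crypt / LUKS) block device, by walking the tree that `lsblk -J` prints.

Added example for this article; not code from the page or any vendor it
names. Assumes dm-crypt-based disk encryption on Linux.
"""
import json
import subprocess

# Constructed sample: LVM root volume on top of a LUKS container.
ENCRYPTED_LAPTOP = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}
      ]}
    ]}
  ]}
]}
"""

# Constructed sample: a boot (firmware) password may be set, but the root
# partition is a plain filesystem, so the drive reads fine in another machine.
PLAIN_LAPTOP = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "mountpoint": "/"}
  ]}
]}
"""


def _walk(devices, ancestors=()):
    """Yield (device, chain of device types from the disk down to it)."""
    for dev in devices:
        chain = ancestors + (dev.get("type", ""),)
        yield dev, chain
        yield from _walk(dev.get("children", []), chain)


def root_is_encrypted(lsblk_json: str) -> bool:
    """True if the device mounted at '/' is, or sits beneath, a 'crypt' device.

    Accepts both the older lsblk "mountpoint" key and the newer "mountpoints"
    list. A boot password alone leaves no 'crypt' node, so this returns False.
    """
    tree = json.loads(lsblk_json)["blockdevices"]
    for dev, chain in _walk(tree):
        mounts = dev.get("mountpoints") or [dev.get("mountpoint")]
        if "/" in mounts:
            return "crypt" in chain
    raise ValueError("no device mounted at / in lsblk output")


def main() -> None:
    """Run lsblk on this machine and report the result."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout
    status = "encrypted" if root_is_encrypted(out) else "NOT encrypted"
    print(f"root filesystem is {status}")


if __name__ == "__main__":
    main()
```

Run it on the laptop itself; a practice with several machines can collect the `lsblk -J` output from each and feed it to `root_is_encrypted` to keep a simple inventory of which laptops actually have their data encrypted and which only have a boot password.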
Ms. Hulett said that her practice sidesteps encryption by not permitting laptops to download patient data at all. The practice keeps that data on its server. Its “terminal server” software allows such server-based data to be displayed on the screen of the laptop (or desktop), but the data are never saved on that computer.
Beware of wireless hotspots. Another digital security consideration involves wireless networks, which are commonly used not only within offices, but also at hotspots in coffee shops and airport terminals. (A hotspot is an area where you have wireless access to the Internet.)
These public hotspots typically employ no security at all, which means that your data will be transmitted through the air without encryption unless you deploy security measures yourself. Anyone within radio range can capture such unprotected traffic using freely available tools.
Fortunately, there are solutions to this potentially disastrous security problem. You can use a virtual private network (VPN), which creates a tunnel of encrypted data that runs between a laptop and your practice’s data servers. However, Mr. Broeren noted that VPNs can be expensive to install for small medical practices.
“When people see the costs associated with VPNs, they shy away,” he said. He added, though, that if you use outsourced IT contractors, they will take care of the complexities of installing a VPN.
In addition, there are similar solutions that aren’t as expensive, most notably so-called “for-hire VPNs,” such as HotSpotVPN (www.hotspotvpn.com). For a small monthly or annual fee, these services encrypt the wireless leg between your laptop and the provider’s gateway. Beyond that gateway your traffic travels as it normally would, so they protect you from eavesdroppers at the hotspot but do not give the end-to-end protection of a VPN that runs into your own servers.
At the very least, Mr. Broeren urged practices to adopt policies that forbid use of unsecured e-mail programs and that mandate the use of secure Web sites when using a wireless hotspot. You can tell a Web site is using encryption because its address begins with https:// and the browser displays a padlock icon (at the bottom of the window in older browsers, in the address bar in newer ones).
Mr. Broeren also added that a firewall running on the laptop itself can make it difficult for intruders on the same wireless network to reach your laptop and the contents of its hard drive. The firewall at your office does not protect a laptop that is sitting in a coffee shop.
Strong Policies for Laptop Use
The third way to secure laptops is to develop strong policies about their use and educate end users about those policies.
“HIPAA requires the types of security policies and the security measures [for laptops] we’ve been talking about, and they should be documented in the plan,” said Mr. Demopoulos. “This doesn’t have to be a long document.” It could be one sheet of paper that covers laptop use, and all employees that use a laptop should read it and sign it, he said.
The policy preferably should forbid use of personal laptops for business purposes, since such equipment is harder to manage and control, said Mr. Broeren.
In addition, the policy should include standards for encryption and passwords, such as password length and complexity. Setting password standards can be a tricky issue, since users often respond to long, complicated passwords by writing them down and storing them in their laptop case. “If you leave a password in a laptop case, you’ve given it all away,” said Mr. Broeren. “So you have to balance your policy between the ease of remembering the password and its strength.”
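The trade-off Mr. Broeren describes can be written into the policy as two acceptable forms rather than one: a shorter password that uses several character classes, or a longer passphrase of ordinary words that is easy to remember and hard to guess. The following is an added example for this article, not code from the page or from the practice it describes. The thresholds (12 characters with at least three character classes, or a passphrase of four or more words) and the 7,776-word list size used for the passphrase estimate (the size of a standard Diceware list) are assumptions chosen for illustration; the strength numbers it prints are upper bounds that assume the password or words were picked at random, which real users rarely do.

```python
"""Password policy check with two acceptable forms (complex password or
multi-word passphrase) and a rough strength estimate for each.

Added example for this article, not the practice's own policy. Thresholds
and the word-list size are illustrative assumptions.
"""
import math
import string
from typing import Tuple

MIN_COMPLEX_LEN = 12          # assumed policy threshold
MIN_PASSPHRASE_WORDS = 4      # assumed policy threshold
DICEWARE_WORDS = 7776         # size of a standard Diceware word list

_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def _is_passphrase(pw: str) -> bool:
    """Two or more whitespace-separated words made only of letters."""
    words = pw.split()
    return len(words) >= 2 and all(w.isalpha() for w in words)


def character_classes(pw: str) -> int:
    """Number of character classes (lower, upper, digit, punctuation) present."""
    return sum(any(c in cls for c in pw) for cls in _CLASSES)


def estimated_bits(pw: str) -> float:
    """Upper-bound entropy estimate.

    A passphrase is scored per word, as if each word were drawn at random from
    a 7,776-word list; anything else is scored per character over the
    alphabet of the classes it actually uses. Both assume random choice, so
    real-world values are lower.
    """
    if _is_passphrase(pw):
        return len(pw.split()) * math.log2(DICEWARE_WORDS)
    alphabet = sum(len(cls) for cls in _CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw: str) -> Tuple[bool, str]:
    """Return (accepted, reason) under the illustrative policy."""
    if _is_passphrase(pw) and len(pw.split()) >= MIN_PASSPHRASE_WORDS:
        return True, "passphrase of %d words" % len(pw.split())
    if len(pw) >= MIN_COMPLEX_LEN and character_classes(pw) >= 3:
        return True, "complex password, %d character classes" % character_classes(pw)
    return False, "too short or too few character classes"


if __name__ == "__main__":
    # Constructed samples; none of these should be used as a real password.
    for candidate in ("password", "Tr0ub4dor&3", "Tr0ub4dor&31",
                      "correct horse battery staple"):
        ok, why = check_password(candidate)
        print("%-30s %-8s %5.1f bits  %s" % (
            repr(candidate), "accept" if ok else "reject",
            estimated_bits(candidate), why))
```

The point the numbers make is that a four-word passphrase (about 52 bits under these assumptions) lands in the same range as a 12-character password mixing four character classes (about 79 bits) while being far easier to remember, which is exactly the balance the policy is trying to strike; an eleven-character complex password fails only on length, and a plain dictionary word fails on both counts.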
The bottom line, all three agreed, is that it is not enough to focus on just one approach. Rather, all three approaches—physical security, digital security and usage policies—must be combined to minimize the risk of not only losing laptops but also of losing the valuable, and HIPAA-regulated, data they can carry.
Visit the EyeNet archives at www.eyenetmagazine.org/archives for three additional articles on data security: