Hospitals Create Security Programs to Safeguard Laptops and Data
The theft of laptop computers and private data is happening nationwide. Hospitals are not exempt, according to recent reports by the news media. For example, at the emergency department of St. Mary’s Hospital in Leonardtown, Md., a laptop used to check in patients was stolen from a desk in February. Patients’ names, Social Security numbers, birth dates and other sensitive information were taken in the theft.
At Allina Hospitals & Clinics in Minneapolis in October 2006, data for 28,000 home-care patients were taken when a password-protected laptop was stolen from an employee’s car. And at Johns Hopkins University in Baltimore, eight data tapes with information for employees and patients went missing in December 2006. They were suspected to have been lost by a courier taking them to be backed up. Lost with the tapes were Social Security numbers and bank data for more than 52,000 current and former employees, as well as personal information for patients.
Although the number of incidents—and risk of patient data being abused—is relatively low, the cost in public relations can be considerable. The community’s confidence and trust in a hospital is shaken when patients’ private and sensitive information is improperly taken from a healthcare facility. The impacted parties are often left feeling alarmed and vulnerable.
That’s the kind of scenario St. Mary’s wanted to minimize when the laptop was taken from its emergency department. Therefore, the hospital warned the community beyond any legal responsibility to do so. “We felt an obligation to share the information,” hospital Vice President Joan Gelrud explains in an April 2007 Health Facilities Management (HFM) article by Jan Greene.
St. Mary’s also retained a credit reporting agency to monitor affected patients’ credit records upon request. “It’s not OK in our estimation to share the information that there’s been a potential breach in your identity but not give people anything to do about it,” Gelrud says.
Fortunately, an actual data breach from a stolen laptop is a relatively improbable occurrence, according to Bryan Warren, a security official with Carolinas HealthCare System, a multihospital system based in Charlotte, N.C. “The target of most thefts is the item being stolen,” Warren says in the HFM article. “There are no grandiose schemes of identity theft,” he says. “They just want to hock it and get the money.”
That’s good news because it represents a security issue that can be adequately addressed through the proper measures. Most hospital security and IT departments have the expertise in house to establish an effective security policy for their mobile devices. Some hospitals have addressed the issue using a multidisciplinary approach.
For example, Carolinas HealthCare System set up a laptop theft prevention task force in October 2006 to include security, IT security, human resources, corporate compliance, HIPAA experts and insurance representatives. “We put together a brain trust to work on how we educate staff on the dangers of unsecured electronic devices,” Warren explains.
Consequently, the organization has included laptop security information for continuing-education employees in mandatory sessions on physical security and corporate compliance. And physical security personnel carry wallet cards to share with the victim of a mobile device theft. The instructional card outlines the procedure to follow to ensure the information technology department, HIPAA specialists and corporate compliance are quickly notified about the incident.
St. Mary’s, on the other hand, created a multidisciplinary group to analyze the theft of its laptop, as well as the security of mobile devices in general. “We learned that while our focus is providing the best patient care possible, there’s a balance between having data at your fingertips and the security of that patient information,” Gelrud says.
As a result of its analyses, St. Mary’s now inventories all visible pieces of technology. Laptops that don’t need to be mobile are physically secured, and there is a restriction on the amount of sensitive data kept on laptops unnecessarily. Additionally, the hospital requires password protection on all mobile devices with sensitive data.
To optimize a security program, according to Warren, it’s essential to plan ahead for the loss of a device. He recommends these two important proactive steps: Have a Web site prepared to go “live” with information for the public, and establish a relationship with a credit reporting service beforehand.
“The time for creative thinking is not on the spot when you find out it happens,” he advises. “Have data breach policies ready to go.”
This article was reproduced for educational purposes from the April 2007 Health Facilities Management Magazine article entitled “Hospitals Take Measures to Secure Laptops—and Private Data” by freelance writer Jan Greene of Alameda, Calif.