Security

Hospitals take measures to secure laptops—and private data
By Jan Greene

Judging by the news headlines, it seems that every day another laptop or data tape is stolen from a company. And hospitals are not immune to this trend:

• A laptop used to check in patients at St. Mary’s Hospital’s emergency department in Leonardtown, Md., was stolen from a desk in February. It contained names, Social Security numbers and birth dates for patients.

• A password-protected laptop was stolen from the car of an employee of Allina Hospitals & Clinics in Minneapolis in October 2006. It contained data for 28,000 patients receiving home care.

• Eight data tapes containing information for both employees and patients at Johns Hopkins University in Baltimore went missing in December 2006, believed to have been lost by a courier taking them to be backed up. The tapes included Social Security numbers and bank data for more than 52,000 current and former employees, and some personal information for patients.

• Seton Hospitals in Texas were unlucky enough to suffer two laptop thefts in February, one from a secure office and another from a staff member’s locked vehicle. Both contained personal information on patients, including Social Security numbers.

While the actual number of cases—and risk of patient data being misused—is relatively low, the cost in public relations can be quite high. The community’s trust in a hospital is at stake when patients’ personal medical information and Social Security numbers get out of a hospital’s grasp.

That was a major concern for St. Mary’s, which was determined to alert the community beyond any legal requirement to do so. “We felt an obligation to share the information,” explains hospital Vice President Joan Gelrud. St. Mary’s also invested in a credit reporting agency that would monitor affected patients’ credit records upon request. “It’s not OK in our estimation to share the information that there’s been a potential breach in your identity but not give people anything to do about it,” she says.

Each of these organizations had to go through an extensive public relations effort after the loss. They notified affected patients and employees directly, and in most instances also provided extensive information about the problem on their Web sites. Typically, the hospitals also offered affected patients access to credit reporting agencies to make sure their credit security had not been compromised.

Hospital officials can take comfort in the fact that an actual data breach from a stolen laptop is relatively unlikely. “The vast majority of thefts have been for the item itself,” says Bryan Warren, a security official with Carolinas HealthCare System, a multihospital system based in Charlotte, N.C. “There are no grandiose schemes of identity theft. They just want to hock it and get the money.” So far, Carolinas HealthCare has not experienced any big security breaches.

Setting up a good mobile device security policy is not just a matter for the security and IT departments to work out. It’s actually an issue that can be handled well by a multidisciplinary committee, some hospitals have found.

At Carolinas HealthCare System, a laptop theft prevention task force was set up in October 2006 and included security, IT security, human resources, corporate compliance, HIPAA experts and insurance representatives.

“We put together a brain trust to work on how we educate staff on the dangers of unsecured electronic devices,” explains Warren.

As a result, the organization has added laptop security information to continuing education for employees in mandatory sessions on physical security and corporate compliance. Physical security personnel carry wallet cards they can give to the victim of a mobile device theft; the cards detail the steps to take to ensure the incident gets reported rapidly to the information technology department, HIPAA specialists and corporate compliance.

For St. Mary’s, the multidisciplinary group got together after the laptop theft to carry out a root-cause analysis of the case, and broadened it to analyze mobile device security in general.

“We learned that while our focus is providing the best patient care possible, there’s a balance between having data at your fingertips and the security of that patient information,” Gelrud says. Among the changes made as a result: making an inventory of every visible piece of technology, physically securing laptops that don’t need to be mobile and reducing the amount of sensitive data kept on laptops unnecessarily. One more safeguard: St. Mary’s is now requiring password protection on mobile devices that have sensitive data.

Planning ahead for the loss of a device is vital, Warren says. He suggests having a Web site designed and ready to go up that details information for the public, and establishing a relationship with a credit reporting service ahead of time. “The time for creative thinking is not on the spot when you find out it happens,” he advises. “Have data breach policies ready to go.”

By Jan Greene, an Alameda, Calif.-based freelance writer.

Specific ways to secure sensitive data:

  • Educate employees about data security and how to secure a mobile device;
  • Encrypt patient data and use password protection on devices;
  • Keep sensitive data on a network and not on a laptop’s hard drive; and
  • Consider using mobile-specific security products that can track a stolen laptop’s location as soon as it is turned on.
