Look for similar articles under these categories: 

• College Health,
• Electronic Medical Record,
• EMR,
• HealthCare IT,
• HIPAA General,
• Medical Privacy

8 responses to "Lost Laptop with Patient Names, Treatment Summaries and Other PHI"

1. # Mike Duffy commented on June 21st, 2009:

   The best solution I’ve found is full-disk encryption with a hardware USB key + password. Without the key and the password (something you have + something you know), the laptop is just a brick.

   We used this technology when sending nurse reviewers into the field to conduct chart audits.

   Even full-disk encryption with a strong password is a good solution, e.g. Microsoft BitLocker under Vista:
   http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption.

   Like backing up your data, laptop security isn’t particularly hard, but not many people do it.

2. # Don Easton commented on June 21st, 2009:

   It should be a legal requirement that all portable computing devices have the functionality of remote wiping. Pretty easy to implement. In fact, Exchange Server can do that to PDA devices, if I recall correctly. But, I agree that the use of an EMR or ASP would eliminate the risk of this occurring. Either way, it is uncalled for and should be a non-issue in this day and age. And WHY was the computer left in the car?

3. # John commented on June 21st, 2009:

   Mike,
   I’ve worked with some of the USB hardware keys before and have always been concerned about losing the hardware key and then being up a creek. Certainly nice encryption is an option as well.

   The comparison to backups is a good one. Only major difference being that people think they’re backups are running. Most people haven’t thought about losing a laptop.

4. # Larry commented on June 22nd, 2009:

   Our company has a product the is USB based key that provides storage, virtual desktop, etc as well as portable apps aimed at the PHR and EMR marketplace. The device has biometric and/or password authenication, 256 bit AES encryption, plus support certificates /PKI and can be remotely managed once the device is inserted to a web connected device. Even if the device is lost or stolen, there is virtually no chance at compromise due to the encryption and authenication components. Certainly would make sense in this application.

5. # Dugolo commented on June 22nd, 2009:

   There’s some really cool technology that’s been coming out in recent laptops that will allow you to remotely wipe out the laptop if it ever gets connected to a network.

   Remote wipe doesn’t get an organization out of notification because the data could have been accessed before the computer connected to the internet. Since you can’t be sure, you have to report the data breach, and the remote wipe capability becomes less valuable. Whole-disk encryption is the only way out of data breach notification for laptop losses.

6. # John commented on June 22nd, 2009:

   Larry,
   That sounds really interesting. The best part is the remote management of the device I think. I’d like to learn more about how the remote management works.

7. # John commented on June 22nd, 2009:

   Dugolo,
   Thanks for pointing it out. I had the same thought. However, wiping it will still give some comfort to those that are notified that there was less risk of it getting out. Especially since the computer is certainly password protected. Plus, the technology can help you recover the laptop in many cases as well.

   Certainly encryption is the way to go, but even better than that is my first concept of storing no PHI on the laptop in the first place. That’s the beauty of an EMR.

8. # Larry commented on June 23rd, 2009:

   Thanks John for the interest in the management functionality question.
   To give you a high level overview of the management functionality, our product can be either a single use device where one person provides his/her personal authentication, once set-up, through biometric (finger) or password or both. However to take full advantage of the level of security, an administrator can provision, configure, and support the device or groups of devices depending on the rollout. Some of the management features are:
   • Automated sync tool for backup of records and updates to apps when connected to web
   • PHR app is a zero footprint which leaves no trace on host PC
   • Ability to securely deliver communications from payer/provider when part of a plan/group/etc.
   • Admins can tailor security policies and device behavior to different end user needs
   • Use of credentials such as digital certificates and soft tokens (RSA) to provide an additional layer of security when part of a larger EHR group/plan/organization.
   • Admin roles can be separated to provide proper delegation of management duties as a heighten level of security. For example, separate admin for configuration, certificate authority, and device issuance is possible.
   • Capable of tracking a complete history of any administrative activities, user activities, security policies, and state of each individual device for audit and compliance requirements.
   • Admins can create queries based on username, device serial number, or certain issuance parameters to get information about the devices in the system.
   • Remote administrative device recovery option in the event of lost, damaged, or inoperable device
   • Optional data destruction after multiple failed authentication attempts or in the event the device is lost or stolen. If the lost or stolen device is inserted into a computer connected to a live web connection, the device beacon will alert home server which will issue the command to destroy data
   Our focus when we looked at the development around a portable device for PHR and data storage, our attempt was to leverage a device which will provide the best in security as well as utilizing an industry platform. Our product is intended to be an alternate to web based solutions when security is a real concern.