DATA SECURITY IN A MOBILE ENVIRONMENT
by Dan Voss - Product Manager
Very few weeks go by without some story in the national news media
about a laptop or backup tape containing lots of personal information
being stolen or lost. As the move to electronic patient care reporting
software continues, there is a growing need for EMS providers to
understand the risks, and the mitigation strategies, for preventing
the loss of personal information. While I will refer to laptops in
this article, the same considerations apply to backup tapes, flash
drives, CDs/DVDs and any other type of removable storage device.
This isn't the first time that the industry has heard about privacy
protection. The industry has been dealing with HIPAA for a number of
years now, and HIPAA has rules about protecting Protected Health
Information (PHI). HIPAA does mandate that providers protect PHI,
but it generally doesn't specify how that PHI must be protected.
There is a new patchwork of laws forming across the country of which
EMS providers need to be aware: the Identity Theft Protection laws.
These laws cover varying pieces of personal identity information,
not just patient identity. Many of them specify not only what must
be protected, but also how it must be protected if a loss of that
data is not to trigger your state's breach-notification requirements.
You likely have only one application that is responsible for storing
PHI on your laptops, but you may have a variety of applications that
store personal information falling under the umbrella of the
identity theft laws.
In general, the Identity Theft laws do not require businesses to do
anything – unless they lose control of data that was in their
possession. The requirements of what must be done once control of
data is lost vary, but most laws require the business to notify the
affected people that their identity information may have been
compromised. If a large group is to be notified, the state may
require that the loss of the data be made public through media
notification. The state may also require credit monitoring be
offered to the people affected.
Complying with these requirements can be expensive and embarrassing.
There are ways to avoid this embarrassment in most states with
Identity Theft laws. Most of these laws waive the notification
requirements if the data is encrypted.
So, is encryption the silver bullet that will kill the possibility
of embarrassment and expensive notification procedures? It may be.
But then the question is, what do you encrypt and how?
Is all of the identity information that you carry in electronic form
in your patient care documentation software?
Do you carry an electronic address book on your laptop or PDA?
A list of names with addresses and birthdates qualifies as
information that should be protected from identity theft.
This type of information can live in documents, spreadsheets, or
other applications outside of the application that you use to
document PHI.
Even if your existing application stores PHI in encrypted form, is
that enough?
If application encryption of data isn’t enough, what can be done?
Data security requires a layered approach.
The first layer is the physical layer. This may sound like common
sense, but don’t leave your laptops in unlocked vehicles. Use
locking docking stations or cable locks to secure the laptop in the
vehicle. This will help prevent the opportunistic smash and grab.
One might assume that the second layer is password protection.
However, the Windows logon password only controls who can log on to
the running operating system; it does nothing to protect the data at
rest. If the purpose of grabbing your laptop is to see the data on
the hard drive, the thief will simply remove the drive and attach it
to another computer, where every file is readable without ever
touching the password on the laptop's operating system. You can
compare this to hotwiring a car: you don't need the keys if you can
hotwire it.
Once the hard drive is removed from the computer, encryption is your
best protection. And, since it’s difficult to know exactly where
personal identity information may be living on your computer, the
most secure method of encryption is to encrypt the whole drive.
Having an encrypted hard drive is similar to having a vehicle that
has a computer chip in the ignition key that must be present for the
car to start. This makes hotwiring the vehicle much more difficult.
The Windows Vista Ultimate and Enterprise editions offer a new
feature called BitLocker that encrypts the system volume. BitLocker
requires either a TPM 1.2 chip on the laptop's motherboard or a USB
startup key that must be inserted at boot, so check the hardware
before you count on it. Note that neither the Vista Business edition
nor any of the Vista Home editions include BitLocker. If Windows
Vista is not a possibility, there are third-party products that can
be purchased to offer similar whole-drive protection.
If you can identify specific folders and files on your laptops that
contain personal identity information you wish to safeguard, then the
Encrypting File System (EFS) option built into Windows 2000, Windows
XP Professional and the Vista Business, Enterprise and Ultimate
editions may be a low/no cost solution. (The Home editions of XP and
Vista do not include EFS.)
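The PowerShell below is an added example, not code from the original article, and ties the BitLocker and EFS paragraphs above to the earlier question of where identity data actually lives on a laptop. It checks whether BitLocker is really protecting the system volume, scans the user's profile for plain-text files that look like they contain Social Security numbers or dates of birth outside the patient-care application, and places those files under EFS, verifying the attribute afterwards. Win32_EncryptableVolume, cipher.exe and System.IO.File.Encrypt are the real Windows interfaces; the scan root, the file types and the regular expressions are assumptions you should adjust for your fleet. It needs PowerShell 2.0 or later, an NTFS volume, an edition that ships EFS, and an elevated prompt.

```powershell
# Added example, not code from the original article.
# Three checks a practitioner would run on an EMS laptop:
#   1. Is BitLocker actually protecting the system volume?
#   2. Which plain-text files outside the ePCR software look like they
#      hold identity data (SSNs, dates of birth)?
#   3. Put those files under EFS and confirm the attribute stuck.
# Needs PowerShell 2.0+, NTFS, an edition that ships EFS, and an
# elevated prompt. $ScanRoot, $TextTypes and $PiiPatterns are assumptions.

# Win32_EncryptableVolume is the BitLocker WMI class (Vista and later).
# ProtectionStatus: 0 = off, 1 = on, 2 = unknown.
function Test-SystemVolumeProtected {
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue |
           Where-Object { $_.DriveLetter -eq $env:SystemDrive }
    if ($null -eq $vol) { return $false }   # class missing = this edition has no BitLocker
    return ($vol.ProtectionStatus -eq 1)
}

$ScanRoot    = $env:USERPROFILE                           # assumption: user data lives here
$TextTypes   = @('.txt', '.csv', '.vcf', '.xml', '.rtf')  # assumption: plain-text formats only
$PiiPatterns = @(
    '\b\d{3}-\d{2}-\d{4}\b',                                   # SSN, e.g. 123-45-6789
    '\b(0?[1-9]|1[0-2])/(0?[1-9]|[12]\d|3[01])/(19|20)\d{2}\b'  # DOB, e.g. 7/4/1965
)

# Return the files under $Root whose contents match any PII pattern.
function Find-IdentityFiles {
    param([string]$Root = $ScanRoot)
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($TextTypes -contains $_.Extension.ToLower()) } |
        Where-Object { Select-String -Path $_.FullName -Pattern $PiiPatterns -Quiet }
}

# Mark each file's folder for EFS (so files created there later inherit it),
# then encrypt the file itself and confirm the Encrypted attribute is set.
function Protect-WithEfs {
    param([System.IO.FileInfo[]]$Files)
    foreach ($file in $Files) {
        try {
            $dirAttr = (Get-Item -LiteralPath $file.DirectoryName).Attributes
            if (($dirAttr -band [IO.FileAttributes]::Encrypted) -eq 0) {
                & cipher.exe /e $file.DirectoryName | Out-Null
            }
            [IO.File]::Encrypt($file.FullName)   # calls the Win32 EncryptFile API (EFS)
            $ok = ((Get-Item -LiteralPath $file.FullName).Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
        } catch {
            $ok = $false                         # FAT volume, Home edition, or no EFS certificate
        }
        "{0}`t{1}" -f $(if ($ok) { 'ENCRYPTED' } else { 'FAILED' }), $file.FullName
    }
}

if (Test-SystemVolumeProtected) { 'BitLocker: system volume protected' }
else { 'BitLocker: NOT protecting the system volume (or not available on this edition)' }

$hits = @(Find-IdentityFiles)
"{0} file(s) under {1} look like they hold identity data" -f $hits.Count, $ScanRoot
if ($hits.Count -gt 0) { Protect-WithEfs -Files $hits }
```

Treat the hit list as something to review rather than a verdict: the patterns only scan plain-text formats (binary .xls and .doc files need their own parser) and will flag some dates and numbers that are not identity data. Two EFS caveats matter in practice. EFS keys are protected by the owning account's logon password, so a weak or shared password undoes it, and copying an EFS-encrypted file to a FAT-formatted flash drive or attaching it to an e-mail produces a plaintext copy. Whole-drive encryption avoids both problems, which is why the article prefers it when the hardware allows.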
Of course, all this effort for encryption is for naught if you do
not protect your passwords. Let's use the car analogy again. If you
leave the keys in the ignition, the car is easy to steal. The same
goes for the data on your computer: even with an encrypted drive, if
the thief knows a valid username and password, the best encryption
technology will not protect your data. Two related cautions: EFS is
only as strong as the password of the account that owns the files,
and a whole-drive product only protects a laptop that is powered off
or hibernated. A laptop stolen while it is logged in, or merely
asleep with the keys still in memory, is no better protected than an
unencrypted one.
In conclusion, if you want to do everything that you can to avoid
being featured on the front page of the newspaper because of data
loss, act on these three things:
- Physically protect your computers
- Require the use of individual user names and complex passwords to
  access your mobile computers and their applications
- Encrypt the data on your mobile computers