If an organization chooses to allow PHI to be stored on the I would suggest looking at a method of protecting that data in storage as well. The reality is that laptops are lost, stolen, or left unattended all the time. With enough time any password can be broken.

Jeffrey D. Blevens
Project Manager
National HIPAA Team
KPB-9
Phone: 503-813-4139
Fax: 503-813-2433



"Eddie G. Anderson" <[EMAIL PROTECTED]>
04/24/02 08:13 PM
Please respond to eddiea

To: "Jeff Carswell" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
cc:
Subject: RE: Laptop Security Compliance



Jeff:

Not true based on the proposed security rule. There is actually NO language
specific to laptops, mobile computers or "in the field", only to the type of
communications network. In fact, in the Background section it states that
the rule shall:
"7. Be technologically independent of the computer platforms and
transmission protocols used in electronic health transactions, except when
they are explicitly part of the standard." A laptop used "in the field" (I
assume a standalone PC) would actually be one of the easiest scenarios with
which to comply. You only need to be password protected (application),
physical control of media (i.e. don't leave your laptop unattended), audit
controls for data and employ auto logoff (notwithstanding the normal
awareness, training and documentation requirements). I have no idea what
your vendor was getting at. I hope he/she was not even inferring that the
PDA was more secure than, or even as secure as, a laptop, but that is not really the
issue. The type of network the device is communicating with (let's assume a
wireless connection to a LAN/WAN network with internet access) dictates your
level of compliance issues, NOT the type of device.

Closed Network - Where the network is via dedicated lines owned or
controlled by the entity and not connected to any "public" network, the
following must be in place:
  Integrity Controls (ensure the validity of the data)
  Message Authentication (received matches sent)
  One of the following:
    Access Controls (already required)
    Encryption

Open or Public Network (internet) - Where the network is open (e.g., shared
data line, Internet, switched WAN), then the following must be in place:
  Alarm (IDS)
  Audit Trail
  Entity and User Authentication
  Event Reporting
  Encryption

FYI: I personally would employ some encryption beyond WEP for the wireless
part. Also, any mobile device raises some physical security concern (i.e.
leaving it unattended), but so does leaving the back entrance to the
office/clinic/hospital unlocked.

Eddie G. Anderson
204 Blue Crab Cove
Emerald Isle, NC 28594
Phone 252-354-5111
Fax 866-286-8038
email [EMAIL PROTECTED]

-----Original Message-----
From: Jeff Carswell [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 24, 2002 9:20 PM
To: '[EMAIL PROTECTED]'
Subject: Laptop Security Compliance


Recently our company was visited by a vendor selling a Palm-based EMR
solution and they made the statement, "Under HIPAA there is no way to make a
laptop compliant if it is being used out in the field". Can this really be
true?? If anyone has additional info or links to regs that speak directly
to this issue it would be greatly appreciated.

Thanks.

Jeff Carswell
Vice President, Corporate Development
Affiliated Sante Group

**********************************************************************
To be removed from this list, go to:
http://snip.wedi.org/unsubscribe.cfm?list=privacy
and enter your email address.