Given the inherent security weaknesses of the consumer versions of Windows (e.g., 95, 98, ME), I'm wondering what the consensus is within healthcare for whether these systems need to be upgraded to meet compliance requirements. Any thoughts?

Thanks,
Paul Singleton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 29, 2002 3:06 PM
To: [EMAIL PROTECTED]
Subject: RE: Laptop Security Compliance

I completely agree that portable devices that are physically removed from the covered entity's secure space need to be treated with special consideration. Each type of device must be carefully considered and special policies and procedures developed. At a minimum, power-on passwords are a must. Additionally, encrypting all PHI data on the device is also a must. For example, I have seen recent reports of over 20,000 lost PDAs (Palms) found just last year in the Atlanta airport, and similar numbers of lost laptops. PDA owners must also carefully consider transmission of their data via infrared, since it can be easily intercepted.

Ultimately, I believe it comes down to imposing safeguards by device type, and enforcing compliant actions. In most cases it does mean changing user behavior - not easy. You may also need to ban outside portable devices not authorized and tracked. But one very important point is that you need a partner who truly understands the vulnerabilities of each device to help you with policies until they become standardized and template driven.

But at a minimum, I would suggest the following be done to all portable devices:

1) Audit their contents frequently to prevent accumulation of PHI.
2) Set the web browsers to delete their cache on every use (start up or on shut down where possible), and keep the cache size very small (<5MB) - remember, any web-based application's pages and data can be cached (depending upon browser option settings).
3) Set the browser's advanced settings to "Not save encrypted pages to disk"; this prevents SSL/secure pages from being cached to the hard drive and later being made visible (should apply to desktops too).
4) Disable IR transmit and receive from always being ON. Tell the users to use it only when needed and to be careful about PHI, as multiple undetected devices can receive it.
5) ALWAYS employ a power-on password that is unique and different from system and network passwords.
6) In the case of laptops, prohibit Windows 95, 98, and ME - Windows 2000 and XP at least have a reliable authentication scheme if someone gets through the power-on password (such as when your user sets it to "password" or tapes it on the screen).
7) Optionally consider an encrypted folder (under Win 2k or XP) where known PHI must be transported.
8) If using a wireless network, get the best security assessment you can afford - don't trust your IT department; their skill set is maintenance, not security.

At least if you do these "best practice" activities the risk is substantially reduced.

Regards,
Dr. Tim McGuinness, Ph.D.
Sr. Compliance Specialist & Solutions Architect
Certified HIPAA Chief Privacy Officer
DynTek Inc.
www.dyntek.com

-----Original Message-----
From: Chris Riley [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 26, 2002 8:31 AM
To: [EMAIL PROTECTED]
Subject: Re: Laptop Security Compliance

All,

I think one of the points being missed here is the role of physical security. There is an underlying assumption with an office computer that part of the access control is supported through the organization's physical infrastructure (i.e., security guards, photo IDs, video cameras, etc.). While most organizations also have policies and controls for telecommuters (VPNs, firewalls, machine use, audit trails...), mobile devices need to be handled differently because there is no assumption that can be made about the environment they operate in, and therefore controls that were adequate in an office or home environment no longer provide the same protection. With that being said, mobile devices cannot be thought of as just another telecommuter device.

Certainly, there are several technologies and policy approaches that can help mitigate these issues where in a controlled environment they may have been thought of as overkill, but in the mobile environment are very appropriate. For example, biometrics shows promise - not as a single authentication solution but as an add-on to the existing schemes. Policies (along with audit trails) addressing the types of data that can be stored on a mobile device can go a long way in addressing data theft, confidentiality and integrity. Restricting access based on device location can also aid in the authentication of the mobile device. My point being that there are not two categories of computers, there are several, and to evaluate the types of policies and controls to be used to protect PHI, one must consider the operating environment of the device.

Chris Riley, CISSP
Information Tool Designers Inc.
Secure Virtual Office Solutions
http://www.info-tools.com/

"Kelly, Lee" wrote:

> I have trouble with a vendor making such claims.
>
> As we all know, HIPAA is all about protecting information regardless
> of where it is used/stored. If their claims were true, then how are
> the thousands of health-care givers who practice tele-medicine, home
> health care services, wireless workstations, and many others going to
> comply with the rules/regs set forth by HIPAA.
>
> If their claim were true then PDAs (portable device, similar to a
> laptop in that respect) would also have the same issues.
>
> Thank You,
>
> Lee Kelly, CISSP
> Manager, Assessment Services
> Fortrex Technologies
> [EMAIL PROTECTED]
> 1-877-Fortrex - Office
> 1-301-906-6269 - Cell
>
> -----Original Message-----
> From: William Dobson [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 25, 2002 2:06 PM
> To: Jeff Carswell; [EMAIL PROTECTED]
> Subject: RE: Laptop Security Compliance
>
> Encryption on portable devices is recommended to our clients whenever
> there is confidential or proprietary information on them, or when they
> are clients to a more robust VPN solution.
>
> The device can't be HIPAA compliant! It's the user or organization
> that needs to operate the device in such a way as to remain HIPAA
> compliant. Strong telecommuting policies are also dictated whenever
> critical or sensitive information is ported on PDAs and laptops. That's
> industry best practice... nothing special to HIPAA.
>
> William H. Dobson, Jr, CISSP
> Federal Business Development
> Information Assurance Assessments
> Trustwave Corporation, Annapolis, MD
> Office 410-573-6910 x 2622
> Cell 301-655-8548
> Fax 410-571-8493
>
> -----Original Message-----
> From: Jeff Carswell [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 24, 2002 9:20 PM
> To: '[EMAIL PROTECTED]'
> Subject: Laptop Security Compliance
>
> Recently our company was visited by a vendor selling a Palm based EMR
> solution and they made the statement, "Under HIPAA there is no way to
> make a laptop compliant if it is being used out in the field". Can this
> really be true?? If anyone has additional info or links to regs that
> speak directly to this issue it would be greatly appreciated.
>
> Thanks.
>
> Jeff Carswell
> Vice President, Corporate Development
> Affiliated Sante Group
>
> **********************************************************************
> To be removed from this list, go to:
> http://snip.wedi.org/unsubscribe.cfm?list=privacy
> and enter your email address.
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.
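Dr. McGuinness's list above asks for two things that can be checked mechanically: audit a portable device's contents frequently so PHI does not accumulate (item 1), and confine any PHI that must travel to a designated encrypted folder (item 7). The script below is an added example of such an audit; it is not code from the thread or from any of the participants or companies named in it. The PHI indicator patterns, the `encrypted/` folder prefix, and the sample file contents are all constructed assumptions for illustration, not anything the thread specifies.

```python
"""Added example (not from the mailing-list thread): a small PHI-accumulation
audit for the files on a portable device. The indicator patterns, the allowed
'encrypted/' prefix and the sample files are constructed assumptions."""
import os
import re
from typing import Dict, List, Tuple

# Heuristic indicators that a file may hold PHI. Constructed for this example;
# a real deployment would tune these to its own record formats.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{2,4}",
                      re.IGNORECASE),
    "diagnosis": re.compile(r"\b(?:diagnosis|ICD-?9|ICD-?10)\b", re.IGNORECASE),
}


def find_phi_indicators(text: str) -> List[Tuple[str, str]]:
    """Return (indicator name, matched text) pairs found in one file's contents."""
    hits: List[Tuple[str, str]] = []
    for name, pattern in PHI_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((name, match.group(0)))
    return hits


def audit_files(files: Dict[str, str],
                allowed_prefix: str = "encrypted/") -> Dict[str, List[Tuple[str, str]]]:
    """Flag files that look like they contain PHI but sit outside the designated
    encrypted folder (item 7). Files under allowed_prefix are permitted and are
    not reported; any other file with at least one indicator hit is."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for path, content in files.items():
        hits = find_phi_indicators(content)
        if hits and not path.startswith(allowed_prefix):
            findings[path] = hits
    return findings


def audit_directory(root: str,
                    allowed_prefix: str = "encrypted/") -> Dict[str, List[Tuple[str, str]]]:
    """Walk a real folder (e.g. the device's user profile) and audit every
    readable file as text; paths are reported relative to root with '/' separators."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    files[rel] = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the audit
    return audit_files(files, allowed_prefix)


# Constructed sample "device contents": relative path -> file text. Not real records.
SAMPLE_FILES = {
    "encrypted/visit_notes.txt": "Patient MRN: 1234567, DOB: 04/12/1961, diagnosis: hypertension",
    "Downloads/schedule.txt": "Meeting at 3pm with the vendor.",
    "temp/export.csv": "name,ssn\nJane Doe,123-45-6789\n",
}

if __name__ == "__main__":
    # Only temp/export.csv is reported: the visit notes hold PHI but live in the
    # permitted encrypted folder, and the schedule contains no indicators.
    for path, hits in audit_files(SAMPLE_FILES).items():
        labels = ", ".join(sorted({name for name, _ in hits}))
        print(f"PHI outside encrypted folder: {path} ({labels})")
```

Run against a real profile with `audit_directory("/path/to/profile")`; anything reported is either PHI that should have been deleted after use (item 1) or PHI that should have been moved into the encrypted folder (item 7). The patterns are deliberately simple, so treat a hit as a prompt for a human review rather than as proof.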
