
There has been much debate about the security of endpoint devices such as tablet PCs, desktops, and laptops where web-based EMR packages are used. It is easy to fall into a false sense of security by assuming that because an EMR or PMR app is web-based, data-at-rest encryption such as whole disk encryption is not required, since no data is stored locally. However, consider these possible scenarios:
- Protected health information (PHI) is exported from an EMR, practice management, or even an accounting app and is stored locally in a text file or a Microsoft Office document.
- If you use mainframes with terminal emulators, a user could do a “print screen” and save the image locally.
- E-mail attachments containing PHI could be saved locally.
- Web browser temp and cookie files could contain clues about how data is accessed and retrieved.

- E-mail clients that have a local store could be used. The local store, such as a personal folder (.pst) file in Microsoft Outlook, could contain PHI. Also, in a Microsoft Exchange environment the end user could inadvertently enable the AutoArchive feature, which stores older content locally on the computer in a .pst file.
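
To see how much of this residue actually sits on a given endpoint, the following Python script (an added example, not part of the original post) walks a directory tree and groups the file types from the scenarios above by category. The extension-to-category map, the `.ost` entry, and the sample file names are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumed extension map for the scenarios listed above (not from the post).
CATEGORIES = {
    "mail_store": {".pst", ".ost"},            # Outlook local stores / AutoArchive
    "export": {".txt", ".csv", ".doc", ".docx", ".xls", ".xlsx"},
    "screenshot": {".png", ".bmp", ".jpg"},    # "print screen" captures
    "saved_message": {".msg", ".eml"},         # saved e-mail and attachments
}

def classify(path):
    ext = path.suffix.lower()                  # match .PNG and .png alike
    return next((c for c, exts in CATEGORIES.items() if ext in exts), None)

def inventory(root):
    """Walk root and return {category: [(relative_path, size_bytes), ...]}."""
    root = Path(root)
    found = {}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = Path(dirpath) / name
            category = classify(path)
            if category is None:
                continue
            try:
                size = path.stat().st_size
            except OSError:
                continue  # file vanished or is locked; skip it
            found.setdefault(category, []).append(
                (path.relative_to(root).as_posix(), size))
    return {c: sorted(items) for c, items in found.items()}

def demo():
    """Inventory a constructed sample profile built in a temporary directory."""
    sample = {  # constructed file names and contents
        "Documents/Outlook Files/archive.pst": b"x" * 2048,
        "Desktop/patient_export.csv": b"mrn,name\n",
        "Pictures/terminal_screen.PNG": b"\x89PNG",
        "Downloads/lab_result.msg": b"msg",
        "AppData/app/settings.ini": b"[ui]\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in sample.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return inventory(tmp)
```

Calling `inventory()` on a real user profile directory gives a per-category list of files that would be readable on a lost or stolen device without disk encryption.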
In a recent Advance for HIM article entitled “Are you Secured”, Daniela Crivianu-Gaita, chief information officer at The Hospital for Sick Children, Toronto, writes:
“Facilities can opt to encrypt parts of their IT system, but full-disk encryption ensures the organization is covered in the event of a breach. “Temporary files created by various applications, the operating system swap file and hidden partitions may contain sensitive data,” said Daniela Crivianu-Gaita, chief information officer at The Hospital for Sick Children, Toronto. “Full-disk encryption is the only approach that assures all the data on the local hard disks is encrypted.”
The point is that just because a web-based EMR or other app is used in your environment, it doesn’t mean that data-at-rest protection should be ignored. Installing whole disk encryption to protect data at rest could provide peace of mind and protection against unwanted breach notification should that device be lost or stolen. With the strict enforcement of breach notification rules coming to fruition in February, 2010, it’s better to be safe than sorry by implementing encryption as specified in the HITECH Act within ARRA.
