Laptop and desktop computers are typically used as platforms for data entry of protected health information. Covered entities use traditional software like Microsoft Office, e-mail software like Microsoft Outlook, electronic health record (EHR), charting, and scripts applications. All of these applications could be storing protected health information on the local computer.

There are many vulnerabilities to protected health information (PHI) on these systems. Some commonly overlooked vulnerability points are web browsers that store information locally on the computer, USB devices that can easily be connected to computers to copy data, and even old, deleted files that are easily recoverable with rudimentary tools available today.

The security of protected health information is greatly dependent on the security of the least common denominator of technology, and those devices are usually the ones people use the most. Technologies exist today that can easily mitigate threats to the privacy and security of protected health information. Multiple approaches can be taken to protect PHI. Encrypting entire hard drives using whole disk encryption will prevent contents from being viewed by unauthorized individuals in case a computer is lost or stolen. Secondary access controls like smart cards, two-factor authentication tokens, and biometrics implemented to secure endpoints can significantly mitigate the risk of unauthorized access to PHI.

The key to making security technologies work is that they need to be transparent to the end user, yet secure enough to protect information properly. The technologies need to be easy to manage so that they are less prone to human error. It is important to take these factors into consideration when deciding on the best solution for your organization.

The HITECH Act, as part of the American Recovery and Reinvestment Act (ARRA), encourages the mitigation of threats to data in use by requiring various levels of notification following a breach of unsecured protected health information (PHI). If PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals, then such information is not unsecured PHI, and therefore may not be subject to the breach notifications directed by the HITECH Act. Encryption solutions by our partners like PGP can implement the encryption necessary to mitigate the risks to PHI security.

ExperiorData Solutions: Implement whole disk encryption and endpoint security on desktop and laptop computers; evaluate the need for two-factor authentication and smart card technologies.