Health Information Management

TIP: Create consistent laptop use policy for your facility

HIM-HIPAA Insider, June 28, 2010

Editor’s note: This is the third in a series of tips in HIPAA Weekly Advisor on laptop security. The excerpts are courtesy of the HCPro, Inc. newsletter, Briefings on HIPAA.

Develop and implement centralized laptop computer acquisition and maintenance procedures. Require consistency of use and security across your organization, says Phyllis A. Patrick, MBA, FACHE, CHC, cofounder and managing director of AP Health Care Compliance Group, which has offices in Pittsburgh and Purchase, NY. For example, assign this responsibility to an information systems department.

Organizations can create major problems when they allow staff members to buy or use their own laptop computers, which may lack the security controls necessary to protect PHI. Purchasing laptop computers for employees to use gives an organization more control over the devices and ensures consistent security.

Employees who use laptop computers must follow requirements, criteria, and guidelines set by your IT department. IT must have the resources necessary to accommodate users and ensure that device protection remains up to date.

Organizations that allow employees to use their own laptop computers should establish rules for data ownership regardless of who owns the device, says John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD. Your mobile security policy should establish the rules of engagement—who, what, where, and when.

Carefully track laptop computers, says Parmigiani. You need to know the following:

  • Which laptop computers and other mobile devices exist in your organization?
  • Who has them and what are their privileges?
  • Which software exists on them?
  • Which data do you allow on them?
  • Which data are actually on them?
  • Are the data backed up?
  • Are the data protected against unauthorized access?
  • Do installed safeguards protect against practices such as phishing, IP spoofing, pharming, malware, and file sharing?
     
