Portable Media: Minimizing Risk

A Senior Care Chain Eliminates a Potential Privacy Threat
Portable Media: Minimizing Risk
Finding exactly where all patient information is stored so privacy can be safeguarded is a challenge for many healthcare organizations. Some, including a chain of 21 senior care facilities, are discovering that sensitive patient information is winding up on thumb drives and other portable media, which can easily be lost or stolen.

Rice Health Care Facilities, a family-owned business with long-term care centers in rural Wisconsin and Michigan, discovered that staff members were routinely using unencrypted thumb drives to store such things as slide presentations, audit reports and other documents. And many of these included patient information, in violation of corporate policies.

After launching an effort to educate staff about the risks involved in using portable media, Uren and his IT team discovered that patient information still was being stored on the devices. So the chain took the extra step of investing in technology that locks down USB ports on various computers.

"HIPAA compliance and identity theft prevention were both big motivators, given the nature of our business and the type of residents we cater to," says Kevin Uren, IT manager. "A lot of them can't protect themselves. It's really up to us to do that for them."

Portable Media Restrictions

While the chain was confident that information within its electronic health records system was protected, it was worried that data outside that system, especially information on portable media, was vulnerable, Uren notes. So the company implemented an application from DeviceLock to control the use of portable media on 500 PCs and laptops at all its facilities.

The senior care provider uses the DeviceLock application to prevent most staff members, who usually use computers in public areas, such as nursing stations, from using a thumb drive for any purpose. Certain managers can use portable media in read-only mode.

When users log on to any computer linked to the organization's network, the DeviceLock technology enforces the appropriate policies for use of thumb drives, CD burners and other portable media. The lock-down technology also enables Uren and his IT team to audit the use of portable media and provides alerts when someone has attempted to plug in a device and received a denial message.

"If someone can make a business case for needing the ability to write to a CD or a thumb drive to, for example, distribute information to an auditor, we can give them temporary permission to do that for 30 minutes," Uren explains.

Continuous Training

Once each month, the long-term care chain has its directors of nursing attend education updates on security and compliance, including policies on the use of portable media. Those supervisors, in turn, provide monthly training to their staffs, Uren says.

In another security move, all computers connected to the chain's network function as thin clients that don't store information from the EHR system, Uren explains. And the chain conducts internal risk assessments, as well as outside assessments by consultants, at least once every year.

Uren sees the USB-port lockdown strategy as "just another way to help safeguard the information we're responsible for."

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.