

How should we protect patient data?
February 22, 2008 7:59 AM   Subscribe

What steps should a small practice take to secure patient data on a laptop?

My wife has just begun a private practice as a child/family therapist. She has bought a Macbook to use as her business computer. I'm helping her set it up and want to make sure that her patient data is as secure as possible should the laptop ever be lost. After reviewing HIPAA regulations, it seems like there are no exact specifications, just a general requirement that appropriate risk management strategies be put in place. So it seems like it's her responsibility to determine and take the best steps.

With that in mind, here is how I'm setting up her Macbook:

1) Separate user account for her practice files and data and personal, non-practice related files. These will have two different passwords and the practice account will be admin, but the personal won't. (That way if someone was able to crack her personal password they still couldn't access patient data)

2) Use of File Vault on the practice account

3) Installation of LoJack software to help with tracking down the laptop in case it was stolen.

Do these seem like the most appropriate steps to take to protect her clients' data? Are there others that we should consider?

I know data security and protection of confidentiality is a "no sure thing" issue, in that you can never 100% protect against disclosure, but she wants to take all available, reasonable precautions. I'm reasonably confident this meets HIPAA requirements, (though we will follow up with a HIPAA compliance specialist to make sure) so this is more about her sense of responsibility to her clients. Therefore we're not asking you to tell us whether we're in compliance with HIPAA (though if want to share your experience with HIPAA, that would be helpful) just if there are other steps that should be taken.

(I'm asking anonymously because of significant liability issues associated with the topic)
posted by anonymous to Computers & Internet (27 answers total) 3 users marked this as a favorite
 
Because it's a laptop I would suggest encrypting the drive using something like TrueCrypt.
posted by phil at 8:16 AM on February 22, 2008


Seconding truecrypt. It now has the ability to encrypt the entire drive, very useful.
posted by the dief at 8:19 AM on February 22, 2008


Is there a benefit to encrypting the whole drive with Truecrypt, rather than just a folder? Doesn't encrypting the drive result in a performance hit?
posted by Admiral Haddock at 8:27 AM on February 22, 2008


Encrypting the hard drive rather than folders means that you don't have to have the discipline to store sensitive things in the folders that get protected...everything gets protected.
posted by mmascolino at 8:33 AM on February 22, 2008


I've encrypted portions of drives with Truecrypt on Linux -- not folders, but logical drives -- and I haven't seen any appreciable performance hit.

What might be best for anonymous is to divide their disk up and keep sensitive info on a Truecrypt portion, rather than the whole disk.
posted by the dief at 8:34 AM on February 22, 2008


If you encrypt only a folder there is the potential for sensitive information to be exposed without really being aware of it.

What kind of documents are saved in that folder? What applications are you opening those files in? Do the applications periodically save in order to prevent data loss, and if so, where do they save those backups? Are the users of the machine accessing sensitive data via a web browser? If so, are all temporary files deleted? Do the file names themselves contain secure information? If so, is it possible that they show up in some application's most recently accessed list? Etc.
posted by phil at 8:37 AM on February 22, 2008


The group of physicians on my insurance plan are all *required* to use laptops and to have a computerized chart of the patient. I'm sure there are other groups out there that also do this, and if you contact them or their I.T. department they may be able to help you, or at least tell you what they use.

FWIW, my group is "Health Care Partners" in So. California.
posted by 6:1 at 8:40 AM on February 22, 2008


I'd also keep an encrypted thumbdrive (keychain, always stays on person etc) with copies of the files as a backup.

Drive encryption is the way to go. With your option 1, it doesn't address the drive being removed and mounted in a different system where 'ownership' could be forced to a new user. Options 2 and 3 sound good however.

As for lo-jacking, you could always take it a step further and try this method recently posted on the blue ;)
posted by samsara at 8:43 AM on February 22, 2008


Since this is a Mac, you won't be able to encrypt the whole disk using TrueCrypt (that function is only supported with Windows). I've been using TC on Windows for ages now and it's worked flawlessly. If you create a TC volume small enough you can make backups of the volume to a CD/DVD.
posted by phrayzee at 8:45 AM on February 22, 2008


In reality you should be more or less okay if you encrypt a thumb drive or similar and make sure you store all information on that, religiously.

Regulations are bad because they are vague, but the same vagueness adds wiggle room. So from a security perspective you could have an application that launches and deals with the files in an unprotected setting and theoretically a malicious application can read data from that ... but this is high security territory. Keep an antivirus on the machine and up to date and have a policy on security. Write your procedures, such as who has access to the machine and what programs are to be installed and your various security settings (antivirus installed, when you updated, encryption scheme, etc.).

The idea is that you go to the judge with a policy in place and confirmed everyone with access was updated with the policy and there was some sort of auditing taking place (simple as making sure everything installed is what matches the list, making sure more people aren't using the laptop even if it is just "once in awhile," and writing down dates when you audit). He'll say "Wow you had a good policy and you stuck to it, well l337 HIPAA hacker they couldn't have expected you'd plant a program that reads off open applications" or whatever a potential attack would entail. It might, MIGHT also protect you against malicious or stupid employees ("Well we were following policy, they were conforming and updated on the policy every 3 months and here's dates we checked, etc.")

MIGHT, I say, MIGHT. I was dealing with similarly vague regulations (SarOx) and that's the sort of thing I came up with. Much more strict as it was not just one laptop, but that's how I approached it. Compliance can get very expensive if you let security experts run with it. PLEASE consult a lawyer and see what they say, as I did. They sometimes aren't a lot of help, but I felt vindicated by bringing the issues to them, coming up with a response and having them approve it. This is less technical IT and more business oriented than you'd realize.
posted by geoff. at 9:03 AM on February 22, 2008


Not to freak you out in your search for an answer, clearly you seem to be doing due diligence in following HIPAA guidelines, but Princeton researchers released a paper today about how to break full-disk encryption:

Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at room temperature and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount successful attacks on popular disk encryption systems using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them.

A video overview is also available.

A combination of encryption methods (full-disk (Disk Crypt), per-folder (File Vault and Disk Utility) and per-file (Disk Utility)) is probably best to mitigate the potential for information loss, if the trade-offs are performance and use convenience.
posted by Blazecock Pileon at 9:26 AM on February 22, 2008 [1 favorite]


I could've sworn there were requirements for how data is protected, but maybe that's just institutional policies that have been put in place. Everything I've ever seen has said data has to be kept in a locked location with security cameras.
posted by gramcracker at 9:29 AM on February 22, 2008


Sorry, I meant TrueCrypt, not "Disk Crypt". Support for OS X was added earlier this month.
posted by Blazecock Pileon at 9:34 AM on February 22, 2008


Regarding that paper on breaking full disk encryption, you all should note that the circumstances are kind of limited in that the attacker has to take possession of the computer, or at least its RAM, while it is on or within a few seconds of it being powered down. Sleeping counts. So don't travel with the computer asleep, shut it down. Shut down overnight. Things like that.
posted by d4nj450n at 9:35 AM on February 22, 2008


Everything I've ever seen has said data has to be kept in a locked location with security cameras.

I have worked in a HIPAA-regulated computing environment without cameras over my head.
posted by Blazecock Pileon at 9:36 AM on February 22, 2008


Regarding that paper on breaking full disk encryption, you all should note that the circumstances are kind of limited in that the attacker has to take possession of the computer, or at least its RAM, while it is on or within a few seconds of it being powered down.

Good point, you don't want to travel with the computer asleep. But the attacker may have time on his or her side:

3.2 Decay at reduced temperature

It has long been known that low temperatures can significantly increase memory devices' retention times [29, 3, 46, 24, 40, 39]. We performed a second series of tests to measure this effect. In each trial, we loaded a pseudorandom test pattern into memory, and, with the computer running, cooled the memory module to approximately −50 °C. We then powered off the machine and maintained this temperature until power was restored. We achieved these temperatures using commonly available "canned air" duster products (see Section 4.2), which we discharged, with the can inverted, directly onto the chips. As expected, we observed a significantly lower rate of decay under these reduced temperatures (see Figure 4). On all of our sample DRAMs, the decay rates were low enough that an attacker who cut power for 60 seconds would recover 99.9% of bits correctly.

As an extreme test of memory cooling, we performed another experiment using liquid nitrogen as an additional cooling agent. We first cooled the memory module of Machine A to −50 °C using the "canned air" product. We then cut power to the machine, and quickly removed the DRAM module and placed it in a canister of liquid nitrogen. We kept the memory module submerged in the liquid nitrogen for 60 minutes, then returned it to the machine. We measured only 14,000 bit errors within a 1 MB test region (0.17% decay). This suggests that, even in modern memory modules, data may be recoverable for hours or days with sufficient cooling.

posted by Blazecock Pileon at 9:41 AM on February 22, 2008


Password-related stuff:

- Visit the "Security" control panel. Check the boxes to require a password to wake from sleep or screen saver, and to disable automatic login.

- Make sure to use a separate password for each account.

- Make sure your passwords are of good strength. Non-dictionary word, mixed-case, includes both numbers and letters.
posted by mkultra at 9:49 AM on February 22, 2008
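A small screening function for the password rules mkultra lists (non-dictionary word, mixed case, letters plus numbers). This is an added example, not code from the thread or from Apple. The word list is a tiny constructed sample standing in for a real dictionary, the leet-substitution table is this example's own, and the 12-character minimum is an assumption of this example, not something the thread states.

```python
"""Screen a candidate password against simple strength rules.

Added example. SMALL_DICTIONARY is a constructed sample; a real check would
load a full word list. MIN_LENGTH is this example's own assumption.
"""
import re

SMALL_DICTIONARY = {"password", "therapy", "macbook", "welcome", "letmein",
                    "practice", "qwerty", "monkey"}       # constructed sample
# Common symbol-for-letter substitutions, undone before the dictionary lookup
# so that "P4ssw0rd" is still recognised as "password".
LEET = str.maketrans("0134578@$!", "oieastbasi")
MIN_LENGTH = 12  # assumption of this example

def normalize(pw: str) -> str:
    """Strip trailing digits/punctuation, lower-case, then undo leet substitutions."""
    core = re.sub(r"[\d\W_]+$", "", pw)
    return core.lower().translate(LEET)

def password_problems(pw: str):
    """Return the list of rules the password fails; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not mixed-case")
    if not (any(c.isdigit() for c in pw) and any(c.isalpha() for c in pw)):
        problems.append("needs both letters and numbers")
    if normalize(pw) in SMALL_DICTIONARY:
        problems.append("dictionary word (after undoing substitutions)")
    return problems

if __name__ == "__main__":
    for candidate in ("therapy", "Th3rapy2008", "Wr3n-porch!Kettle9"):
        print(candidate, "->", password_problems(candidate) or "ok")
```

The point of the normalisation step is that appending a year or swapping letters for look-alike digits does not turn a dictionary word into a strong password; the check undoes those tricks before looking the word up.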


IAAL, IANYL.

You should talk to your HIPAA compliance specialist, but what you are talking about doing is probably sufficient under HIPAA. It is also a hell of a lot more than most do in that context. A lot of them are not going to be compliant. The fact that you are even thinking about this stuff and structuring a coherent approach to these issues probably gets you most of the way there. The last time I looked at the regs on HIPAA security, they didn't require anything specific in any context (e.g. large-scale document management systems), let alone for something like a personal laptop.
posted by iknowizbirfmark at 9:52 AM on February 22, 2008


With the sort of resources and will it would take to freeze your DRAM to get the key to your encrypted partition, you could probably install cameras to spy on the passphrase being entered instead. I don't see that this news changes anything. Encrypting the whole drive never was a guarantee against the NSA or any very dedicated attacker with physical access; it remains excellent protection against laptop thieves with a side-business in identity theft or vice versa.

Is there a benefit to encrypting the whole drive with Truecrypt, rather than just a folder? Doesn't encrypting the drive result in a performance hit?

When you encrypt the whole drive, you don't have to worry about the OS or applications helpfully storing decrypted info as temp files in various caches (as Windows is wont to do) or in swap space (as all OSes are wont to do.) Plus, you don't have to worry about some given program misbehaving and storing something somewhere you don't know about -- you don't have to be an expert in each and every program -- it doesn't matter.

With Linux, I've used 128-bit AES whole-disk (but for the /boot partition) encryption on an 800 MHz Pentium III with 256MB, and didn't notice a slowdown. (Yes, I know that an unencrypted /boot partition opens me up to someone with access to my machine modifying my initrd to record my passphrase.)

I don't know enough about Mac OS X to offer specific advice, but I'll advise you to also look into encrypting your swap partition and looking into where the apps with which you access the sensitive data might be writing temp files.
posted by Zed_Lopez at 10:05 AM on February 22, 2008


Seconding the recommendations for encryption (FileVault for the Mac, TrueCrypt for PCs and Linux). Choose a secure but memorable password.

But more importantly, I'd recommend physically securing the laptop so that it isn't easily stolen. Laptops are easily stolen and sold, so one of the most likely methods of exposing patient data is if the laptop is stolen. While file encryption supposedly reduces this risk, try telling that to the patients whose data was on the computer (and you will have to notify them).

To secure the laptop, I recommend:

- locking the laptop using a Kensington-style lock to a table or desk
- keeping the laptop on your person at all times when traveling (don't leave it in a hotel room, coat check room, in the car or in the trunk)
posted by zippy at 10:15 AM on February 22, 2008


If you're using Mac OS X 10.5 or 10.4 (likely, since you have a MacBook), you can enable secure virtual memory ("swap") in System Preferences > Security > "Use Secure Virtual Memory".
posted by Blazecock Pileon at 10:16 AM on February 22, 2008


re: Haddock, and expanding on what phil said

Many applications save temporary files in various system locations, e.g. Word recovery temp files, web browser cache, etc. If these temporary files are on an unencrypted portion of the disk, then your sensitive files are "leaked" despite your attempts to encrypt their particular folder. Furthermore, you can't escape this: All modern operating systems will occasionally dump portions of RAM's contents onto your hard drive; it's a coping strategy for when available memory is running low. If you haven't encrypted this swap space (or whatever Mac OS X calls it), then your data gets leaked.

Whole disk encryption (through TrueCrypt or other products) is a great way to side-step that whole problem.

Now, the next thing: Run a tight ship. The computer needs to be secure from network attacks. Using a Mac goes a long way towards this simply because most hacking is aimed at Windows machines. But still, you need to keep up with whatever security patches are released by Apple, and don't install frivolous software, especially if it is some kind of network service.
posted by qxntpqbbbqxl at 10:18 AM on February 22, 2008
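phil's questions above (where do applications save their recovery copies, do file names show up in recent-items lists) and qxntpqbbbqxl's point about temp files outside the encrypted folder describe the same failure mode: the document itself is encrypted, but a copy of it is not. The script below is an added example, not code from the thread or from any of the products mentioned. It builds a constructed directory tree in a temporary folder, with an "encrypted_volume" path standing in for the FileVault or TrueCrypt mount, and reports files outside that path which look like application recovery copies or which carry the name of a protected document. Every path, file name and temp-file pattern in it is constructed for the demo; a real audit would point `find_leaks` at the home directory and the system temp locations and extend `TEMP_PATTERNS` for the applications actually in use.

```python
"""Look for copies of sensitive documents that ended up outside the encrypted volume.

Added example (not code from the thread). All paths and names are constructed.
"""
import os
import re
import tempfile
from pathlib import Path

# Name patterns typical of applications' own working copies.
# Illustrative, constructed list; real patterns vary by application and version.
TEMP_PATTERNS = [
    re.compile(r"^~\$"),                    # Word owner/lock file
    re.compile(r"^~WRL\d+\.tmp$", re.I),    # Word recovery temp
    re.compile(r"\.(tmp|bak|swp|autosave)$", re.I),
    re.compile(r"^\.~lock\."),              # OpenOffice lock file
]

def is_inside(path: Path, root: Path) -> bool:
    """True if path lies under root (both resolved, so symlinks don't fool it)."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False

def protected_stems(encrypted_root: Path) -> set:
    """File name stems of the documents kept on the encrypted volume."""
    return {p.stem for p in encrypted_root.rglob("*")
            if p.is_file() and not p.name.startswith("~")}

def find_leaks(search_root: Path, encrypted_root: Path):
    """Return sorted (path, reason) pairs for suspicious files outside encrypted_root."""
    stems = protected_stems(encrypted_root)
    hits = []
    for dirpath, _, filenames in os.walk(search_root):
        for name in filenames:
            p = Path(dirpath) / name
            if is_inside(p, encrypted_root):
                continue                     # on the encrypted volume: fine
            reasons = []
            if any(pat.search(name) for pat in TEMP_PATTERNS):
                reasons.append("temp/recovery file")
            for stem in stems:
                if stem.lower() in name.lower():
                    reasons.append(f"name matches protected file '{stem}'")
                    break
            if reasons:
                hits.append((str(p), "; ".join(reasons)))
    return sorted(hits)

def build_demo_tree(base: Path):
    """Constructed sample layout: one leak via a recovery temp, one via a stray copy."""
    files = [
        "encrypted_volume/clients/smith_jane_intake.doc",     # the protected document
        "encrypted_volume/clients/~$smith_jane_intake.doc",   # lock file, but inside: fine
        "home/Documents/~WRL0003.tmp",                        # recovery copy outside
        "tmp/smith_jane_intake copy.doc",                     # stray copy outside
        "home/Library/Caches/Safari/cache001.bin",            # unrelated cache entry
        "home/Desktop/budget.xls",                            # unrelated document
    ]
    for rel in files:
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("constructed sample content")

def run_demo():
    """Build the constructed tree and return the leak report for it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_demo_tree(base)
        return find_leaks(base, base / "encrypted_volume")

if __name__ == "__main__":
    for path, reason in run_demo():
        print(f"{reason}: {path}")
```

Two things the demo makes visible: the lock file sitting next to the document on the encrypted volume is fine, because it is covered by the same encryption, while the same kind of file in the home directory is not; and a name-based check catches the stray copy but would miss a recovery file with an opaque name, which is the case whole-disk encryption closes.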


Whatever procedures you adopt, document them clearly and go over the procedures on a periodic basis (say once a year) to make sure you've kept up with technology.
posted by happyturtle at 11:43 AM on February 22, 2008


You might want to look into Undercover as an alternative to LoJack. It has a neat feature of taking photos of the thief if the MacBook has built-in iSight.

And I second happyturtle's call to document and review your practices. Nothing more fun than trying to figure things out without any documentation at all.
posted by fenriq at 11:59 AM on February 22, 2008


BIOS level password as a first step, then do something about encrypting the data.

Keeping your laptop in a satchel rather than a laptop case is a good idea too. That way it's not obviously a laptop, and you put other things in the satchel so you always have it with you or need to know where it is.
posted by mattoxic at 1:08 PM on February 22, 2008


I've used whole disk encryption with SafeGuard Easy. I'm happy with it.

The performance hit seems minimal to nonexistent, and their marketing stuff says so too... Not sure if that convinces you but it's safe.

Apparently page files or something (maybe the DRAM people are talking about?) don't protect client data enough when there's a sophisticated thief.
posted by powpow at 4:44 PM on February 22, 2008


Two other solutions:

1) Don't keep client data on the laptop. Leave it at work where "appropriate security" is easily defined: locked file cabinet.

2) Keep records, but not personally identifiable records. No names, insurance info, SSNs, etc. Number the records and either memorize the key or keep it physically secure separate from the laptop.

Seems like a lot of worry and bother just to be able to carry a laptop around.
posted by gjc at 6:25 PM on February 22, 2008
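gjc's second option, numbered records with the identity key kept separately, is easy to get subtly wrong: the number must not be derivable from the name, and the free text of a note must not quietly repeat what the numbering was meant to remove. The code below is an added example of that scheme, not code from the thread. It assumes records are plain dicts, that the identity mapping is written to its own file kept off the laptop (gjc's "physically secure, separate" key), and that each note's free text is screened for the patient's own identifiers before it is stored. All sample records are constructed.

```python
"""Store notes under random record numbers; keep the identity key separately.

Added example, not from the thread. Sample records are constructed.
"""
import json
import re
import secrets

IDENTIFYING_FIELDS = ("name", "dob", "ssn", "insurance_id", "phone")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def split_record(record, mapping, rng=None):
    """Move identifying fields into `mapping` under a fresh random record number.

    The number is random rather than a hash of the name: a hash of a known
    name could be recomputed by anyone who guesses the name.
    """
    rng = rng or secrets.SystemRandom()
    while True:
        rec_no = f"R{rng.randrange(10**6):06d}"
        if rec_no not in mapping:
            break
    mapping[rec_no] = {k: record[k] for k in IDENTIFYING_FIELDS if k in record}
    note = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    note["record_number"] = rec_no
    return note

def identifiers_in_text(text, identity):
    """Return identity tokens (name parts, SSN, DOB, phone) that appear in free text."""
    found = []
    for part in identity.get("name", "").split():
        if len(part) >= 3 and re.search(rf"\b{re.escape(part)}\b", text, re.I):
            found.append(part)
    for key in ("ssn", "dob", "phone"):
        if identity.get(key) and identity[key] in text:
            found.append(identity[key])
    found.extend(SSN_RE.findall(text))   # any SSN-shaped token, not just this patient's
    return sorted(set(found))

def reidentify(note, mapping):
    """Join a note back with its identity; only possible with the mapping."""
    return {**mapping[note["record_number"]],
            **{k: v for k, v in note.items() if k != "record_number"}}

def save_mapping(mapping, path):
    """Write the key to its own file, to be kept off the laptop (e.g. an encrypted thumb drive)."""
    with open(path, "w") as f:
        json.dump(mapping, f, indent=2)

def demo(rng=None):
    """Split two constructed records and report which notes still leak identifiers."""
    records = [
        {"name": "Jane Smith", "dob": "2001-04-09", "ssn": "123-45-6789",
         "session": "2008-02-20",
         "text": "Jane reports improved sleep; SSN 123-45-6789 on intake."},
        {"name": "Tom Jones", "dob": "1999-11-30",
         "session": "2008-02-21",
         "text": "Family session, discussed school routine."},
    ]
    mapping, notes, leaks = {}, [], {}
    for rec in records:
        note = split_record(rec, mapping, rng)
        leaked = identifiers_in_text(note["text"], mapping[note["record_number"]])
        if leaked:
            leaks[note["record_number"]] = leaked
        notes.append(note)
    return notes, mapping, leaks

if __name__ == "__main__":
    notes, mapping, leaks = demo()
    print(json.dumps(notes, indent=2))
    print("notes that still carry identifiers:", leaks)
```

The first constructed note fails the screen because the therapist wrote the patient's first name and SSN into the body; that is the realistic failure of the numbering scheme, and it is why the screen runs before the note is kept rather than after.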

