Portable Media: Minimizing Risk
A Senior Care Chain Eliminates a Potential Privacy ThreatRice Health Care Facilities, a family-owned business with long-term care centers in rural Wisconsin and Michigan, discovered that staff members were routinely using unencrypted thumb drives to store such things as slide presentations, audit reports and other documents. And many of these included patient information, in violation of corporate policies.
After launching an effort to educate staff about the risks involved in using portable media, Uren and his IT team discovered that patient information still was being stored on the devices. So the chain took the extra step of investing in technology that locks down USB ports on various computers.
"HIPAA compliance and identity theft prevention were both big motivators, given the nature of our business and the type of residents we cater to," says Kevin Uren, IT manager. "A lot of them can't protect themselves. It's really up to us to do that for them."
Portable Media Restrictions
While the chain was confident that information within its electronic health records system was protected, it was worried that data outside that system, especially information on portable media, was vulnerable, Uren notes. So the company implemented an application from DeviceLock to control the use of portable media on 500 PCs and laptops at all its facilities.The senior care provider uses the DeviceLock application to prevent most staff members, who usually use computers in public areas, such as nursing stations, from using a thumb drive for any purpose. Certain managers can use portable media in read-only mode.
When users log on to any computer linked to the organization's network, the DeviceLock technology enforces the appropriate policies for use of thumb drives, CD burners and other portable media. The lock-down technology also enables Uren and his IT team to audit the use of portable media and provides alerts when someone has attempted to plug in a device and received a denial message.
"If someone can make a business case for needing the ability to write to a CD or a thumb drive to, for example, distribute information to an auditor, we can give them temporary permission to do that for 30 minutes," Uren explains.
Continuous Training
Once each month, the long-term care chain has its directors of nursing attend education updates on security and compliance, including policies on the use of portable media. Those supervisors, in turn, provide monthly training to their staffs, Uren says.In another security move, all computers connected to the chain's network function as thin clients that don't store information from the EHR system, Uren explains. And the chain conducts internal risk assessments, as well as outside assessments by consultants, at least once every year.
Uren sees the USB-port lockdown strategy as "just another way to help safeguard the information we're responsible for."