Stolen Laptop Risk: HIPAA & HITECH Act Blog by Jonathan P. Tomes with Guest Commentator Brent Sadler

Jon Tomes and Alice McCart here: Our favorite HIPAA IT security guru is Brent Sadler, our guest commentator for this blog post. We needed his opinion to fold into Jon’s opinion for a client regarding a stolen laptop. When we read it, we decided that our blog readers might need to have this information, too. So here it is below. If you would like to get in touch with Brent directly regarding help with a HIPAA IT security issue, he is available at

Brent Sadler’s opinion: In the case of a laptop that has been lost or stolen, there are several factors to look at to determine the risk. Obviously, the very first thing to know is whether it was encrypted. If not, then the next question to ask is what the Operating System (“OS”) was.

If the OS was Windows and running any version of the “Home” edition, then it is wide open to anyone who has access. The passwords in the Home edition are for convenience in separating individuals and not in any way security. At best, it keeps the honest guy out.

If the Windows edition is “Professional” or in some cases “Enterprise,” this level is the business level of Windows and does have good password security. However, it is still limited in its protection. There are two types of users that could be on the machine. The first is the “Local” user and/or the “Local Administrator.” The second type of user account might be a “Domain User.” A machine will ALWAYS have a local user and local administrator, but it will have a Domain User only if the computer/laptop has been connected to a business server domain by the company’s IT personnel. A domain user controls what that user can access and see on the business network, such as Server shares, Exchange server, and so forth.

There is no commonly known or even remotely easy way to uncover or de-encrypt a Domain User account password. However, the Local Administrator or User account is easily changed. There are readily available tools that can be downloaded for free or a small cost that allow even the most ignorant person to change the password if it isn’t known. One example is at

It is therefore my opinion that, if a laptop is lost or stolen without encryption, any data that is local to that system is under a great risk of being recovered or seen. If, however, no sensitive data is kept local and such sensitive data is accessed only via a domain user account, it is safe to consider that all the information is relatively safe. Again, though, this scenario would assume that best practices were in effect by the laptop user and that he or she did not save his or her domain password in a text file on the machine, did not store emails that listed a password, did not keep the domain password on a little yellow stickie stuck to the laptop, and so forth.
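The factors named in the opinion above (encryption, Windows edition, local versus domain accounts) are easiest to answer after a loss if they were recorded beforehand. The following PowerShell inventory sketch is an added example, not part of Brent Sadler's opinion or this blog's materials; the output path is an assumption, and it detects BitLocker only, not other disk-encryption products.

```powershell
# Added example: record, per laptop, the facts a stolen-laptop risk
# assessment asks about. Run in an elevated PowerShell session on Windows.
# Assumption: the output path is a placeholder; send the result to an
# inventory that lives off the laptop.
$OutFile = Join-Path $env:TEMP 'laptop-risk-facts.json'

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# Factor 1: is the OS volume encrypted? Only BitLocker is checked here.
# If the BitLocker cmdlets are missing, report that and treat as unencrypted.
$encrypted = $false
$detail    = 'BitLocker cmdlets not available'
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($vol) {
        $detail    = "$($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
        # Encrypted only if the volume is fully encrypted AND protection is on
        # (suspended protection leaves the key readable on disk).
        $encrypted = ($vol.VolumeStatus -eq 'FullyEncrypted' -and
                      $vol.ProtectionStatus -eq 'On')
    }
}

# Factor 2: Windows edition, taken from the OS caption string.
$isHome = $os.Caption -match 'Home'

# Factor 3: account types. Local accounts always exist; domain accounts
# are only possible when the machine is joined to a domain.
$localUsers = @(Get-LocalUser | Where-Object Enabled |
                Select-Object -ExpandProperty Name)

$facts = [pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    Collected         = (Get-Date).ToString('s')
    OsCaption         = $os.Caption
    HomeEdition       = $isHome
    OsVolumeEncrypted = $encrypted
    BitLockerDetail   = $detail
    DomainJoined      = [bool]$cs.PartOfDomain
    Domain            = $cs.Domain
    EnabledLocalUsers = $localUsers
}

$facts | ConvertTo-Json | Set-Content -Path $OutFile -Encoding UTF8
$facts
```

The script does not answer the remaining question in the opinion, whether sensitive data was stored locally; that still has to come from the Risk Analysis and the user.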

Jon and Alice here again: Jon has written and provided for you on the HIPAA Documents Resource Center CD, 6th edition, which accompanies his Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, a sample Portable Computer Policy. Use your Risk Analysis of all of your mobile devices, Jon’s sample policy, and Brent’s wise words above to draft a policy that meets the HIPAA IT security needs of your organization. And then implement that policy, train your workforce on the policy, and enforce the policy. Store it in Your Happy HIPAA Book for the required six-year document retention period for proof of HIPAA compliance in case, God forbid, the feds come calling.

Also, as an aside and a reminder, if you are having trouble logging in to our Premium Member section on our Veterans Press website at for some reason, please let us know so that our IT/order department folks can help you. If you bought our HIPAA Compliance Library, it came with a one-year free subscription to the Premium Member section. If you remember having had access a long time ago, perhaps it’s time to sign up for another year for only $99.95. It’s where Jon has all of his new policy/procedure templates and other HIPAA compliance information posted for you to download.

Also, if you want help writing your HIPAA policies and procedures, Alice McCart will be presenting a webinar through MentorHealth on Thursday, September 15, from noon to 1:30 p.m. Central time, on the topic “Key Factors to Write HIPAA Compliance Policies,” with registration available at
