Securing your desktop machines is probably one of the most important parts of any HIPAA policy. I have a feeling that this topic will get more and more attention as time goes on and organizations get caught with unprotected desktops. That is exactly the kind of exposure that can lead to a HIPAA lawsuit, which I'm sure you want to avoid.
The Healthcare IT Guy recently posted some good information on what is being called "Pod Slurping": someone with a small iPod (or any other USB mass-storage device) walks up to an unattended workstation and copies large amounts of data off it in minutes. There are some really good posts out there on what you can do with an iPod. When you add in all the different types of USB memory sticks and other small data-carrying devices, you can get into real trouble if you're not careful. Protecting yourself against these types of "attacks" is going to be essential.
I really see two methods of protecting yourself. First, you can create a policy stating that these types of devices are not allowed in your environment. While this is difficult to control, it is definitely a step in the right direction. The key to making it work is enforcement whenever someone violates the policy. If it is made clear that there are severe consequences for violating it, the policy gives you a layer of protection.
Second, there are some new programs out there that are really gaining momentum and becoming a great (albeit expensive) option for the future. My favorite option is Cisco's Security Agent. I trained on this product and it is very powerful. Because it is so powerful, it is often not practical for the small doctor's office. However, larger organizations should seriously look at this option. Not only can it protect your EMR from rogue USB and iPod devices, but it can also reduce the need for separate anti-spyware and anti-virus programs. There are many other software packages on the market that do this as well.
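For a small office that can't justify a product like Cisco Security Agent, the same basic control (block USB mass-storage devices, and know which ones have already been plugged in) can be done with what Windows ships with. The script below is an added example for this post, not code from the original author or from Cisco; it assumes Windows 7 or later and uses the standard `USBSTOR` service key, the `RemovableStorageDevices` policy key that backs the "All Removable Storage classes: Deny all access" Group Policy setting, and the `Enum\USBSTOR` history key. The example device name in the comments is illustrative only. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post, not Cisco Security Agent):
# audit and enforce a USB mass-storage block on a Windows desktop using
# built-in OS controls. Requires an elevated (Administrator) session.

$UsbStorService  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$RemovablePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$UsbStorEnum     = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Test-UsbStorageBlocked {
    # Returns $true only if BOTH controls are in place:
    #  1. the USBSTOR class driver is disabled (Start = 4), so no USB disk mounts at all
    #  2. the "All Removable Storage classes: Deny all access" policy is set (Deny_All = 1)
    $start = (Get-ItemProperty -Path $UsbStorService -Name Start -ErrorAction SilentlyContinue).Start
    $deny  = (Get-ItemProperty -Path $RemovablePolicy -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    return ($start -eq 4) -and ($deny -eq 1)
}

function Disable-UsbStorage {
    # 1. Disable the USB mass-storage class driver. Keyboards, mice and printers
    #    use other drivers and keep working; only USBSTOR devices (memory sticks,
    #    iPods in disk mode, external drives) stop mounting.
    Set-ItemProperty -Path $UsbStorService -Name Start -Value 4 -Type DWord

    # 2. Belt and braces: apply the removable-storage deny policy too. It also
    #    covers removable media that do not go through USBSTOR, and it is the
    #    same value a domain Group Policy would keep re-applying.
    if (-not (Test-Path $RemovablePolicy)) {
        New-Item -Path $RemovablePolicy -Force | Out-Null
    }
    Set-ItemProperty -Path $RemovablePolicy -Name Deny_All -Value 1 -Type DWord

    return Test-UsbStorageBlocked
}

function Get-UsbStorageHistory {
    # Windows records every USB storage device that has ever been connected.
    # Check this BEFORE rollout (has someone already been slurping?) and keep
    # checking it afterwards as the audit trail behind your written policy.
    if (-not (Test-Path $UsbStorEnum)) { return @() }
    Get-ChildItem -Path $UsbStorEnum | ForEach-Object {
        $device = $_.PSChildName   # illustrative form: Disk&Ven_Apple&Prod_iPod&Rev_1.62
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [PSCustomObject]@{
                Device       = $device
                SerialNumber = $_.PSChildName
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

# Usage:
#   Get-UsbStorageHistory | Format-Table -AutoSize
#   if (-not (Test-UsbStorageBlocked)) { Disable-UsbStorage }
```

Two caveats a practitioner should keep in mind. First, `Deny_All` blocks every removable storage class, including CD/DVD burning, so if the office legitimately burns discs, set the deny values per class instead of globally. Second, anything set in the local registry can be undone by a local administrator, so on a domain push the same settings through Group Policy (Computer Configuration, Administrative Templates, System, Removable Storage Access) so they are re-applied automatically, and treat the `Get-UsbStorageHistory` output as the evidence that backs up the written policy.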
I would suggest using a combination of these two ideas to secure your environment. If your software implementation is good, the software does the day-to-day enforcement and you shouldn't have to lean on the written policy much, but it is always a good idea to have the policy in place for when the software doesn't work right or gets turned off. Plus, auditors like to see that type of policy.