Computers

Desktop computers and their progeny (for example, laptops, notebooks, personal digital assistants) present special challenges to confidentiality. The following questions may be helpful.

Where Is the Computer?

Some readers may have visited clinics and seen confidential information about patients on a computer screen. One of the first questions to ask is, When this computer is on, who can see the screen? Can anyone who is not authorized see patient names or other sensitive information on the screen? This can be a problem for those who work with confidential information on portable computers during long flights or in terminals, waiting rooms, and other public spaces.

When the computer is unattended—whether for only a few minutes or overnight—is there a secure barrier between it and anyone who might want to access it or steal it? If you were to offer someone a considerable sum of money to access the computer without authorization or to steal it, how confident are you that you would not lose your money?

Is the Computer Protected from Hackers?

If the computer is hooked up to the Internet, a software or hardware firewall can help protect against unauthorized entry. Note the word help. No method of protection is foolproof. All have strengths but also vulnerabilities. The more layers of protection you use, the more secure your confidential data will be. If one or two layers fail to block unauthorized entry, others may work. Like a house with many locks and forms of security, a well-protected computer may discourage all but the most determined and skilled hackers.

Is the Computer Protected from Malicious Code That Can Access Confidential Information?

When computers connect to the Internet, they are vulnerable. Security hardware and software can lower but not remove the vulnerability. Viruses, Trojans, worms, and other malware continue to find more devious paths to fool a computer's defenses. E-mails formatted in HTML can mask malicious code. E-mail attachments can infect a computer before they are opened. A visit to a Web site may result in a malicious program downloading into the computer without the user's knowledge. These programs can look for a computer's most sensitive files (for example, those that fit the patterns of social security numbers, credit card numbers, passwords, financial statements; those that contain words like private, confidential, clinical, or medical). They can transmit those files to a temporary throwaway address in another country, post them on an anonymous Web site, or send them to every e-mail address in your computer's memory.

One approach to protecting confidential information on a computer is a two-step process: (1) keep several layers of protection on the computer and (2) keep the information encrypted on a removable medium (such as a portable external hard drive, CD, or DVD). The removable medium would always be kept secure and would be hooked up to the computer only when the therapist is using it.

An approach that offers more protection is to use one computer for connecting with the Internet and storing nonconfidential data and a separate computer that is never hooked up to the Internet or other networks to store confidential information. Because the confidential information is stored on a completely isolated, stand-alone computer, there is no wired or wireless link from it to any network and it cannot transmit data to unauthorized recipients.

Is the Computer Password-Protected?

If someone finds a computer unattended or steals it, a system of passwords can make it difficult to access confidential information. Loading the operating system when turning on the computer, gaining access to a set of files, and opening a particular file can be made contingent on passwords.

Words do not make the most secure passwords. Dictionary programs are readily available to hackers, who use them to enter a password-protected computer. A password is likely to block password-breaking software if it has a combination of lowercase letters, uppercase letters, and symbols and if it runs at least a dozen characters long.

Any password is useless if someone who is determined to access your computer sees it written down somewhere. Someone sitting at your computer and attempting to gain unauthorized access is likely to look through the papers on and in your desk (including under the keyboard and on the monitor) to see if the password has been jotted down.

Is Confidential Information Encrypted?

Even if someone defeats your password protection, he or she will still face a formidable layer of protection if your electronic protected health information as outlined by the Health Insurance Portability and Accountability Act is encrypted. Apple, Microsoft, and other makers of the major computer operating systems as well as other companies (for example, PGP at http://www.pgp.com) provide software programs that will encrypt files.

How Are Confidential Files Deleted?

On most computers, using the Delete key to get rid of a file leaves virtually all of the file on the hard disk, where it can be easily retrieved by an inexpensive data recovery program. To dispose confidential files, it is useful to use some form of secure deleting, such as one that involves repeatedly overwriting the old file with random characters.

How Are Computer Disks Discarded?

From time to time, the news media report what has become a standard story: someone sells or discards a computer on which confidential information is discovered. If a computer disk or other electronic storage medium stored confidential information, it should be completely degaussed or physically destroyed.

0 0

Post a comment