Many clinical systems can be accessed via the internet, making it convenient to work from your personal computer. However, there is growing concern regarding HIPAA privacy and security issues when personal computers are used for this purpose.
Reasons for the concerns are:
- Malware, such as viruses and ransomware, is a tool bad actors use to gain access to ePHI and other sensitive information. Security- and compliance-minded companies implement anti-malware software and continually update it to detect and eliminate malware. With personal computers there is no guarantee this defense is in place and kept current.
- Computer devices require an operating system (OS) to manage the various functions of the computer; Windows 10 is an example of an OS. Bad actors continually look for vulnerabilities in the various versions of these systems in order to attack and access them for ill-gotten gain. Vendors provide routine updates as vulnerabilities are discovered, in order to remove them and prevent bad actors from gaining access. Benefiting from this requires a vigilant process of routinely applying OS updates to eliminate known vulnerabilities. This process is not guaranteed or consistent on personal computers.
- Encryption of devices is a security feature by which information is encoded such that only authorized individuals can access it. Encryption is a HIPAA-endorsed safe harbor, meaning that lost or stolen devices containing ePHI do not constitute a breach if the devices are encrypted. Configuration of encryption is not guaranteed on personal computers.
- Remote wipe is a security feature that allows an administrator to issue a command to delete data on a computer. This is used as a safeguard when equipment is lost or stolen to avoid unencrypted data falling into the hands of a bad actor. Proper configuration and/or additional software is required to provide this capability, and this is not guaranteed to be implemented on personal computers.
- Consider also that ePHI can be stored on a personal computer, for example in reports produced by the clinical system that contain PHI. This means individuals who have no need to view or access the ePHI, such as others within the household, have that capability. This can result in a HIPAA reportable breach. To heighten the risk, once an employee leaves their current employer they are no longer authorized to access the ePHI; however, the employer has no capability to remove the ePHI from the employee’s personal computer to eliminate that access.
Reliant employees are not allowed to use personal computers to access Reliant systems and may refer to Policy 3.14 – IT Equipment Protection & Physical Access Controls.