THE NIH CATALYST, JULY – AUGUST 2008

 

Lessons Learned from a Stolen Laptop and Protected Health Information

by Andrew Arai, Senior Investigator, NHLBI Laboratory of Cardiac Energetics

Certain events have such impact that they qualify as life-changing. In my case, the theft of my government-issued laptop computer and the breach of personally identifiable information have made me understand the power and danger of computerized or digital information. I want to share with you lessons learned from this unfortunate experience.

Since the theft of my computer in February, the NIH has renewed its commitment to computer security. However, many people at the NIH — from Bethesda to facilities across the nation and even those working in the field — are probably still at risk for compromising confidential information. Whether you are a scientist, administrator or member of the scientific and support staff, you might have access to private information. And even if your laptop is secure (i.e., encrypted), you might have other digital and paper records improperly protected.

Many pieces of personally identifiable information need to be protected beyond the obvious: names, addresses and social security numbers. For example, the first three digits of a ZIP code are considered protected health information as long as fewer than 20,000 people live within that region. Age "over 89" also is considered an identifier. Even a fax number without a name attached is covered by HIPAA (Health Insurance Portability and Accountability Act) Rules. The Privacy Rule, an extension of HIPAA, protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral.

In talking with people over the past two months, I have come to realize that many have unintentionally violated these rules. To reemphasize: You must protect the scrap of paper reminding you to call a particular patient; you must protect the USB flash drive "stick" with digital information, such as contact lists or reminders to follow up on an abnormal lab test; you must protect data on your laptop, PDA or BlackBerry.

The electronic age has created dangers with the incredible storage capacity on modern devices. A typical NIH laptop computer can easily contain the text contents of every U.S. phonebook and all associated personally identifiable information on those people. That computer would still have enough capacity to contain the Encyclopedia Britannica and multiple other references. A small USB stick can contain a single file with information on hundreds of thousands of patients. A PDA or BlackBerry further complicates the issue, for there is easy access to information through cached Internet sites or saved e-mail messages. Encryption of Windows-based laptops is now standard practice at the NIH. Macintosh laptops, PDAs and BlackBerrys currently cannot be encrypted to similar standards and thus can be riskier devices. The small size and portability of these devices make them easy targets for theft or misplacement and thus may compromise protected information.

Learning how to manage the information on portable electronic devices is difficult. Knowing when it is safe to delete information is not trivial. For example, an e-mail message received on a BlackBerry or laptop while away from the office may require action when the user gets back to the office. If it is important, one might be inclined to leave files on the BlackBerry or laptop for review until the issue is resolved. Will you remember to delete all files from the portable device a few days later when the task is completed? Synchronizing multiple copies of files is complicated when they are distributed on multiple devices. Also, do you have the most current version of the document? It can take hours to systematically delete data from USB drives while making sure you have copies of what should be saved.

Working with confidential information requires vigilance in other ways as well. Since the theft of my laptop, I have watched other people misusing electronic devices in public places. I have seen people reading confidential information on laptops in airplanes. I have met people asking for help to find lost PDAs or BlackBerrys. Even though none of these behaviors was done with malicious intent, it is much too easy to compromise the integrity of information stored on portable electronic devices.

For all of the above reasons, NIH may want to consider establishing a policy advisory group under the sponsorship of the NIH CIO and the three functional NIH Deputy Directors to better educate the NIH community on how to recognize sensitive information and how to manage and safeguard that information. Given the turnover of staff, this is — and will be — an ongoing need.

We must continue to improve our handling of protected health information and other confidential information. Achieving those goals depends on all of us, as individuals, working to support and implement privacy standards. I hope others can learn from my experience. I can guarantee that it is better to learn such lessons vicariously than through personal experience.

For more information, please review the following documents:

###




This page last updated on August 1, 2008, by Christopher Wanjek