sted in: Computer Security February 3, 2016
By Dan Gospe
If you think you have no incidental data on your network, and all of your data resides on a nice, encrypted server, think again. Incidental data can creep its way onto many devices in your network, and significantly increase your likelihood of data breach. Do you know how to find the incidental data on your network, and how to keep it off of your systems? If not, read on! There are many common places that incidental data can be found.
What is Incidental Data?
Simply put, the term “incidental data” refers to data that was captured and stored outside of the scope of your secure holding areas. For example, a typical dental practice might have data residing on their printers, PCs, scanners or cell-phones, to name a few. To achieve true HIPAA compliant security, you’ll want to eliminate all data that is falls outside of your managed, centralized data stores.
Check your PCs
First, let’s see if there is any incidental data on your PCs. The most common computers that hold unsecure data are your non-clinical machines; especially, the PCs of your doctor or reception staff. Here are a few common places that you can look to see if there are any patient identifiers lurking in the system – and they all have an easy fix.
- “Desktop” Folder – This is the easiest to spot. Are there any xrays on your desktops? Chances are, there are, especially if you are exporting images from Dexis, Schick, or some other imaging software. The desktop is a handy place to temporarily store files, but it is not a secure location!
- “Downloads” Folder – from downloading email attachments from a web email program. Many people are surprised to see the amount of data stored in their Downloads folder that they had no idea they had.
- “Documents” Folder – you may find Patient Letters, Letters to Specialists, Bookkeeping Data, Spreadsheets, or some other “work in progress”.
- Email – if you are using Outlook or Thunderbird for email, you’ll want to have your profiles stored on the server, and not on the workstations. Otherwise, all the email that you have is accessible without access to your email account.
- Cache Data – This one is harder to spot, but it’s there deep within your Windows directories. The best way to keep data off of your cache is to have your browser delete your cache each time the program closes, or to turn off caching on internet browsers.
The Fix: Create shared folders from your server for your workstations to use as “working directories”. These folders should be encrypted. Set all of your default folder locations to this shared folder on the server. After that, go into your email client settings and direct its storage to a secured folder on the server.
Here is a brief “How-To” for disabling your internet caching for several browsers.
There you have it! No more incidental data on the workstations.
Printers and Scanners
- Many printers and scanners have onboard memory, keeping images of scanned documents either in internal or external memory. Check your specs – is memory being stored on these systems? If it is, turn it off.
- If you are scanning to a folder, or a USB drive, then you are likely creating incidental data.
The fix: Check your specs to see if you have internal memory. If so, turn it off. If you are scanning to a USB drive, use an encrypted USB drive (HIPAA demands data in transit be encrypted). If scanning to a folder, make sure it’s going to a shared, encrypted folder on the server.
Cell Phones
Cell phones have incidental data on them if they are used to access your practice email. In this case, many times the logins are automatic, so anyone with your cell-phone can access your email!
The fix: encrypt your cell-phones. Pretty much all cell-phones have built in encryption, and it’s easy to implement. Also make sure that you are using the security features of your cell-phone, such as a swipe-code or passcode to unlock. Ideally, you’ll want to force password entry when logging into your email accounts as well.
In summary
Going through these steps will help you identify incidental data on your network, and help you eliminate the risk by centralizing your storage.
Dan Gospe is the Chief Operating Officer and HIPAA Privacy Officer at dmi Networking, Inc. He can be reached through the contact form on this site, or in his office at 707-523-5915.