LAPTOP LOCKDOWN

Nov 1, 2001 12:00 PM, By Jennifer Pero

Keeping assets and information protected at Ochsner Clinic Foundation isn't always easy. The New Orleans-region healthcare provider — rated among the top 50 hospitals in U.S. News and World Report — combines 25 clinic sites, a 427-bed hospital and the state's largest health plan. Ochsner is also the city's largest non-profit private employer, with more than 6,000 full-time employees, all kept busy treating more than 300,000 patients and logging more than a million patient visits each year.

To provide its customers with advanced services and programs, Ochsner is continuously expanding physical and IT infrastructures to meet medical demands. Employing laptops instead of traditional bedside charts to update and generate real-time notes and reports about a patient's health, is one such implementation.

With so much information and traffic passing through its facilities, it's imperative that the clinic emphasize security along with the welfare of its patients.

The price of portability

Convenience isn't cheap. Laptops are more expensive than desktop computers, not to mention the need to secure the data on that laptop.

Laptop theft can cost more than $5,000, and potentially expose priceless confidential information.

Norris Yarbrough, administrative associate director of safety security and transportation for Ochsner Clinic, says asset protection — for items such as laptops — is increasingly difficult to monitor. When the clinic moved to bedside charting on laptops last year, Yarbrough had to reevaluate his security plans.

“Traditionally, our method of protecting laptops was simply ‘lock up your laptop,’ but with more employees using the computers, I knew our traditional way wasn't going to be the answer,” he says. “If you take a laptop and put it in a service environment with multiple users, you take away your first line of defense — the ability to lock it up when the owner is not using it.”

For Yarbrough, the challenge was to protect the computers at every step, without compromising their portability. After experimenting with lock-down pads, cables and docking stations, Yarbrough still found himself at odds with the nature of the laptops. “Locking devices are great for desktop PCs in terms of anchoring them down, but laptops are for portability,” he says. Yarbrough was repeatedly faced with laptop theft because, although the locking devices were securing the desktop computers, the laptop computers were much easier to take. “We had cases of people coming in and actually defeating the locking device. They were prying the locking devices off the sides of desks,” he says.

In his search for a solution, Yarbrough considered the benefits of hard-tags on each individual laptop to help monitor — and hopefully deter — theft of the computers. The hard-tags, small in size, required antennas to pick up the chip's signals to determine where the laptop was located in the facility. The solution proved costly, and there were technical glitches to be considered. For instance, Yarbrough had to consider medical telemetry equipment. The use of antennas with the hard-tags could interfere with medical equipment that received similar signals from other antennas. Additionally, hard-tags would not offer adequate protection — though the tags would signal when a laptop was removed from the premises, beyond that, the chances of recovery were non-existent.

Tracking technology

With approximately 387,000 notebook computers stolen in the United States in 2000, the ability of a security system to deter the theft of laptops — and also recover them — is becoming increasingly important. With laptops being taken repeatedly from various locations of the hospital and clinic sites, Yarbrough turned to alternative computer tracking devices. In his research, he was introduced to Vancouver, Canada-based Absolute Software and its Computrace PC tracking and loss prevention service.

Absolute Software, which provides tracking and computer solution systems to 2,000 companies across North America, offers a computer security system invisible to authorized and unauthorized users.

“It's such a neat little piece of self-contained, self-reporting software,” Yarbrough says. “I don't have to plug it in, I don't have to charge it, I don't have to put it under a detector to have it read. It's sitting there, waiting on the bad guy to complete a chain that's going to link [the property] back to me.”

Computrace, relying on the computer's IP address as the main source of communication, silently and automatically contacts the Computrace monitoring center, which transmits PC status information, including IP address, phone number and an electronic serial number on an on-going basis.

So the computer — and its location — is in constant contact with the company. The data is logged and is accessible via the administrator on the company's secure Web site. By storing the data at a central location, customers can request tracking reports to determine the status of their computers.

John Livingston, CEO of Absolute Software, explains that the tracking agent flags the database and increases the calls to the monitoring center — all while keeping the address visible. “Computrace is compatible with cable modems, networks and analog dial-up systems. Tracking is available through any online connection on a daily basis, and weekly, through an analog call.”

Real-time recovery

Should a computer be reported stolen, the call frequency increases, thus providing on-going communication between the monitoring center and the location of the laptop. Asset data gathered through the process is continuously updated for accuracy. Once the Computrace monitoring center identifies the location of the missing laptop, the company's recovery team assists by documenting the laptop make, model and serial number, details of the theft and the call history, including dates, times and number of calls made from the computer after it was reported missing. From there, once the physical location of the computer is identified, Computrace teams with local and national law enforcement to process a search warrant or subpoena to recover the laptop.

“Computrace is used to locate and recover, deter theft and manage and investigate losses,” Livingston says. In a single instance, he notes that the system recovered a total of 11 computers — without compromising information or documents.

Since the installation of the Computrace software, approximately five laptops have been stolen from Ochsner Clinic. Of the five, only one was recovered.

Despite what seems to be a grim success rate, Yarbrough remains confident the system is performing on par. “The laptop that was recovered was a standard laptop,” Yarbrough says. “The other four were useless beyond the facility's perimeters and did not have Internet access, therefore, were unable to login and send a signal to the monitoring center.”

As for the computer that was recovered, Computrace was able to trace the laptop to an identifiable location — just a mile from the Clinic, at a convenience store being used by the clerk behind the counter. “After documentation and photos, [the laptop] was returned and recovered to the clinic,” Yarbrough says. “The data, which was password-protected, was also recovered.”

Protecting assets — A two-prong approach

Asset security under Yarbrough's direction requires not only physical security, but also education. “My job as a corporate security director is not to catch the bad guys — that's law enforcement,” Yarbrough says. “My job as a corporate security director is to protect the asset to begin with.”

Yarbrough believes the first line of defense must be the employee.

“We aim our program at educating the employee to take ownership of the company's equipment — whether it's a laptop, cell phone or a company credit card — and not to assume that someone will protect it for [them],” he says.

Yarbrough and his security staff have taken initial steps to institute the awareness of asset protection. He breaks his program down in three steps:

• New employee orientation. All new employees go through an initial orientation program in which asset protection, physical protection and security in the workplace are discussed.

• Annual staff orientation. Annual training programs are instituted to re-emphasize the security program and update employees of new security measures.

• Monthly poster campaign. Posters address topics from asset protection to workplace violence on a monthly basis to keep awareness of security visible.

Although Yarbrough relies on the Computrace software to deliver on its promise, he knows that it cannot be the only security measure in place.

“You can't depend solely on the software for protection,” he says. “It's got to be just one element of the total program.”

For the record

About the author

Jennifer Pero is assistant editor of iSecurity.

About the companies

Visit infoLink at www.securitysolutions.com for more information on companies featured in this article.

Absolute Software — 96

Want to use this article? Click here for options!
© 2012 Penton Media Inc.

This month in Access Control

• Targeting The Customer
• Electronic Pedigrees
• One Hero Among Many
• Who? What? When? Where? Why?
• More from September's issue