Laptops and Portable Devices | Technical Guidance for HIV/AIDS Surveillance Programs, Volume III: Security and Confidentiality Guidelines | Guidelines | Statistics and Surveillance | Topics

CDC Home > HIV/AIDS > HIV/AIDS Prevention > Topics > Statistics and Surveillance > Guidelines > Technical Guidance for HIV/AIDS Surveillance Programs, Volume III

Technical Guidance for HIV/AIDS Surveillance Programs, Volume III: Security and Confidentiality Guidelines


	Contributors

	Introduction

	Attachment A

	Attachment B

	Attachment C

	Attachment D

	Attachment E

	Attachment F

	Attachment G

	Attachment H

LEGEND:


		Link to a PDF document

		Link to non-governmental site and does not necessarily represent the views of the CDC

Adobe Acrobat (TM) Reader needs to be installed on your computer in order to read documents in PDF format. Download the Reader.

Laptops and Portable Devices

Requirement 34 Laptops and other portable devices (e.g., personal digital assistants [PDAs], other hand-held devices, and tablet personal computers [PCs]) that receive or store surveillance information with personal identifiers must incorporate the use of encryption software. Surveillance information with identifiers must be encrypted and stored on an external storage device or on the laptop's removable hard drive. The external storage device or hard drive containing the data must be separated from the laptop and held securely when not in use. The decryption key must not be on the laptop. Other portable devices without removable or external storage components must employ the use of encryption software that meets federal standards. (GP-1)

Laptop computers, PDAs, and other hand-held or portable devices are becoming common tools for HIV/AIDS surveillance and may be key components of centralized surveillance systems. Unfortunately, laptops are vulnerable to theft. Although the likely target of the theft would be the device rather than the data, extreme care must be taken if the device stores HIV/AIDS surveillance data or information. If surveillance data are stored on the device's hard drive, hard drives must be removable and stored separately when the device is being transported to and from the secured area. Alternatively, a security package that uses both software and hardware protection can be used. For example, an acceptable, though not as robust, level of protection can be achieved by using a smart disk procedure. This procedure prevents the device from booting up unless an encoded smart disk is inserted when the device is first turned on and a password is entered. Such a smart disk must not be stored with the device while in transit. The smart disk must be used in conjunction with an encryption package. Using this kind of protection scheme is critical because the device is capable of containing large amounts of sensitive information (e.g., names, addresses, dates of birth). Therefore, if a device has sensitive data on either an external storage device or hard drive, it must be taken back to the secured area at the close of business (unless out of town business travel is approved). Contingency plans should be in place that outline protective steps to take in case returning to the secure surveillance area is not possible. See Requirement 24 and Requirement 25. A removable drive is worth using even if data are encrypted and the laptop employs several layers of security.

Another option to consider when using laptops is to store encrypted data on an external storage device. If the device is lost or stolen, the data are protected. Unlike the laptop's hard drive, an external storage device lacks market value and is not as likely to be stolen or reused. Nonetheless, external storage devices containing patient identifiers must be encrypted when taken out of a secure area. For more information about removable and external storage devices, refer to section Removable and External Storage Devices.

With the inception of Wireless Fidelity (Wi-Fi) products, many devices can now connect wirelessly to the Internet or a LAN. This functionality introduces risks regarding devices used to collect or store surveillance data. If these devices are not properly configured, data can be transmitted wirelessly over great distances without protection; this can result in the data being exposed to anyone with similar wireless products. Even if data are not being transmitted wirelessly but the device is capable of a wireless connection to the Internet, data stored on the device are susceptible to compromise by exposure to the Internet. For example, surveillance data may be collected in the field and stored on a laptop with Wi-Fi capability. The person collecting the data stops by a store that has a "hot spot" in order to connect to the Internet and check e-mail. The data stored on the laptop have the potential to be compromised. Any use of Wi-Fi or similar evolving wireless technologies must be given serious consideration when developing local policies. CDC strongly recommends that any local policy developed in response to Requirement 34 include explicit language regarding wireless technologies.

Last Modified: February 16, 2006
Last Reviewed: February 16, 2006
Content Source:
Divisions of HIV/AIDS Prevention
National Center for HIV/AIDS, Viral Hepatitis, STD, and TB Prevention


	Printer-Friendly Version




	What's New?


	HIV/AIDS A-Z Index


	VIH/SIDA en español


	CDC Responds to HIV/AIDS


	HIV/AIDS E-Publications


	Get E-mail Updates


	Order Free HIV/AIDS Publications

	RSS\| RSS Help


	Media


	Conferences and Trainings


	Key Resources


	Site Map

Home

Policies and Regulations

Disclaimer

e-Government

FOIA

Centers for Disease Control and Prevention, 1600 Clifton Rd, Atlanta, GA 30333, USA
800-CDC-INFO (800-232-4636) TTY: (888) 232-6348, 24 Hours/Every Day - cdcinfo@cdc.gov

Department of Health
and Human Services