Related content

• Computer security at home
• Computer security at work

Computer security on the move

Modern portable computing devices come in a variety of forms -- including personal digital assistants (PDAs); palmtop, notebook and laptop computers; smart cell phones and messaging systems like the Blackberry.  High-capacity portable storage media include optical media (CDs, DVDs), solid-state "flash" drives, and portable external hard drives. 

Such devices require many of the same protective measures as "non-portables," but also some steps unique to them.  If you don't understand at least the basics of protecting a portable, you shouldn't be using one.

What's different about portables?

Increasing capabilities, and risk.  Portables are now very powerful, and have the capacity to process and/or store large quantities of information.  This makes them very useful.  It also makes their loss potentially both a personal and an organizational problem of great magnitude.

Offices are relatively safe places (though rarely 100 percent secure).  Unfortunately, portables don't usually stay in the office.  Portables are attractive targets for thieves, and it can take only seconds to steal one in an unprotected environment.  (They're not just portable for you.)  While theft is always a worry, accidental damage and simple loss are even more likely.  Make sure your security measures take all the risks into account.

Defense in depth for your portable.  Nothing can make a portable as secure as an office machine that never leaves the desk.  But there are many steps you can take to improve the odds of keeping them and the data they contain secure. 

While better than nothing, one type of protection strategy is rarely enough.  It is equally rare to need all the protections we list here.  Unfortunately, there is no fixed rule about how much security is needed for a portable.  It depends on the vulnerability of the device, given how you use it, and how sensitive the information on it is considered to be.

We focus on portable computers here, but many of the same security measures apply to high-capacity portable storage media .

Protection measures for portables

1. Minimize sensitive data storage.  The less sensitive data you keep on a portable, the less you need to worry about sensitive data exposure if the device is lost or stolen, and the fewer security measures you'll need to put in place. 

If you must have portable/remote access to sensitive data, consider using your organization's network file capabilities, such as the medical campus' network file services.  On balance, this is almost always a more secure option than keeping the data on the portable itself.  (If you can't follow this advice, pay particular attention to #8 and #9 below.) 

Remember that you must protect the things that grant remote access to the network-stored files, such as your Medical-ID password.  And you must attend to securing the communication link between your portable and the network (see #11 below).

2. Keep your portable in physically secure spaces whenever possible.  The most important defense is a secure physical space, like a protected office environment.  Taking a portable out in the world is always risky.  Millions of insurance claims each year for damaged, lost or stolen computing devices are the proof.

3. When you take it out, always assess the environment.  The reason you have a portable is so you can take it with you, of course.   When you do, always be aware of the security of the environment into which you take it.  Not sure about the environment?  Apply the "Ben Franklin Test":  If you wouldn't leave a $100 bill unattended in a particular place, you probably shouldn't leave your portable there either.

4. Attend to secure storage and transit.  When it's not in use, keep your portable locked up.  On the road, keep it close -- and when you can't, keep it as locked up as possible, and as hidden as possible.  (For example, put it in the trunk, not on the seat of your car.  Forego the fancy laptop case in favor of a generic-looking carrying container.)

5. Protect it with locks and alarms,  Physical locks (typically using steel cables) and alarm devices (that activate when the device is moved or gets too far away from you) are relatively cheap and can provide a measure of protection for larger devices like laptops in an otherwise insecure physical space.

6. Protect it with labels and engraving,  Permanent labels and/or engraving can facilitate return of a lost device, and make it a less attractive target for theft.

7. Protect it with passwords (or biometrics if available).  If you keep sensitive information on a portable, passwords and other access protections should be used whenever the portable device allows it.  The usual password security issues apply.   If the devices allows a biometric authenticator like a fingerprint, use that too.

8. Protect it with encryption.  Encryption tools can provide a virtually impenetrable barrier for particularly sensitive data on a portable, but at the price of some inconvenience.  Some devices come with this capability built in.  For others, you must purchase/add encryption software.  (This is essential if you can't follow rule #1 above, both for your portable computing devices and any portable storage media that travels with you.)

9. Protect it with tracking and "remote destruct" systems.  Tracking software can be installed to report a stolen portable's location when it connects to the Internet.  Such software usually also provides the capability for remote lockdown and/or file deletion.  (This is probably also essential if you can't follow rule #1 above.)

10. Keep secure backup copies.  To make sure that you have access to your data, it is essential to keep secure backup copies of all the data on a portable.  Be sure you securely dispose of those backup copies, and the device itself, when they are no longer needed.  (Another advantage of using network files is that we keep backup copies for you.)

11. Attend to communications security.  A portable device is usually a wireless device.  If your portable has Wi-Fi/Airport (802.11a/b/g/n) and/or Bluetooth capabilities, be sure they're configured securely.  If you're accessing sensitive data from off-site, attend to secure end-to-end communications too -- e.g., by using a VPN connection method approved by your organization.

12. Be sure to report the loss of any sensitive data to appropriate authorities in your organization.  Make a report even if the device is recovered. The confidentiality of the information may have been compromised while the device was out of your control.  (In Florida, we have a statutory reporting requirement for some kinds of personal data exposure.)

13. Be mindful of the insecurities of "borrowed" systems.  If you do decide to rely on others' computers, rather than toting yours around, be aware of the security perils of borrowed systems.  You can leave a lot of "footprints" (trace information) behind even on an infection-free system if you're not careful; and you can leave everything behind on one that is infected with spyware.

14. Remember the computer security basics.  Portable computing devices require many of the same basic security measures as a non-portable computer.   For details on that, see Medical IT's guides to computer security at work and at home.

Sound like a lot to do?  Well, it can be, though with time and practice many of these will become second nature.  (And remember that we said it's rare to need all of these protections.)  But it is critical that you not leave this to chance.  Always keep in mind how much damage you can do to yourself and your organization with careless use of a portable. 

If you're not sure what's appropriate for your circumstances, contact the Medical Information Technology Help Desk or Information Security group.

Learn more

Protecting Portable Devices: Physical Security and Protecting Portable Devices: Data Security (US-CERT)
Basic steps for keeping safe your portables and the data on them

Cybersecurity for Electronic Devices (US-CERT)
More basic steps for protecting portables and the data on them