ProjectSend
-
@scottalanmiller said:
@drewlander said:
@Jason said:
You have to do a lot of tracking to determine what is normal. IPs change. People move around a lot. People use Cellular devices. Heck the actual IP address for Celluar devices will often show different states.
Good point. If a customer called me however and said they cannot access a document on a secure document exchange server from their mobile device, I would probably tell them to go to a computer. No one should be storing PHI on their cellphone.
Why is that? What if that is all that they have? Why would a medical facility get involved in determining the appropriateness of device types for customers? That seems fundamentally wrong. And what if one facility decides that only "Windows is okay" and the next that "only phones are okay" and the next says "Only Macs are secure."
We are getting into IT wanting to be in charge of everything from where customers travel, which customers are given access and from what operating systems they are allowed to access their own data.
Because I cannot be responsible for a system that keeps data secure and at the same time not have any control over how that data is accessed.
-
@drewlander the legalise looks really strongly like it forbids it since the only way to know how the patterns are working is to expose PHI data! So you'd violate the HIPAA regulation in the attempt to protect it.
Using IP blocking is not an accepted security practice for this sort of thing in any environment I have ever encountered. HIPAA requires reasonable security, yes, and opening up PHI data (valuable) to do IP blocking (negligible) would not constitute that IMHO.
-
@drewlander said:
Because it is NOT your data, you DO NOT need it and it is against the law.
LOL! As a doctor, don't pay your hosted EMR bill then try to get YOUR data and see how that goes.
Or try sharing it and see how quickly HIPAA rears its head.
-
@scottalanmiller said:
@drewlander the legalise looks really strongly like it forbids it since the only way to know how the patterns are working is to expose PHI data! So you'd violate the HIPAA regulation in the attempt to protect it.
Using IP blocking is not an accepted security practice for this sort of thing in any environment I have ever encountered. HIPAA requires reasonable security, yes, and opening up PHI data (valuable) to do IP blocking (negligible) would not constitute that IMHO.
I will agree that the only way to do this properly is to whitelist access to sensitive data, but without every party involved having a static IP that is not necessarily possible. In that case, filtering out the bulk of the risk with geoblocking is not for nothing.
-
@drewlander said:
I will agree that the only way to do this properly is to whitelist access to sensitive data, but without every party involved having a static IP that is not necessarily possible. In that case, filtering out the bulk of the risk with geoblocking is not for nothing.
That's the question.... you could filtering anything and say that, though. Just turn all access off and say it takes away the threat. The question becomes - when does choosing and limiting customer access become something IT even has a right to do? From the business side, I would say never, this is purely a business and/or legal decision. From a legal side, I'm not sure. When can we use a third party geolocation list, combine it with opinion and pick and choose customers to accept or block? If we are a private business, we can do that anytime that we want. For medical, I'm not sure how "right to access" laws or discrimination laws or whatever might apply.
But I don't agree that just because it reduces risk that IT would get the right to make the call nor that it is an acceptable way to do it. Because literally turning the service off would be the extreme case of that and obviously that is not acceptable. So there has to be more logic involved in the decision that just "is it more secure."
What logic needs to be applied, I am not totally sure. But it has to be more.
-
By the way, as a point of example... I have friends who were in the Ukraine for an extended period of time and were adopting a child so would have needed, as Americans, access to their PHI. This is very recent too.
And we have a lot of Ukrainians here in the community who travel to the US regularly need potential access to health care records from the US to give to doctors in Kiev.
It's a very valid use case for people there to need info from US doctors.
-
http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/eaccess.pdf
Access is heavily governed. Not sure how equal access would apply, but given the amount of right to access law there is, I would not want to do anything that did not treat all customers equally as that likely would violate something in there. Have not found that specifically but because of the type of law that it is I expect that to be implicit if nothing else.
-
@scottalanmiller said:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/eaccess.pdf
Access is heavily governed. Not sure how equal access would apply, but given the amount of right to access law there is, I would not want to do anything that did not treat all customers equally as that likely would violate something in there. Have not found that specifically but because of the type of law that it is I expect that to be implicit if nothing else.
As I understand them, HIPAA laws are crafted to protect the patient, and penalize end users for the misuse of the data. Your argument is in defense of the doctors, not the patients. When data crosses borders to another country, I cannot effectively govern the use of that data outside of the United States as it pertains to HIPAA. As a host in the United States how can you apply the laws of the United States to cross-border data flows into countries that do not recognize the same laws? That's the conundrum. US laws often either do not exist or contradict laws of other countries, therefore I cannot afford to risk the PHI of dozens of practices and potentially millions of patients because one doctor is spending months in the Ukraine. That's his problem and if he wants access to that data he can use an alternate solution such as a VPN to a computer on US soil that is subject to the laws in the US. If that sounds uninviting, then I have done my job to protect that data.
-
@scottalanmiller said:
@Dashrender said:
Agreed.
When it comes to direct patient access, I probably wouldn't care where they access it from, and if I could skip all tracking of that I might consider it. That said who's to blame if a patients account is accessed using their credentials and the account holder didn't authorize it? The Covered Entity (CE)?
Is that true even if they have their own account and someone authenticated as them? I'm am unaware of any such liability when proper precautions are taken.
This was a question, perhaps a leading one.. but one none the less. From your post it appears you think there would be no liability if the proper precautions are taken.
-
@drewlander said:
As I understand them, HIPAA laws are crafted to protect the patient, and penalize end users for the misuse of the data. Your argument is in defense of the doctors, not the patients.
Oh no, I didn't mean it to be. ALL of that was about getting customers equal access to their own data. Not doctors getting data. At least that is what I intended.
-
@drewlander said:
When data crosses borders to another country, I cannot effectively govern the use of that data outside of the United States as it pertains to HIPAA.
I understand that. But my point is that it isn't yours to govern, it is the patients. So once a patient has taken that data the IT people have nothing to do with it.
-
Scott's entire purpose of his perspective has been from the patient side. Really this whole thread needs to be scrapped and started over when looking at sending data not to patients, because my intention for the use of something like Project Send isn't patient-centric, it's inter community communication with other health related entities (most of them being Business Associates or other Covered Entities).
-
I'll agree that the point was never to block a patient from access to their files from anywhere they happen to be - though the idea of blocking China and other known parts of the world to be providing the majority of the hacks around the world is extremely desirable in my mind.
As an aside, my email filtering company is set to GEO block all emails that come from outside the USA. This does present the occasional issue, but by and large it blocks 80-90% of the spam email we get (well at least it used to, spam levels for us seem to be on the decline).
-
@Dashrender Right. So scrap the thread and lets start over. Basically this being written in PHP with a MySQL backend is great. So simple to modify and tailor as needed. Also I think it can be easily integrated into other projects if that ever came up.
-
@Dashrender said:
This was a question, perhaps a leading one.. but one none the less. From your post it appears you think there would be no liability if the proper precautions are taken.
Right, if proper precautions are taken to protect the client data and to provide equitable access, the liability would not be with the IT department.
-
@Dashrender said:
Scott's entire purpose of his perspective has been from the patient side. Really this whole thread needs to be scrapped and started over when looking at sending data not to patients, because my intention for the use of something like Project Send isn't patient-centric, it's inter community communication with other health related entities (most of them being Business Associates or other Covered Entities).
That would be rather different, I agree.
-
@Dashrender said:
I'll agree that the point was never to block a patient from access to their files from anywhere they happen to be - though the idea of blocking China and other known parts of the world to be providing the majority of the hacks around the world is extremely desirable in my mind.
The question becomes... how many false positives are okay?
-
@Dashrender said:
...because my intention for the use of something like Project Send isn't patient-centric, it's inter community communication with other health related entities (most of them being Business Associates or other Covered Entities).
How does it work if your patients go to a different medical center and legitimate doctors from outside of your area need access?
-
@scottalanmiller said:
@Dashrender said:
I'll agree that the point was never to block a patient from access to their files from anywhere they happen to be - though the idea of blocking China and other known parts of the world to be providing the majority of the hacks around the world is extremely desirable in my mind.
The question becomes... how many false positives are okay?
LOL you know that that is an arbitrary number, each situation will have it's own answer. Instead of blocking, I could forward all email to myself and spend my day deciding what was spam and what wasn't, but I don't do that either.
Our false positive rate on Spam and non US IP based messages is well below 1%, probably below 0.0001%. When one is discovered, they are added to the whitelist. Our whitelist is pretty small, less than 50 items on it.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
I'll agree that the point was never to block a patient from access to their files from anywhere they happen to be - though the idea of blocking China and other known parts of the world to be providing the majority of the hacks around the world is extremely desirable in my mind.
The question becomes... how many false positives are okay?
LOL you know that that is an arbitrary number, each situation will have it's own answer. Instead of blocking, I could forward all email to myself and spend my day deciding what was spam and what wasn't, but I don't do that either.
Our false positive rate on Spam and non US IP based messages is well below 1%, probably below 0.0001%. When one is discovered, they are added to the whitelist. Our whitelist is pretty small, less than 50 items on it.
Let's think of it as phone calls. How many calls from non-US numbers would you take? At what point do you block any and all communications from non-American parties and/or addresses?
If you knew that people were outside the US it would be one question, if you are just using geo location it is another. In one case you are making a decision around location. In the other you are allowing a third party to list "location-ish."
