ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Local Encryption ... Why Not?

    Scheduled Pinned Locked Moved IT Discussion
    357 Posts 15 Posters 190.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • scottalanmillerS
      scottalanmiller @BRRABill
      last edited by

      @BRRABill said:

      @Dashrender said:

      It's amazing.. that whole limited access thing is something I've seen no health system actually implement.

      The comment here is that every staff member who has anything to do with the medical side in one way shape or form (that includes me, the IT guy) needs to have full access to all patient information in order to do our jobs.

      Frankly, I'm not sure how you build an easy to use system that limits what nurses and medical assistants can get access to, let along actual providers. Remember that near real time granted access would be a requirement in many cases.

      In some health systems I've seen them try to limit who has access by requiring things like a patients SSN as proof they are somehow connected with the patient - but that just doesn't seem right to me.

      I agree the healthcare system, from small office to large conglomerate is ignoring a lot of this.

      Which is exactly why health systems like the one in my article make it simpler by just encrypting the hard drive. Lose a machine, not an issue.

      But it doesn't address the issues. I've never seen or heard of a HIPAA issue that this would have protected against except in cases of reckless storage of data on end points - often likely because someone was trying to put data into a precarious position.

      BRRABillB 1 Reply Last reply Reply Quote 0
      • BRRABillB
        BRRABill @Jason
        last edited by

        @Jason said:

        Encrypting data doesn't prevent authorized people from accessing or using data in an unauthorized manor.

        I just looked up the breach report.

        https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

        It's interesting to note that a majority of the early cases were all from theft. Now they are interspersed with "unauthorized access" which if I had to bet, was due to more healthcare systems encrypting their endpoints. As we discussed, they do not look at an encrypted lost endpoint as a breach.

        Are there potential holes in endpoint encryption? Sure. There are holes in anything.

        Since we were discussing it, here is an article that states the OCR does not consider the loss of an encrypted endpoint a breach.
        http://www.icemiller.com/MediaLibraries/icemiller.com/IceMiller/PDFs/publications/Healthcare-Protect-Confidentiality-Guide.pdf?ext=.pdf

        1 Reply Last reply Reply Quote 0
        • BRRABillB
          BRRABill @scottalanmiller
          last edited by

          @scottalanmiller said:

          But it doesn't address the issues. I've never seen or heard of a HIPAA issue that this would have protected against except in cases of reckless storage of data on end points - often likely because someone was trying to put data into a precarious position.

          They don't need to address the issues.

          People can keep working as they are used to, with the tools they need, and are protected by the encryption.

          Why reinvent the entire wheel, best practice or not?

          J scottalanmillerS 3 Replies Last reply Reply Quote 0
          • J
            Jason Banned @BRRABill
            last edited by

            @BRRABill said:

            @scottalanmiller said:

            But it doesn't address the issues. I've never seen or heard of a HIPAA issue that this would have protected against except in cases of reckless storage of data on end points - often likely because someone was trying to put data into a precarious position.

            They don't need to address the issues.

            People can keep working as they are used to, with the tools they need, and are protected by the encryption.

            Why reinvent the entire wheel, best practice or not?

            Because that is the easiest way to steal data. It's the simplest to protect against also. The current way is about giving an image of security without actual security.

            BRRABillB 1 Reply Last reply Reply Quote 1
            • scottalanmillerS
              scottalanmiller @BRRABill
              last edited by

              @BRRABill said:

              @scottalanmiller said:

              But it doesn't address the issues. I've never seen or heard of a HIPAA issue that this would have protected against except in cases of reckless storage of data on end points - often likely because someone was trying to put data into a precarious position.

              They don't need to address the issues.

              People can keep working as they are used to, with the tools they need, and are protected by the encryption.

              Why reinvent the entire wheel, best practice or not?

              You reinvest the wheel when the existing wheel isn't a good design. Why use the square wheel when the round one could be invested?

              1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @BRRABill
                last edited by

                @BRRABill said:

                @scottalanmiller said:

                But it doesn't address the issues. I've never seen or heard of a HIPAA issue that this would have protected against except in cases of reckless storage of data on end points - often likely because someone was trying to put data into a precarious position.

                They don't need to address the issues.

                People can keep working as they are used to, with the tools they need, and are protected by the encryption.

                Why reinvent the entire wheel, best practice or not?

                Technically, encryption is reinventing the wheel. It only helps when companies are not following standard industry security practices. Not that it is uncommon, but it is the less common. The wheel exists because it is useful.

                BRRABillB 1 Reply Last reply Reply Quote 0
                • BRRABillB
                  BRRABill @Jason
                  last edited by

                  @Jason said:

                  The current way is about giving an image of security without actual security.

                  It still hasn't been explained to me how an encrypted hard drive is just an image of security.

                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                  • BRRABillB
                    BRRABill @scottalanmiller
                    last edited by

                    @scottalanmiller said:

                    Technically, encryption is reinventing the wheel. It only helps when companies are not following standard industry security practices. Not that it is uncommon, but it is the less common. The wheel exists because it is useful.

                    So out of the 100% of hospitals in the US ... how many do you think are fully following best practice?

                    And what percentage would benefit from just encrypting their endpoints?

                    scottalanmillerS 1 Reply Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @BRRABill
                      last edited by

                      @BRRABill said:

                      @Jason said:

                      The current way is about giving an image of security without actual security.

                      It still hasn't been explained to me how an encrypted hard drive is just an image of security.

                      We've explained it quite a bit. It's not as secure as the standard "wheel". It encourages lower than normal security and makes it increasingly likely to be insecure.

                      BRRABillB 1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @BRRABill
                        last edited by

                        @BRRABill said:

                        @scottalanmiller said:

                        Technically, encryption is reinventing the wheel. It only helps when companies are not following standard industry security practices. Not that it is uncommon, but it is the less common. The wheel exists because it is useful.

                        So out of the 100% of hospitals in the US ... how many do you think are fully following best practice?

                        And what percentage would benefit from just encrypting their endpoints?

                        Almost all, Because the majority always do things poorly.

                        1 Reply Last reply Reply Quote 0
                        • BRRABillB
                          BRRABill @scottalanmiller
                          last edited by

                          @scottalanmiller said:

                          It encourages lower than normal security and makes it increasingly likely to be insecure.

                          In no way am I suggesting we throw caution to the wind because we are using a SED.

                          It is the final security check, and as has been mentioned prevents you from even having to report a breach in HIPAA settings.

                          Even if I store all my data in the cloud for my personal machine, I'd still like to have the safety net of the SED, juuuuuuuuuust in case one of my programs isn't working quite the way it supposed to. Now I know all of our programs and products work exactly as they should, and there is no chance of there being any sensitive data on there. (<= DEEP DEEP SARCASM.)

                          1 Reply Last reply Reply Quote 1
                          • DashrenderD
                            Dashrender @scottalanmiller
                            last edited by

                            @scottalanmiller said:

                            @Dashrender said:

                            It's amazing.. that whole limited access thing is something I've seen no health system actually implement.

                            The comment here is that every staff member who has anything to do with the medical side in one way shape or form (that includes me, the IT guy) needs to have full access to all patient information in order to do our jobs.

                            Frankly, I'm not sure how you build an easy to use system that limits what nurses and medical assistants can get access to, let along actual providers. Remember that near real time granted access would be a requirement in many cases.

                            In some health systems I've seen them try to limit who has access by requiring things like a patients SSN as proof they are somehow connected with the patient - but that just doesn't seem right to me.

                            It's actually insanely easy to build. Views by role is a standard security measure in any modern product. Even Spiceworks does this.

                            Yes sure roles - of course, but in every situation I've seen, the roles of those who 'need' access to patient data, allow full unfettered access to every patient the hospital has on their system (with rare exception - I've seen some systems have a VIP tag for celebrities. this tag would prevent anyone but senior people to have access to those few records, but, the general public... the staff have full access.)

                            What I'm talking about is - nurse ratchet should only be able to see the patients that her assigned physician is seeing today - or if she's in a call center, accessing the record would require some kind of release from the patient, etc.

                            Sure we have roles, but really, they are nearly pointless.

                            BRRABillB J 2 Replies Last reply Reply Quote 0
                            • BRRABillB
                              BRRABill @Dashrender
                              last edited by

                              @Dashrender said:

                              Yes sure roles - of course, but in every situation I've seen, the roles of those who 'need' access to patient data, allow full unfettered access to every patient the hospital has on their system (with rare exception - I've seen some systems have a VIP tag for celebrities. this tag would prevent anyone but senior people to have access to those few records, but, the general public... the staff have full access.)

                              What I'm talking about is - nurse ratchet should only be able to see the patients that her assigned physician is seeing today - or if she's in a call center, accessing the record would require some kind of release from the patient, etc.

                              Sure we have roles, but really, they are nearly pointless.

                              And outside of the roles that the actual medical professionals have, there are many more behind-the-scenes people who do everything from billing to market research.

                              DashrenderD 1 Reply Last reply Reply Quote 0
                              • DashrenderD
                                Dashrender
                                last edited by

                                Here's an endpoint that I don't think we can get away from.

                                Phones.

                                My physicians all have their calendars/appointment books synced with their phones so they know where they need to be and when to be there, as well as the patient name, etc. This needs to be available in an offline manner.

                                Encryption of this device is a must considering the above. But encryption alone is not enough. Enabling features like wipe after 10 tries or requiring long passwords (more than 12 characters) would be needed to really give these devices any type of real security.

                                BRRABillB 1 Reply Last reply Reply Quote 0
                                • DashrenderD
                                  Dashrender @BRRABill
                                  last edited by

                                  @BRRABill said:

                                  And outside of the roles that the actual medical professionals have, there are many more behind-the-scenes people who do everything from billing to market research.

                                  Billing people I see right in line with the medical personal - but the market research information could be pulled by a medical and reduced to a smaller subset - the researchers don't need direct access.

                                  BRRABillB 1 Reply Last reply Reply Quote 0
                                  • BRRABillB
                                    BRRABill @Dashrender
                                    last edited by

                                    @Dashrender said:

                                    Here's an endpoint that I don't think we can get away from.

                                    Phones.

                                    My physicians all have their calendars/appointment books synced with their phones so they know where they need to be and when to be there, as well as the patient name, etc. This needs to be available in an offline manner.

                                    Encryption of this device is a must considering the above. But encryption alone is not enough. Enabling features like wipe after 10 tries or requiring long passwords (more than 12 characters) would be needed to really give these devices any type of real security.

                                    A lot of e-mail systems support this. Exchange ActiveSync, for example. You can require the device has certain password rules before accepting corporate data. And you can remotely wipe the data or the device.

                                    An even bigger problem in that scenario is things like texting.

                                    DashrenderD 1 Reply Last reply Reply Quote 0
                                    • BRRABillB
                                      BRRABill @Dashrender
                                      last edited by

                                      @Dashrender said:

                                      @BRRABill said:

                                      And outside of the roles that the actual medical professionals have, there are many more behind-the-scenes people who do everything from billing to market research.

                                      Billing people I see right in line with the medical personal - but the market research information could be pulled by a medical and reduced to a smaller subset - the researchers don't need direct access.

                                      There are 18 things that qualify as PHI.

                                      Even a list of names is a no-no.

                                      And the issue is, how do we get the billing info to the third party biller? Are they using this "no endpoint data" EHR system? Probably not.

                                      1 Reply Last reply Reply Quote 0
                                      • DashrenderD
                                        Dashrender
                                        last edited by

                                        To drive my point home:

                                        We have fired two people over the last several years because they logged into a health system they were granted access to because our providers work there as well. They illegally gained access to patient data that had no connection to our providers.

                                        Why is this even possible? Obviously it doesn't need to be so.. but it is, everywhere - in every system they have a logon for, they have full or near full unfettered access to all patients in the entire system.

                                        BRRABillB 1 Reply Last reply Reply Quote 0
                                        • DashrenderD
                                          Dashrender @BRRABill
                                          last edited by

                                          @BRRABill said:

                                          An even bigger problem in that scenario is things like texting.

                                          I'm frustrated that we can't prevent texting!

                                          Three technologies I'd love to see die:
                                          PSTN
                                          SMS/MMS
                                          email

                                          These technologies by themselves offer zero or near zero security or authentication or privacy.

                                          BRRABillB 2 Replies Last reply Reply Quote 0
                                          • BRRABillB
                                            BRRABill @Dashrender
                                            last edited by

                                            @Dashrender said:

                                            To drive my point home:

                                            We have fired two people over the last several years because they logged into a health system they were granted access to because our providers work there as well. They illegally gained access to patient data that had no connection to our providers.

                                            Why is this even possible? Obviously it doesn't need to be so.. but it is, everywhere - in every system they have a logon for, they have full or near full unfettered access to all patients in the entire system.

                                            Right. That is something I think would be fixed with @scottalanmiller 's suggestions.

                                            Encryption does nothing for that.

                                            Except for when that same employee who should know better does that on a laptop and it gets stolen. And the the auditors trace that. Uh-oh.

                                            StrongBadS 1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 6
                                            • 7
                                            • 8
                                            • 9
                                            • 10
                                            • 17
                                            • 18
                                            • 8 / 18
                                            • First post
                                              Last post