ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Local Encryption ... Why Not?

    Scheduled Pinned Locked Moved IT Discussion
    357 Posts 15 Posters 190.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DashrenderD
      Dashrender @scottalanmiller
      last edited by

      @scottalanmiller said:

      @Dashrender said:

      It's amazing.. that whole limited access thing is something I've seen no health system actually implement.

      The comment here is that every staff member who has anything to do with the medical side in one way shape or form (that includes me, the IT guy) needs to have full access to all patient information in order to do our jobs.

      Frankly, I'm not sure how you build an easy to use system that limits what nurses and medical assistants can get access to, let along actual providers. Remember that near real time granted access would be a requirement in many cases.

      In some health systems I've seen them try to limit who has access by requiring things like a patients SSN as proof they are somehow connected with the patient - but that just doesn't seem right to me.

      It's actually insanely easy to build. Views by role is a standard security measure in any modern product. Even Spiceworks does this.

      Yes sure roles - of course, but in every situation I've seen, the roles of those who 'need' access to patient data, allow full unfettered access to every patient the hospital has on their system (with rare exception - I've seen some systems have a VIP tag for celebrities. this tag would prevent anyone but senior people to have access to those few records, but, the general public... the staff have full access.)

      What I'm talking about is - nurse ratchet should only be able to see the patients that her assigned physician is seeing today - or if she's in a call center, accessing the record would require some kind of release from the patient, etc.

      Sure we have roles, but really, they are nearly pointless.

      BRRABillB J 2 Replies Last reply Reply Quote 0
      • BRRABillB
        BRRABill @Dashrender
        last edited by

        @Dashrender said:

        Yes sure roles - of course, but in every situation I've seen, the roles of those who 'need' access to patient data, allow full unfettered access to every patient the hospital has on their system (with rare exception - I've seen some systems have a VIP tag for celebrities. this tag would prevent anyone but senior people to have access to those few records, but, the general public... the staff have full access.)

        What I'm talking about is - nurse ratchet should only be able to see the patients that her assigned physician is seeing today - or if she's in a call center, accessing the record would require some kind of release from the patient, etc.

        Sure we have roles, but really, they are nearly pointless.

        And outside of the roles that the actual medical professionals have, there are many more behind-the-scenes people who do everything from billing to market research.

        DashrenderD 1 Reply Last reply Reply Quote 0
        • DashrenderD
          Dashrender
          last edited by

          Here's an endpoint that I don't think we can get away from.

          Phones.

          My physicians all have their calendars/appointment books synced with their phones so they know where they need to be and when to be there, as well as the patient name, etc. This needs to be available in an offline manner.

          Encryption of this device is a must considering the above. But encryption alone is not enough. Enabling features like wipe after 10 tries or requiring long passwords (more than 12 characters) would be needed to really give these devices any type of real security.

          BRRABillB 1 Reply Last reply Reply Quote 0
          • DashrenderD
            Dashrender @BRRABill
            last edited by

            @BRRABill said:

            And outside of the roles that the actual medical professionals have, there are many more behind-the-scenes people who do everything from billing to market research.

            Billing people I see right in line with the medical personal - but the market research information could be pulled by a medical and reduced to a smaller subset - the researchers don't need direct access.

            BRRABillB 1 Reply Last reply Reply Quote 0
            • BRRABillB
              BRRABill @Dashrender
              last edited by

              @Dashrender said:

              Here's an endpoint that I don't think we can get away from.

              Phones.

              My physicians all have their calendars/appointment books synced with their phones so they know where they need to be and when to be there, as well as the patient name, etc. This needs to be available in an offline manner.

              Encryption of this device is a must considering the above. But encryption alone is not enough. Enabling features like wipe after 10 tries or requiring long passwords (more than 12 characters) would be needed to really give these devices any type of real security.

              A lot of e-mail systems support this. Exchange ActiveSync, for example. You can require the device has certain password rules before accepting corporate data. And you can remotely wipe the data or the device.

              An even bigger problem in that scenario is things like texting.

              DashrenderD 1 Reply Last reply Reply Quote 0
              • BRRABillB
                BRRABill @Dashrender
                last edited by

                @Dashrender said:

                @BRRABill said:

                And outside of the roles that the actual medical professionals have, there are many more behind-the-scenes people who do everything from billing to market research.

                Billing people I see right in line with the medical personal - but the market research information could be pulled by a medical and reduced to a smaller subset - the researchers don't need direct access.

                There are 18 things that qualify as PHI.

                Even a list of names is a no-no.

                And the issue is, how do we get the billing info to the third party biller? Are they using this "no endpoint data" EHR system? Probably not.

                1 Reply Last reply Reply Quote 0
                • DashrenderD
                  Dashrender
                  last edited by

                  To drive my point home:

                  We have fired two people over the last several years because they logged into a health system they were granted access to because our providers work there as well. They illegally gained access to patient data that had no connection to our providers.

                  Why is this even possible? Obviously it doesn't need to be so.. but it is, everywhere - in every system they have a logon for, they have full or near full unfettered access to all patients in the entire system.

                  BRRABillB 1 Reply Last reply Reply Quote 0
                  • DashrenderD
                    Dashrender @BRRABill
                    last edited by

                    @BRRABill said:

                    An even bigger problem in that scenario is things like texting.

                    I'm frustrated that we can't prevent texting!

                    Three technologies I'd love to see die:
                    PSTN
                    SMS/MMS
                    email

                    These technologies by themselves offer zero or near zero security or authentication or privacy.

                    BRRABillB 2 Replies Last reply Reply Quote 0
                    • BRRABillB
                      BRRABill @Dashrender
                      last edited by

                      @Dashrender said:

                      To drive my point home:

                      We have fired two people over the last several years because they logged into a health system they were granted access to because our providers work there as well. They illegally gained access to patient data that had no connection to our providers.

                      Why is this even possible? Obviously it doesn't need to be so.. but it is, everywhere - in every system they have a logon for, they have full or near full unfettered access to all patients in the entire system.

                      Right. That is something I think would be fixed with @scottalanmiller 's suggestions.

                      Encryption does nothing for that.

                      Except for when that same employee who should know better does that on a laptop and it gets stolen. And the the auditors trace that. Uh-oh.

                      StrongBadS 1 Reply Last reply Reply Quote 0
                      • BRRABillB
                        BRRABill @Dashrender
                        last edited by

                        @Dashrender said:

                        @BRRABill said:

                        An even bigger problem in that scenario is things like texting.

                        I'm frustrated that we can't prevent texting!

                        Three technologies I'd love to see die:
                        PSTN
                        SMS/MMS
                        email

                        These technologies by themselves offer zero or near zero security or authentication or privacy.

                        I delved into a lot of this because we did a survey in hospitals. There was no PHI on it, but it was on an iPad. In researching, I got to learn a lot of about device security in healthcare environments.

                        1 Reply Last reply Reply Quote 0
                        • BRRABillB
                          BRRABill @Dashrender
                          last edited by

                          @Dashrender said:

                          Three technologies I'd love to see die:
                          PSTN
                          SMS/MMS
                          email

                          These technologies by themselves offer zero or near zero security or authentication or privacy.

                          At least in their current form.

                          We use e-mail, but only to attach a link to a file stored on a secure service like ShareFile for Healthcare.

                          DashrenderD 1 Reply Last reply Reply Quote 0
                          • J
                            Jason Banned @Dashrender
                            last edited by

                            @Dashrender said:

                            Yes sure roles - of course, but in every situation I've seen, the roles of those who 'need' access to patient data, allow full unfettered access to every patient the hospital has on their system (with rare exception - I've seen some systems have a VIP tag for celebrities. this tag would prevent anyone but senior people to have access to those few records, but, the general public... the staff have full access.)

                            This is actually a bit of the opposite of the way we delegate access. For example higher ups such as Directors, C level Management, Board etc. Do not have access to modify financial data, some don't even have access to view. There is a lot of separation of roles.

                            DashrenderD 1 Reply Last reply Reply Quote 0
                            • DashrenderD
                              Dashrender @BRRABill
                              last edited by

                              @BRRABill said:

                              @Dashrender said:

                              Three technologies I'd love to see die:
                              PSTN
                              SMS/MMS
                              email

                              These technologies by themselves offer zero or near zero security or authentication or privacy.

                              At least in their current form.

                              We use e-mail, but only to attach a link to a file stored on a secure service like ShareFile for Healthcare.

                              Sure, but you could just as easily use any number of IM clients that can provide end to end encryption (yeah I know email can - but you as the user don't know that it does or not).

                              1 Reply Last reply Reply Quote 0
                              • DashrenderD
                                Dashrender @Jason
                                last edited by

                                @Jason said:

                                @Dashrender said:

                                Yes sure roles - of course, but in every situation I've seen, the roles of those who 'need' access to patient data, allow full unfettered access to every patient the hospital has on their system (with rare exception - I've seen some systems have a VIP tag for celebrities. this tag would prevent anyone but senior people to have access to those few records, but, the general public... the staff have full access.)

                                This is actually a bit of the opposite of the way we delegate access. For example higher ups such as Directors, C level Management, Board etc. Do not have access to modify financial data, some don't even have access to view. There is a lot of separation of roles.

                                That only works because there is never a time that those people require access to those systems to get their job done or save a life. You have a separation of duties that allows for that kind of division. Rarely does healthcare appear to have so easily definable boundaries.

                                J 1 Reply Last reply Reply Quote 0
                                • J
                                  Jason Banned @Dashrender
                                  last edited by

                                  @Dashrender said:

                                  @Jason said:

                                  @Dashrender said:

                                  Yes sure roles - of course, but in every situation I've seen, the roles of those who 'need' access to patient data, allow full unfettered access to every patient the hospital has on their system (with rare exception - I've seen some systems have a VIP tag for celebrities. this tag would prevent anyone but senior people to have access to those few records, but, the general public... the staff have full access.)

                                  This is actually a bit of the opposite of the way we delegate access. For example higher ups such as Directors, C level Management, Board etc. Do not have access to modify financial data, some don't even have access to view. There is a lot of separation of roles.

                                  That only works because there is never a time that those people require access to those systems to get their job done or save a life. You have a separation of duties that allows for that kind of division. Rarely does healthcare appear to have so easily definable boundaries.

                                  Not really we have our own Doctors, first responders , Safety team and we even have a community college.

                                  1 Reply Last reply Reply Quote 0
                                  • StrongBadS
                                    StrongBad @BRRABill
                                    last edited by

                                    @BRRABill said:

                                    @Dashrender said:

                                    To drive my point home:

                                    We have fired two people over the last several years because they logged into a health system they were granted access to because our providers work there as well. They illegally gained access to patient data that had no connection to our providers.

                                    Why is this even possible? Obviously it doesn't need to be so.. but it is, everywhere - in every system they have a logon for, they have full or near full unfettered access to all patients in the entire system.

                                    Right. That is something I think would be fixed with @scottalanmiller 's suggestions.

                                    Encryption does nothing for that.

                                    Except for when that same employee who should know better does that on a laptop and it gets stolen. And the the auditors trace that. Uh-oh.

                                    Does strict policy protect from that? That's something that I don't know about. If you have a clear policy that this is not allowed and they choose to take that data out of the allowed systems, can it be on them not on the company? No different than any other kind of theft? I know that you can do that if you move to VDI or terminal servers.

                                    BRRABillB 1 Reply Last reply Reply Quote 0
                                    • BRRABillB
                                      BRRABill @StrongBad
                                      last edited by

                                      @StrongBad said:

                                      Does strict policy protect from that? That's something that I don't know about. If you have a clear policy that this is not allowed and they choose to take that data out of the allowed systems, can it be on them not on the company? No different than any other kind of theft? I know that you can do that if you move to VDI or terminal servers.

                                      Yes, you could go after them. But technically they would be coming after you first. It's up to you to make sure that doesn't happen, or if it does, it does not get breached.

                                      There are many levels. If they are allowed access to the data it's not a concern unless the machine they are using gets stolen. Then it is a breach.

                                      If they are NOT allowed to access the data as part of their job, it is a breach in and of itself. Our policy dictates strict penalties for such a thing, and varies by levels ranging from a total mistake on their part to malicious theft of the data.

                                      StrongBadS 2 Replies Last reply Reply Quote 0
                                      • StrongBadS
                                        StrongBad @BRRABill
                                        last edited by

                                        @BRRABill said:

                                        There are many levels. If they are allowed access to the data it's not a concern unless the machine they are using gets stolen. Then it is a breach.

                                        But if putting data ON the machine is their decision and they were not allowed to do it, isn't that itself the breach? Or if you need an additional step, the breach is theirs not yours?

                                        BRRABillB 1 Reply Last reply Reply Quote 0
                                        • StrongBadS
                                          StrongBad @BRRABill
                                          last edited by

                                          @BRRABill said:

                                          If they are NOT allowed to access the data as part of their job, it is a breach in and of itself. Our policy dictates strict penalties for such a thing, and varies by levels ranging from a total mistake on their part to malicious theft of the data.

                                          Is misuse of data not a breach - even if the person is allowed to have access to it? A bank manager has access to money, but he isn't allowed to take it home.

                                          BRRABillB 1 Reply Last reply Reply Quote 0
                                          • BRRABillB
                                            BRRABill
                                            last edited by

                                            BTW:

                                            I contacted Wave and asked if their software (or the drives they support) has any sort of lockout period.

                                            They do not.

                                            So if you happen to steal my laptop and take out the drive, you could theoretically sit and manually guess my password until the cows come home. Maybe one day you'll get it.

                                            Even with that, I'd still like to know how this system provides the illusion of security.

                                            scottalanmillerS 1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 7
                                            • 8
                                            • 9
                                            • 10
                                            • 11
                                            • 17
                                            • 18
                                            • 9 / 18
                                            • First post
                                              Last post