Software HDD Encryption: Poll
-
@Dashrender said:
@scottalanmiller said:
Why is there data on laptops to protect? Why not just keep data from going to them altogether and completely fix the problem?
Do this is expensive and potentially difficult.
If I was to try to do this in my environment I'd have to start by building either RDS servers or VDI.
Pretty basic first steps if security matters, though. If data is going on our laptops, security isn't a very high focus. You do RDS or VDI or just remote into desktops long, long before you talk encryption of laptops.
-
@thecreativeone91 said:
@Dashrender said:
@scottalanmiller said:
Why is there data on laptops to protect? Why not just keep data from going to them altogether and completely fix the problem?
Do this is expensive and potentially difficult.
It's the least expensive option.
Is it?
-
@g.jacobse said:
@scottalanmiller said:
Why is there data on laptops to protect? Why not just keep data from going to them altogether and completely fix the problem?
As part of our contract with the State, we are required to.
At this time we do not have another solution.
You are contractually obligated to store sensitive data in risky places? Why would a contract mandate that?
-
@thecreativeone91 said:
@Dashrender said:
@thecreativeone91 said:
@Dashrender said:
@scottalanmiller said:
Why is there data on laptops to protect? Why not just keep data from going to them altogether and completely fix the problem?
Do this is expensive and potentially difficult.
It's the least expensive option.
How would you build your least expensive option?
What additional is needed. Force users to only store files on servers and have them access via a VPN. The Servers should already be encrypted and in a secure location. HIPAA Data should never be on laptops or external drives.
That would be the least expensive, which is what was asked... but what stops them from copying files to disk?
-
@thecreativeone91 said:
What additional is needed. Force users to only store files on servers and have them access via a VPN. The Servers should already be encrypted and in a secure location. HIPAA Data should never be on laptops or external drives.
I'll admit that I hadn't considered forcing uses to only save to network share. But this only works on the assumption that users can't use person devices to access the data in the first place.
With most EHRs today being web based this is simply impossible/impractical.
All of my doctors require access to the EHR from any computer they are at. The best we can hope that they are using a 'trusted' computer, but that can't be promised.
So to completely lock this down we'd have to prevent access from all web computers except the VDI/RDS ones, then have the users have a portal into our VDI/RDS solution that is web based. Then we could prevent them from downloading en masse data to whatever device they are on.
If we don't lock the EHR servers to only the VDI/RDS ones and allow them access from any machine, then they can grab whatever reports are generate able to their local machine.
-
@Dashrender said:
@thecreativeone91 said:
What additional is needed. Force users to only store files on servers and have them access via a VPN. The Servers should already be encrypted and in a secure location. HIPAA Data should never be on laptops or external drives.
But this only works on the assumption that users can't use person devices to access the data in the first place.
Letting HIPAA data be stored on personal devices is a even bigger issue. It shouldn't be done. IMO BYOD and PHI do not go together.
-
@coliver said:
That would be the least expensive, which is what was asked... but what stops them from copying files to disk?
Might be the least expensive. Depends. Do these users ONLY have laptops?
-
@Dashrender said:
@thecreativeone91 said:
What additional is needed. Force users to only store files on servers and have them access via a VPN. The Servers should already be encrypted and in a secure location. HIPAA Data should never be on laptops or external drives.
I'll admit that I hadn't considered forcing uses to only save to network share. But this only works on the assumption that users can't use person devices to access the data in the first place.
With most EHRs today being web based this is simply impossible/impractical.
All of my doctors require access to the EHR from any computer they are at. The best we can hope that they are using a 'trusted' computer, but that can't be promised.
So to completely lock this down we'd have to prevent access from all web computers except the VDI/RDS ones, then have the users have a portal into our VDI/RDS solution that is web based. Then we could prevent them from downloading en masse data to whatever device they are on.
If we don't lock the EHR servers to only the VDI/RDS ones and allow them access from any machine, then they can grab whatever reports are generate able to their local machine.
If their EHR is web based, what's the concern? Problem solved on its own. No encryption needed. Well there is, but on the EHR, not on the laptop.
-
@thecreativeone91 said:
@Dashrender said:
@thecreativeone91 said:
What additional is needed. Force users to only store files on servers and have them access via a VPN. The Servers should already be encrypted and in a secure location. HIPAA Data should never be on laptops or external drives.
But this only works on the assumption that users can't use person devices to access the data in the first place.
Letting HIPAA data be stored on personal devices is a even bigger issue. It shouldn't be done. IMO BYOD and PHI do not go together.
Can't up vote enough.
-
@thecreativeone91 said:
@Dashrender said:
@thecreativeone91 said:
What additional is needed. Force users to only store files on servers and have them access via a VPN. The Servers should already be encrypted and in a secure location. HIPAA Data should never be on laptops or external drives.
But this only works on the assumption that users can't use person devices to access the data in the first place.
Letting HIPAA data be accessed on personal devices is a even bigger issue. It shouldn't be done. IMO BYOD and PHI do not go together.
Currently it can't be prevented though - most physicians use their home personal computers to access the EHRs. I know it's done in every health system in my city. While some of them go to ridiculous lengths to provide VPN access, the endpoint is still easily compromised making the efforts to me seem pointless.
-
That's a reason that we love making web-based SaaS applications. The only thing you have to protect from the end user standpoint is the login. As long as that is protected, all is well.
-
@Dashrender said:
Currently it can't be prevented though - most physicians use their home personal computers to access the EHRs. I know it's down in every health system in my city. While some of them go to ridiculous lengths to provide VPN access, the endpoint is still easily compromised making the efforts to me seem pointless.
How is that a concern? That IS prevented, isn't it? The data is all in the EHR, never on the physician's machine thanks to the web application being used rather than the VPN.
-
@scottalanmiller said:
@Dashrender said:
Currently it can't be prevented though - most physicians use their home personal computers to access the EHRs. I know it's down in every health system in my city. While some of them go to ridiculous lengths to provide VPN access, the endpoint is still easily compromised making the efforts to me seem pointless.
How is that a concern? That IS prevented, isn't it? The data is all in the EHR, never on the physician's machine thanks to the web application being used rather than the VPN.
It's a concern because as long as the user has the rights to run a report, they can run that report from any computer anywhere.
-
@Dashrender said:
It's a concern because as long as the user has the rights to run a report, they can run that report from any computer anywhere.
I'm still lost. Of course they can run the report from anywhere. But they don't store the data locally. If they do, that's on them 100% and has nothing to do with IT. That's data theft and a personal theft and exposure of data. IT's only role would be to provide evidence for prosecution. Nothing in this discussion prevents that in any way. Encrypted drives would have identical exposure.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
Currently it can't be prevented though - most physicians use their home personal computers to access the EHRs. I know it's down in every health system in my city. While some of them go to ridiculous lengths to provide VPN access, the endpoint is still easily compromised making the efforts to me seem pointless.
How is that a concern? That IS prevented, isn't it? The data is all in the EHR, never on the physician's machine thanks to the web application being used rather than the VPN.
It's a concern because as long as the user has the rights to run a report, they can run that report from any computer anywhere.
How would that be any different than them stealing data by printing it or writing it down at work? It's a HR issue not an IT issue.
-
@scottalanmiller said:
@Dashrender said:
It's a concern because as long as the user has the rights to run a report, they can run that report from any computer anywhere.
I'm still lost. Of course they can run the report from anywhere. But they don't store the data locally. If they do, that's on them 100% and has nothing to do with IT. That's data theft and a personal theft and exposure of data. IT's only role would be to provide evidence for prosecution. Nothing in this discussion prevents that in any way. Encrypted drives would have identical exposure.
I agree FDE or file encryption could possibly still allow the user the ability to download the data locally, but the intent of HIPAA the way I read it is, the Dr has a reasonable reason to have said data local - don't ask me what that reason is, it just is - and now that he does, we need to have a way to secure it in case control of that data is lost, i.e. a USB stick is lost/stolen, a laptop is lost/stolen, etc.
-
@thecreativeone91 said:
How would that be any different than them stealing data by printing it or writing it down at work? It's a HR issue not an IT issue.
Because I'm not talking about theft, I'm talking about legitimate download uses.
-
@g.jacobse What have you done?
-
@thecreativeone91 said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
Currently it can't be prevented though - most physicians use their home personal computers to access the EHRs. I know it's down in every health system in my city. While some of them go to ridiculous lengths to provide VPN access, the endpoint is still easily compromised making the efforts to me seem pointless.
How is that a concern? That IS prevented, isn't it? The data is all in the EHR, never on the physician's machine thanks to the web application being used rather than the VPN.
It's a concern because as long as the user has the rights to run a report, they can run that report from any computer anywhere.
How would that be any different than them stealing data by printing it or writing it down at work? It's a HR issue not an IT issue.
Exactly. Once doctors are stealing data, you have a breach and you need to call HR and let them deal with discipline, fines, arrests, etc.
-
@Dashrender said:
I agree FDE or file encryption could possibly still allow the user the ability to download the data locally, but the intent of HIPAA the way I read it is, the Dr has a reasonable reason to have said data local - don't ask me what that reason is, it just is - and now that he does, we need to have a way to secure it in case control of that data is lost, i.e. a USB stick is lost/stolen, a laptop is lost/stolen, etc.
No, the intend of HIPAA is to require data to be protected within reason. Letting a doctor keep data in a risky way isn't reasonable, in most cases. It sounds like the only reason is because "we tell them to." That's going to land IT in the hot seat in front of a hearing if there is a HIPAA violation. Being carelessly risky because you think a doctor might need access in a way they won't request isn't going to be viable justification for not following standard security procedures.
