Software HDD Encryption: Poll
-
@Dashrender said:
I agree FDE or file encryption could possibly still allow the user the ability to download the data locally, but the intent of HIPAA the way I read it is, the Dr has a reasonable reason to have said data local - don't ask me what that reason is, it just is - and now that he does, we need to have a way to secure it in case control of that data is lost, i.e. a USB stick is lost/stolen, a laptop is lost/stolen, etc.
No, the intend of HIPAA is to require data to be protected within reason. Letting a doctor keep data in a risky way isn't reasonable, in most cases. It sounds like the only reason is because "we tell them to." That's going to land IT in the hot seat in front of a hearing if there is a HIPAA violation. Being carelessly risky because you think a doctor might need access in a way they won't request isn't going to be viable justification for not following standard security procedures.
-
@scottalanmiller said:
Why is there data on laptops to protect? Why not just keep data from going to them altogether and completely fix the problem?
How would you propose to do such? There is no AD; No active server; and 65 mobile users who could be in any of the 14-19 counties or in trainings in or out of state.
Our only centralized 'service' is Office 365 for email.
-
@Dashrender said:
Because I'm not talking about theft, I'm talking about legitimate download uses.
No, in the scenario we presented, it's theft. That's the beauty of the web EHR. The data is always remote. Taking a copy for use at home on person gear IS theft, are pure and simple as it can be. There is no reason for a doctor to keep that data for himself or to remove it from the EHR.
-
@g.jacobse said:
@scottalanmiller said:
Why is there data on laptops to protect? Why not just keep data from going to them altogether and completely fix the problem?
How would you propose to do such? There is no AD; No active server; and 65 mobile users who could be in any of the 14-19 counties or in trainings in or out of state.
Our only centralized 'service' is Office 365 for email.
EHR?
Is this data just rogue data floating around with no controls? I'm suddenly very worried about seeing a doctor in Kentucky.
-
@scottalanmiller said:
@g.jacobse said:
@scottalanmiller said:
Why is there data on laptops to protect? Why not just keep data from going to them altogether and completely fix the problem?
How would you propose to do such? There is no AD; No active server; and 65 mobile users who could be in any of the 14-19 counties or in trainings in or out of state.
Our only centralized 'service' is Office 365 for email.
EHR?
Is this data just rogue data floating around with no controls? I'm suddenly very worried about seeing a doctor in Kentucky.
Maybe this is what happened at Anthem.. Hmm.
-
I don't believe that HIPAA allows doctors to take my data home, secure or not. It's not their personal data, it's mine. There is an agreement that a hospital or medical facility gets to use it for patient care purposes. But if a doctor has my data at home, that's theft and that doctor is at fault.
-
@scottalanmiller
Differences in data. Our Clinic uses a 3rd party EHR program using a RDP connection across a dedicated VPN. The rest of the agency isn't set up this way.We have In home specialists, Health Insurance (Kentucky KYNECT program), Veterans affairs (homeless Vet program), Housing, LIPHEAP (Low Income Heating and Energy Assistance Program), Free Tax services, Healthy Marriage and more.
Our In home Specialists do have a 3rd party web based application which is suppose to be encrypted. But for 90% of the remaining programs who travel and function - they will have client and personal data on their computers.
-
@g.jacobse said:
Our In home Specialists do have a 3rd party web based application which is suppose to be encrypted. But for 90% of the remaining programs who travel and function - they will have client and personal data on their computers.
Because they don't have Internet access at the time that the data is needed?
-
@scottalanmiller said:
@g.jacobse said:
Our In home Specialists do have a 3rd party web based application which is suppose to be encrypted. But for 90% of the remaining programs who travel and function - they will have client and personal data on their computers.
Seems like an investment in Verizon aircards would solve the issue of data being on personal computers. Though I would still issue them laptops with the aircard. If not use a web interface or a VPN and Terminal server. There still should be device policies required and Antivirus required.
-
We do not have a Server, AD, F&PS of any kind currently. So the use of a VPN is moot.
I need a security measure until that can be addressed. Until then, data is and remains at the local desktop(laptops) level.
Some areas do not have internet access - even with several of the mobile people having Verizon hotspots.
-
Something like this might be an option - it'll keep your stuff secure without having to worry about HDD encryption.
Edit: may require some back end infrastructure but it's an idea at least.
-
@scottalanmiller said:
@Dashrender said:
Because I'm not talking about theft, I'm talking about legitimate download uses.
No, in the scenario we presented, it's theft. That's the beauty of the web EHR. The data is always remote. Taking a copy for use at home on person gear IS theft, are pure and simple as it can be. There is no reason for a doctor to keep that data for himself or to remove it from the EHR.
This is not true. though reading it helps me understand what you were saying above.
Physicians, at least in our clinic, will download data so they can create reports charts, etc. I suppose we could mandate they only do that on their office PC's, but the data would still be pulled down to a local machine.
-
@Dashrender said:
This is not true. though reading it helps me understand what you were saying above.
Physicians, at least in our clinic, will download data so they can create reports charts, etc. I suppose we could mandate they only do that on their office PC's, but the data would still be pulled down to a local machine.
Are you saying that your EHR system doesn't produce reports? The doctors rely on local tools like maybe Excel to get reports?
-
@scottalanmiller said:
@Dashrender said:
This is not true. though reading it helps me understand what you were saying above.
Physicians, at least in our clinic, will download data so they can create reports charts, etc. I suppose we could mandate they only do that on their office PC's, but the data would still be pulled down to a local machine.
Are you saying that your EHR system doesn't produce reports? The doctors rely on local tools like maybe Excel to get reports?
To generate PowerPoint presentations, yes.
-
@Dashrender your EHR can't produce reports?
If the physicians are downloading to their personal desktops, that IT does not control, how does that not violate HIPAA?
-
@MattSpeller said:
Something like this might be an option - it'll keep your stuff secure without having to worry about HDD encryption.
Edit: may require some back end infrastructure but it's an idea at least.
Actually talking with my supervisor,.. the use of USB devices will be removed in the future. So the IronKey will be unusable.
-
@g.jacobse Oh geez, brutal
-
And even if they "need" to produce presentations of data, if the doctor is taking that home, that's personal use and I still feel that if they are doing so they are data thieves. Whether their goal is to be a thief to sell my data or a thief to put data at risk for personal gain through laziness (not having to work on company gear) matters not to me. My data security has been violated by a doctor taking the data for their own use outside of appropriate, legal, professional or ethical guidelines.
Am I missing something? If a doctor has patient data, in any form, on personal gear. Is that not theft? If not, how?
-
Talking about traveling data - physicians who travel to do their job have carried paper charts with them since the beginning of paper charts. This is less necessary now as long as you have internet access at all locations to access said data.
Just to bring this more on point, it's not really physicians that need non EHR access to this data, it's staff doing other jobs. The first example that springs to mind is tracking breaches. Our EHR does not have a solution for tracking PHI breaches. Instead they are tracked in an Excel spreadsheet, and any associated correspondence is generally created in Word.
If the EHR had the ability to track this, I'm sure we'd us it, but current it does not.
-
If I work at a bank and I manage to make a copy of customer's banking data and store a copy of that at home.... even if I am only doing it to "make my job easier", I've stolen their bank data. Black and white, no grey area. The intent might not be strictly malicious, but that doesn't change the action.