Software HDD Encryption: Poll

scottalanmiller

@Dashrender said:

It's a concern because as long as the user has the rights to run a report, they can run that report from any computer anywhere.

I'm still lost. Of course they can run the report from anywhere. But they don't store the data locally. If they do, that's on them 100% and has nothing to do with IT. That's data theft and a personal theft and exposure of data. IT's only role would be to provide evidence for prosecution. Nothing in this discussion prevents that in any way. Encrypted drives would have identical exposure.

A Former User

@Dashrender said:

@scottalanmiller said:

@Dashrender said:

Currently it can't be prevented though - most physicians use their home personal computers to access the EHRs. I know it's down in every health system in my city. While some of them go to ridiculous lengths to provide VPN access, the endpoint is still easily compromised making the efforts to me seem pointless.

How is that a concern? That IS prevented, isn't it? The data is all in the EHR, never on the physician's machine thanks to the web application being used rather than the VPN.

It's a concern because as long as the user has the rights to run a report, they can run that report from any computer anywhere.

How would that be any different than them stealing data by printing it or writing it down at work? It's a HR issue not an IT issue.

Dashrender

@scottalanmiller said:

@Dashrender said:

It's a concern because as long as the user has the rights to run a report, they can run that report from any computer anywhere.

I'm still lost. Of course they can run the report from anywhere. But they don't store the data locally. If they do, that's on them 100% and has nothing to do with IT. That's data theft and a personal theft and exposure of data. IT's only role would be to provide evidence for prosecution. Nothing in this discussion prevents that in any way. Encrypted drives would have identical exposure.

I agree FDE or file encryption could possibly still allow the user the ability to download the data locally, but the intent of HIPAA the way I read it is, the Dr has a reasonable reason to have said data local - don't ask me what that reason is, it just is - and now that he does, we need to have a way to secure it in case control of that data is lost, i.e. a USB stick is lost/stolen, a laptop is lost/stolen, etc.

Dashrender

@thecreativeone91 said:

How would that be any different than them stealing data by printing it or writing it down at work? It's a HR issue not an IT issue.

Because I'm not talking about theft, I'm talking about legitimate download uses.

MattSpeller

@g.jacobse What have you done?

scottalanmiller

@thecreativeone91 said:

@Dashrender said:

@scottalanmiller said:

@Dashrender said:

Currently it can't be prevented though - most physicians use their home personal computers to access the EHRs. I know it's down in every health system in my city. While some of them go to ridiculous lengths to provide VPN access, the endpoint is still easily compromised making the efforts to me seem pointless.

How is that a concern? That IS prevented, isn't it? The data is all in the EHR, never on the physician's machine thanks to the web application being used rather than the VPN.

It's a concern because as long as the user has the rights to run a report, they can run that report from any computer anywhere.

How would that be any different than them stealing data by printing it or writing it down at work? It's a HR issue not an IT issue.

Exactly. Once doctors are stealing data, you have a breach and you need to call HR and let them deal with discipline, fines, arrests, etc.

scottalanmiller

@Dashrender said:

I agree FDE or file encryption could possibly still allow the user the ability to download the data locally, but the intent of HIPAA the way I read it is, the Dr has a reasonable reason to have said data local - don't ask me what that reason is, it just is - and now that he does, we need to have a way to secure it in case control of that data is lost, i.e. a USB stick is lost/stolen, a laptop is lost/stolen, etc.

No, the intend of HIPAA is to require data to be protected within reason. Letting a doctor keep data in a risky way isn't reasonable, in most cases. It sounds like the only reason is because "we tell them to." That's going to land IT in the hot seat in front of a hearing if there is a HIPAA violation. Being carelessly risky because you think a doctor might need access in a way they won't request isn't going to be viable justification for not following standard security procedures.

gjacobse

@scottalanmiller said:

Why is there data on laptops to protect? Why not just keep data from going to them altogether and completely fix the problem?

How would you propose to do such? There is no AD; No active server; and 65 mobile users who could be in any of the 14-19 counties or in trainings in or out of state.

Our only centralized 'service' is Office 365 for email.

scottalanmiller

@Dashrender said:

Because I'm not talking about theft, I'm talking about legitimate download uses.

No, in the scenario we presented, it's theft. That's the beauty of the web EHR. The data is always remote. Taking a copy for use at home on person gear IS theft, are pure and simple as it can be. There is no reason for a doctor to keep that data for himself or to remove it from the EHR.

scottalanmiller

@g.jacobse said:

@scottalanmiller said:

Why is there data on laptops to protect? Why not just keep data from going to them altogether and completely fix the problem?

How would you propose to do such? There is no AD; No active server; and 65 mobile users who could be in any of the 14-19 counties or in trainings in or out of state.

Our only centralized 'service' is Office 365 for email.

EHR?

Is this data just rogue data floating around with no controls? I'm suddenly very worried about seeing a doctor in Kentucky.

A Former User

@scottalanmiller said:

@g.jacobse said:

@scottalanmiller said:

Why is there data on laptops to protect? Why not just keep data from going to them altogether and completely fix the problem?

How would you propose to do such? There is no AD; No active server; and 65 mobile users who could be in any of the 14-19 counties or in trainings in or out of state.

Our only centralized 'service' is Office 365 for email.

EHR?

Is this data just rogue data floating around with no controls? I'm suddenly very worried about seeing a doctor in Kentucky.

Maybe this is what happened at Anthem.. Hmm.

scottalanmiller

I don't believe that HIPAA allows doctors to take my data home, secure or not. It's not their personal data, it's mine. There is an agreement that a hospital or medical facility gets to use it for patient care purposes. But if a doctor has my data at home, that's theft and that doctor is at fault.

gjacobse

@scottalanmiller
Differences in data. Our Clinic uses a 3rd party EHR program using a RDP connection across a dedicated VPN. The rest of the agency isn't set up this way.

We have In home specialists, Health Insurance (Kentucky KYNECT program), Veterans affairs (homeless Vet program), Housing, LIPHEAP (Low Income Heating and Energy Assistance Program), Free Tax services, Healthy Marriage and more.

Our In home Specialists do have a 3rd party web based application which is suppose to be encrypted. But for 90% of the remaining programs who travel and function - they will have client and personal data on their computers.

scottalanmiller

@g.jacobse said:

Our In home Specialists do have a 3rd party web based application which is suppose to be encrypted. But for 90% of the remaining programs who travel and function - they will have client and personal data on their computers.

Because they don't have Internet access at the time that the data is needed?

A Former User

@scottalanmiller said:

@g.jacobse said:

Our In home Specialists do have a 3rd party web based application which is suppose to be encrypted. But for 90% of the remaining programs who travel and function - they will have client and personal data on their computers.

Seems like an investment in Verizon aircards would solve the issue of data being on personal computers. Though I would still issue them laptops with the aircard. If not use a web interface or a VPN and Terminal server. There still should be device policies required and Antivirus required.

gjacobse

We do not have a Server, AD, F&PS of any kind currently. So the use of a VPN is moot.

I need a security measure until that can be addressed. Until then, data is and remains at the local desktop(laptops) level.

Some areas do not have internet access - even with several of the mobile people having Verizon hotspots.

MattSpeller

Something like this might be an option - it'll keep your stuff secure without having to worry about HDD encryption.

Edit: may require some back end infrastructure but it's an idea at least.

Dashrender

@scottalanmiller said:

@Dashrender said:

Because I'm not talking about theft, I'm talking about legitimate download uses.

No, in the scenario we presented, it's theft. That's the beauty of the web EHR. The data is always remote. Taking a copy for use at home on person gear IS theft, are pure and simple as it can be. There is no reason for a doctor to keep that data for himself or to remove it from the EHR.

This is not true. though reading it helps me understand what you were saying above.

Physicians, at least in our clinic, will download data so they can create reports charts, etc. I suppose we could mandate they only do that on their office PC's, but the data would still be pulled down to a local machine.

scottalanmiller

@Dashrender said:

This is not true. though reading it helps me understand what you were saying above.

Physicians, at least in our clinic, will download data so they can create reports charts, etc. I suppose we could mandate they only do that on their office PC's, but the data would still be pulled down to a local machine.

Are you saying that your EHR system doesn't produce reports? The doctors rely on local tools like maybe Excel to get reports?

Dashrender

@scottalanmiller said:

@Dashrender said:

This is not true. though reading it helps me understand what you were saying above.

Physicians, at least in our clinic, will download data so they can create reports charts, etc. I suppose we could mandate they only do that on their office PC's, but the data would still be pulled down to a local machine.

Are you saying that your EHR system doesn't produce reports? The doctors rely on local tools like maybe Excel to get reports?

To generate PowerPoint presentations, yes.