ProjectSend

scottalanmiller

@drewlander said:

@scottalanmiller said:

@coliver said:

So if the user is liable for their own account why are you tracking IP addresses? You just said after you give them the information you are no longer responsible for how they access it.

I'd say tracking IPs is bad because there is nothing good that could come from storing that information.

Tracking IP's is not bad, but its not entirely reliable unless you make a reverse proxy connection.

I meant in a context of HIPAA data. As a HIPAA compliant facility, you want to avoid having any data that you are not required to have. Holding data equals holding liability.

drewlander

@scottalanmiller said:

Things you cannot know:

• That the IP is from Japan
• That the person is not supposed to be in Japan

You know neither of these things. How do you want to react with misleading information that makes you assume one thing but doesn't mean that?

I geoblock in my firewall, so I assure you any IP assigned to Japan is not making a connection to me. Therefore it is possible to know if traffic is coming from Japan. Unless of course they are going through a proxy or something.

drewlander

@Dashrender said:
LOL, our current EHR company does ban access to their systems from most middle east and chinese based IPs. So yeah, they do deny you. Is it right? who am I to say?

If I was McDonald's fast food I would not Geoblock because I would be a multinational company. Athena Healthcare however... No one in Ukraine has any business making a connection so I dont see why they wouldnt block traffic from a foreign country.

scottalanmiller

@drewlander said:

I geoblock in my firewall, so I assure you any IP assigned to Japan is not making a connection to me. Therefore it is possible to know if traffic is coming from Japan. Unless of course they are going through a proxy or something.

There was another thread just today about how @Carnival-Boy's connection is showing him as France, but he is not. There is no reliable geo-location service for IPs today even when we don't VPN or proxy. As someone outside of the US, that stuff is wrong a lot of the time and people choose to appear as different countries intentionally all of the time.

Geo-location blocking is tough because it blocks the good guys and not the bad guys.

drewlander

@Jason said:

You have to do a lot of tracking to determine what is normal. IPs change. People move around a lot. People use Cellular devices. Heck the actual IP address for Celluar devices will often show different states.

Good point. If a customer called me however and said they cannot access a document on a secure document exchange server from their mobile device, I would probably tell them to go to a computer. No one should be storing PHI on their cellphone.

scottalanmiller

@drewlander said:

@Dashrender said:
LOL, our current EHR company does ban access to their systems from most middle east and chinese based IPs. So yeah, they do deny you. Is it right? who am I to say?

If I was McDonald's fast food I would not Geoblock because I would be a multinational company. Athena Healthcare however... No one in Ukraine has any business making a connection so I dont see why they wouldnt block traffic from a foreign country.

And that's where it's wrong. If I am an Athena healthcare customer and travel to the Ukraine and they block me getting access to my services they are likely breaking the law. The idea that people should be blocked from things that they have the right to access because our opinion of their location is that they should not be allowed to travel there is odd. Only in the US would the idea of blocking customers because they travel come up, it's so completely an American-only mindset.

scottalanmiller

@drewlander said:

@Jason said:

You have to do a lot of tracking to determine what is normal. IPs change. People move around a lot. People use Cellular devices. Heck the actual IP address for Celluar devices will often show different states.

Good point. If a customer called me however and said they cannot access a document on a secure document exchange server from their mobile device, I would probably tell them to go to a computer. No one should be storing PHI on their cellphone.

Why is that? What if that is all that they have? Why would a medical facility get involved in determining the appropriateness of device types for customers? That seems fundamentally wrong. And what if one facility decides that only "Windows is okay" and the next that "only phones are okay" and the next says "Only Macs are secure."

We are getting into IT wanting to be in charge of everything from where customers travel, which customers are given access and from what operating systems they are allowed to access their own data.

drewlander

@scottalanmiller said:

@drewlander said:

I geoblock in my firewall, so I assure you any IP assigned to Japan is not making a connection to me. Therefore it is possible to know if traffic is coming from Japan. Unless of course they are going through a proxy or something.

There was another thread just today about how @Carnival-Boy's connection is showing him as France, but he is not. There is no reliable geo-location service for IPs today even when we don't VPN or proxy. As someone outside of the US, that stuff is wrong a lot of the time and people choose to appear as different countries intentionally all of the time.

Geo-location blocking is tough because it blocks the good guys and not the bad guys.

It's "best effort", not an exact science of course. I download CIDR's and update every night through scripts. Chances are this would not happen often, but with IPv6 catching on I cannot say what a good long term solution would be.

scottalanmiller

If you are Athena, sure you might have a right to block where someone accesses from (and maybe you don't, discrimination laws may apply) but the most important thing is why would you care? It makes absolutely zero sense for a healthcare facility or insurance company to take on additional liability potentially legal liability and certainly customer relations liability for capriciously deciding what customers "should or should not be allowed to do."

scottalanmiller

@drewlander said:

@scottalanmiller said:

@drewlander said:

I geoblock in my firewall, so I assure you any IP assigned to Japan is not making a connection to me. Therefore it is possible to know if traffic is coming from Japan. Unless of course they are going through a proxy or something.

There was another thread just today about how @Carnival-Boy's connection is showing him as France, but he is not. There is no reliable geo-location service for IPs today even when we don't VPN or proxy. As someone outside of the US, that stuff is wrong a lot of the time and people choose to appear as different countries intentionally all of the time.

Geo-location blocking is tough because it blocks the good guys and not the bad guys.

It's "best effort", not an exact science of course. I download CIDR's and update every night through scripts. Chances are this would not happen often, but with IPv6 catching on I cannot say what a good long term solution would be.

Yes, but "best effort" involving blocking your users seems odd. Which customers do you want to false positive?

drewlander

@scottalanmiller said:

@drewlander said:

@Dashrender said:
LOL, our current EHR company does ban access to their systems from most middle east and chinese based IPs. So yeah, they do deny you. Is it right? who am I to say?

If I was McDonald's fast food I would not Geoblock because I would be a multinational company. Athena Healthcare however... No one in Ukraine has any business making a connection so I dont see why they wouldnt block traffic from a foreign country.

And that's where it's wrong. If I am an Athena healthcare customer and travel to the Ukraine and they block me getting access to my services they are likely breaking the law. The idea that people should be blocked from things that they have the right to access because our opinion of their location is that they should not be allowed to travel there is odd. Only in the US would the idea of blocking customers because they travel come up, it's so completely an American-only mindset.

I beg to differ. If a doctor travel's out of the country and data on PHI is being sent out of the country, then chances are the doctor traveling is breaking the law. We have all sorts legalese when dealing with Canadian doctors hosted on servers in the US, to the point that its probably cheaper to get a host up in Canada. Thats just one example.

scottalanmiller

Or risk false positiving, of course.

scottalanmiller

As someone who gets geoblocked by people who claim they would like me as a customer and don't understand that I work for an American company but am based outside of the US, I can tell you that geoblocking capriciously sends a very, very strong message about not wanting people as customers. It is literally the same as telling them that you don't like they country and their choice of location is so bad to you that you'd like them to go away. It's not the same as telling them that you don't like them personally, exactly, but it is blocking people based on where they are which is often something that they cannot control.

There are services that do this for legal reasons like Netflix and they generally go to great lengths to not block entirely but only block what they must and have lots of explanations about how they are legally required to do so and why and by whom to make sure that customers realize that it is not their snubbing them.

drewlander

@scottalanmiller said:

@Dashrender said:

let's assume that it's provisionable/provisioned data - so what? I work for the company house/managing/maintaining the data, why can't I access it for the sake of security?

Because it is NOT your data, you DO NOT need it and it is against the law. The security to worry about here is IT getting data it does not have a right to see! The security breach here would be you.

The assumption of geo-security is an idea being pushed by IT, and to be useful would require a lot of HIPAA data that is not yours to use.

LOL! As a doctor, don't pay your hosted EMR bill then try to get YOUR data and see how that goes. I see this happen all the time. Vendors argue they cannot separate the intellectual property from the records without doing a "Conversion", which ends up costing tens of thousands depending on the system. You are basically paying an ETF for your contract because no conversion costs that much money.

This has nothing to do with ProjectSend tho. I do think the IP is good for tracking because it can show a trend or indicate unusual activity. Google does this with gmail and it works pretty well overall. If its required by HIPAA, I dont know. I doubt it specifically says you must tracking logins by IP. Chances are the legalese is much more generic like "The covered entity will make every reasonable effort to ensure only authorized users and or devices may be granted access to PHI" or something.

drewlander

@scottalanmiller said:

@drewlander said:

@Jason said:

You have to do a lot of tracking to determine what is normal. IPs change. People move around a lot. People use Cellular devices. Heck the actual IP address for Celluar devices will often show different states.

Good point. If a customer called me however and said they cannot access a document on a secure document exchange server from their mobile device, I would probably tell them to go to a computer. No one should be storing PHI on their cellphone.

Why is that? What if that is all that they have? Why would a medical facility get involved in determining the appropriateness of device types for customers? That seems fundamentally wrong. And what if one facility decides that only "Windows is okay" and the next that "only phones are okay" and the next says "Only Macs are secure."

We are getting into IT wanting to be in charge of everything from where customers travel, which customers are given access and from what operating systems they are allowed to access their own data.

Because I cannot be responsible for a system that keeps data secure and at the same time not have any control over how that data is accessed.

scottalanmiller

@drewlander the legalise looks really strongly like it forbids it since the only way to know how the patterns are working is to expose PHI data! So you'd violate the HIPAA regulation in the attempt to protect it.

Using IP blocking is not an accepted security practice for this sort of thing in any environment I have ever encountered. HIPAA requires reasonable security, yes, and opening up PHI data (valuable) to do IP blocking (negligible) would not constitute that IMHO.

scottalanmiller

@drewlander said:

Because it is NOT your data, you DO NOT need it and it is against the law.

LOL! As a doctor, don't pay your hosted EMR bill then try to get YOUR data and see how that goes.

Or try sharing it and see how quickly HIPAA rears its head.

drewlander

@scottalanmiller said:

@drewlander the legalise looks really strongly like it forbids it since the only way to know how the patterns are working is to expose PHI data! So you'd violate the HIPAA regulation in the attempt to protect it.

Using IP blocking is not an accepted security practice for this sort of thing in any environment I have ever encountered. HIPAA requires reasonable security, yes, and opening up PHI data (valuable) to do IP blocking (negligible) would not constitute that IMHO.

I will agree that the only way to do this properly is to whitelist access to sensitive data, but without every party involved having a static IP that is not necessarily possible. In that case, filtering out the bulk of the risk with geoblocking is not for nothing.

scottalanmiller

@drewlander said:

I will agree that the only way to do this properly is to whitelist access to sensitive data, but without every party involved having a static IP that is not necessarily possible. In that case, filtering out the bulk of the risk with geoblocking is not for nothing.

That's the question.... you could filtering anything and say that, though. Just turn all access off and say it takes away the threat. The question becomes - when does choosing and limiting customer access become something IT even has a right to do? From the business side, I would say never, this is purely a business and/or legal decision. From a legal side, I'm not sure. When can we use a third party geolocation list, combine it with opinion and pick and choose customers to accept or block? If we are a private business, we can do that anytime that we want. For medical, I'm not sure how "right to access" laws or discrimination laws or whatever might apply.

But I don't agree that just because it reduces risk that IT would get the right to make the call nor that it is an acceptable way to do it. Because literally turning the service off would be the extreme case of that and obviously that is not acceptable. So there has to be more logic involved in the decision that just "is it more secure."

What logic needs to be applied, I am not totally sure. But it has to be more.

scottalanmiller

By the way, as a point of example... I have friends who were in the Ukraine for an extended period of time and were adopting a child so would have needed, as Americans, access to their PHI. This is very recent too.

And we have a lot of Ukrainians here in the community who travel to the US regularly need potential access to health care records from the US to give to doctors in Kiev.

It's a very valid use case for people there to need info from US doctors.