ProjectSend
-
@scottalanmiller said:
Why would an employee not use secure, internal systems? How did employees come into this picture?
light bulb
Damn, thanks for bringing this back full circle.
Those that I would be sending information to via this product would be people I know, or at least that are allowed in some capacity to have the HPI in question. For the most part in my case it's going to be local hospitals and lawyers. As such I can assume that most of the time they will be local.
Also, I get to choose how I release this data to you. I can choose to mail it instead of sending it electronically. So, I can demand to know the GEO IP you're going to download from if I want to before deciding if you'll be allowed to download from there or if I will fall back to using snailmail. Yes, that's extreme, but doable.
-
Instead of thinking about IT, treat this as other security roles:
- Would a security guard at the front desk be allowed to go into private health records and call people at home because he "felt it was good security?"
- Would the receptionist turn down calls from numbers that they personally felt should not be used by the customers?
If not, why is IT different?
-
@coliver said:
But the difference is you aren't recording IP addresses at the application level that can be linked to records that were downloaded. Most IPS systems won't be able to link IP addresses being blocked with patients or clients/vendors.
Linked to regulated, personal health data!
-
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
Employees are one thing. But this product and thread are about getting data to external people not for internal staff. While you could do that, it's not the design of the product.
Again @scottalanmiller you're right, this product is for external access. Those accessing it externally are not patients, but other vendors/hospitals/lawyers, etc who need access to some data that would often be sent via email, but we are looking for other, more secure options.
That's what I thought we were discussing.
But again, I'm not sending to patients, I'm sending to third parties on behalf of the patient.
And I'd love to see where location data is considered HPI and protected? As well as a phone number.
-
@Dashrender said:
Those that I would be sending information to via this product would be people I know, or at least that are allowed in some capacity to have the HPI in question. For the most part in my case it's going to be local hospitals and lawyers. As such I can assume that most of the time they will be local.
Can you? Why? How do you know that? How do you determine where the IP is coming from? And WHY WHY WHY would you care?
-
@Dashrender said:
But again, I'm not sending to patients, I'm sending to third parties on behalf of the patient.
Who have authenticated, taken responsibility and you have no reason to interject opinion over their appropriate location. Why is IT involved here at all?
-
@Dashrender said:
And I'd love to see where location data is considered HPI and protected? As well as a phone number.
How will you get my phone number?
-
And how will you get my IP address without my HIPAA records?
-
@scottalanmiller said:
@dafyre said:
You know neither of these things. How do you want to react with misleading information that makes you assume one thing but doesn't mean that?
I can easily answer the second question. dials phone "Hey, are you in Japan? No? Okay, that's all I need to know." hang up ... block ip
- Really? You are going to call anyone and everyone that accesses your systems? You, in IT, are going to start pulling their HIPAA regulated data illegally to do so? This violates HIPAA very clearly. As an IT pro, you don't have a need to see my HIPAA data, which includes my location and phone number. If I get that call, I call a lawyer. This means your systems are bleeding my data and that's very bad.
I'm not accessing your HIPAA information. I am contacting an employee of my company whose username and password have been logged as coming from another country. Quick call to verify they are not in that country, and maybe their IP address (if they are working remotely from home) and then I can notify the security response team or block that IP address from the firewall if necessary.
I am speaking, of course, of applications such as ownCloud or ProjectSend that are secured with some type of username & password. If we are using 2FA, then this is much less of a concern, but it would still warrant checking with an employee, IMO.
(Baylor Hospital in Texas did this, they got in huge trouble for selling data.)
As they should have!
I'm not looking at what information was accessed. I am looking at a company employee whose username & password was used to log in to ownCloud, our VPN, or any other service we have available on the public interwebs that requires authentication. And that the logged IP address is coming from a country that we do not expect to see them connecting from.
-
Why IP and Phone Numbers are HIPAA Data:
“Individually identifiable health information” is information, including demographic data, that relates to:
the individual’s past, present or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual,
Tracking that information would record information about the provisioning of healthcare.
-
@scottalanmiller said:
@Dashrender said:
And I'd love to see where location data is considered HPI and protected? As well as a phone number.
How will you get my phone number?
That was @dafyre who would call, I wouldn't call, I'd simply block and make you call me if you want something.
Although accessing a client list - You consider that a HIPAA breach when I am part of the company who houses said data? And it is possible for IT to view demographics information without seeing any health related information, I'm not sure if that would be a HIPAA breach or not, especially if it's considered part of the job - but... that's completely off topic since I wouldn't be doing that.
-
@scottalanmiller said:
And how will you get my IP address without my HIPAA records?
We're not getting your IP address. We are getting the IP address of an employee whose credentials were used to access our systems from a country where they are not expected to be. I think I'm chasing down a totally different rabbit trail than you are.
If the party is a third party and we see that the account is used by a hospital in Japan, and we get an IP address from Japan, no alert would be flagged. Even if it were, we still would not know what records they were accessing unless the application itself held an audit trail.
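
The check described in the post above, as an added example that is not part of the original post or of ownCloud/ProjectSend: it reads authentication events only (never which records were accessed) and compares the source country with the countries expected for that account. The log format, account directory and the small lookup table standing in for a GeoIP database are all constructed assumptions; an IP with no location data is reported as unknown rather than guessed.

```python
import ipaddress

# Constructed stand-in for a GeoIP database (documentation address ranges).
GEO_TABLE = {"192.0.2.0/24": "US", "198.51.100.0/24": "JP"}

# Hypothetical account directory: countries each account is expected to log in from.
ACCOUNTS = {
    "jsmith": {"type": "employee", "expected": {"US"}},
    "akim": {"type": "employee", "expected": {"US"}},
    "tokyo-hospital": {"type": "third_party", "expected": {"JP"}},
}

# Constructed authentication log: timestamp, service, user, source IP.
AUTH_LOG = """\
2024-01-12T08:01:44Z owncloud jsmith 192.0.2.17
2024-01-12T08:03:10Z vpn jsmith 198.51.100.23
2024-01-12T08:05:02Z projectsend tokyo-hospital 198.51.100.40
2024-01-12T08:09:31Z owncloud akim 203.0.113.9
"""

def country_of(ip):
    """Return the country for an IP, or None when the table has no answer."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE.items():
        if addr in ipaddress.ip_network(net):
            return country
    return None  # no data: do not guess a location

def review_logins(log_text):
    """Return (user, service, ip, reason) for logins that warrant a follow-up."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, service, user, ip = parts
        acct = ACCOUNTS.get(user)
        if acct is None:
            continue  # account not in the directory: out of scope here
        country = country_of(ip)
        if country is None:
            findings.append((user, service, ip, "unknown-location"))
        elif country not in acct["expected"]:
            findings.append((user, service, ip, "unexpected-country:" + country))
    return findings

if __name__ == "__main__":
    for finding in review_logins(AUTH_LOG):
        print(finding)
```
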
-
@dafyre said:
I'm not looking at what information was accessed. I am looking at a company employee whose username & password was used to log in to ownCloud, our VPN, or any other service we have available on the public interwebs that requires authentication. And that the logged IP address is coming from a country that we do not expect to see them connecting from.
In some cases. But what about users accessing their own data? How are you differentiating? This is an externally exposed system, not an internal system.
And as I've covered, you do not know that an IP is from another country. You are making that guess based on getting information from another system (which creates an exposure risk depending on how it is used.)
-
@dafyre said:
@scottalanmiller said:
And how will you get my IP address without my HIPAA records?
We're not getting your IP address. We are getting the IP address of an employee whose credentials were used to access our systems from a country where they are not expected to be. I think I'm chasing down a totally different rabbit trail than you are.
If the party is a third party and we see that the account is used by a hospital in Japan, and we get an IP address from Japan, no alert would be flagged. Even if it were, we still would not know what records they were accessing unless the application itself held an audit trail.
Remember we determined that this is not a system for employees and we are not discussing employees. This is for external users which would include medical facilities potentially outside of the US, doctors anywhere and the end users themselves.
-
@Dashrender said:
Although accessing a client list - You consider that a HIPAA breach when I am part of the company who houses said data?
Yes. The client list tells me that you have been provisioning services to me and if you accessed it as IT would make you the one violating security. Yes, clearly you CAN access it as the admin, but that doesn't imply that you would ever need to or have the legal right to do so. Just like a bank manager can't go into my safety deposit box but he has the keys in case they get a warrant.
-
@scottalanmiller Right, which is why I felt like we were going in circles. I'll just go back to lurking for this topic, lol.
-
@dafyre said:
@scottalanmiller Right, which is why I felt like we were going in circles. I'll just go back to lurking for this topic, lol.
If we are talking about internal employees only, I'd have a completely different opinion of the situation. It's tracking external stuff that can be tied to a patient that is a problem. Like if you track that my doctor is always logging in from Granada, you suddenly are tracking information about my own health and I don't want my health records telling people where I have been traveling.
-
@Dashrender said:
And it is possible for IT to view demographics information without seeing any health related information, I'm not sure if that would be a HIPAA breach or not, especially if it's considered part of the job - but... that's completely off topic since I wouldn't be doing that.
Here is a major question... is it identifiable? If not, it's different. IP Address, Phone Number and Name are very identifiable provisioning data.
-
@scottalanmiller said:
Why IP and Phone Numbers are HIPAA Data:
“Individually identifiable health information” is information, including demographic data, that relates to:
the individual’s past, present or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual,
Tracking that information would record information about the provisioning of healthcare.
Let's assume that it's provisionable/provisioned data - so what? I work for the company housing/managing/maintaining the data, why can't I access it for the sake of security?
-
@Dashrender said:
Let's assume that it's provisionable/provisioned data - so what? I work for the company housing/managing/maintaining the data, why can't I access it for the sake of security?
Because it is NOT your data, you DO NOT need it and it is against the law. The security to worry about here is IT getting data it does not have a right to see! The security breach here would be you.
The assumption of geo-security is an idea being pushed by IT, and to be useful would require a lot of HIPAA data that is not yours to use.