ProjectSend
-
@scottalanmiller said:
That's very, very bad. That could easily trigger a discrimination lawsuit.
You are not erring on the side of cautious, you are erring on the side of personal control over other people's information. IT should have literally zero say in this. It should be management, legal and customers only. If IT is involved in blocking people from their medical reasons on IT's own opinion that answer is wrong, every time.
Then I would be sued out of existence. If a company has hired me to protect their infrastructure, then that is what I will do.
Turn that on its flip side for a second. What if it were an IPS system or a firewall that was actively blocking things from a list of countries by default. I didn't set it up that way. Those are the default rules. I'm not the one who said "That's a bad IP address" -- My vendor said that. Then it would be my vendor sued out of existence... Which if being so easily open to lawsuits was the case, companies that manage Snort, Alienvault, Suricata, et al, would be priced so that only Big business and large enterprises can afford to use their products.
-
@JaredBusch said:
Nothing was about anything but employees until someone else, I read it as you, brought up external people.
I read it as the topic both because the topic is specifically about a product to "share files with clients" and because I pointed this out at the beginning for clarity.
-
@dafyre said:
Then I would be sued out of existence. If a company has hired me to protect their infrastructure, then that is what I will do.
You would break the law because you feel that violating HIPAA regulations protects the infrastructure? You would be the one stealing the data here and the one that the infrastructure needs to be protected from, right?
-
@dafyre said:
Turn that on its flip side for a second. What if it were an IPS system or a firewall that was actively blocking things from a list of countries by default. I didn't set it up that way. Those are the default rules. I'm not the one who said "That's a bad IP address" -- My vendor said that. Then it would be my vendor sued out of existence... Which if being so easily open to lawsuits was the case, companies that manage Snort, Alienvault, Suricata, et al, would be priced so that only Big business and large enterprises can afford to use their products.
You are mixing concepts. Blocking by default is possibly very foolish and again, never an IT decision, BUT it has NO relationship to tracking people or violating data integrity laws by stealing HIPAA data for personal use (even if you feel that that personal use is to "Protect the infrastructure."
-
@dafyre said:
@scottalanmiller said:
That's very, very bad. That could easily trigger a discrimination lawsuit.
You are not erring on the side of cautious, you are erring on the side of personal control over other people's information. IT should have literally zero say in this. It should be management, legal and customers only. If IT is involved in blocking people from their medical reasons on IT's own opinion that answer is wrong, every time.
Then I would be sued out of existence. If a company has hired me to protect their infrastructure, then that is what I will do.
Turn that on its flip side for a second. What if it were an IPS system or a firewall that was actively blocking things from a list of countries by default. I didn't set it up that way. Those are the default rules. I'm not the one who said "That's a bad IP address" -- My vendor said that. Then it would be my vendor sued out of existence... Which if being so easily open to lawsuits was the case, companies that manage Snort, Alienvault, Suricata, et al, would be priced so that only Big business and large enterprises can afford to use their products.
But the difference is you aren't recording IP addresses at the application level that can be linked to records that were downloaded. Most IPS systems won't be able link IP addresses being blocked with patients or clients/vendors.
-
@scottalanmiller said:
Why would an employee not use secure, internal systems? How did employees come into this picture?
light bulb
Damn, thanks for bringing this back full circle.
Those that I would be sending information to via this product would be people I know, or at least that are allowed in some capacity to have the HPI in question. For the most part in my case it's going to be local hospitals and lawyers. As such I can assume that most of the time they will be local.
Also, I get to choose how I release this data to you. I can choose to mail it instead of sending it electronically. So, I can demand to know the GEO IP you're going to download from if I want to before deciding if you'll be allowed to download from there or if I will fall back to using snailmail.Yes that's extreme, but doable.
-
Instead of thinking about IT, treat this as other security roles:
- Would a security guard at the front desk be allowed to go into private health records and call people at home because he "felt it was good security?"
- Would the receptionist turn down calls from numbers that they personally felt should not be used by the customers?
If not, why is IT different?
-
@coliver said:
But the difference is you aren't recording IP addresses at the application level that can be linked to records that were downloaded. Most IPS systems won't be able link IP addresses being blocked with patients or clients/vendors.
Linked to regulated, personal health data!
-
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
Employees are one thing. But this product and thread are about getting data to external people not for internal staff. While you could do that, it's not the design of the product.
Again @scottalanmiller you're right, this product is for external access. Those accessing it externally are not patients, but other vendors/hospitals/lawyers, etc who need access to some data that would often be sent via email, but we are looking for other, more secure options.
That's what I thought we were discussing.
But again, I'm not sending to patients, I'm sending to third parties on behalf of the patient.
And I'd love to see where location data is considered HPI and protected? As well as a phone number.
-
@Dashrender said:
Those that I would be sending information to via this product would be people I know, or at least that are allowed in some capacity to have the HPI in question. For the most part in my case it's going to be local hospitals and lawyers. As such I can assume that most of the time they will be local.
Can you? Why? How do you know that? How do you determine where the IP is coming from? And WHY WHY WHY would you care?
-
@Dashrender said:
But again, I'm not sending to patients, I'm sending to third parties on behalf of the patient.
Who have authenticated, taken responsibility and you have no reason to interject opinion over their appropriate location. Why is IT involved here at all?
-
@Dashrender said:
And I'd love to see where location data is considered HPI and protected? As well as a phone number.
How will you get my phone number?
-
And how will you get my IP address without my HIPAA records?
-
@scottalanmiller said:
@dafyre said:
You know neither of these things. How do you want to react with misleading information that makes you assume one thing but doesn't mean that?
I can easily answer the second question. dials phone "Hey, are you in Japan? No? Okay, that's all I need to know. hang up ... block ip
- Really? You are going to call anyone and everyone that accesses your systems? You, in IT, are going to start pulling their HIPAA regulated data illegally to do so? This violates HIPAA very clearly. As an IT pro, you don't have a need to see my HIPAA data, which includes my location and phone number. If I get that call, I call a lawyer. This means your systems are bleeding my data and that's very bad.
I'm not accessing your HIPPA information. I am contacting an employee of my company whose username and password has been logged as coming from another country. Quick call to verify they are not in that country, and maybe their IP address (if they are working remotely from home) and then I can notify the security response team or block that IP address from the firewall if necessary.
I am speaking of, of course applications such as ownCloud or Project send that are secured with some type of username & password. If we are using 2FA, then this is much less of a concern, but it would still warrant checking with an employee, IMO.
(Baylor Hospital in Texas did this, they got in huge trouble for selling data.)
As they should have!
I'm not looking at what information was accessed. I am looking at a company employee whose username & password was used to log in to ownCloud, our VPN, or any other service we have available on the public interwebs that requires authentication. And that the logged IP address is coming from a country that we do not expect to see them connecting from.
-
Why IP and Phone Numbers are HIPAA Data:
“Individually identifiable health information” is information, including demographic data, that relates to:
the individual’s past, present or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual,Tracking that information would record information about the provisioning of healthcare.
-
@scottalanmiller said:
@Dashrender said:
And I'd love to see where location data is considered HPI and protected? As well as a phone number.
How will you get my phone number?
That was @dafyre who would call, I wouldn't call, I'd simply block and make you call me if you want something.
Although accessing a client list - You consider that a HIPAA breach when I am part of the company who houses said data? And it is possible for IT to view demographics information without seeing any health related information, I'm not sure if that would be a HIPAA breach or not, especially if it's considered part of the job - but... that's completely off topic since I wouldn't be doing that. -
@scottalanmiller said:
And how will you get my IP address without my HIPAA records?
We're not getting your IP address. We are getting the IP address of an employee whose credentials were used to access our systems from a country where they are not expected to be. I think I'm chasing down a totally different rabbit trail than you are.
If the party is a third party and we see that the account is used by a hospital in Japan, and we get an IP address from Japan, no alert would be flagged. Even if it were, we still would not know what records they were accessing unless the application itself held an audit trail.
-
@dafyre said:
I'm not looking at what information was accessed. I am looking at a company employee whose username & password was used to log in to ownCloud, our VPN, or any other service we have available on the public interwebs that requires authentication. And that the logged IP address is coming from a country that we do not expect to see them connecting from.
In some cases. But what about users accessing their own data? How are you differentiating? This is an externally exposed system, not an internal system.
And as I've covered, you do not know that an IP is from another country. You are making that guess based on getting information from another system (which creates an exposure risk depending on how it is used.)
-
@dafyre said:
@scottalanmiller said:
And how will you get my IP address without my HIPAA records?
We're not getting your IP address. We are getting the IP address of an employee whose credentials were used to access our systems from a country where they are not expected to be. I think I'm chasing down a totally different rabbit trail than you are.
If the party is a third party and we see that the account is used by a hospital in Japan, and we get an IP address from Japan, no alert would be flagged. Even if it were, we still would not know what records they were accessing unless the application itself held an audit trail.
Remember we determined that this is not a system for employees and we are not discussing employees. This is for external users which would include medical facilities potentially outside of the US, doctors anywhere and the end users themselves.
-
@Dashrender said:
Although accessing a client list - You consider that a HIPAA breach when I am part of the company who houses said data?
Yes. The client list tells me that you have been provisioning services to me and if you accessed it as IT would make you the one violating security. Yes, clearly you CAN access it as the admin, but that doesn't imply that you would ever need to or have the legal right to do so. Just like a bank manager can't go into my safety deposit box but he has the keys in case they get a warrant.