ProjectSend
-
@dafyre said:
I'm not looking at what information was accessed. I am looking at a company employee whose username & password was used to log in to ownCloud, our VPN, or any other service we have available on the public interwebs that requires authentication. And that the logged IP address is coming from a country that we do not expect to see them connecting from.
In some cases. But what about users accessing their own data? How are you differentiating? This is an externally exposed system, not an internal system.
And as I've covered, you do not know that an IP is from another country. You are making that guess based on getting information from another system (which creates an exposure risk depending on how it is used.)
-
@dafyre said:
@scottalanmiller said:
And how will you get my IP address without my HIPAA records?
We're not getting your IP address. We are getting the IP address of an employee whose credentials were used to access our systems from a country where they are not expected to be. I think I'm chasing down a totally different rabbit trail than you are.
If the party is a third party and we see that the account is used by a hospital in Japan, and we get an IP address from Japan, no alert would be flagged. Even if it were, we still would not know what records they were accessing unless the application itself held an audit trail.
Remember we determined that this is not a system for employees and we are not discussing employees. This is for external users which would include medical facilities potentially outside of the US, doctors anywhere and the end users themselves.
-
@Dashrender said:
Although accessing a client list - You consider that a HIPAA breach when I am part of the company who houses said data?
Yes. The client list tells me that you have been provisioning services to me and if you accessed it as IT would make you the one violating security. Yes, clearly you CAN access it as the admin, but that doesn't imply that you would ever need to or have the legal right to do so. Just like a bank manager can't go into my safety deposit box but he has the keys in case they get a warrant.
-
@scottalanmiller Right, which is why I felt like we were going in circles. I'll just got back to lurking for this topic, lol.
-
@dafyre said:
@scottalanmiller Right, which is why I felt like we were going in circles. I'll just got back to lurking for this topic, lol.
If we are talking about internal employees only, I'd have a completely different opinion of the situation. It's tracking external stuff that can be tied to a patient that is a problem. Like if you track that my doctor is always logging in from Granada, you suddenly are tracking information about my own health and I don't want my health records telling people where I have been traveling.
-
@Dashrender said:
And it is possible for IT to view demographics information without seeing any health related information, I'm not sure if that would be a HIPAA breach or not, especially if it's considered part of the job - but... that's completely off topic since I wouldn't be doing that.
Here is a major question... is it identifiable? if not, it's different. IP Address, Phone Number and Name are very identifiable provisioning data.
-
@scottalanmiller said:
Why IP and Phone Numbers are HIPAA Data:
“Individually identifiable health information” is information, including demographic data, that relates to:
the individual’s past, present or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual,Tracking that information would record information about the provisioning of healthcare.
let's assume that it's provisionable/provisioned data - so what? I work for the company house/managing/maintaining the data, why can't I access it for the sake of security?
-
@Dashrender said:
let's assume that it's provisionable/provisioned data - so what? I work for the company house/managing/maintaining the data, why can't I access it for the sake of security?
Because it is NOT your data, you DO NOT need it and it is against the law. The security to worry about here is IT getting data it does not have a right to see! The security breach here would be you.
The assumption of geo-security is an idea being pushed by IT, and to be useful would require a lot of HIPAA data that is not yours to use.
-
@scottalanmiller said:
@Dashrender said:
let's assume that it's provisionable/provisioned data - so what? I work for the company house/managing/maintaining the data, why can't I access it for the sake of security?
Because it is NOT your data, you DO NOT need it and it is against the law. The security to worry about here is IT getting data it does not have a right to see! The security breach here would be you.
The assumption of geo-security is an idea being pushed by IT, and to be useful would require a lot of HIPAA data that is not yours to use.
I think yours is one of opinion and not rule of law or precedence. But if you have either, I'd love links.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
let's assume that it's provisionable/provisioned data - so what? I work for the company house/managing/maintaining the data, why can't I access it for the sake of security?
Because it is NOT your data, you DO NOT need it and it is against the law. The security to worry about here is IT getting data it does not have a right to see! The security breach here would be you.
The assumption of geo-security is an idea being pushed by IT, and to be useful would require a lot of HIPAA data that is not yours to use.
I think yours is one of opinion and not rule of law or precedence. But if you have either, I'd love links.
I thought that I provided it. It was quoted right from the HIPAA page itself.
-
From hhs.gov
Basic Principle. A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected heath information may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
-
Required Disclosures. A covered entity must disclose protected health information in only two situations: (a) to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and (b) to HHS when it is undertaking a compliance investigation or review or enforcement action.
-
And notice that IT is not even considered a business associate:
Business Associate Defined. In general, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing.9 Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.
-
Access and Uses. For internal uses, a covered entity must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce. These policies and procedures must identify the persons, or classes of persons, in the workforce who need access to protected health information to carry out their duties, the categories of protected health information to which access is needed, and any conditions under which they need the information to do their jobs.
-
I would say that ANY access by IT (or facilities, or janitorial or decorating) staff is a very clear violation of the intent of the law.
-
Let's think of it in another way.... would you be happy having this conversation with a judge:
"Your honor, I accessed private healthcare data because I felt that I could use that information for the purpose of securing a network that I was managing."
and...
"No, I was not directly told to access this data or to secure the network in this manner."
-
If you were asked the questions that led to those answers, would you feel that the access and potential disclosure of that data was allowed or justified? In the first case, I think HIPAA is violated. In the second, I fear that the "corporate veil" would be pierced and it might become a personal liability rather than a corporate one.
-
@scottalanmiller said:
Let's think of it in another way.... would you be happy having this conversation with a judge:
"Your honor, I accessed private healthcare data because I felt that I could use that information for the purpose of securing a network that I was managing."
and...
"No, I was not directly told to access this data or to secure the network in this manner."
Yes I would, on the assumption that it was part of my purview to protect my network to my own levels. I.E. I am the one who decides what is and isn't needed to protect my network.
-
@Dashrender said:
@scottalanmiller said:
Let's think of it in another way.... would you be happy having this conversation with a judge:
"Your honor, I accessed private healthcare data because I felt that I could use that information for the purpose of securing a network that I was managing."
and...
"No, I was not directly told to access this data or to secure the network in this manner."
Yes I would, on the assumption that it was part of my purview to protect my network to my own levels. I.E. I am the one who decides what is and isn't needed to protect my network.
So you feel that the privacy of HIPAA data is okay to breach if the reason is for protecting YOUR network? I don't believe that a judge would see that in a kind light. Protecting your network, protecting any network, is not something that health data is allowed to be used for.
-
As someone with health data out there, it worries me that people who are entrusted to protect it probably routinely feel their their own security needs would justify the theft and misappropriation of my data for their own, personal uses which is not just wrong on its own, but puts my data at greater risk as it would then be being stored and used outside of HIPAA regulated systems. No one would be looking for that data to be being stored with network records, for example.