Local Encryption ... Why Not?

Dashrender

To drive my point home:

We have fired two people over the last several years because they logged into a health system they were granted access to because our providers work there as well. They illegally gained access to patient data that had no connection to our providers.

Why is this even possible? Obviously it doesn't need to be so.. but it is, everywhere - in every system they have a logon for, they have full or near full unfettered access to all patients in the entire system.

Dashrender

@BRRABill said:

An even bigger problem in that scenario is things like texting.

I'm frustrated that we can't prevent texting!

Three technologies I'd love to see die:
PSTN
SMS/MMS
email

These technologies by themselves offer zero or near zero security or authentication or privacy.

BRRABill

@Dashrender said:

To drive my point home:

We have fired two people over the last several years because they logged into a health system they were granted access to because our providers work there as well. They illegally gained access to patient data that had no connection to our providers.

Why is this even possible? Obviously it doesn't need to be so.. but it is, everywhere - in every system they have a logon for, they have full or near full unfettered access to all patients in the entire system.

Right. That is something I think would be fixed with @scottalanmiller 's suggestions.

Encryption does nothing for that.

Except for when that same employee who should know better does that on a laptop and it gets stolen. And the the auditors trace that. Uh-oh.

BRRABill

@Dashrender said:

@BRRABill said:

An even bigger problem in that scenario is things like texting.

I'm frustrated that we can't prevent texting!

Three technologies I'd love to see die:
PSTN
SMS/MMS
email

These technologies by themselves offer zero or near zero security or authentication or privacy.

I delved into a lot of this because we did a survey in hospitals. There was no PHI on it, but it was on an iPad. In researching, I got to learn a lot of about device security in healthcare environments.

BRRABill

@Dashrender said:

Three technologies I'd love to see die:
PSTN
SMS/MMS
email

These technologies by themselves offer zero or near zero security or authentication or privacy.

At least in their current form.

We use e-mail, but only to attach a link to a file stored on a secure service like ShareFile for Healthcare.

Jason

@Dashrender said:

Yes sure roles - of course, but in every situation I've seen, the roles of those who 'need' access to patient data, allow full unfettered access to every patient the hospital has on their system (with rare exception - I've seen some systems have a VIP tag for celebrities. this tag would prevent anyone but senior people to have access to those few records, but, the general public... the staff have full access.)

This is actually a bit of the opposite of the way we delegate access. For example higher ups such as Directors, C level Management, Board etc. Do not have access to modify financial data, some don't even have access to view. There is a lot of separation of roles.

Dashrender

@BRRABill said:

@Dashrender said:

Three technologies I'd love to see die:
PSTN
SMS/MMS
email

These technologies by themselves offer zero or near zero security or authentication or privacy.

At least in their current form.

We use e-mail, but only to attach a link to a file stored on a secure service like ShareFile for Healthcare.

Sure, but you could just as easily use any number of IM clients that can provide end to end encryption (yeah I know email can - but you as the user don't know that it does or not).

Dashrender

@Jason said:

@Dashrender said:

Yes sure roles - of course, but in every situation I've seen, the roles of those who 'need' access to patient data, allow full unfettered access to every patient the hospital has on their system (with rare exception - I've seen some systems have a VIP tag for celebrities. this tag would prevent anyone but senior people to have access to those few records, but, the general public... the staff have full access.)

This is actually a bit of the opposite of the way we delegate access. For example higher ups such as Directors, C level Management, Board etc. Do not have access to modify financial data, some don't even have access to view. There is a lot of separation of roles.

That only works because there is never a time that those people require access to those systems to get their job done or save a life. You have a separation of duties that allows for that kind of division. Rarely does healthcare appear to have so easily definable boundaries.

Jason

@Dashrender said:

@Jason said:

@Dashrender said:

Yes sure roles - of course, but in every situation I've seen, the roles of those who 'need' access to patient data, allow full unfettered access to every patient the hospital has on their system (with rare exception - I've seen some systems have a VIP tag for celebrities. this tag would prevent anyone but senior people to have access to those few records, but, the general public... the staff have full access.)

This is actually a bit of the opposite of the way we delegate access. For example higher ups such as Directors, C level Management, Board etc. Do not have access to modify financial data, some don't even have access to view. There is a lot of separation of roles.

That only works because there is never a time that those people require access to those systems to get their job done or save a life. You have a separation of duties that allows for that kind of division. Rarely does healthcare appear to have so easily definable boundaries.

Not really we have our own Doctors, first responders , Safety team and we even have a community college.

StrongBad

@BRRABill said:

@Dashrender said:

To drive my point home:

We have fired two people over the last several years because they logged into a health system they were granted access to because our providers work there as well. They illegally gained access to patient data that had no connection to our providers.

Why is this even possible? Obviously it doesn't need to be so.. but it is, everywhere - in every system they have a logon for, they have full or near full unfettered access to all patients in the entire system.

Right. That is something I think would be fixed with @scottalanmiller 's suggestions.

Encryption does nothing for that.

Except for when that same employee who should know better does that on a laptop and it gets stolen. And the the auditors trace that. Uh-oh.

Does strict policy protect from that? That's something that I don't know about. If you have a clear policy that this is not allowed and they choose to take that data out of the allowed systems, can it be on them not on the company? No different than any other kind of theft? I know that you can do that if you move to VDI or terminal servers.

BRRABill

@StrongBad said:

Does strict policy protect from that? That's something that I don't know about. If you have a clear policy that this is not allowed and they choose to take that data out of the allowed systems, can it be on them not on the company? No different than any other kind of theft? I know that you can do that if you move to VDI or terminal servers.

Yes, you could go after them. But technically they would be coming after you first. It's up to you to make sure that doesn't happen, or if it does, it does not get breached.

There are many levels. If they are allowed access to the data it's not a concern unless the machine they are using gets stolen. Then it is a breach.

If they are NOT allowed to access the data as part of their job, it is a breach in and of itself. Our policy dictates strict penalties for such a thing, and varies by levels ranging from a total mistake on their part to malicious theft of the data.

StrongBad

@BRRABill said:

There are many levels. If they are allowed access to the data it's not a concern unless the machine they are using gets stolen. Then it is a breach.

But if putting data ON the machine is their decision and they were not allowed to do it, isn't that itself the breach? Or if you need an additional step, the breach is theirs not yours?

StrongBad

@BRRABill said:

If they are NOT allowed to access the data as part of their job, it is a breach in and of itself. Our policy dictates strict penalties for such a thing, and varies by levels ranging from a total mistake on their part to malicious theft of the data.

Is misuse of data not a breach - even if the person is allowed to have access to it? A bank manager has access to money, but he isn't allowed to take it home.

BRRABill

BTW:

I contacted Wave and asked if their software (or the drives they support) has any sort of lockout period.

They do not.

So if you happen to steal my laptop and take out the drive, you could theoretically sit and manually guess my password until the cows come home. Maybe one day you'll get it.

Even with that, I'd still like to know how this system provides the illusion of security.

BRRABill

@StrongBad said:

But if putting data ON the machine is their decision and they were not allowed to do it, isn't that itself the breach? Or if you need an additional step, the breach is theirs not yours?

OCR can go after individuals as well, if they were malicious in their intent. However, the employer would also be fined as it is their responsibility to protect the data.

I guess employers could sue the employee to recover the fine.

http://www.beckershospitalreview.com/healthcare-information-technology/how-employers-can-avoid-hefty-hipaa-violations.html

BRRABill

@StrongBad said:

Is misuse of data not a breach - even if the person is allowed to have access to it? A bank manager has access to money, but he isn't allowed to take it home.

Misuse would require an assessment to be done. It would then be determined whether or not it was a breach.

Usually if it stayed in-house it would not be a breach. If you saw your neighbor in the office, looked up he was being treated for something unsavory, and then told his wife, that would be a breach.

scottalanmiller

@BRRABill said:

BTW:

I contacted Wave and asked if their software (or the drives they support) has any sort of lockout period.

They do not.

So if you happen to steal my laptop and take out the drive, you could theoretically sit and manually guess my password until the cows come home. Maybe one day you'll get it.

Even with that, I'd still like to know how this system provides the illusion of security.

Well.... it makes you feel like you are reasonably secure to a minimum level, right? That is the illusion.

scottalanmiller

@BRRABill said:

@StrongBad said:

But if putting data ON the machine is their decision and they were not allowed to do it, isn't that itself the breach? Or if you need an additional step, the breach is theirs not yours?

OCR can go after individuals as well, if they were malicious in their intent. However, the employer would also be fined as it is their responsibility to protect the data.

I guess employers could sue the employee to recover the fine.

http://www.beckershospitalreview.com/healthcare-information-technology/how-employers-can-avoid-hefty-hipaa-violations.html

Employers are NOT required to protect the data. They are only required to provide reasonable protection attempts. An authorized user with appropriate use deciding to misuse or steal data by putting it on their desktop would be no different than any theft. Are you saying that if any employee at your customers now just grabbed data that they were using and ran out the door with it that you would be fined for having been compromised even though no security of yours was compromised?

scottalanmiller

@BRRABill said:

@StrongBad said:

Is misuse of data not a breach - even if the person is allowed to have access to it? A bank manager has access to money, but he isn't allowed to take it home.

Misuse would require an assessment to be done. It would then be determined whether or not it was a breach.

Usually if it stayed in-house it would not be a breach. If you saw your neighbor in the office, looked up he was being treated for something unsavory, and then told his wife, that would be a breach.

Wouldn't it be a breach the moment that someone took data and removed it from the allowed security system and exposed it? It may not have been used maliciously yet. But it has been taken already. It sounds like you only consider it a breach once it has been misused, not just when it has been removed.

Similar to saying a bank isn't robbed when the money is stolen, only when the stolen money is used to buy things.

BRRABill

@scottalanmiller said:

Well.... it makes you feel like you are reasonably secure to a minimum level, right? That is the illusion.

I feel much more than minimally secure.

Are you that certain someone can hack my SED?