Software HDD Encryption: Poll
-
@scottalanmiller said:
@g.jacobse said:
Our In home Specialists do have a 3rd party web based application which is suppose to be encrypted. But for 90% of the remaining programs who travel and function - they will have client and personal data on their computers.
Seems like an investment in Verizon aircards would solve the issue of data being on personal computers. Though I would still issue them laptops with the aircard. If not use a web interface or a VPN and Terminal server. There still should be device policies required and Antivirus required.
-
We do not have a Server, AD, F&PS of any kind currently. So the use of a VPN is moot.
I need a security measure until that can be addressed. Until then, data is and remains at the local desktop(laptops) level.
Some areas do not have internet access - even with several of the mobile people having Verizon hotspots.
-
Something like this might be an option - it'll keep your stuff secure without having to worry about HDD encryption.
Edit: may require some back end infrastructure but it's an idea at least.
-
@scottalanmiller said:
@Dashrender said:
Because I'm not talking about theft, I'm talking about legitimate download uses.
No, in the scenario we presented, it's theft. That's the beauty of the web EHR. The data is always remote. Taking a copy for use at home on person gear IS theft, are pure and simple as it can be. There is no reason for a doctor to keep that data for himself or to remove it from the EHR.
This is not true. though reading it helps me understand what you were saying above.
Physicians, at least in our clinic, will download data so they can create reports charts, etc. I suppose we could mandate they only do that on their office PC's, but the data would still be pulled down to a local machine.
-
@Dashrender said:
This is not true. though reading it helps me understand what you were saying above.
Physicians, at least in our clinic, will download data so they can create reports charts, etc. I suppose we could mandate they only do that on their office PC's, but the data would still be pulled down to a local machine.
Are you saying that your EHR system doesn't produce reports? The doctors rely on local tools like maybe Excel to get reports?
-
@scottalanmiller said:
@Dashrender said:
This is not true. though reading it helps me understand what you were saying above.
Physicians, at least in our clinic, will download data so they can create reports charts, etc. I suppose we could mandate they only do that on their office PC's, but the data would still be pulled down to a local machine.
Are you saying that your EHR system doesn't produce reports? The doctors rely on local tools like maybe Excel to get reports?
To generate PowerPoint presentations, yes.
-
@Dashrender your EHR can't produce reports?
If the physicians are downloading to their personal desktops, that IT does not control, how does that not violate HIPAA?
-
@MattSpeller said:
Something like this might be an option - it'll keep your stuff secure without having to worry about HDD encryption.
Edit: may require some back end infrastructure but it's an idea at least.
Actually talking with my supervisor,.. the use of USB devices will be removed in the future. So the IronKey will be unusable.
-
@g.jacobse Oh geez, brutal
-
And even if they "need" to produce presentations of data, if the doctor is taking that home, that's personal use and I still feel that if they are doing so they are data thieves. Whether their goal is to be a thief to sell my data or a thief to put data at risk for personal gain through laziness (not having to work on company gear) matters not to me. My data security has been violated by a doctor taking the data for their own use outside of appropriate, legal, professional or ethical guidelines.
Am I missing something? If a doctor has patient data, in any form, on personal gear. Is that not theft? If not, how?
-
Talking about traveling data - physicians who travel to do their job have carried paper charts with them since the beginning of paper charts. This is less necessary now as long as you have internet access at all locations to access said data.
Just to bring this more on point, it's not really physicians that need non EHR access to this data, it's staff doing other jobs. The first example that springs to mind is tracking breaches. Our EHR does not have a solution for tracking PHI breaches. Instead they are tracked in an Excel spreadsheet, and any associated correspondence is generally created in Word.
If the EHR had the ability to track this, I'm sure we'd us it, but current it does not.
-
If I work at a bank and I manage to make a copy of customer's banking data and store a copy of that at home.... even if I am only doing it to "make my job easier", I've stolen their bank data. Black and white, no grey area. The intent might not be strictly malicious, but that doesn't change the action.
-
@Dashrender said:
Talking about traveling data - physicians who travel to do their job have carried paper charts with them since the beginning of paper charts. This is less necessary now as long as you have internet access at all locations to access said data.
They used to. It's not legal now. It used to be necessary. It no longer is and has not been for decades. Lots of things used to be necessary and no longer are. The need to protect personal identification and health data didn't used to be the concern that it is today. Today, those charts are very dangerous things in America, sadly. Times have changed. Both in what we can do and in what we need to do.
-
@Dashrender said:
Just to bring this more on point, it's not really physicians that need non EHR access to this data, it's staff doing other jobs. The first example that springs to mind is tracking breaches. Our EHR does not have a solution for tracking PHI breaches. Instead they are tracked in an Excel spreadsheet, and any associated correspondence is generally created in Word.
How do you track PHI breaches uses HIPAA data?
-
I think your best option is FDE and an encrypted container on the drive that will hold the data. I can't think of how else to make it work offline
-
@Dashrender said:
Talking about traveling data - physicians who travel to do their job have carried paper charts with them since the beginning of paper charts. This is less necessary now as long as you have internet access at all locations to access said data.
Was the paper company owned? Did they take it home and copy it over to their own paper - that would be stealing. It's really the same thing just in different ways.
-
@thecreativeone91 said:
Was the paper company owned? Did they take it home and copy it over to their own paper - that would be stealing. It's really the same thing just in different ways.
Good point. Even not encrypted it was never their personal paper or personal copy. Doctors, always being part of a questionable ethics group, probably stole or didn't properly care for data in their possession always. But just having to rely on paper itself is not a breach nor theft. It's how that data is treated.
Even if using paper, taking it home and keeping it, even if just because they are too lazy to be bothered to bring it back would still have been data theft. It doesn't require a conspiracy or intent or malice, just laziness or a lack of caring. It's just that before 2000 or so, there were few penalties for data theft, if any.
-
Also why does your EHR not have an offline mode? Even the software we used for Rescue would so data was only temporarily stored (software encrypted) on the local laptop until they had a connection, then it would upload it to the server and verify it, then delete all local copies. this was an offline connector component they made in addition to the web interface.
-
@thecreativeone91 said:
Also why does your EHR not have an offline mode? Even the software we used for Rescue would so data was only temporarily stored (software encrypted) on the local laptop until they had a connection, then it would upload it to the server and verify it, then delete all local copies. this was an offline connector component they made in addition to the web interface.
Well, to be fair, if it had that then we'd be back to needing encryption again.
-
@scottalanmiller said:
@thecreativeone91 said:
Also why does your EHR not have an offline mode? Even the software we used for Rescue would so data was only temporarily stored (software encrypted) on the local laptop until they had a connection, then it would upload it to the server and verify it, then delete all local copies. this was an offline connector component they made in addition to the web interface.
Well, to be fair, if it had that then we'd be back to needing encryption again.
It encrypts in the software FDE would be an additional protection. But, the benefit is no employees can make the data stay there. It's got a timebomb on it (24hr I think) and is uploaded to the server automatically when there is a connection.