Software HDD Encryption: Poll
-
@Dashrender your EHR can't produce reports?
If the physicians are downloading to their personal desktops, that IT does not control, how does that not violate HIPAA?
-
@MattSpeller said:
Something like this might be an option - it'll keep your stuff secure without having to worry about HDD encryption.
Edit: may require some back end infrastructure but it's an idea at least.
Actually talking with my supervisor,.. the use of USB devices will be removed in the future. So the IronKey will be unusable.
-
@g.jacobse Oh geez, brutal
-
And even if they "need" to produce presentations of data, if the doctor is taking that home, that's personal use and I still feel that if they are doing so they are data thieves. Whether their goal is to be a thief to sell my data or a thief to put data at risk for personal gain through laziness (not having to work on company gear) matters not to me. My data security has been violated by a doctor taking the data for their own use outside of appropriate, legal, professional or ethical guidelines.
Am I missing something? If a doctor has patient data, in any form, on personal gear. Is that not theft? If not, how?
-
Talking about traveling data - physicians who travel to do their job have carried paper charts with them since the beginning of paper charts. This is less necessary now as long as you have internet access at all locations to access said data.
Just to bring this more on point, it's not really physicians that need non EHR access to this data, it's staff doing other jobs. The first example that springs to mind is tracking breaches. Our EHR does not have a solution for tracking PHI breaches. Instead they are tracked in an Excel spreadsheet, and any associated correspondence is generally created in Word.
If the EHR had the ability to track this, I'm sure we'd us it, but current it does not.
-
If I work at a bank and I manage to make a copy of customer's banking data and store a copy of that at home.... even if I am only doing it to "make my job easier", I've stolen their bank data. Black and white, no grey area. The intent might not be strictly malicious, but that doesn't change the action.
-
@Dashrender said:
Talking about traveling data - physicians who travel to do their job have carried paper charts with them since the beginning of paper charts. This is less necessary now as long as you have internet access at all locations to access said data.
They used to. It's not legal now. It used to be necessary. It no longer is and has not been for decades. Lots of things used to be necessary and no longer are. The need to protect personal identification and health data didn't used to be the concern that it is today. Today, those charts are very dangerous things in America, sadly. Times have changed. Both in what we can do and in what we need to do.
-
@Dashrender said:
Just to bring this more on point, it's not really physicians that need non EHR access to this data, it's staff doing other jobs. The first example that springs to mind is tracking breaches. Our EHR does not have a solution for tracking PHI breaches. Instead they are tracked in an Excel spreadsheet, and any associated correspondence is generally created in Word.
How do you track PHI breaches uses HIPAA data?
-
I think your best option is FDE and an encrypted container on the drive that will hold the data. I can't think of how else to make it work offline
-
@Dashrender said:
Talking about traveling data - physicians who travel to do their job have carried paper charts with them since the beginning of paper charts. This is less necessary now as long as you have internet access at all locations to access said data.
Was the paper company owned? Did they take it home and copy it over to their own paper - that would be stealing. It's really the same thing just in different ways.
-
@thecreativeone91 said:
Was the paper company owned? Did they take it home and copy it over to their own paper - that would be stealing. It's really the same thing just in different ways.
Good point. Even not encrypted it was never their personal paper or personal copy. Doctors, always being part of a questionable ethics group, probably stole or didn't properly care for data in their possession always. But just having to rely on paper itself is not a breach nor theft. It's how that data is treated.
Even if using paper, taking it home and keeping it, even if just because they are too lazy to be bothered to bring it back would still have been data theft. It doesn't require a conspiracy or intent or malice, just laziness or a lack of caring. It's just that before 2000 or so, there were few penalties for data theft, if any.
-
Also why does your EHR not have an offline mode? Even the software we used for Rescue would so data was only temporarily stored (software encrypted) on the local laptop until they had a connection, then it would upload it to the server and verify it, then delete all local copies. this was an offline connector component they made in addition to the web interface.
-
@thecreativeone91 said:
Also why does your EHR not have an offline mode? Even the software we used for Rescue would so data was only temporarily stored (software encrypted) on the local laptop until they had a connection, then it would upload it to the server and verify it, then delete all local copies. this was an offline connector component they made in addition to the web interface.
Well, to be fair, if it had that then we'd be back to needing encryption again.
-
@scottalanmiller said:
@thecreativeone91 said:
Also why does your EHR not have an offline mode? Even the software we used for Rescue would so data was only temporarily stored (software encrypted) on the local laptop until they had a connection, then it would upload it to the server and verify it, then delete all local copies. this was an offline connector component they made in addition to the web interface.
Well, to be fair, if it had that then we'd be back to needing encryption again.
It encrypts in the software FDE would be an additional protection. But, the benefit is no employees can make the data stay there. It's got a timebomb on it (24hr I think) and is uploaded to the server automatically when there is a connection.
-
@thecreativeone91 said:
@scottalanmiller said:
@thecreativeone91 said:
Also why does your EHR not have an offline mode? Even the software we used for Rescue would so data was only temporarily stored (software encrypted) on the local laptop until they had a connection, then it would upload it to the server and verify it, then delete all local copies. this was an offline connector component they made in addition to the web interface.
Well, to be fair, if it had that then we'd be back to needing encryption again.
It encrypts in the software FDE would be an additional protection. But, the benefit is no employees can make the data stay there. It's got a timebomb on it (24hr I think) and is uploaded to the server automatically when there is a connection.
Oh I see.
-
@scottalanmiller said:
@thecreativeone91 said:
@scottalanmiller said:
@thecreativeone91 said:
Also why does your EHR not have an offline mode? Even the software we used for Rescue would so data was only temporarily stored (software encrypted) on the local laptop until they had a connection, then it would upload it to the server and verify it, then delete all local copies. this was an offline connector component they made in addition to the web interface.
Well, to be fair, if it had that then we'd be back to needing encryption again.
It encrypts in the software FDE would be an additional protection. But, the benefit is no employees can make the data stay there. It's got a timebomb on it (24hr I think) and is uploaded to the server automatically when there is a connection.
Oh I see.
I don't know of any EHR that has an offline mode, but my exposure is very limited, so there might be offline modes for it now.
-
Uhm - wow - I didn't expect it to be this much of a heated debate - but one that has been a learning experience...
But I have to again ask for a single get it done now because we are out of compliance type answer.
Of the four options that 'fix' the issue now (McAfee, Symantec, Sophos, Replace HDD) which is the (as sad as I have to say) lesser of the evils?
And I could toss in one more,.. Dump the desktops completely and go with a RDP / VPN connection to a (self) hosted server running Server 2k12 or other. Eliminate the 'local computer' preventing ANY data on the local computer using Deepfreeze or such....(longer harder more costly solution).
-
Hard to say, I'm going to guess that Sophos is the way to go.
