Locking the Backdoor: Computer Security and Medical Office Practice
Dr. Maury Pinsk, FRCPC
University of Alberta Division of Pediatric Nephrology
A case of confidentiality
• Dr. B employs an office manager who also does transcription and completes dialysis billing.
• Takes work home to complete.
• Home computer crash requiring repair
• Computer “irretrievable”; replaced.
• Requested “wipe the old hard drive”
• The phone call 3 months later…
• Computer hard drive recycled to new setup and resold
• New purchaser finds medical transcription files stored on the hard drive, and releases to local paper.
• Patients involved interviewed by paper
• Dr. B gets a call from a lawyer or two…
What are the issues for Dr. B and patient health information?
• Limiting access to information
• Improving confidentiality
• Keeping the integrity of medical information
Who has access?
• Office employees with need to access medical information (e.g.: nurse, booking, billing)
• Office staff with no need to access medical information (e.g.: night cleaning staff)
• Cyberspace (i.e.: everyone)
Through what route do they have access?
• Single computer
• Server / Network within the institution or office
• Internet
Where/How is information stored?
• Fixed
  • Server (remote)
  • Hard drive
• Mobile
  • Compact disks (CD) or DVDs
  • Floppy, tape, jaz, or zip drives
  • Memory sticks or data keys
When is information accessible?
• From office when open
• From outside 24/7
Methods to improve security in the office
• Computer access
• Information storage and backup
• Internet access
Simple things to control access or theft
• Password login
  • In place on most OS
• Password protected files
  • In place in most WP and accounting applications
• Chained computer
• Locked desk
• Locked office
Information storage
• Fixed storage
  • Often can establish permissions to access folders
  • Safer to have remote server (damage)
• Mobile storage
  • Can be locked away
  • Can be removed just as easily
  • Not generally durable storage
    • Magnetic storage – corrupted data after 10 years with some forms such as floppies and zip
    • Less with data keys and flash cards
Information backup
• Best to have a system remote from office
  • Fire
  • Surges
    • Get a protector!
  • Computer crashes
• Back up should be real-time
• Best if combined with encryption or password access
Internet access
• A computer with access to internet is vulnerable
  • Broadband (cable) >> dialup
  • Standalone >> network
• Monitored access / Access on demand
• No access (not practical)
Internet access
• Ways to help
  • Firewall = a set of instructions limiting what data channels of your internet connection can be accessed from outside and in some cases, by whom AND what programs can access the internet from within your computer
Firewalls – what channels?
• Data incoming and outgoing is organized in channels
  • e.g.: E-mail, Internet, DNS lookup
• Can allow data to flow into or out of:
  • Any
  • None
  • Some
Firewalls – a checkpoint
• What it can do: audit
  • What type of data (email, internet and file types)
  • How frequently / how many attempts
  • Where it is going (limiting internet access to certain sites)
  • Low level data content censoring (outgoing and incoming)
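The two firewall slides above (channels with an any/none/some policy, and auditing of refused attempts) as a small working model, added here as an example and not part of the original presentation. It is a toy policy evaluator, not a real firewall; the port-to-channel table uses standard service ports, and the "some" allow-list, the blocked site and the sample connection attempts are constructed assumptions.

```python
# Toy model of the firewall concepts on the slides: traffic is sorted into
# "channels" (ports), the policy is "any" / "none" / "some", and refused
# attempts are counted for audit. Constructed example, not a real firewall.
from collections import Counter
from dataclasses import dataclass, field

CHANNELS = {25: "email (SMTP)", 53: "DNS lookup", 80: "internet (HTTP)",
            443: "internet (HTTPS)", 445: "file sharing (SMB)"}

@dataclass
class Attempt:
    direction: str   # "in" (from outside) or "out" (from inside the office)
    peer: str        # remote address, or site name for outgoing traffic
    port: int        # the "channel"

@dataclass
class Firewall:
    mode: str                                       # "any", "none" or "some"
    allowed: dict = field(default_factory=dict)     # direction -> set of ports
    blocked_sites: set = field(default_factory=set)
    refused: Counter = field(default_factory=Counter)  # audit: (peer, channel) -> count

    def decide(self, a: Attempt) -> bool:
        channel = CHANNELS.get(a.port, f"unknown port {a.port}")
        if self.mode == "any":
            ok = True
        elif self.mode == "none":
            ok = False
        else:  # "some": default deny, then only the allow-listed ports per direction
            ok = a.port in self.allowed.get(a.direction, set())
        if ok and a.direction == "out" and a.peer in self.blocked_sites:
            ok = False  # "limiting internet access to certain sites"
        if not ok:
            self.refused[(a.peer, channel)] += 1  # audit "how many attempts"
        return ok

    def repeat_offenders(self, threshold: int = 3) -> list:
        """Audit view: peers refused repeatedly on one channel."""
        return sorted(k for k, n in self.refused.items() if n >= threshold)

def run_sample() -> tuple:
    # Office policy (assumed): outgoing web, DNS and e-mail only; nothing inbound.
    fw = Firewall(mode="some", allowed={"out": {53, 80, 443, 25}},
                  blocked_sites={"games.example"})
    sample = [Attempt("out", "hhs.gov", 443), Attempt("out", "games.example", 80),
              Attempt("in", "203.0.113.9", 445)] + [Attempt("in", "198.51.100.7", 445)] * 4
    decisions = [fw.decide(a) for a in sample]
    return decisions, fw.repeat_offenders()
```

Only the first attempt (HTTPS to an allowed site) passes; the four refused inbound file-sharing attempts from one address show up in the audit list.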
Firewalls
• What it can’t do
  • Intentional bypass of the system
    • E.g.: Social engineering
      • Password changes, phone numbers, credit card numbers etc.
  • Protect against viruses entering
    • Some can prevent multiple distributions from occurring
Firewalls
• Helpful if you have layered security needs to a computer/network
• If something is completely confidential/high sensitivity… IT SHOULD BE ISOLATED FROM THE NETWORK
Return to Dr. B – What can be done?
• Establish policy that patient data doesn’t leave office
• If it has to leave the office:
  • Password protect/encrypt all files
  • Delete all files when transferred back to the office
  • Store transcription work on mobile media that comes back to the office
Within the office…
• Lock computer access and/or password protect login
• Isolate patient information from internet
• Educate your patients and staff about your confidentiality standards
Further resources
• HIPAA Privacy regulations
  • http://www.hhs.gov/ocr/hipaa/
• More on Firewalls
  • http://www.faqs.org/faqs/firewalls-faq/
• Basic Primer on computer security
  • http://www.cert.org/