Computer Security in Medical Office Practice
Locking the Backdoor: Computer Security and Medical Office Practice
Dr. Maury Pinsk, FRCPC
University of Alberta
Division of Pediatric Nephrology
A case of confidentiality
Dr. B employs an office manager who also does transcription and completes dialysis billing.
Takes work home to complete.
Home computer crash requiring repair
Computer “irretrievable”; replaced.
Requested “wipe the old hard drive”
The phone call 3 months later…
Computer hard drive recycled into a new setup and resold
New purchaser finds medical transcription files stored on the hard drive, and releases them to the local paper.
Patients involved interviewed by the paper
Dr. B gets a call from a lawyer or two…
What are the issues for Dr. B and patient health information?
Limiting access to information
Improving confidentiality
Keeping the integrity of medical information
Who has access?
Office employees with a need to access medical information (e.g.: nurse, booking, billing)
Office staff with no need to access medical information (e.g.: night cleaning staff)
Cyberspace (i.e.: everyone)
Through what route do they have access?
Single computer
Server / Network within the institution or office
Internet
Where/How is information stored?
Fixed
Server (remote)
Hard drive
Mobile
Compact disks (CD) or DVDs
Floppy, tape, jaz, or zip drives
Memory sticks or data keys
When is information accessible?
From office when open
From outside 24/7
Methods to improve security in the office
Computer access
Information storage and backup
Internet access
Simple things to control access or theft
Password login
Password protected files
Built into most operating systems
Built into most word processing and accounting applications
Chained computer
Locked desk
Locked office
Information storage
Fixed storage
Often can establish permissions to access folders
Safer to keep data on a remote server (less exposure to damage at the office)
Mobile storage
Can be locked away
Can be removed just as easily
Not generally durable storage
Magnetic storage – data corrupted after 10 years with some forms such as floppies and zip disks
Less so with data keys and flash cards
Information backup
Best to have a system remote from office
Fire
Surges
Get a protector!
Computer crashes
Backup should be real-time
Best if combined with encryption or password access
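A remote backup is only useful if what comes back from it is intact, which is the "integrity of medical information" point from the opening slide. The following is an added example, not from Dr. Pinsk's slides: it copies an office folder to a stand-in "remote" location, records a SHA-256 digest of every file in a manifest, and later re-checks the backup against that manifest so that a corrupted, missing or unexpected file is reported rather than silently restored. The office files, their contents and the manifest file name are constructed for the demonstration; in practice the manifest would be kept (or signed) separately from the backup so that it cannot be altered along with the data.

```python
"""Backup with a SHA-256 manifest and a verification pass.

Added example (not from the slides). File names and contents below are
constructed; MANIFEST is a name chosen for this demonstration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.sha256.json"   # constructed name for the digest list


def sha256_of(path):
    """Digest a file in chunks so large scans or images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root):
    """Map every file under root (relative POSIX path) to its digest, skipping the manifest itself."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST
    }


def backup(src, dest):
    """Copy src to dest and write the manifest of what was copied."""
    shutil.copytree(src, dest, dirs_exist_ok=True)
    manifest = make_manifest(dest)
    Path(dest, MANIFEST).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(dest):
    """Compare the backup against its manifest; return a list of problems (empty when clean)."""
    expected = json.loads(Path(dest, MANIFEST).read_text())
    actual = make_manifest(dest)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append("missing: " + rel)
        elif actual[rel] != digest:
            problems.append("changed: " + rel)
    for rel in actual:
        if rel not in expected:
            problems.append("unexpected: " + rel)
    return problems


def demo():
    """Back up a constructed office folder, then damage the copy and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        office = Path(tmp, "office")
        (office / "notes").mkdir(parents=True)
        (office / "notes" / "visit_0001.txt").write_text("constructed transcription text\n")
        (office / "billing.csv").write_text("constructed billing row\n")

        remote = Path(tmp, "remote_backup")
        backup(office, remote)
        clean = verify_backup(remote)            # expected: no problems

        # Simulate silent corruption and loss on the backup side.
        (remote / "billing.csv").write_text("corrupted\n")
        (remote / "notes" / "visit_0001.txt").unlink()
        damaged = verify_backup(remote)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("fresh backup:", clean or "OK")
    print("after damage:", damaged)
```

Run `demo()` once to see the clean result, then the two findings after the copy has been damaged; a restore procedure that calls `verify_backup` first is what turns "we have a backup" into "we have a usable backup".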
Internet access
A computer with access to internet is vulnerable
Broadband (cable) >> dialup
Standalone >> network
Monitored access / Access on demand
No access (not practical)
Internet access
Ways to help
Firewall
= a set of instructions limiting what data channels of your internet connection can be accessed from outside and, in some cases, by whom
AND what programs can access the internet from within your computer
Firewalls – what channels?
Data incoming and outgoing is organized in channels
e.g.: E-mail, Internet, DNS lookup
Can allow data to flow into or out of:
Any
None
Some
Firewalls – a checkpoint
What it can do : audit
What type of data (email, internet and file types)
How frequently / how many attempts
Where it is going (limiting internet access to certain sites)
Low-level data content censoring (outgoing and incoming)
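The two firewall slides above (channels that may flow in or out, and the checkpoint that audits type, frequency and destination) can be shown working together in a few lines. This is an added example, not code from Dr. Pinsk's slides: it names the slides' "channels" by well-known service ports, applies a small office policy (inbound e-mail only; outbound e-mail, web and DNS; one destination blocked), and keeps an audit of every decision plus a count of attempts per remote address. The traffic records, addresses and host names are constructed for the demonstration.

```python
"""Channel allow-list firewall with an audit log.

Added example (not from the slides). Packet records below are constructed;
the port-to-channel table uses the standard ports for mail, web and DNS.
"""
from collections import Counter
from dataclasses import dataclass, field

# Well-known service ports, used to name the channels described on the slides.
CHANNELS = {25: "email", 80: "web", 443: "web", 53: "dns"}


@dataclass
class Firewall:
    allow_in: frozenset                       # channels reachable from outside
    allow_out: frozenset                      # channels local programs may use
    blocked_hosts: frozenset = frozenset()    # outbound destinations to refuse
    audit: Counter = field(default_factory=Counter)     # (direction, channel, verdict) -> count
    attempts: Counter = field(default_factory=Counter)  # remote address -> count

    def decide(self, direction, port, remote):
        """Return 'allow' or 'deny' for one connection attempt and record it in the audit."""
        channel = CHANNELS.get(port, "other")
        allowed = self.allow_in if direction == "in" else self.allow_out
        verdict = "allow" if channel in allowed else "deny"
        if direction == "out" and remote in self.blocked_hosts:
            verdict = "deny"                  # "limiting internet access to certain sites"
        self.audit[(direction, channel, verdict)] += 1
        self.attempts[remote] += 1
        return verdict

    def repeat_offenders(self, threshold):
        """Remote addresses with at least `threshold` attempts (the 'how many attempts' audit)."""
        return sorted(r for r, n in self.attempts.items() if n >= threshold)


# Constructed traffic: (direction, port, remote address or host name).
SAMPLE_TRAFFIC = [
    ("in", 25, "198.51.100.10"),    # inbound mail: allowed
    ("in", 80, "203.0.113.5"),      # outside party reaching for a web port: denied
    ("in", 22, "203.0.113.5"),      # unknown channel from the same address: denied
    ("in", 22, "203.0.113.5"),
    ("out", 443, "example.org"),    # staff browsing: allowed
    ("out", 443, "example.net"),    # a site the office chose to block
    ("out", 53, "192.0.2.1"),       # DNS lookup: allowed
]


def run_demo():
    """Apply a small office policy to the constructed traffic."""
    fw = Firewall(
        allow_in=frozenset({"email"}),
        allow_out=frozenset({"email", "web", "dns"}),
        blocked_hosts=frozenset({"example.net"}),
    )
    verdicts = [fw.decide(*pkt) for pkt in SAMPLE_TRAFFIC]
    return fw, verdicts


if __name__ == "__main__":
    fw, verdicts = run_demo()
    for pkt, verdict in zip(SAMPLE_TRAFFIC, verdicts):
        print(pkt, "->", verdict)
    print("audit:", dict(fw.audit))
    print("repeat offenders:", fw.repeat_offenders(3))
```

The audit counter answers the checkpoint questions directly: how much traffic of each type was seen, how much was refused, and which address kept trying. Note that the model also shows the slides' limit: a policy that allows outbound web traffic cannot tell a staff member's browsing from a program on the computer quietly sending data out over the same channel.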
Firewalls
What it can’t do
Intentional bypass of the system
E.g.: Social engineering
Password changes, phone numbers, credit card numbers etc.
Protect against viruses entering
Some can prevent multiple distributions from occurring
Firewalls
Helpful if you have layered security needs on a computer/network
If something is completely confidential/high sensitivity…
IT SHOULD BE ISOLATED FROM THE NETWORK
Return to Dr. B – What can be done?
Establish policy that patient data doesn’t leave the office
If it has to leave the office:
Password protect/encrypt all files
Delete all files when transferred back to the office
Store transcription work on mobile media that comes back to the office
Within the office…
Lock computer access and/or password-protect login
Isolate patient information from internet
Educate your patients and staff about your confidentiality standards
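The case turned on a "wipe" that was requested but never verified, and the slide's advice to delete files once they return to the office has the same weakness: deleting a file removes its directory entry, not its contents. The following is an added example, not from Dr. Pinsk's slides, showing the defensive habit that is missing from the story: overwrite the data, flush it to the device, read it back and confirm the overwrite before discarding. It works on a stand-in file so it runs anywhere; on a real drive this file-level overwrite is not enough, because journaling filesystems and flash wear-levelling keep older copies of data in places a file write never touches, so a drive being recycled needs a whole-device sanitization tool followed by the same read-back check over the whole device. The file name and contents are constructed.

```python
"""Overwrite-and-verify sanitization of a stand-in file.

Added example (not from the slides). The file below stands in for media
holding transcription work; its name and contents are constructed.
"""
import os
import tempfile


def overwrite_and_verify(path, passes=(b"\x00",)):
    """Overwrite every byte of the file with each one-byte pattern in turn, forcing
    each pass to the device, then read the file back and confirm only the last
    pattern remains. Returns True only if the read-back check succeeds."""
    size = os.path.getsize(path)
    for pattern in passes:
        with open(path, "r+b") as f:             # in place, so the length is unchanged
            written = 0
            while written < size:
                chunk = pattern * min(65536, size - written)
                f.write(chunk)
                written += len(chunk)
            f.flush()
            os.fsync(f.fileno())                 # do not trust the OS write cache
    with open(path, "rb") as f:
        data = f.read()
    return len(data) == size and data == passes[-1] * size


def sanitize_media(path):
    """Overwrite the file (a 0xFF pass then a zero pass), verify, and only then remove it."""
    ok = overwrite_and_verify(path, passes=(b"\xff", b"\x00"))
    if ok:
        os.remove(path)
    return ok


def demo():
    """Create constructed transcription content, sanitize it, and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "transcription_0001.txt")
        with open(path, "wb") as f:
            f.write(b"constructed transcription text for patient 0001\n" * 200)
        with open(path, "rb") as f:
            before = f.read()
        ok = sanitize_media(path)
        # (verified, content was present before, file still exists after)
        return ok, b"transcription" in before, os.path.exists(path)


if __name__ == "__main__":
    verified, had_content, still_there = demo()
    print("overwrite verified:", verified)
    print("contained patient text before:", had_content)
    print("file remains after sanitization:", still_there)
```

The point to carry over to office policy is the order of operations: overwrite, verify by reading back, and only then dispose. A request to "wipe the drive" that no one checked is what put Dr. B's transcription files in a stranger's hands.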
Further resources
HIPAA Privacy regulations: http://www.hhs.gov/ocr/hipaa/
More on firewalls: http://www.faqs.org/faqs/firewalls-faq/
Basic primer on computer security: http://www.cert.org/