Computer Security in Medical Office Practice


Locking the Backdoor: Computer Security and Medical Office Practice
Dr. Maury Pinsk, FRCPC
University of Alberta
Division of Pediatric Nephrology

A case of confidentiality

- Dr. B employs an office manager who also does transcription and completes dialysis billing.
- The office manager takes work home to complete.
- Home computer crash requiring repair.
- Computer “irretrievable”; replaced.
- Requested: “wipe the old hard drive”.

The phone call 3 months later…

- The computer’s hard drive was recycled into a new setup and resold.
- The new purchaser finds medical transcription files stored on the hard drive and releases them to the local paper.
- The patients involved are interviewed by the paper.
- Dr. B gets a call from a lawyer or two…

What are the issues for Dr. B and patient health information?

- Limiting access to information
- Improving confidentiality
- Keeping the integrity of medical information

Who has access?

- Office employees with a need to access medical information (e.g. nurse, booking, billing)
- Office staff with no need to access medical information (e.g. night cleaning staff)
- Cyberspace (i.e. everyone)

Through what route do they have access?

- Single computer
- Server / network within the institution or office
- Internet

Where/how is information stored?

- Fixed
  - Server (remote)
  - Hard drive
- Mobile
  - Compact discs (CD) or DVDs
  - Floppy, tape, Jaz, or Zip drives
  - Memory sticks or data keys

When is information accessible?

- From the office, when it is open
- From outside, 24/7

Methods to improve security in the office

- Computer access
- Information storage and backup
- Internet access


Simple things to control access or theft

- Password login (in place on most operating systems)
- Password-protected files (in place in most word-processing and accounting applications)
- Chained computer
- Locked desk
- Locked office

Information storage

- Fixed storage
  - Often you can set permissions on which accounts may access which folders
  - Safer to have a remote server (the data survives physical damage to the office machine)
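
The folder-permissions point above, as an added example that is not part of the talk: a small Python script that restricts a patient-files folder to its owner and then audits it for anything still readable by other accounts on the machine (the night-cleaning-staff case from the “Who has access?” slide). It assumes a POSIX system, where file modes carry owner/group/other bits; the folder and file names are made up for the demonstration.

```python
import os
import stat
import tempfile

# Any group/other bit set on a path means another account on the machine
# (e.g. a shared login used by cleaning staff) can touch it.
OTHERS_MASK = stat.S_IRWXG | stat.S_IRWXO


def restrict_to_owner(folder):
    """Make `folder` and its subfolders 0700 and every file inside 0600 (owner only)."""
    os.chmod(folder, stat.S_IRWXU)
    for root, dirs, files in os.walk(folder):
        for d in dirs:
            os.chmod(os.path.join(root, d), stat.S_IRWXU)
        for f in files:
            os.chmod(os.path.join(root, f), stat.S_IRUSR | stat.S_IWUSR)


def exposed_entries(folder):
    """Audit: return every path under `folder` that still grants group/other access."""
    exposed = []
    for root, _dirs, files in os.walk(folder):
        for path in [root] + [os.path.join(root, f) for f in files]:
            if os.lstat(path).st_mode & OTHERS_MASK:
                exposed.append(path)
    return exposed


def demo():
    """Constructed layout: a 'patients' folder created with typical default modes."""
    with tempfile.TemporaryDirectory() as tmp:
        patients = os.path.join(tmp, "patients")
        os.mkdir(patients)
        notes = os.path.join(patients, "dialysis_notes.txt")
        with open(notes, "w") as f:
            f.write("constructed transcription text\n")
        os.chmod(patients, 0o755)   # default-ish: everyone can list the folder
        os.chmod(notes, 0o644)      # default-ish: everyone can read the notes
        before = len(exposed_entries(patients))
        restrict_to_owner(patients)
        after = len(exposed_entries(patients))
        return before, after


if __name__ == "__main__":
    print(demo())
```

Run the audit function on its own against the real patient folder from time to time: new files copied in by staff arrive with whatever default mode the application used, not with the mode you set once.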
- Mobile storage
  - Can be locked away
  - Can be removed just as easily
  - Not generally durable storage
    - Magnetic storage: data corrupted after about 10 years with some forms such as floppies and Zip disks
    - Less of a problem with data keys and flash cards

Information backup

- Best to have a system remote from the office, because of:
  - Fire
  - Surges (get a surge protector!)
  - Computer crashes
- Backup should be real-time
- Best if combined with encryption or password access
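
An added example for the backup slide, not code from the talk: a Python script that copies an office folder to a backup location, records a SHA-256 for every file in a manifest, and later verifies the copy, reporting files that went missing or whose bytes changed. That is how the slow corruption of ageing media mentioned under mobile storage gets detected on a schedule instead of being discovered during a restore. The folder layout and file contents are constructed for the demonstration, and the script assumes plain local folders rather than any particular backup product.

```python
import hashlib
import json
import os
import shutil
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(folder):
    """Relative path -> SHA-256 for every file under `folder`."""
    manifest = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            manifest[os.path.relpath(path, folder)] = file_digest(path)
    return manifest


def make_backup(src, dest):
    """Copy `src` to dest/data and write dest/manifest.json describing it."""
    shutil.copytree(src, os.path.join(dest, "data"))
    manifest = build_manifest(src)
    with open(os.path.join(dest, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_backup(dest):
    """Return (missing, corrupted): paths whose copy is gone or whose hash changed."""
    with open(os.path.join(dest, "manifest.json")) as f:
        manifest = json.load(f)
    data = os.path.join(dest, "data")
    missing, corrupted = [], []
    for rel, digest in manifest.items():
        path = os.path.join(data, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif file_digest(path) != digest:
            corrupted.append(rel)
    return sorted(missing), sorted(corrupted)


def demo():
    """Constructed office folder; then simulate media decay and a lost file."""
    with tempfile.TemporaryDirectory() as tmp:
        office = os.path.join(tmp, "office")
        files = {
            "billing/dialysis_2004.csv": b"constructed billing rows\n",
            "transcription/visit_0001.txt": b"constructed transcription text\n",
            "transcription/visit_0002.txt": b"more constructed text\n",
        }
        for rel, content in files.items():
            path = os.path.join(office, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)
        backup = os.path.join(tmp, "backup")
        make_backup(office, backup)
        assert verify_backup(backup) == ([], [])   # a fresh copy verifies clean

        # Flip one byte (decaying medium) and delete one file (lost during copy).
        victim = os.path.join(backup, "data", "transcription", "visit_0002.txt")
        with open(victim, "r+b") as f:
            f.write(b"M")
        os.remove(os.path.join(backup, "data", "billing", "dialysis_2004.csv"))
        return verify_backup(backup)


if __name__ == "__main__":
    print(demo())
```

Keep a second copy of the manifest in the office (or sign it): a manifest stored only beside the data on the same medium decays with it, and it is also the thing an intruder would alter to hide a changed file.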

Internet access

- A computer with access to the Internet is vulnerable
  - Broadband (cable) >> dial-up: an always-on connection is exposed all the time
  - Standalone >> network
  - Monitored access / access on demand
  - No access (not practical)

Internet access

- Ways to help
  - Firewall = a set of instructions limiting which data channels of your Internet connection can be accessed from outside (and, in some cases, by whom) AND which programs can access the Internet from within your computer

Firewalls – what channels?

- Incoming and outgoing data is organized into channels (services on numbered ports), e.g. e-mail, web, DNS lookup
- A firewall can allow data to flow into or out of:
  - Any channel
  - None
  - Some (the usual choice: only the channels the office actually needs)

Firewalls – a checkpoint

- What it can do: audit
  - What type of data (e-mail, web, and file types)
  - How frequently / how many attempts
  - Where it is going (limiting Internet access to certain sites)
  - Low-level content filtering of data (outgoing and incoming)
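
An added example, not from the talk, that ties the two firewall slides above together: a small Python model of a firewall policy that names the office’s channels, allows only some of them, restricts which programs may reach out from inside, and then audits a constructed connection log the way the slide describes (what, how often, where from). The channel names, program names, hostnames and addresses are all made up; a real firewall expresses the same policy as rules on ports and addresses, and its log is what you would feed to the audit.

```python
from collections import Counter

# Channels the office needs, as (direction, protocol, port). Nothing inbound is
# listed, so inbound attempts fall through to the default below ("none").
CHANNELS = {
    "dns":   ("out", "udp", 53),
    "web":   ("out", "tcp", 443),
    "email": ("out", "tcp", 587),
}

POLICY = {
    "default": "deny",                                          # "none" unless a rule allows it
    "allowed_channels": {"dns", "web", "email"},                # "some"
    "allowed_programs": {"resolver", "browser", "mailclient"},  # who may reach out from inside
    "blocked_hosts": {"filesharing.example"},                   # limiting access to certain sites
}


def classify(conn):
    """Name the channel an attempt belongs to, or None if it matches no known channel."""
    key = (conn["dir"], conn["proto"], conn["port"])
    for name, spec in CHANNELS.items():
        if key == spec:
            return name
    return None


def evaluate(conn, policy=POLICY):
    """Decide one attempt: returns (verdict, reason)."""
    channel = classify(conn)
    if channel not in policy["allowed_channels"]:
        return ("deny", "channel not allowed")
    if conn["dir"] == "out" and conn["program"] not in policy["allowed_programs"]:
        return ("deny", "program not allowed")
    if conn.get("host") in policy["blocked_hosts"]:
        return ("deny", "host blocked")
    return ("allow", channel)


def audit(log, policy=POLICY):
    """Summarise a log: counts per decision, and denied attempts per peer address."""
    decisions = Counter()
    denied_by_peer = Counter()
    for conn in log:
        verdict, reason = evaluate(conn, policy)
        decisions[(verdict, reason)] += 1
        if verdict == "deny":
            denied_by_peer[conn["peer"]] += 1
    return decisions, denied_by_peer


# Constructed log of one afternoon's attempts (addresses from the RFC 5737 test ranges).
SAMPLE_LOG = [
    {"dir": "out", "proto": "udp", "port": 53,   "program": "resolver",    "peer": "198.51.100.1", "host": "dns.example"},
    {"dir": "out", "proto": "tcp", "port": 443,  "program": "browser",     "peer": "198.51.100.2", "host": "labresults.example"},
    {"dir": "out", "proto": "tcp", "port": 587,  "program": "mailclient",  "peer": "198.51.100.3", "host": "mail.example"},
    {"dir": "out", "proto": "tcp", "port": 443,  "program": "browser",     "peer": "198.51.100.4", "host": "filesharing.example"},
    {"dir": "out", "proto": "tcp", "port": 443,  "program": "unknown.exe", "peer": "203.0.113.9",  "host": "cmd.example"},
    {"dir": "in",  "proto": "tcp", "port": 445,  "program": None,          "peer": "203.0.113.7"},
    {"dir": "in",  "proto": "tcp", "port": 445,  "program": None,          "peer": "203.0.113.7"},
    {"dir": "in",  "proto": "tcp", "port": 3389, "program": None,          "peer": "203.0.113.7"},
]

if __name__ == "__main__":
    decisions, offenders = audit(SAMPLE_LOG)
    for (verdict, reason), n in sorted(decisions.items()):
        print(f"{verdict:5} {reason:20} {n}")
    print("most denied peer:", offenders.most_common(1))
```

Two things the model makes visible that the slides only state: with no inbound channel listed, every inbound attempt is denied without needing a rule for each port, and the program check is what catches an unknown executable using an otherwise allowed channel (the case the slide calls “what programs can access the internet from within your computer”).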

Firewalls

- What it can’t do
  - Stop intentional bypass of the system, e.g. social engineering (talking staff into giving up password changes, phone numbers, credit card numbers, etc.)
  - Protect against viruses entering
    - Some can stop an infection from spreading further out of the computer

Firewalls

- Helpful if you have layered security needs for a computer/network
- If something is completely confidential / highly sensitive…
  IT SHOULD BE ISOLATED FROM THE NETWORK

Return to Dr. B – what can be done?

- Establish a policy that patient data doesn’t leave the office
- If it has to leave the office:
  - Password protect/encrypt all files (a password prompt protects a file only if its contents are actually encrypted; otherwise the data can still be read straight off the disk)
  - Delete all files when they are transferred back to the office (an ordinary delete leaves the data on the disk until it is overwritten, which is how Dr. B’s files were recovered)
  - Store transcription work on mobile media that comes back to the office
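
The “delete” step above is where Dr. B’s case went wrong: a deleted file, and even a drive that was supposedly “wiped”, still holds its bytes until something overwrites them. As an added example that is not from the talk, the Python script below scans a raw disk image for leftover transcription text, overwrites the image with random data and then zeros, and scans again to show nothing readable is left. The image, the search patterns and the “leftover” text are constructed for the demonstration; on a real drive the same scan runs against the device file.

```python
import os
import re
import tempfile

# Patterns that identify patient data in raw bytes (constructed for the demo).
PHI_PATTERNS = [
    rb"Patient:\s*[A-Z][a-z]+ [A-Z][a-z]+",
    rb"MRN\s*\d{6}",
    rb"Dialysis",
]


def make_sample_image(path, size=64 * 1024):
    """Write a constructed 'old drive': zeros, plus a transcription fragment sitting in
    space that no file entry points to any more (the state after an ordinary delete)."""
    leftover = b"Patient: Jane Doe  MRN 123456\nDialysis session note: constructed text\n"
    image = bytearray(size)
    image[20000:20000 + len(leftover)] = leftover
    with open(path, "wb") as f:
        f.write(image)


def scan_remnants(path, patterns=PHI_PATTERNS):
    """Return [(offset, matched bytes)] for every pattern hit anywhere in the raw image."""
    regex = re.compile(b"|".join(b"(?:" + p + b")" for p in patterns))
    with open(path, "rb") as f:
        data = f.read()    # fine for a small image; a real drive would be read in chunks
    return [(m.start(), m.group()) for m in regex.finditer(data)]


def overwrite_image(path, random_passes=1, block=1 << 16):
    """Overwrite every byte: random passes, then a final pass of zeros, each synced to disk."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(random_passes):
            f.seek(0)
            for off in range(0, size, block):
                f.write(os.urandom(min(block, size - off)))
            f.flush()
            os.fsync(f.fileno())
        f.seek(0)
        for off in range(0, size, block):
            f.write(b"\0" * min(block, size - off))
        f.flush()
        os.fsync(f.fileno())


def wipe_and_verify(path):
    """Scan, overwrite, scan again; returns (hits before, hits after)."""
    before = scan_remnants(path)
    overwrite_image(path)
    after = scan_remnants(path)
    return len(before), len(after)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "old_drive.img")
        make_sample_image(image)
        print(wipe_and_verify(image))
```

The second scan is the part a repair shop’s “we wiped it” never gives you: run it against the device before the drive leaves your hands. Overwriting is only reliable on magnetic disks; a solid-state drive remaps blocks internally, so use the drive’s own secure-erase command there, and scan afterwards all the same.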

Within the office…

- Lock computer access and/or password-protect login
- Isolate patient information from the Internet
- Educate your patients and staff about your confidentiality standards

Further resources

- HIPAA Privacy regulations: http://www.hhs.gov/ocr/hipaa/
- More on firewalls: http://www.faqs.org/faqs/firewalls-faq/
- Basic primer on computer security: http://www.cert.org/