Without Encryption Your EMR Will Be Unsecured -- and You’ll Be Toast.

Unhappy Camper (Vol. 1, Issue 15)
I had the following two scary scenarios actually happen to me over the past couple of weeks. Unfortunately neither was a Halloween joke; they actually happened.
I was at a fellow physician’s office and happened to get a look at her EHR hardware set-up. It happens that we both used the same EMR software vendor, but her hardware was a rather bizarre mixture of plastic, plywood, and metal cart jury-rigged to hold a tablet computer with a separate full-sized keyboard. Certainly the set-up was physically secure—it could not walk out of her office unnoticed, for the ungainly contraption could barely make it through the exam room door.
But my attention was drawn to a flash drive (or thumb drive, as some people call it) that was brightly lit and inserted into a USB port on the set-up. “Why the flash drive?” I inquired. She proudly pointed out that if her EHR computers or network went down, she would still be able to access the previous four years of physicals on all of her patients. Sure, it was a good idea to have her important patient data backed up. The flash drive was not, however, encrypted; hell, it was not even password-protected. Should that single flash drive have been misappropriated by someone, they would have had full and free access to all of the PHI contained on it.
Later that week I was examining a 15-year-old patient who was enticed by my pen-enabled Fujitsu tablet. Conversation quickly turned to what operating system I ran (Windows 7), and he revealed he preferred Windows XP because he could hack the passwords. I asked him to explain how, so he gave me a detailed explanation of just how he does it. I won’t reveal the details here, of course, but it involved getting into the DOS prompt and takes him all of about 15 seconds. I haven’t tried it yet, but this kid was very serious in his knowledge, which he claimed to have attained while working in a computer repair shop.
Truly scary scenarios.
For the uninitiated, encryption technology is not just another password system. Passwords do one thing: they instruct the computer device whether or not to talk to the person accessing the system. Don’t get me wrong, passwords are essential to help ensure that only authorized users gain access. But even when passwords are complex there are methods that can get by them, such as a well-known program beginning with the letter e that I will not discuss further in this forum.
Encryption, on the other hand, totally scrambles the content of the computer device, which can then be unscrambled or decoded only by entering a complex key combination. The encryption key does not rest in the DOS or BIOS of the computer system waiting to be discovered by some teenaged twit desiring to wreak havoc on the establishment. Without that precise key, the computer device is totally indecipherable, even if the drive is pulled out in a white room and reassembled into a different computer—a more intricate method of getting around password protection, since the password check is simply never run.
Even more important for both your financial health and your professional reputation is the fact that HHS will give a pass on HIPAA breach reporting requirements should an ENCRYPTED device be stolen or misappropriated. Not so with mere password-protected devices.
We have been using Windows 7 Ultimate Edition with BitLocker encryption for the past 3 months and I must say I’m very happy with it. Day-to-day operational use is both transparent and stable. You can also encrypt individual flash drives with it, so that if you must transfer files containing PHI you’d be protected. Converting over isn’t a cheap process, though (see more at: http://www.docehrtalk.org/messageboard/2010/09/11/better-save-upgrade-wi... ). There are programs out there that can encrypt Windows XP, so if you haven’t yet upgraded to Windows 7 Ultimate Edition, you might want to consider that a temporary option. If Mercy Health Plan of Pennsylvania had encrypted their flash drive with the PHI of 280,000 patients on it when it was stolen, they would not only have been able to rest easy, they wouldn’t even have had to report it as stolen to the Feds. But they didn’t encrypt, so we can read all the ugly details at: http://www.healthcareitnews.com/news/medicaid-data-breach-onion
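The two points above (a flash drive is only protected once it is encrypted, and BitLocker can encrypt removable drives) can be turned into a routine office check. The script below is an added example, not code from the original column; it assumes the Windows BitLocker PowerShell module (Windows 8 / Server 2012 and later; Windows 7 Ultimate ships the command-line tool manage-bde.exe instead), an elevated prompt, and a placeholder file share for recovery passwords.

```powershell
# Added example (not from the original post). Assumes the BitLocker PowerShell
# module (Windows 8 / Server 2012 or later) and an elevated prompt. On Windows 7
# the equivalent command-line tool is manage-bde.exe.

# 1. Audit: list every removable drive and flag any that is not protected.
#    This is the check that would have caught the unencrypted backup drive.
function Get-RemovableDriveProtection {
    $removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }
    foreach ($vol in $removable) {
        $mp = "$($vol.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Drive            = $mp
            Label            = $vol.FileSystemLabel
            ProtectionStatus = if ($bl) { $bl.ProtectionStatus } else { 'Unknown' }
            VolumeStatus     = if ($bl) { $bl.VolumeStatus } else { 'Unknown' }
            # Exposed = PHI on this drive would be readable if the drive were lost
            Exposed          = (-not $bl) -or ($bl.ProtectionStatus -ne 'On')
        }
    }
}

Get-RemovableDriveProtection | Format-Table -AutoSize

# 2. Remediate: turn on BitLocker To Go for one removable drive with a password,
#    add a recovery password, and store it somewhere OTHER than the drive itself.
function Protect-RemovableDrive {
    param(
        [Parameter(Mandatory)] [string]       $MountPoint,         # e.g. 'E:'
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string]       $RecoveryKeyFolder   # placeholder share path
    )
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password -UsedSpaceOnly
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $out = Join-Path $RecoveryKeyFolder ("{0}-{1}.txt" -f $MountPoint.TrimEnd(':'), $rp.KeyProtectorId.Trim('{}'))
    "Recovery password for $MountPoint : $($rp.RecoveryPassword)" | Out-File -FilePath $out -Encoding ascii
    # Report the resulting state; encryption continues in the background until 100%.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
}

# Example call (drive letter and share path are placeholders):
# Protect-RemovableDrive -MountPoint 'E:' -Password (Read-Host -AsSecureString 'Drive password') -RecoveryKeyFolder '\\fileserver\bitlocker-keys'
```

Any drive the audit reports with Exposed = True is one that would have to be treated as a reportable breach if it went missing.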
Oh—Oh! And I have a cheap security tip for this week’s readers. For a measly 55 cents apiece you, too, can buy nifty USB port plugs that discourage office workers (and annoying teenaged twits) from accessing your computers through those 3 or 4 USB ports you have running along the sides of each of your EHR computers. Well, at least not in a casual way, for it’d take a micro screwdriver to pry them out. To buy these plugs see http://bestbyte.net/merchant/merchant.mvc?Screen=PROD&Store_Code=BB&Prod...
Still not satisfied? I’m told by my Air Force buddies that current protocol in their service is to jam hot epoxy into each and every USB port to render them permanently unusable.
Further reading:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationru...
http://www.docehrtalk.org/messageboard/2010/10/01/hhs-presents-major-dat...
Oooops. The link to Best Byte computers got truncated in the reformatting for the DocEHRtalk website. When you connect via the link, go to the home page and search for part # CBUS01CAPF