Security/Encryption requirements for Psycians & Attorney's offices. Who know what?

tankman1989

Active Member
Reaction score
5
My PCP, who is a partner/branch of the local hospital ($1.5 billion company), recently switched over to computerized records and I see some major security holes with their system. All the exam rooms have physically unsecured machines, which anyone with a $30 keylogger can use to gain access to much of the rest of the system (on top of more expensive technology that can access it all remotely with physical access). So now that all patients records are accessible on any machine, what is to stop someone from using their 10-30 min wait time in the exam room from accessing records?

Anyone knows anything about exploiting machines understands the potential here.

I was reading about FIPS encryption standards required by attorney's as of (2001?) and was wondering if there are any standards required for the medical profession. I would think that a person's medical history/file would be as personal and sensitive, if not more so, than a person's legal issues.

So does anyone know what the deal would be with this issue? I found out a little about HIPAA encryption requirements:
http://hipaa-encryption.com/HIPAA-Compliance/

Here is a PDF of FIPS encryption requirements: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

I'm just trying to figure out where the physical access for the medical industry lies in either HIPAA or other regulations?
 
So are the exam rooms left with free access to the public? Do the machines have locally held patient data or is it on a server?

Encryption is generally most useful to secure the data on a drive to which there might be sustained physical access, e.g. theft.

If keyloggers are really likely then they will also record the password to the encryption scheme and so the determined attacker can use a couple of visits to gain the required password and then access to the system and any encrypted files.

I know nothing of US law so can only comment on the technical side. I'm just wondering how encrypting files is likely to help in a scenario where passwords are being captured.

Sounds like they need better physical security such as cases that limit access to ports, cameras or an authentification scheme using smartcards/tokens.
 
My PCP, who is a partner/branch of the local hospital ($1.5 billion company), recently switched over to computerized records and I see some major security holes with their system. All the exam rooms have physically unsecured machines, which anyone with a $30 keylogger can use to gain access to much of the rest of the system (on top of more expensive technology that can access it all remotely with physical access). So now that all patients records are accessible on any machine, what is to stop someone from using their 10-30 min wait time in the exam room from accessing records?

Anyone knows anything about exploiting machines understands the potential here.

I was reading about FIPS encryption standards required by attorney's as of (2001?) and was wondering if there are any standards required for the medical profession. I would think that a person's medical history/file would be as personal and sensitive, if not more so, than a person's legal issues.

So does anyone know what the deal would be with this issue? I found out a little about HIPAA encryption requirements:
http://hipaa-encryption.com/HIPAA-Compliance/

Here is a PDF of FIPS encryption requirements: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

I'm just trying to figure out where the physical access for the medical industry lies in either HIPAA or other regulations?

it would most likely be in HIPAA, maybe some in the obamacare law.

from my experience these regulations do not dictate technology etc, but more standards.

just be ready to do a ton of research if your going after this.
 
Thanks for the replies. I'm not so much concerned about my own issues (med records, as I was when posted) related to the matter. I hadn't even thought much about it until I came across the FIPS standards and wondered how it applied to HIPPA and health care vs Law profession.

It just seems that if I were in charge of 3/4 million patient records and were a $1.5 billion company, I would be concerned with physical access to systems that had secure access to the "secured network". Granted it would take some effort and possible more than one attempt to recover a password with a physical key logger, other means would be much easier. Once Admin (doctors/partners) passwords were attained I would think it easy to access the system as they all have remote access (hopefully via secured VPN as this would add another layer of security).

Part of my post was simply trying to realize the scope and magnitude of the issues related to the transition to electronic medical files.

On a different note I talked to my doctor today about his feelings towards the "new" (18-24 month old) system and the general consensus is all the doctors HATE it. It takes MUCH more time and it turns them in to secrataries where the nurses took care of a lot of the work (forms/paperwork) before. He sees 6-8 less patients a day due to the system that is used. I'm sure this effects them considerably as that is a significant number spread across 500-1,000 doctors daily! After hearing this is sounds like the doctors need some training in keyboard shortcuts to eliminate the 40-50 keyboard to mouse movements required for each patient. Setting up hotkeys or the tab sequence correctly could potentially save loads of time.
 
Back
Top