Locking the Backdoor: Computer Security and Medical Office Practice Dr. Maury Pinsk, FRCPC University of Alberta Division of Pediatric Nephrology

A case of confidentiality Dr. B employs an office manager who also does transcription and completes dialysis billing. Takes work home to complete. Home computer crash requiring repair Computer “irretrievable”; replaced. Requested “wipe the old hard drive” The phone call 3 months later…

Computer hard drive recycled to new setup and resold New purchaser finds medical transcription files stored on the hard drive, and releases to local paper. Patients involved interviewed by paper Dr. B gets a call from a lawyer or two…..

What are the issues for Dr. B and patient heath information? Limiting access to information Improving confidentiality Keeping the integrity of medical information

Who has access? Office employees with need to access medical information (e.g.: nurse, booking, billing) Office staff with no need to access medical information (e.g.: night cleaning staff) Cyberspace (i.e.: everyone)

Through what route do they have access? Single computer Server / Network within the institution or office Internet

Where/How is information stored? Fixed Server (remote) Hard drive Mobile Compact disks (CD) or DVDs Floppy, tape, jaz, or zip drives Memory sticks or data keys

When is information accessible? From office when open From outside 24/7

Methods to improve security in the office Computer access Information storage and backup Internet access

Simple things to control access or theft Password login In place on most OS Password protected files In place in most WP and accounting applications Chained computer Locked desk Locked office

Information storage Fixed storage Often can establish permissions to access folders Safer to have remote server (damage) Mobile storage Can be locked away Can removed just as easy Not generally durable storage Magnetic storage– corrupted data after 10 years with some forms such as floppies and zip Less with data keys and flash cards

Information backup Best to have a system remote from office Fire Surges Get a protector! Computer crashes Back up should be real-time Best if combined with encryption or password access

Internet access A computer with access to internet is vulnerable Broadband (cable) >> dialup Standalone >> network Monitored access / Access on demand No access (not practical)

Internet access Ways to help Firewall = a set of instructions limiting what data channels of your internet connection can be accessed from outside and in some cases, by whom AND what programs can access the internet from within your computer

Firewalls – what channels? Data incoming and outgoing is organized in channels e.g.: , Internet, DNS lookup Can allow data to flow into or out of: Any None Some

Firewalls – a checkpoint What it can do : audit What type of data ( , internet and file types) How frequently / how many attempts Where it is going (limiting internet access to certain sites) Low level data content censoring (out and ingoing)

Firewalls What it can’t do Intentional bypass of the system E.g.: Social engineering Password changes, phone numbers, credit card numbers etc. Protect against viruses entering Some can prevent multiple distributions from occurring

Firewalls Helpful if you have layered security needs to a computer/network If something is completely confidential/high sensitivity… IT SHOULD BE ISOLATED FROM THE NETWORK

Return to Dr. B – What can be done? Establish policy that patient data doesn’t leave office If it has to leave the office: Password protect/encrypt all files Delete all files when transferred back to the office Store transcription work on mobile media that comes back to the office

Within the office… Lock computer access and or password protect login Isolate patient information from internet Educate your patients and staff about your confidentiality standards

Further resources HIPAA Privacy regulations More on Firewalls Basic Primer on computer security