
Flash Drive Policy 2

Status
Not open for further replies.

thegirlofsteel

IS-IT--Management
Mar 3, 2004
110
US
I was wondering if anybody has a flash drive (thumb drive) policy at their organization. Our agency is a HIPAA agency and we do not allow the use of flash drives. We had a few employees back up their files onto flash drives so they could take them home to do work from home.
 
What? No nullification either? If your justice system is predictable it can't be any fun!
 
Some of this is just BOFH behavior.

At least the person copying data to removable flash is authorized to view the information, though I'm not suggesting that it implies data copying and certainly not taking data off site.

What I do wonder about is whether or not the patient data is being encrypted/decrypted at the client machines. Network and server operations staff have no business need to have this information accessible to them, and thus giving them some waiver shouldn't hold any water either. The same goes for developers and DBAs. When these people engage in bad behavior it happens on a wholesale scale.

That's the problem with these privacy regulations. The serious leaks seldom get plugged in actual implementations.
 
Well, I just got word that with our new servers we are going to be installing a program called Credant. Anyone heard of this, and has anyone run into any issues with it? This should help with the flash drives... but I still have to come up with a policy.
 
Do NOT allow anyone to work at home. This will save you the trouble of whether someone saves to a flash drive, as if they do, what are they going to do with it? If they take it home, are they going to sit and watch it? If anybody questions the point, tell them about the government people whose laptops have been stolen, which in turn let Social Security numbers loose on the net. Privacy is the utmost concern, especially under HIPAA.

Glen A. Johnson
 
Disallow all copying to external devices and have your legal department write up a HIPAA compliance document that every employee must acknowledge and sign (like most medical tech companies do). Since Credant also supports a mobile solution for your data, any argument for copying should fall into a case-by-case basis (e.g. conferences, outside meetings, marketing, etc.). Allow employees to use a flash/portable device, because some, like me, will only have music. If an employee can copy files for work-related testing or other such work, then you should disallow copying files outside of approved hardware (again, this is for work laptops or other hardware used in marketing or presentations). If Credant cannot monitor copying of those files, then disallowing all outside hardware may be prudent (this is not a 100% answer because of cell phones with expandable memory).
 
> no written, signed slip of paper holds any weight with me if I'm a juror if the company did not also take actual precautions to prevent unauthorized data access/transfer

No matter what you make the employees sign, you are ultimately responsible for designing, implementing, and enforcing an environment with policies that will treat PHI accordingly. If you make everyone sign a paper that says "don't do this" but then look the other way when they do, you are responsible.

In the UK, you just might find yourself being directed by the judge on this; UK jurors are not allowed to make up the law to suit their views.

It's not a matter of US jurors making up the law. It's the way the law was written. HIPAA says that PHI has to be protected, that reasonable measures should be made to protect the data, that there has to be ways to restrict data so that only the people who need it to do their jobs get access to it, there has to be an officer in the company to monitor compliance, etc. It's specific in some areas, but when it comes to technological requirements it is quite vague. There's an upside and a downside to this.

The upside is that you will be required to take actions that are considered reasonable in the current environment. Many financial institutions continued to use 56-bit encryption algorithms for decades after they had been proven insecure because that was what was mandated. If the law is vague then it pretty much comes down to requiring you to implement current best practices. It would certainly be possible to take things to an even more secure/protected level, but at a cost that would make it impossible to implement in a useful manner. So the law doesn't require the strongest security, it just wants best practices.

The downside is that there is a lot of ambiguity there, which means that there's a lot of room for interpretation by a jury (or whoever else). What might be considered industry standard best practices by a large metropolitan hospital may not be feasible in a small, rural hospital. So which standard is used?

But back to the question: at the hospital where I was responsible for data security we had a written policy, signed by the users, requiring that they treat PHI as protected and that they wouldn't transfer it outside the company except through secured/encrypted means, and only to people/organizations with whom the hospital had partnership agreements, and then only to people who required that information to perform their job duties.

We did not allow people to use portable storage devices (thumb drives, USB hard disk, iPods) and connect them to PCs. At first the policy was only stated and then enforced when it came to our attention that users had brought in such a device. Eventually we had to lock it down via GPO.

We did allow people to work from home, but only under limited circumstances. They could use a company provided laptop if they had one assigned to them, or they could check one out. All laptops ran with full-disk encryption so that the data was secured if the device was lost or stolen. Users could also work remotely by using a VPN connection to a terminal server that had applications installed on it. This ensured that even though they were working remotely the information was still stored on hospital-controlled systems and was encrypted in transit. Under no circumstances were people allowed to transmit PHI via email, even to another internal email address (it's too easy to forward it outside the company).
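The post above says the portable-storage ban was eventually enforced with a GPO rather than left as a stated policy. The following audit script is an added example, not code from the thread or from any poster; it reports whether a Windows host actually carries the registry state written by the "Removable Storage Access" policies (Deny_All under the RemovableStorageDevices policy key, and Deny_Write/Deny_Read under the Removable Disks class GUID) or by the older approach of disabling the USBSTOR driver (Start = 4). The function name, the output field names and the "stated but not enforced" wording are this example's own.

```powershell
# Added example (not part of the original thread): audit whether this host
# enforces a removable-storage lockdown via Group Policy or the legacy
# USBSTOR driver setting. Read-only; it changes nothing on the machine.

function Get-RemovableStoragePolicyState {
    [CmdletBinding()]
    param()

    # Written by Computer Configuration > Policies > Administrative Templates >
    # System > Removable Storage Access.
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    # Sub-key used by the "Removable Disks: Deny read/write access" policies.
    $removableDisks = Join-Path $policyRoot '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
    # Legacy approach: the USB mass-storage driver, disabled when Start = 4.
    $usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    # Returns the DWORD value, or $null if the key or value is absent.
    function Get-RegDword([string]$Path, [string]$Name) {
        if (-not (Test-Path $Path)) { return $null }
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return [int]$item.$Name
    }

    $state = [ordered]@{
        DenyAllClasses     = (Get-RegDword $policyRoot 'Deny_All') -eq 1
        DenyRemovableWrite = (Get-RegDword $removableDisks 'Deny_Write') -eq 1
        DenyRemovableRead  = (Get-RegDword $removableDisks 'Deny_Read') -eq 1
        UsbStorDisabled    = (Get-RegDword $usbstor 'Start') -eq 4
    }

    # Copying PHI to a thumb drive is blocked if any one of these holds.
    $state.WriteToRemovableBlocked = $state.DenyAllClasses -or
                                     $state.DenyRemovableWrite -or
                                     $state.UsbStorDisabled
    return [pscustomobject]$state
}

# Usage: run on the workstation being checked; compare against the written policy.
$result = Get-RemovableStoragePolicyState
$result | Format-List
if (-not $result.WriteToRemovableBlocked) {
    Write-Warning 'Removable-storage writes are NOT blocked on this host: the policy is stated but not enforced.'
}
```

Run it as part of a compliance sweep rather than once: the thread's point is that a signed policy with no technical enforcement behind it will not hold up, and a host where all four fields read False is exactly the gap an auditor (or a juror) would ask about.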
 
>It's not a matter of US jurors making up the law. It's the way the law was written. HIPAA says ...

Sure, but let's pretend I'm a juror with no experience or knowledge of HIPAA law. I'd expect the judge to direct me on it. Wouldn't you?
 
Sure, you would definitely get directions from the judge, regardless of what experience you had with HIPAA. I think we're in agreement there.
 