Staying Independent...Together

   RE: HIPAA Security Rules
 From: Jim Bloomer
 To: Member Forum
 Posted: 07-17-2017 16:20
 Message:

Should have posted this rather than replying on email... here it is. Thanks Peter.

Hi Jim, If it's ok with you, we should put this on the public discussion board so others can benefit. Your connection with your cloud server will be "HTTPS," not "HTTP." HTTPS alone gives you credit-card level security in your connection. The folks that issue a security certificate confirm the identity of the site to a more than reasonable degree, and the "handshaking" uses public key encryption to secure your connection. (Google 'public key encryption'.) Ask your IT guy about how much security you get with HTTPS. It's a reasonable way of gauging how expert he is. If he doesn't understand HTTPS gives you

  • secure encryption and
  • confirmation of the site's identity

then you absolutely need another IT person. Seriously. What would you think about a doctor who told you to get your appendix taken out, 'just in case'? The risk in an HTTPS connection is orders of magnitude less. https://www.healthit.gov/providers-professionals/faqs/what-does-https-web-address-mean How much security do you need? https://www.youtube.com/watch?v=Oo9k83jhFf4 (Click the link.)

"There are various reasons for wanting to use free VPN (virtual private network) software, but the two main ones are to hide who you are, or to hide where you are. Why might you want to do either of these things? "

The important thing about the security rule is you need to do an assessment, and have it in writing. The Hitech site has a free security risk assessment (SRA) tool that's boring but complete. Don't overthink the process when you do it - good enough is... good enough! The CMS site has info about email and texting, neither of which is very secure, but may be adequate. The Signal app gives you encrypted texting. PGP can give you encrypted email, but IMO, it's not worth the bother. Most "secure email" portal applications are just plain cumbersome. You should definitely use a password manager like KeePass, http://keepass.info and a passphrase generator like Readable Passphrase Generator http://readablepassphrase.codeplex.com/ though you can shorten the passwords for most applications. 50 bits is enough for all except banking. Read about password reuse and password crackers. https://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/ https://arstechnica.com/security/2014/04/stanfords-password-policy-shuns-one-size-fits-all-security/

Peter



------------------------------
Jim Bloomer
------------------------------
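Peter's "50 bits is enough for all except banking" rule of thumb can be checked with a little arithmetic. The following is an added example, not code from the forum or from the Readable Passphrase Generator; the word list is a constructed sample, and the 7776-word size used in the comments is the Diceware list size, assumed here as a realistic list.

```python
"""Passphrase strength in bits for a generator that picks words uniformly.

Added illustration of the 50-bit rule of thumb from the post above. The
SAMPLE_WORDS list is constructed for the example; a real generator uses a
list of thousands of words (Diceware has 7776).
"""
import math
import secrets

# Constructed sample word list (real lists are far larger).
SAMPLE_WORDS = ["apple", "river", "candle", "orbit",
                "meadow", "harbor", "velvet", "pepper"]


def entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of a passphrase of n_words drawn uniformly and independently
    from wordlist_size words: n_words * log2(wordlist_size).

    Note: a generator that fits words into a grammatical template makes
    fewer free choices than its word count suggests, so use the tool's own
    bit estimate rather than this formula for such phrases.
    """
    if wordlist_size < 2 or n_words < 1:
        raise ValueError("need a list of at least two words and one pick")
    return n_words * math.log2(wordlist_size)


def words_needed(wordlist_size: int, target_bits: float = 50.0) -> int:
    """Smallest number of uniformly chosen words that reaches target_bits.
    50 bits is the post's threshold for everything except banking."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def meets_threshold(wordlist_size: int, n_words: int,
                    target_bits: float = 50.0) -> bool:
    """True when the passphrase design reaches the requested strength."""
    return entropy_bits(wordlist_size, n_words) >= target_bits


def generate_passphrase(words, n_words: int) -> str:
    """Pick words with the CSPRNG in `secrets`, never `random`, so the
    entropy estimate above actually holds."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    # Four Diceware words give about 51.7 bits: just over the 50-bit bar.
    print(round(entropy_bits(7776, 4), 1), words_needed(7776))
    print(generate_passphrase(SAMPLE_WORDS, words_needed(len(SAMPLE_WORDS))))
```

A 16-bit-per-word list (65536 words) still falls short of 50 bits with three words, which is why the number of words matters more than how exotic the words are.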
-------------------------------------------
Original Message:
Sent: 07-14-2017 15:28
From: Jim Bloomer
Subject: HIPAA Security Rules

Hello,

Am switching from a server based EMR to a cloud based EMR. Do those on the cloud have any special in-house security measures etc.? An IT person is suggesting that a "windows domain" or "windows work group" is not HIPAA compliant. Do practices have a HIPAA security rules document in place? Does anyone know of a template? There is an article in the FPM Journal recently... looks fairly onerous....

Tx

Jim Bloomer, Exeter, NH.
Copyright 2016 Ideal Medical Practices. All rights reserved.