[ Tuesday, August 10, 2004 ]
Security Tip for the Day: Scramble your static information.
As this interesting article from InfoWorld magazine points out, access control systems and other efforts to protect PHI at input, output, and transmission are the primary focus of folks looking at HIPAA compliance from the security side. However, stop for a second and look at your static information: databases that simply sit there with tons of PHI, waiting for someone to access them. Sure, you have access controls to make sure you keep out improper eyes. But what if someone defeats that system? Wouldn't it make sense if the information sitting there was actually encrypted*?
The analog is a locked filing cabinet or medical records room. The lock on the door is a good first line of security. But what if the records themselves were all mixed up? For example, what if there were no names on the files, only numbers, and the key for correlating numbers to names was kept elsewhere? Or what if the information on a particular patient was actually spread across several different files, and each file held information on several different patients? Or what if the information in the files was scrambled so that an intruder would not be able to make sense of it without a correlating key?
That's the idea: work hard on making sure you limit access to the employees who need to access the particular file. That will help keep an unauthorized employee from getting at information on your systems. But you should also encrypt your static information. That won't keep out the hackers and other outsiders who might get around your access control system (and whom your access control systems don't focus on), but it will keep them from being able to use any information they get.
*(nota bene: the article actually discusses various ways to manipulate information so that it is unviewable or unusable without decoding. I use the word "encryption" to describe all of that, but more technophilic folks like the article author use encryption to describe just one of these procedures.)
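As an added illustration of the numbered-files idea above (this is not code from the post or from the InfoWorld article), the Python below keeps names out of the stored records, replaces them with keyed patient numbers, and holds the correlation table and key separately from the database; the patients and diagnoses are constructed, not real PHI.

```python
import hashlib
import hmac
import secrets

# Constructed sample records with fictitious patients, not real PHI.
RECORDS = [
    {"name": "Alice Example", "diagnosis": "hypertension"},
    {"name": "Bob Sample", "diagnosis": "asthma"},
    {"name": "Alice Example", "diagnosis": "lipid panel ordered"},
]


def derive_token(name: str, key: bytes) -> str:
    """Turn a name into a stable, opaque patient number. A keyed HMAC is used
    instead of a bare hash so that someone holding only the database cannot
    recover names by hashing a list of candidate names and comparing."""
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key):
    """Split each record into the part that sits in the database (numbers,
    no names) and the correlation table, which is stored somewhere else."""
    stored, correlation = [], {}
    for rec in records:
        token = derive_token(rec["name"], key)
        correlation[token] = rec["name"]
        stored.append({"patient_id": token, "diagnosis": rec["diagnosis"]})
    return stored, correlation


def reidentify(row, correlation):
    """Only a holder of the separately kept correlation table gets a name back."""
    return correlation.get(row["patient_id"])


def leaks_direct_identifier(stored, names):
    """Audit check to run against the database: no stored value may contain
    a patient name in the clear."""
    values = [str(v) for row in stored for v in row.values()]
    return any(name in value for name in names for value in values)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and kept outside the database
    stored, correlation = pseudonymize(RECORDS, key)
    names = [r["name"] for r in RECORDS]
    print("rows in database:", stored)
    print("names leaked:", leaks_direct_identifier(stored, names))
    print("same patient, same number:", stored[0]["patient_id"] == stored[2]["patient_id"])
    print("re-identified with table:", reidentify(stored[1], correlation))
    print("re-identified without table:", reidentify(stored[1], {}))
```

Because the token is derived from the key rather than stored, two systems that both hold the key produce the same patient number without sharing the correlation table.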
One last tip:
The author makes a pretty good point on the last page of the article: you've got to audit your systems for security problems, but while you want to keep secret the tricks you use to encrypt the data, you want your audit procedures to be very, very visible. Have you ever noticed how people pick their noses when they're alone in their cars, but not in equally visible places, like a restaurant? The closed doors and windows, the radio playing, they all give the driver an illusion of privacy, and people act differently when they think they're not being watched than they do when they think they're in public. It doesn't matter how often you audit your system, or even which system you audit, if your employees think you audit everything all the time. If they never think they're in the privacy of their own car, they'll never pick their nose.
Hat tip (on the article, not the nose-picking analogy): Megan Charlesworth at Cook Group
Jeff [10:03 AM]