Encryption Explained [Prime Numbers]

Posted on July 21, 2020 by Dr. David Edward Marcinko MBA MEd CMP™

End-to-End

***

***

Filed under: Information Technology | Tagged: , , , | Leave a comment »

On the lack of encryption of ePHI in transmission and at rest

Posted on November 15, 2015 by Dr. David Edward Marcinko MBA MEd CMP™

Join Our Mailing List 

Shahid N. Shah MS[By Shahid N. Shah MS]

ePHI is vulnerable to be compromised in all the states it is in. Whether it is at rest (in databases and files), or in motion (being transmitted through networks), or in use (being updated, or read), or is disposed (discarded paper files or electronic storage media).

Using encryption puts an extra layer of security to ePHI because even if someone gains access or reads ePHI, if it is encrypted then the chances of ePHI getting compromised diminishes. It makes the data unreadable and unusable by unauthorized persons. When ePHI is transmitted through networks, it is possible that it will be accessed by unauthorized persons, thus compromising ePHI. These type of unauthorized access hacking may not be immediately known, but can cause many damages.

Major Mitigation

ePHI should be encrypted and there must also be reasonable and appropriate mechanisms in place to prevent access to ePHI so that it is not accessed by persons or software programs that have not been granted access rights.

There are many different encryption methods and technologies to encrypt data in motion (SSL, VPN) or at rest. Choose the methods and technologies that best meet the physician’s office requirements.

Success criteria

The risk analysis/assessment reports will provide a clear indication of whether these type of risks exists or has been mitigated with appropriate controls.

***

secret

***

Assessment

Auditing logs that track access to ePHI can be verified periodically to check if there has been unauthorized access by persons or software programs that have not been granted access rights.

More

ABOUT 

Mr. Shahid N. Shah is an internationally recognized healthcare thought-leader across the Internet. He is a consultant to various federal agencies on technology matters and winner of Federal Computer Week’s coveted “Fed 100″ Award, in 2009. Over a twenty year career, he built multiple clinical solutions and helped design-deploy an electronic health record solution for the American Red Cross and two web-based eMRs used by hundreds of physicians with many large groupware and collaboration sites. As ex-CTO for a billion dollar division of CardinalHealth, he helped design advanced clinical interfaces for medical devices and hospitals. Mr. Shah is senior technology strategy advisor to NIH’s SBIR/STTR program helping small businesses commercialize healthcare applications. He runs four successful blogs: At http://shahid.shah.org he writes about architecture issues; at http://www.healthcareguy.com he provides valuable insights on applying technology in health care; at http://www.federalarchitect.com he advises senior federal technologists; and at http://www.hitsphere.com he gives a glimpse of HIT as an aggregator. Mr. Shah is a Microsoft MVP (Solutions Architect) Award Winner for 2007, and a Microsoft MVP (Solutions Architect) Award Winner for 2006. He also served as a HIMSS Enterprise IT Committee Member. Mr. Shah received a BS in computer science from the Pennsylvania State University and MS in Technology Management from the University of Maryland. 

Conclusion

Your thoughts and comments on this ME-P are appreciated. Feel free to review our top-left column, and top-right sidebar materials, links, URLs and related websites, too. Then, subscribe to the ME-P. It is fast, free and secure.

Speaker: If you need a moderator or speaker for an upcoming event, Dr. David E. Marcinko; MBA – Publisher-in-Chief of the Medical Executive-Post – is available for seminar or speaking engagements. Contact: MarcinkoAdvisors@msn.com

OUR OTHER PRINT BOOKS AND RELATED INFORMATION SOURCES:

***

  Risk Management, Liability Insurance, and Asset Protection Strategies for Doctors and Advisors: Best Practices from Leading Consultants and Certified Medical Planners™

***

Filed under: Information Technology | Tagged: , , , , , , | 1 Comment »

Encrypt or De-identify PHI

Posted on September 28, 2009 by Dr. David Edward Marcinko MBA MEd CMP™

Join Our Mailing List

Which One Just Might Work?

[By Darrell K. Pruitt; DDS]pruitt

The United States’ advancement in Healthcare Information Technology, which has the potential to lead to wonderful money-saving cures through research using trustworthy interoperable health records, is currently stopped cold by patient security problems that are only getting worse. Our lawmakers cannot get around the security obstacle without resorting to authoritarian means using CMS’s power to withhold providers’ discounted payments and threats of obscene fines from the HHS and the FTC. History shows that tyranny is not tolerated well in this part of the world. Lawmakers can get their butts voted smooth out of office in my neighborhood.

HITECH  

Here is something nobody mentions: Despite the current hope in a thick, political fantasy called HITECH, encryption of patients’ Protected Health Information [PHI] is a non-starter in the land of the free. Everyone knows that resourceful, cynical Americans will simply never trust encryption to protect their secrets, and will reliably withhold important information from their eMRs – one way or another. Doctors as well as patients can be expected to go out of their way to sabotage technology they fear. We all intuitively know this is true, don’t we? We aren’t so naïve to think all the players will happily play by the rules, are we? And I think we can all agree that an untrustworthy digital health record in an emergency room is worse than no patient information at all. Security is a grand problem with eMRs that started with HIPAA changes in 2003 that made eHRs so slippery. And the problem is clearly not being resolved. Not yet.

Public Lacks Trust 

Regardless of the campaign donations which follow him, there is nothing Newt Gingrich and his entrepreneurial friends in high places can do about the public’s lack of trust in encryption. It gets worse: Encryption hasn’t a chance of isolating PHI from dishonest employees in doctors’ offices, and slippery digital patient data can be moved soo easily. Everyone knows that as well, don’t they? It is estimated that two-thirds of the identities stolen in the nation are lifted from doctors’ offices. That’s us, Doc. HIPAA is not only irrelevant, it is an expensive distraction – it gives future ID theft victims a false sense of security.

HIPAA Approved 

De-identifying digital records is not mentioned in HITECH as a HIPAA-approved method of security. Yet it is the ONLY solution that promises to be even more secure than paper records. Because of heavy stakeholder stakes in hospital care, it will take longer for CEO-types to embrace patient-friendly de-identification. Other than identifiers such as names, social security numbers, birthdates, addresses and other items that have street value, NOBODY cares what is in a dental record. I actually think this opens a tremendous opportunity for someone courageous in the Texas Dental Association to discuss the feasibility of de-identification of dental records. Otherwise, instead of leading the nation in solving security problems, the TDA will look just as stupid as the ADA.

Encryption would also provide a dangerous false sense of security in eMRs – that is if it had a chance in the marketplace. But encryption will never go far because consumers simply won’t buy it. That is a marketplace fact that stoically optimistic HIT stakeholders are trying hard to avoid. They also know they are running out of time. Deadlines are quickly approaching for both HIPAA and the Red Flags Rule that providers are far from prepared for.

Former Attorney Speaks 

Bill Lappen, a former attorney and author of the ad I copied below, as well as a partner with his brother David in the de-identified health record venture says: “Since no identifying information is ever entered, a hacker can’t determine whose information is shown.”

So in addition to protecting one’s practice against dishonest or vindictive employees, de-identification of dental records would make hacking a dentist’s computer a complete waste of time, and hackers wouldn’t endanger dental patients and bankrupt dentists.

My Confidence 

I confidently tell you that soon, someone smart will come upon the unprecedented idea that the ultimate answer to our security problem in healthcare will be de-identification of medical records, not encryption. De-identification allows a compromise of privacy for only a miniscule percentage of physicians’ patients. We cannot allow that to stand in the way of better health for everyone else. Those special cases are so few that I am confident that they can be dealt with individually. We simply must move forward. I’ll have to retire some day. I may need help from Medicare.

Encryption gives us only danger and protects nobody but a thief with a key.

Assessment 

We’ve wasted enough time on HITECH and HIPAA, as well as CCHIT. It’s time to say no to stakeholders and pay attention to patients’ needs instead of those who would needlessly increase the cost of their care. Stimulus money attracts cockroaches.

In the name of Hippocrates, disregard the tainted HIPAA mandate. It is dangerous, and especially absurd in dentistry.

Link: http://www.theopenpress.com/index.php?a=press&id=58568

Life-Saving Patient Information can be Online, Anonymous and Usable

Published on: September 26th, 2009 12:19am

By: blappen

Los Angeles, CA (OPENPRESS) September 26, 2009 — Hospital Emergency Rooms need instant access to patient medical information. Allergic reactions and dangerous drug interactions can be deadly. Time is critical. Until now, privacy was a large concern. Two brothers, who have developed medical software over the past 15 years, think they have a simple first step towards moving patient information on to the internet.

“The ER doesn’t need to look up the information by patient name” said Bill Lappen, a former attorney. “We have implemented secure systems in the past, but no matter how secure we make the site, we have to assume that it will be hacked” added David Lappen, a computer design engineer from Stanford. “But providing instant access to life-saving information is too important to ignore”, he added. To protect patient privacy, their system does not know to whom the medical information belongs. Since the person’s identifying information is never on the system, it can’t be stolen. “By enabling anonymous entry, we have protected people’s privacy while allowing them to put their life-saving information in a place where it can be instantly accessed when needed”, added Bill Lappen.

www.AMCC.me is the public service website they created. It allows anyone to enter medical information anonymously. The site provides a random ID which the user carries in his/her wallet. For someone to see that user’s medical information, they merely enter the ID into the site. Unless the user has given them their ID, the information shown is meaningless. That same information, when associated with a patient, can save their life.

Since no identifying information is ever entered, a hacker can’t determine whose information is shown. “Secure patient-controlled Electronic Medical Records are now available on the internet” said David Lappen. A sample ID has been set up on the site to allow users to evaluate the concept before setting up their own free ID.

Contact:

Bill Lappen

Bill@AMCC.me

Join Our Mailing List

(818) 789-6531

Channel Surfing
Have you visited our other topic channels? Established to facilitate idea exchange and link our community together, the value of these topics is dependent upon your input. Please take a minute to visit. And, to prevent that annoying spam, we ask that you register.

Conclusion

Your thoughts and comments on this ME-P are appreciated. Feel free to review our top-left column, and top-right sidebar materials, links, URLs and related websites, too. Then, subscribe to the ME-P. It is fast, free and secure.

Speaker: If you need a moderator or speaker for an upcoming event, Dr. David E. Marcinko; MBA – Publisher-in-Chief of the Medical Executive-Post – is available for seminar or speaking engagements. Contact: MarcinkoAdvisors@msn.com

OUR OTHER PRINT BOOKS AND RELATED INFORMATION SOURCES:

Product DetailsProduct Details

Filed under: Ethics, Health Law & Policy, Information Technology, Op-Editorials, Pruitt's Platform | Tagged: , , , , , , , , , , , , , , , , , , , , , , | 3 Comments »

On Healthcare Intranets and Extranets

Posted on June 26, 2009 by Dr. David Edward Marcinko MBA MEd CMP™

Join Our Mailing List

A Primer for Physicians and Medical Executives

Dr. Mata

By Richard J. Mata; MD, MS, CMP™ [Hon]

According to the “Dictionary of Heath Information and Technology”,

“An intranet is a private network that uses Internet Protocols, network connectivity, and possibly the public telecommunication system to securely share part of an organization’s information or operations with its employees”.

Sometimes the term refers only to the most visible service, the internal website.  The same concepts and technologies of the Internet, such as clients and servers running on the Internet protocol suite, are used to build an intranet.

Uses in Healthcare

An intranet is commonly used to provide communication and application services.  The advantages of using an intranet in the healthcare setting include the following:

  • Medical Workforce productivity: Intranets can help employees quickly find and view information and applications relevant to their roles and responsibilities.  Via a simple-to-use web browser interface, users can access data held in any database the organization wants to make available, anytime and  subject to security provisions — from anywhere, increasing employees’ ability to perform their jobs faster, more accurately, and with confidence that they have the right information.
  • Time: With intranets, healthcare organizations can make more information available to employees on a “pull” basis (i.e., employees can link to relevant information at a time that suits them) rather than being deluged indiscriminately by e-mails.
  • Communication: Intranets can serve as powerful tools for communication within a healthcare organization; vertically and horizontally.

Vulnerability and Security Protection

Intranets, like other IT systems, need to be protected by security systems. Any intranet is vulnerable to attack by people intent on destruction or on stealing corporate data. The open nature of the Internet and TCP/IP protocols expose a corporation to attack.  Intranets require a variety of security measures, including hardware and software combinations that provide control of traffic; encryption and passwords to validate users; and software tools to prevent and cure viruses, block objectionable sites, and monitor traffic.

Multiple Lines of Defense

The first line of defense is a firewall and these are commonly set up using proxy servers, which allow system administrators to track all traffic coming in and out of an intranet. Another layer of sophistication is added by using a bastion server firewall, configured to withstand and prevent unauthorized access or services. It is typically segmented from the rest of the intranet in its own subnet or perimeter network. In this way, if the server is broken into, the rest of the intranet won’t be compromised.

Authentication Systems

Authentication systems are an important part of any intranet security scheme. They are used to ensure that anyone trying to log into the intranet or any of its resources is the person they claim to be. Authentication systems typically use user names, passwords, fingerprints and iris scans, and various encryption systems.

Protection and Monitoring

Server-based software is used to protect an intranet and its data. Virus-checking software can check every file coming into the intranet to make sure that it is virus-free, and site-blocking software can bar people on the intranet from getting objectionable material. Monitoring software tracks where people have gone and what services they have used, such as HTTP for Web access.

Filtering Systems and Routers

One way of ensuring that the wrong people or erroneous data can’t get into the intranet is to use a filtering router. This is a special kind of router that examines the IP address and header information in every packet coming into the network, and allows in only those packets that have addresses or other data, like e-mail, that the system administrator has decided should be allowed into the intranet. Increasingly, intranets are being used to deliver tools and applications, e.g., collaboration (to facilitate working in groups and for teleconferences) or sophisticated corporate directories, sales and customer relationship management (CRM) tools, project management, etc, to advance productivity. Intranets are also being used as Health 2.0 culture change platforms

Metrics

Intranet traffic, like public-facing website traffic, is better understood by using web metrics software to track overall activity, as well as through surveys of users. Intranet User experience, editorial, and technology teams work together to produce in-house sites. Most commonly, intranets are owned by the communications, HR or IT areas of large healthcare organizations, or some combination of the three.

Assessment

When part of an intranet is made accessible to customers, partners, suppliers, patients, or others outside the healthcare organization – that part becomes part of an extranet.

Conclusion

Your thoughts and comments on this ME-P are appreciated. Feel free to review our top-left column, and top-right sidebar materials, links, URLs and related websites, too. Then, subscribe to the ME-P. It is fast, free and secure.

Link: http://feeds.feedburner.com/HealthcareFinancialsthePostForcxos

Speaker: If you need a moderator or speaker for an upcoming event, Dr. David E. Marcinko; MBA – Publisher-in-Chief of the Medical Executive-Post – is available for seminar or speaking engagements. Contact: MarcinkoAdvisors@msn.com

OUR OTHER PRINT BOOKS AND RELATED INFORMATION SOURCES:

Product DetailsProduct DetailsProduct Details

Product DetailsProduct Details

***

Filed under: Career Development, iMBA, Inc., Information Technology, Practice Management, Recommended Books, Sponsors | Tagged: , , , , , , , , , , , , , , , , , , , , , , , , , , , , | 1 Comment »