AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Computer Encryption With Multiple Logins For Proper Access Control In A Medical Setting

  • Can AlertBoot provide individual login credentials to a shared computer resource?  Yes
  • HIPAA / HITECH violation if passwords are shared
  • Plug: Free webinar for encryption users and channel partners on HIPAA / HITECH compliance

I was in a meeting with potential clients when they asked if AlertBoot data encryption software would allow multiple logins on a shared, encrypted computer.  Our answer is yes.

The clients are in the medical field, and as such, have workstations that are shared resources.  Think, for example, of computers in a hospital's nurses' station (for those who haven't been inside a hospital, it's where you can find the nurses).  The station is permanent but obviously the nurses are not.  They have rotating shifts, with nurses at the station 24 hours a day.  Under the circumstances, the computers have to be shared among at least three people (8-hour shifts).

This presents something of a conundrum under HIPAA / HITECH.  On the one hand, the computers may require the use of full disk encryption to protect the PHI stored inside them.  On the other, though, if the encryption software employed does not support multiple users, it means that passwords for accessing the computers must be shared.

Violating One Rule for Another

The sharing of passwords is a violation of HIPAA rules (access control), so depending on the particular choice of encryption software, an organization has to violate one HIPAA mandate in order to fulfill another one.

As the above shows, choosing the correct tools to be in compliance with HIPAA / HITECH is not as straightforward as "buying encryption."  And it's not just a matter of access controls, either.  For example, the biggest reason many HIPAA covered-entities are earmarking funds for encryption lies in the safe harbor clause under the Breach Notification Rule found under HITECH.

If encryption is used, a covered-entity doesn't have to go public with a data breach of PHI (protected health information).  If encryption is not used, notice has to be sent to affected patients no later than 60 calendar days.  But, there's a catch.

For the safe harbor to kick in, strong encryption (such as AES-256, which is used in AlertBoot) must be used.  If a weak form of encryption is used -- weak enough that no respectable information security specialist will vouch for it -- you still have a data breach on your hands and you will have to send out those notification letters.

Free Webinar

If you'd like to learn more about HIPAA / HITECH and the appropriate use of encryption and other requirements in a medical setting (or as a partner or associate to a covered-entity), you're welcome to join free webinars being conducted by eGestalt and AlertBoot.

Register today by clicking on the preferred link above.  First webinar starts tomorrow!

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.