Can AlertBoot provide individual login credentials to a shared computer resource? Yes
HIPAA / HITECH violation if passwords are shared
Plug: Free webinar for encryption users and channel partners on HIPAA / HITECH compliance
I was in a meeting with potential clients when they asked if AlertBoot data encryption software would allow multiple logins on a shared, encrypted computer. Our answer is yes.
The clients are in the medical field, and as such, have workstations that are shared resources. Think, for example, of the computers at a hospital's nurses' station (for those who haven't been inside a hospital, it's where you can find the nurses). The station is permanent but obviously the nurses are not: they work rotating shifts, with nurses at the station 24 hours a day. Under the circumstances, the computers have to be shared among at least three people (three 8-hour shifts).
This presents something of a conundrum under HIPAA / HITECH. On the one hand, the computers may require the use of full disk encryption to protect the PHI stored inside them. On the other, though, if the encryption software employed does not support multiple users, it means that passwords for accessing the computers must be shared.
The sharing of passwords is a violation of HIPAA rules (access control), so depending on one's particular choice of encryption software, one may have to violate one HIPAA mandate in order to fulfill another.
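As an added illustration (not AlertBoot's code, nor any real product's), here is a toy model of how multi-user full disk encryption resolves the conundrum above: one volume key protects the disk, each user gets a separate credential slot, a user can be revoked without re-encrypting or re-issuing anyone else's password, and every unlock is attributable to an individual. The XOR-plus-HMAC wrapping and the PBKDF2 parameters are simplifications chosen for the example; real products use an authenticated key wrap such as AES key wrap.

```python
import hashlib
import hmac
import secrets


class SharedEncryptedVolume:
    """Toy multi-user FDE model (constructed for illustration; not AlertBoot's code).

    One random volume key encrypts the disk. Each user gets a separate slot that
    wraps that key under a key derived from that user's own passphrase, so no
    passphrase is ever shared and a user can be revoked without re-encryption.
    """

    def __init__(self):
        self.volume_key = secrets.token_bytes(32)  # stands in for the disk key
        self.slots = {}        # username -> (salt, wrapped_key, tag)
        self.audit_log = []    # who unlocked or failed, for access-control review

    @staticmethod
    def _derive(passphrase, salt):
        # Slow KDF; 64 bytes = 32 for wrapping + 32 for the integrity tag.
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)

    def add_user(self, username, passphrase):
        salt = secrets.token_bytes(16)
        kdf = self._derive(passphrase, salt)
        wrap_key, mac_key = kdf[:32], kdf[32:]
        # XOR with a full-entropy derived key is a simplified stand-in for the
        # AES key wrap a real product would use.
        wrapped = bytes(a ^ b for a, b in zip(self.volume_key, wrap_key))
        tag = hmac.new(mac_key, wrapped, "sha256").digest()
        self.slots[username] = (salt, wrapped, tag)

    def revoke_user(self, username):
        # Dropping the slot locks that user out; the volume key and the other
        # users' credentials are untouched, so nobody has to learn a new password.
        self.slots.pop(username, None)

    def unlock(self, username, passphrase):
        slot = self.slots.get(username)
        if slot is None:
            self.audit_log.append((username, "unknown-user"))
            return None
        salt, wrapped, tag = slot
        kdf = self._derive(passphrase, salt)
        wrap_key, mac_key = kdf[:32], kdf[32:]
        if not hmac.compare_digest(hmac.new(mac_key, wrapped, "sha256").digest(), tag):
            self.audit_log.append((username, "failed"))
            return None
        self.audit_log.append((username, "unlocked"))
        return bytes(a ^ b for a, b in zip(wrapped, wrap_key))
```

Each nurse on the rotating shift gets their own slot, and the audit log shows which individual unlocked the station, which is what the access-control rule asks for.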
As the above shows, choosing the correct tools to be in compliance with HIPAA / HITECH is not as straightforward as "buying encryption." And it's not just a matter of access controls, either. For example, the biggest reason many HIPAA covered entities are earmarking funds for encryption is the safe harbor clause under the Breach Notification Rule found in HITECH.
If encryption is used, a covered entity doesn't have to go public with a data breach of PHI (protected health information). If encryption is not used, notice has to be sent to the affected patients no later than 60 calendar days. But there's a catch.
For the safe harbor to kick in, strong encryption (such as AES-256, which is used in AlertBoot) must be used. If a weak form of encryption is used -- weak enough that no respectable information security specialist will vouch for it -- you still have a data breach on your hands and you will have to send out those notification letters.
If you'd like to learn more about HIPAA / HITECH and the appropriate use of encryption and other requirements in a medical setting (or as a partner or associate to a covered entity), you're welcome to join free webinars being conducted by eGestalt and AlertBoot.

For medical practitioners and related businesses: HIPAA/HITECH Compliance: Data Privacy and Security best practices for medical practitioners and small businesses. The topics covered include data privacy and security-related best practices, developing necessary documentation, potential liabilities, and other areas where medical providers and small medical businesses might have an interest.

For prospective and existing channel partners, and anyone else interested in providing better support to clients that are HIPAA-covered entities: Learn an easy way to help your clients meet the new HIPAA/HITECH compliance rules! This webinar is geared towards healthcare compliance personnel, managed service providers, security VARs, and auditors, among others.

Register today by clicking on the preferred link above. First webinar starts tomorrow!