
How much access should tech guys have?

<serious thread alt="very serious">

I work for a company related to the healthcare field, but the state oversees a lot of our operations.

There are some new guidelines coming down from the state that say the tech guy / network admin, whatever you want to call them, should not have access to certain data.

One example - A lady is doing data entry on people who have a certain health problem. According to the state, I (the tech guy) should not have access to that lady's workstation. Nor should I be backing up her data where I can have access to said data.

Another example - They are talking about every office having their own fax line and fax machine. This is to make sure nobody sees a fax they are not supposed to. If this comes about I am going to have to run new phone lines to a bunch of offices.

Example three - Roaming profiles would be a big no-no. None of the ladies' data is to be stored on a server. A couple of the ladies move between offices here in the building. I guess the ladies are supposed to carry their data around on an external drive?

It seems to me people are making policy who have no idea how technology works.

What would you tell a policy maker if they said you were not supposed to have access to certain data, but are responsible for making sure certain people can access said data?
 
Not sure, but for the data entry people, shouldn't they be entering data on some kind of web form that stores everything on the server directly? Why should there be sensitive data on her/his workstation or the roaming profile? Looks like very old technology.
 
less than they want. always.

(there is never a tech guy that wants anything less than admin access)
 
Usually these laws / policies (like HIPAA) are quite vague and open to interpretation. Do you have any links to these new laws? I can't imagine setting up a network share that only has permissions granted to certain people wouldn't "qualify" as you having access (even though you could grant yourself permission).
 
Not sure, but for the data entry people, shouldn't they be entering data on some kind of web form that stores everything on the server directly? Why should there be sensitive data on her/his workstation or the roaming profile? Looks like very old technology.

It's like forms, documents, anything that might contain personal information about a PT.

We have an electronic fax server. One or two people review the faxes, then route the fax to the person's fax inbox. Even that is not good enough. The fax is stored in a database on the server.


Do you have any links to these new laws?

It is not a law, it is a guideline.
 
Sounds pretty retarded that the data this lady has access to but others don't is just sitting on her machine for anyone to look at who is able to be on her machine, whether logged in as her or not, and not in some other remote system that she needs to access in order to get the data.

In general though, SAs should have root access on all machines.

But also in general, that should NOT mean that the SA has access to other systems that the main person on the computer has access to.
 
This would make it impossible to troubleshoot issues within EPM/EHR systems for tech support people, unless the issue can be replicated for a test patient within the system.
 
Usually these laws / policies (like HIPAA) are quite vague and open to interpretation. Do you have any links to these new laws? I can't imagine setting up a network share that only has permissions granted to certain people wouldn't "qualify" as you having access (even though you could grant yourself permission).

Yeah... can you please give the name of the law?

All I could find in TX was Meaningful Use info.
 
All that shit should be stored on a remote server that she accesses, not on her local machine. That in itself sounds like a poor instance of security.

That is just it, the people are saying nothing should be stored on the server.

The way things are now, a lot of the users "my documents" folder is mapped to their home folder on the server. So almost nothing is transferred over the network except the document they are opening.


All I could find in TX was Meaningful Use info.

This is not a law, this is an operating guideline being put out.
 
Administrators are in a position of trust. Administrative access should be logged to a log server that the administrators do not have access to. Those logs of administrative access should be archived for a period of time (quarterly-yearly) and reviewed by management monthly/quarterly for strange activity and inappropriate access.

Sensitive data should be encrypted in transit and, if you want to be thorough, at rest as well (roaming profiles).

As far as fax goes, an eFax solution routed to authenticated individual/group mailboxes would be ideal and could help eliminate disclosure of faxes to unauthorized persons.
 
There are a whole heap of potentially conflicting demands on data when it comes to regulatory compliance and good practice.

For example, all of the following are important assets related to good information governance:
Desktop PCs
Data files
Servers
Server room HVAC
Tech guys' availability, knowledge and skills

Whether you store data centrally as opposed to on the desktop should depend on which provides better resilience, better supervision, better physical security, better availability, etc. In most cases, it will be a no brainer to locate it on a server.

To deal with inappropriate access, you should apply appropriate encryption and access restrictions to the server. For example, with Windows file-level encryption, admins may not be able to read confidential files without first taking ownership of the files and invoking a data recovery process - these events will leave a trail, as they will lock the original user out of the files. Similarly, files could be backed up to encrypted media, or some backup software may be able to preserve the encryption and keys.

The point is that often the regulations are not prescriptive and are open to interpretation, and there is often a limit to what is practical on some systems. Another is that the people responsible for implementing them may not understand the technology themselves, hence you get strange guidance.
 
As far as fax goes, an eFax solution routed to authenticated individual/group mailboxes would be ideal and could help eliminate disclosure of faxes to unauthorized persons.

We have an efax solution, Castelle faxpress to be exact.

From what I was told, if anyone sees a fax besides the intended recipient, we have to report it as a data breach.
 
Maybe I don't understand, is everyone sharing the same fax number?

Yes, we all share the same fax number.

This is the way our upstairs fax works:

Fax comes in, is converted to electronic format.
Fax goes to group inbox.
Only 2 people can access this group inbox, me and the administrative assistant lady.
One of those people opens the fax (PDF format) and sees who it is going to.
Fax is routed to the user's inbox.
User uses Castelle software that opens only their inbox.
Users can not see group inbox.
The Castelle fax system comes with its own software, efax server and security.

It's kinda like email, but it never leaves the internal network.

Downstairs, all the faxes go to a fax machine and are printed out.
 
<serious thread alt="very serious">

What would you tell a policy maker if they said you were not supposed to have access to certain data, but are responsible for making sure certain people can access said data?

As the data custodian, you are responsible for backing up and maintaining those systems.

The state may require you to encrypt that data OR to put a control or check in place to prevent you from accessing its contents.

http://www.hrsa.gov/healthit/toolbox/HealthITAdoptiontoolbox/PrivacyandSecurity/underhipaa.html
 
Yes, we all share the same fax number.

This is the way our upstairs fax works:

Fax comes in, is converted to electronic format.
Fax goes to group inbox.
Only 2 people can access this group inbox, me and the administrative assistant lady.
One of those people opens the fax (PDF format) and sees who it is going to.
Fax is routed to the user's inbox.
User uses Castelle software that opens only their inbox.
Users can not see group inbox.
The Castelle fax system comes with its own software, efax server and security.

It's kinda like email, but it never leaves the internal network.

Downstairs, all the faxes go to a fax machine and are printed out.

That's about as good as you can get without assigning individual numbers. Do you have logs for these systems to prove in an audit situation who accessed which fax?
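The two points above, that administrative access should be logged to a server the administrators cannot touch and reviewed by management, and that the fax system needs logs that can prove in an audit who opened which fax, come down to the same control: an access trail the admin can append to but cannot quietly edit. The following is an added example, not code from the thread or from the Castelle product; the log server holds an HMAC key and chains each entry to the previous one, so any edited, reordered or truncated entry is caught by the reviewer. The actors, paths, fax names and key are constructed for illustration.

```python
"""Added example: a tamper-evident audit trail for administrative access.

The log server (not the admin's workstation) holds the MAC key and chains
each entry to the previous MAC. Administrators can only submit entries; any
later edit breaks the chain and shows up when the reviewer verifies it.
All entries, hostnames, paths and the key are constructed, not real.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the very first entry

# Assumed: this key lives only on the log server and with the reviewer.
REVIEWER_KEY = b"reviewer-held-key-not-present-on-admin-workstations"

# Constructed sample events as the log server received them.
SAMPLE_ENTRIES = [
    {"ts": "2012-03-01T08:02:11", "actor": "techguy", "action": "read",
     "resource": r"\\fs01\home\mary\cases.xlsx", "ticket": None},
    {"ts": "2012-03-01T08:10:45", "actor": "techguy", "action": "service_restart",
     "resource": "fs01:BackupExec", "ticket": "INC-104"},
    {"ts": "2012-03-01T09:15:02", "actor": "assistant", "action": "route_fax",
     "resource": "fax:group-inbox/0001.pdf", "ticket": None},
    {"ts": "2012-03-01T09:20:37", "actor": "techguy", "action": "open_fax",
     "resource": "fax:group-inbox/0002.pdf", "ticket": None},
    {"ts": "2012-03-01T11:40:19", "actor": "mary", "action": "read",
     "resource": r"\\fs01\home\mary\cases.xlsx", "ticket": None},
]


def _mac(key, prev_mac, entry):
    """HMAC over the previous MAC plus a canonical encoding of the entry."""
    payload = prev_mac + json.dumps(entry, sort_keys=True)
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def append_entry(log, key, entry):
    """Log-server side: chain the new entry to the previous MAC and store it."""
    prev = log[-1]["mac"] if log else GENESIS
    record = {"entry": dict(entry), "mac": _mac(key, prev, entry)}
    log.append(record)
    return record["mac"]


def verify_chain(log, key, expected_head=None):
    """Reviewer side: recompute every MAC in order.

    Returns the index of the first entry that fails, or -1 if the chain is
    intact. A hash chain alone cannot detect deletion of the tail, so the
    reviewer records the latest MAC out of band and passes it as
    expected_head; a mismatch there is reported as index len(log).
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if not hmac.compare_digest(_mac(key, prev, rec["entry"]), rec["mac"]):
            return i
        prev = rec["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(log)
    return -1


def review_admin_access(log, admins, sensitive_prefixes):
    """Management review: every administrative touch of sensitive data that
    is not tied to a change ticket, for a human to look at."""
    flagged = []
    for rec in log:
        e = rec["entry"]
        if e["actor"] not in admins:
            continue
        if not e["resource"].startswith(tuple(sensitive_prefixes)):
            continue
        if e["ticket"] is None:
            flagged.append(e)
    return flagged


def build_sample_log():
    """Feed the constructed events through the log server."""
    log = []
    for entry in SAMPLE_ENTRIES:
        append_entry(log, REVIEWER_KEY, entry)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log, REVIEWER_KEY) == -1)
    for e in review_admin_access(log, {"techguy"}, [r"\\fs01\home", "fax:"]):
        print("REVIEW:", e["ts"], e["actor"], e["action"], e["resource"])
    # An admin who rewrites history breaks the chain at the edited entry.
    log[0]["entry"]["actor"] = "mary"
    print("after tampering, first bad entry:", verify_chain(log, REVIEWER_KEY))
```

The value of the chain depends entirely on the key staying off every box the administrators control: if the log server is itself administered by the same people, they can re-sign whatever they like, so in practice the server is owned by a separate team or the head MAC is also shipped to an auditor each day. The review function deliberately does not try to decide what is "inappropriate"; it only surfaces admin access to PHI locations without a ticket so that a manager, not the admin, makes that call.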
 
HIPAA.

deal with it.

by the way, this isn't new, at all. I think what you are seeing is that with data moving from paper files to electronic databases, you are now seeing adjustments to make sure there are no HIPAA violations. You are probably only seeing this now because the paradigm is shifting (for good reason).

Though I doubt you are new to HIPAA if you work in healthcare in any capacity. I worked in a hospital for 2 years at one point, but simply because our lab was in the hospital. One particular corner of the hospital that is nothing but research--no patients, no medicine, no human samples or anything. The only "patients" I saw at that time were zebrafish, and the occasional mouse. Regardless, I had to go through primary HIPAA training.
 
Sounds similar. I work for a bank and they get their panties in a bunch in a similar fashion. What no one seems to understand is that we work at the hardware/software level. We have access to everything, like it or not. There needs to be some level of trust or well... quit using technology. I swear that there is some company out there pushing products or making money off "risk/safety" ideas and has no clue how technology actually works. If it needs configuring, someone other than the user needs to have access to it for when they screw it up.
 
Do you have an EMR vendor? Or are you designing your own stuff in house? I would imagine that it's most cost effective to have the EMR vendor tweak the software so that you can manage the computers to follow the rules.

The EMRs I'm familiar with have you remote in, all data stored on server, and all access is logged.

Oh, and you should have no access to the data. At most you should have access to a dummy database to test from.
 
You should have the least amount of access required to do your job. You should also run as the least privileged user required to do the task at hand.
 