Tim,
Always a pleasure to read your postings!
You write that:
> It does raise the issue of security for primary care systems. A PC is a
> much more desirable target for thieves than a cabinet of 5 by 8 filing
> cards, or manilla folders, or whatever pen-and-paper medical record
> system the PC replaced. Clearly medical data stored on disc (and on
> backup tapes and CD-ROMs) needs to be protected with high level physical
> security, which is rarely feasible in small clinics or practices, or it
> must be adequately encrypted (and that does not mean the piss-weak 40bit
> RC2 encryption offered by MS Access).
We are faced with exactly this problem in South Africa when developing a
District Health Information Software module that handles special types of
non-anonymised patient data (Disease notifications, Termination of Pregnancy
cases, maybe an Electronic TB register). The encryption offered by MS
Access - which we are currently using - are, as you say, very weak.
Even if we are gradually making our application independent of any specific
DBMS (many users have large Oracle, DB2 or SQL Server networks already and
would prefer to use those instead of Access), most standalone PC users will
continue to rely on Access (or MySQL / PostgreSQL if we manage to port our
software to Java/Linux next year).
I recently visited the HIV/AIDS project in the city/state of New York, which
during the last 8-9 years have developed an application for handling a huge
amount of clinical/social information about paediatric HIV/AIDS patients. It
was an SQL Server - based system with all sensitive data stored and
transferred to workstations encrypted using 128bits encryption. (Decoding
happens only at the workstation). I'm trying to find out exactly how it was
done.
Does anybody have knowledge of similar 128bits encryption tools that would
work with ANY sql-compliant DBMS (no runtime licenses, obviously), and in
particular with MS Access?
(Pls note that I'm NOT asking about systems that would also satisfy all
kinds of legal requirements etc - the crucial target is to protect patient
data against e.g. theft of PCs).
Best regards
Calle
