Patients need only to understand that their HCOs (health care organizations) are going to secure their systems and infrastructure - period. No disclaimer as was suggested will have any meaning legally. We all understand that true information security is a moving target. However, HIPAA's Privacy Rule, and the final Security Rule - assuming it remains fairly intact - will mandate tight hardening of the HCO's applications, systems, and infrastructure, including web applications. Additionally, other regulations also apply, such as HCFA Internet Security, various FDA & ICH regs, ADA & 508c, numerous state statutes, and pending Internet Security Acts now in Congress.
While I am not condemning those who have commented, I am constantly amazed at discussions that apologize for poor software design or haphazard infrastructure administration. If a customer-facing application cannot be designed and deployed without real security, then don't implement one.
The bottom line is that most Health Care organizations shouldn't be in the Web Application or Hosting business - just because an HCO has a few programmers and a webserver does not mean that they are capable of creating or hosting secure, reliable, efficient web applications.
Any HCO that plans on deploying a customer-facing application needs to have some specific requirements met: secure hosting in a HIPAA-compliant hosting facility that has signed a BA agreement, or equivalent internal hosting (hardened firewalls, network anti-viral appliances); strong authentication; server certificates with 128-bit SSL (currently used by all online banking applications); webserver security filters; active intrusion detection (CounterPane recommended); frequent security audits; load balancing and fail-over; not to mention proper design in the application itself. Much of this is HIPAA mandated, and much is just solid best practice.
Almost anyone can write a web application now, just as almost anyone can make a medical diagnosis - the question is, should they? Just because a programmer can code, or a network admin has an MCSE, doesn't mean they are competent for every potential task. In as highly regulated and risk-prone an area as we find ourselves in with HIPAA, cutting corners will result in increased long-term costs.
There are a few players in the market who understand these issues in their bones. However, it is important to also have checks and balances here too. My recommendation would be that you have an advisor independent from the software developer, who can audit the software in question during deployment, before you switch on - someone to evaluate the vendor/developer's application while it is being installed, and during initial functional testing, to validate conformance with requirements for your protection.
If anyone is interested in further discussion or recommended developers, please contact me.
Tim McGuinness, Ph.D.
President, HIPAA Help Now Inc.
Executive Co-Chairman for Privacy, HIPAA Conformance Certification Organization™ (HCCO™)
Phone: 727-787-3901 Cell: 305-753-4149 Fax: 240-525-1149
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, September 07, 2002 10:52 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Patient information on the Web
I would agree with Pam concerning the test of the patient-entered data.
Another thought on patients entering their data for a Covered Entity. Are patients fully aware of the route their medical data will take over the Internet as the information leaves their hands and travels to their physicians? The connection between the two sites is not direct. There can be many snoopers along the way.
I would suggest that patients be made fully aware of this, and that a consent they would sign to share this information spell out how the Covered Entity will protect this information.
Patricia Tanner
Privacy Coordinator
DePuy Orthopaedics
700 Orthopaedic Drive
Warsaw, IN 46581
[EMAIL PROTECTED]
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board of
Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.
Posting of advertisements or other commercial use of this listserv is
specifically prohibited.