James,

Are you saying that the patient login ID is used by the physicians to log in to the monitoring system so that they can monitor only that specific patient? And, if they have multiple patients, then they would log out and log back in with another ID to monitor the other patient(s)? That seems a bit overboard vis-a-vis the Reasonableness requirement. How are passwords distributed to the person(s) who need to access the system? I know that if we tried that here (550+ bed acute care facility plus numerous other outpatient/ambulatory care campuses - over 1000 physicians on staff) I'd be chased out of town by the medical staff!!

When you said that you installed VPN "lines," what are you referring to? Do the client's security systems go across the Internet to monitor the activity at this other system?
Cecelia,

IMHO, this is an issue to raise with Philips/Agilent. The only way that issue can be addressed comprehensively is by Philips/Agilent modifying system security. See what their response is, and include it in your risk analysis. As Cathy said, the risk analysis is what will drive any action required or controls to be implemented. If Philips/Agilent refuses to do anything about it, your options are either to live with it (accept the risk), implement compensating controls (as Mr. Holler did for his client), or get another system. Since I doubt option #3 will be viable, it would seem you have 2 options.

It could be entirely reasonable within the context of the regs to accept the risk associated with docs being able to see other patients if the open model contributed significantly to increased effectiveness or efficiency of patient care - particularly with a system that isn't processing transactions and where the docs can't change data. Take as a for instance a radiology PACS system. Ideally, purely from a security perspective, the doc's login allows her/him to see only her/his patients. BUT, the admitting doc might want any of a number of consultations on a given case. If you lock physicians' access to see only their patients, then facilitating the appropriate access for other clinicians to view the relevant images could take hours or days!! Again, IMHO, that is much too much of a detriment to patient care (imagine a doc with an emergency case where 5 other specialists of different kinds need to consult - they need to see the image immediately). I would document it as such in my risk analysis, state that we are accepting the risk, and move on.

Andrew S. McLetchie, CISSP
Information Security Analyst
Sparrow Health System
Lansing, MI

>>> "JFH" <[EMAIL PROTECTED]> 8/28/2003 10:35:12 AM >>>

Cecelia,

We had that same issue at one of my clients, and the way we handled it was to issue a login ID and password for each patient.
The login ID and password were automatically generated at the time of check-in. The patient login ID is a combination of the patient's name, DOB and SSN. The password was automatically generated and could not be changed. Once the patient was discharged, the user ID and password were deleted. We also installed secure VPN lines so that the client's security systems (firewalls, etc.) could monitor all activity.

James Holler
www.hipaaconnection.com
713.927.2390

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 28, 2003 9:24 AM
To: WEDI SNIP Security Workgroup List
Subject: Security of Clinical Computer Equipment

To anyone that can help,

I would like to know how other hospitals are handling the security of their clinical computer equipment. Our main HIS was recently updated before the April deadline to accommodate the HIPAA regs (ability to mark patients confidential, individual log-ins, audit trail, etc.), but from the looks of things, nothing has been done to our clinical computer monitoring systems. We use GE computer systems for our MRI, CAT scan, and Nuclear Medicine departments - the system has a password upon entry into the system, but not individual log-ins. It is not possible to tell who did what. We recently had problems with someone "messing" with our Nuclear Medicine computer - so we installed locks on all the doors and secured the room (which is always supposed to be manned - but of course it isn't!). I have a call in to the Chief Privacy Officer at GE, who hasn't returned it yet.

We also use a cardiac monitoring system by Philips (Agilent Technologies) - it is Internet based - docs can get into the system (they each have their own log-in) and monitor the cardiac activity of the patients in ICU, CCU, telemetry and ER. My problem with this is that any doc can see any patient, not just their own. Isn't that a no-no? They can't edit or make changes, just view. Does anyone have any specific references for this?
Any help would be appreciated. Thanks.

Cecelia Sheridan, HIPAA Privacy/Security Officer
Southampton Hospital
240 Meeting House La
Southampton, NY 11968
(631) 726-8576
[EMAIL PROTECTED]

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.
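As an added illustration of the compensating-control approach discussed in this thread (individual logins plus an audit trail on a view-only monitoring system where any physician can see any patient), and not code from any participant or vendor: a small Python model that records every view, refuses logins not tied to an individual, and flags views of patients outside the viewer's assignment list for the privacy officer's review. The physician logins, patient IDs and assignment list are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data: each physician's individual login and the patients
# currently assigned to them (the "their own patients" list from the thread).
ASSIGNMENTS = {
    "dr_ortiz": {"P-1001", "P-1002"},
    "dr_chen": {"P-2001"},
}

@dataclass(frozen=True)
class ViewEvent:
    user: str        # individual login, never a shared departmental password
    patient_id: str
    unit: str        # ICU, CCU, telemetry, ER
    when: str        # UTC timestamp of the view
    assigned: bool   # False when the viewer is not the patient's assigned physician

@dataclass
class MonitoringAccessLog:
    """Open-view model with compensating controls: any physician with an
    individual login may view any monitored patient (a consult cannot wait
    hours), but every view is recorded, and views of unassigned patients are
    flagged so the privacy officer can review them after the fact."""
    assignments: dict
    events: list = field(default_factory=list)

    def view(self, user, patient_id, unit, now=None) -> ViewEvent:
        # Accountability needs "who did what", so a login that is not tied to
        # an individual is refused rather than logged anonymously.
        if user not in self.assignments:
            raise PermissionError(f"{user!r} is not an individual physician login")
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        event = ViewEvent(user, patient_id, unit, stamp, patient_id in self.assignments[user])
        self.events.append(event)
        return event

    def unassigned_views(self) -> list:  # events handed to the privacy officer for review
        return [e for e in self.events if not e.assigned]

    def views_of(self, patient_id) -> list:  # per-patient audit trail: who looked, and when
        return [e for e in self.events if e.patient_id == patient_id]

def demo() -> MonitoringAccessLog:
    log = MonitoringAccessLog(ASSIGNMENTS)
    log.view("dr_ortiz", "P-1001", "ICU")   # attending views own patient: not flagged
    log.view("dr_chen", "P-1001", "ICU")    # consulting specialist: allowed, but flagged
    log.view("dr_ortiz", "P-1002", "CCU")
    return log
```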