Old 07-15-06, 01:30 AM   #1 (permalink)
Aximsite Prospect
 
Join Date: Jan 2006
Posts: 18
Thanked 0 Times in 0 Posts
HIPAA Compliance

Quick question. I'm a nurse who uses an Axim X51v. The hospital that I work at is going wireless. My question is, is the password feature that comes in WM5 HIPAA compliant for security? Thanks for your help.
csloan is offline   Reply With Quote
Old 07-15-06, 02:48 AM   #2 (permalink)
Aximsite Rookie
 
Join Date: Feb 2006
Location: British Columbia, Canada
Posts: 25
Thanked 0 Times in 0 Posts
It depends. The HIPAA guidelines are very generally framed.

By "password", are you referring to (A) the option that would require a password to be entered when the PDA is turned on, or (B) the encryption password used to secure access to your wireless network?

If (A) I presume that you are keeping confidential patient info on your Axim and want to secure it in case you lose the device.

If (B), the determination of HIPAA compliance or non-compliance would be a characteristic of your wireless network rather than your PDA, and hence the responsibility of whoever is in charge of your IT infrastructure.
elendil is offline   Reply With Quote
Old 07-15-06, 12:03 PM   #3 (permalink)
Aximsite Prospect
 
Join Date: Jan 2006
Posts: 18
Thanked 0 Times in 0 Posts
Guess I should have been a little clearer. The password that I enter when I turn my machine on. The IT dept. needs to be confident that if I lose my machine no one will have access to the data. Not that the data will leave the hospital, that will probably be dumped before I go home, but the ability to access the data will remain. Thanks for your help.
csloan is offline   Reply With Quote
Old 07-15-06, 12:14 PM   #4 (permalink)
Aximsite Veteran
 
Join Date: Jan 2006
Location: North East Ohio
Posts: 1,918
Thanked 0 Times in 0 Posts

From my experience your IT department is going to say it's not secure and refuse to let you connect. Mine does that. Not that it's not secure, it's just easier for them. How much security is always an issue. The password would keep the average guy from lifting your PDA and finding out that Elvis Presley has a yeast infection. However if a determined spy wanted to extract the information then it would not stop them.

I would think your IT department already knows how secure PPCs are, and if they are vital for you to perform your tasks, then it should be up to them to secure them.
__________________
I have issues
benots4 is offline   Reply With Quote
Old 07-15-06, 12:17 PM   #5 (permalink)
Aximsite Elite
 
Join Date: Nov 2006
Posts: 3,632
Thanked 0 Times in 0 Posts
Generally, HIPAA or not, a password without at least one of these: physical security or encryption, is not secure. Physical security with a PDA is nonsense as that is the point of such a device, which leaves encryption.

As stated, the IT department policy will dictate here.
AKAJohnDoe is offline   Reply With Quote
Old 07-15-06, 01:20 PM   #6 (permalink)
Aximsite Hall of Fame
 
Join Date: May 2005
Posts: 9,195
Thanked 0 Times in 0 Posts
Blog Entries: 1
If it does support it, it will be vvvveeeeerrrryyyy ssllooww because the CPU has to work hard to encrypt and decrypt data....


chris
aximbigfan is offline   Reply With Quote
Old 07-15-06, 03:34 PM   #7 (permalink)
Aximsite Rookie
 
Join Date: Feb 2006
Location: British Columbia, Canada
Posts: 25
Thanked 0 Times in 0 Posts
HIPAA compliance is self-assessed by the organization (but subject to audit... just like income tax returns :-)

If you're actually storing PHI on your PDA as part of your organization's official records system, then your organization is responsible for telling you what you have to do to appropriately safeguard it.

If on the other hand, you're using your PDA to access your organization's network via web or email, and PHI happens to be replicated on your PDA in your email folders or browser cache, I'd say that whatever policies your organization has for laptop computers would apply.

HIPAA (see http://en.wikipedia.org/wiki/HIPPA#The_Security_Rule) tends to be very general. For example, wireless networks carrying PHI must be secured by encryption, but the exact method is unspecified. So, if your organization wants to use WEP encryption (which is relatively easy to break), they can, as long as they give reasons why WEP is adequate for their purposes. Somebody can steal your PDA and disassemble it to extract the embedded flash memory to bypass the device password and read the PHI, but maybe your organization doesn't worry about that (on the other hand, if you dealt with the PHI for the President, maybe they would).

I assume that BlackBerries and laptops are rampant in your hospital. What do your techno-dweeb doctor colleagues do?
elendil is offline   Reply With Quote
Old 07-15-06, 05:05 PM   #8 (permalink)
Aximsite Minor League
 
Member
 
Join Date: Jun 2003
Location: Orlando, FL
Posts: 131
Device: Sprint
Thanked 0 Times in 0 Posts
We use secured laptops/desktops to access secure patient information in our hospital. The MIS uses many different methods of security depending on what type of access is required and what area of our Intranet you need access to. Most is VPN access. The only access PDAs, BlackBerries, etc. have is to email and global contact lists within our hospital system. Everything else is by secure laptop or desktop. We are going to a new computer system within a year or so... what changes in the above will be seen then. Plus we change passwords on a variable basis... i.e. sometimes 3 mos or 4 mos or 6 mos, etc.!
JessieLC is offline   Reply With Quote
Old 07-15-06, 05:36 PM   #9 (permalink)
Aximsite Rookie
 
Join Date: Feb 2006
Location: British Columbia, Canada
Posts: 25
Thanked 0 Times in 0 Posts
Originally Posted by JessieLC
We use secured laptops/desktops to access secure patient information in our hospital. The MIS uses many different methods of security depending on what type of access is required and what area of our Intranet you need access to. Most is VPN access. The only access PDAs, BlackBerries, etc. have is to email and global contact lists within our hospital system. Everything else is by secure laptop or desktop. We are going to a new computer system within a year or so... what changes in the above will be seen then. Plus we change passwords on a variable basis... i.e. sometimes 3 mos or 4 mos or 6 mos, etc.!
I'm curious... assuming that your laptops are allowed to leave the premises, how are your laptops secured? Do they all use the encrypting file system, for example? If not, then a PDA or BlackBerry would have the same level of security (or lack thereof) as a laptop; PDAs support VPNs just like laptops do.

By the way, I've always thought that changing passwords regularly is LESS secure, because then people will have to write them down so they don't forget. If you have a nice & long strong password that you can commit to memory because it won't change for a long time, then you are susceptible only to the rubber hose attack.
elendil is offline   Reply With Quote
Old 07-15-06, 07:57 PM   #10 (permalink)
Aximsite Prospect
 
Join Date: Jan 2006
Posts: 18
Thanked 0 Times in 0 Posts
Thanks all. You have been very helpful.
csloan is offline   Reply With Quote
All times are GMT -5.