Category Archives: EMR Data Security

Medical Information and Encryption

We deal with a lot of medical information – and as such all of our hard drives on all our machines are encrypted.  We even encrypt our USB keys and our backups.

For a physician or clinic, the rule should be if a computer system will ‘possibly’ hold any medical related information – it should be encrypted!  No exceptions.  A few years ago we encountered a well-meaning clinic that had a portable hard drive that moved between two offices and a home office.  The issue was that it was used to contain billing information – which the clinic did not consider to be patient sensitive data.  That was until it was pointed out to them that the patient personal health numbers and billing codes in that data could indicate exactly which patients had what conditions.  They quickly moved that data to an encrypted drive – and destroyed the original.

Every year in Canada there are stories about a stolen laptop or a portable hard drive that has gone missing and that contained medical records.  These should underline to clinics how easy it is for electronic information to be compromised or stolen.  Yet, we continue to encounter situations where data is not properly encrypted, or not encrypted at all.  Most of these situations are due mainly to ignorance of the actual requirements and a lack of understanding of the technology, while some are due to a belief that it is ‘too complicated’ to comply with.

Let’s try to clear up a few issues – and then discuss what can be done to easily encrypt external hard drives…

Encryption Strength – 256 Bit and higher

In Canada, it is recommended to use at least 256 bit encryption for medical data.  This makes it harder for someone to use a ‘brute force’ attack to see your information.  However, as well as using strong encryption – you should also use a strong password.  The best encryption is useless if you use weak passwords – like ‘password’ or your name, etc.

Level of Encryption

The simplest solution would be to go out and just purchase an encrypted drive or USB key.  However, it turns out that it is not all that ‘simple’.  There are many external drives on the market that claim to be ‘encrypted’ drives – and they are.  However, the question we always have is what type of encryption is being used.  This is a concern because a fair number of the encrypted drives on the market do not use 256 bits – but lower strength algorithms like 128 bit, etc.  We have a general rule – if the manufacturer does not publish that the drive uses 256 bit encryption – it doesn’t.  This means that as a physician, when you purchase these drives you have to be careful and read the labels.  In Canada, any device that stores medical information must use at least 256 bit encryption.

Encrypting your own drive/files

Another option, instead of purchasing a drive that is already encrypted, is to buy a regular drive and use a product to encrypt it afterwards.  This has some advantages – many of these products will allow you to encrypt individual files, create encrypted areas (allowing more than one file to be stored) or encrypt the entire drive.  The down side is that you have to learn how to use the product and configure it.  However, we will try to make this part a little easier by providing a solution we use for encrypting our USB keys and external hard drives.

What Products are Available to Encrypt your Hard Drives?

There are a few different things to consider when you are choosing a program to encrypt your data.   The first is which operating system you are going to be using – Windows or Apple (we won’t discuss Linux in this article).  Windows has its own program called BitLocker.  It is available on Windows Vista and later.  Apple computers also have their own program called FileVault.  There are also some other programs like PGP and Symantec Drive Encryption that offer good solutions.

The second thing for some people to consider is whether to go with Closed-Source systems (all the above examples are Closed-Source) or with Open-Source systems – such as TrueCrypt, VeraCrypt, CipherShed and others.  Some people prefer using a Closed-Source system that they purchase.  They offer better support and the backing of a recognized company.  Others prefer Open-Source systems because the source is open for inspection – and any back doors that are probably in the Closed-Source systems (thank you Department of Homeland Security) are most likely not there in the Open-Source systems.  But let’s be honest – does any of that really matter to the average clinic – Probably Not.  You just want to encrypt your disk/data and show that you have taken reasonable steps to protect patient privacy.  It is all about risk mitigation – nothing more.  So if that is the case, just about any of the above products will work for you.  Note:  TrueCrypt was mysteriously discontinued last year.  It has been replaced by VeraCrypt – which is very, very similar – and compatible with versions 6.x and 7.x.  VeraCrypt is also the one we will use in this example.  We use the open source products in this article because they are free and available to everyone.

Every one of the products mentioned above can be configured to support 256 bit encryption.

Our Solution

Encryption has to be easy and quick to use if it is going to be used at all.  The initial setup may require a little technical knowledge – but the day to day usage must be straightforward or people will just not use it.

To this end we have created a very simple setup that will allow you to easily access your encrypted drives.  There is a file called “EHD.zip” associated with this article that has the complete directory structure we note below – including all the necessary files and a sample VeraCrypt encrypted container file (1MB in size).  This will allow you to get started quickly (you just need to replace our encrypted container file with one of your own making).

Once you have downloaded the EHD.zip file, the first step is to create your own encrypted file container.  You can use the VeraCrypt program, included in the download, to do this.  There is a PDF document attached to this article showing how to use VeraCrypt to create an encrypted file container (HowtoUseVeraCrypt.pdf).

You can make this new encrypted file container as large or as small as you need.  I usually suggest making it about 20% larger than what you think will be the largest you need.  The reason is that you cannot enlarge it later.  If you need more space than you planned – you may have to destroy the current encrypted file container and create a new, larger one.

For the file name we usually put a .sec file extension on it – standing for secure file.  You can use whatever file extension and name you want.  We use the file TimeAcct.sec as our default.  If you change the file name, you will have to update the batch file that is used to mount the encrypted file container to a drive letter (TAMountSecureUSB.bat)

Directory structure we will need on the hard drive

The setup of our system depends on the following directory structure.

  • Root directory – contains the batch files we will be creating
  • TimeAcctSecured – contains the VeraCrypt Encrypted Container File
  • VeraCrypt – contains the VeraCrypt program (Note: VeraCrypt is not installed – but in Portable Mode)

Now the Root Directory can be either the root of a drive, such as when you use this with an external drive or USB key – or it can be a directory anywhere on the hard drive.

The Batch Files

We have two batch files that are used.  One mounts the encrypted file container and the other dismounts it.

In this example – the drive letter “H” will be mapped to the TASecDrive.sec file.  This will present the user with the standard VeraCrypt password box.  Upon entry of the correct password drive H will then point to the encrypted data.

At this point – you can now use drive T as you would any other Windows drive.  You can perform a back up to it, copy files to it or from it, etc.

In the above batch file the /d h command will dismount the Drive H from whatever encrypted file container it is associated with.
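One way to write the mount and dismount steps described above as a single Windows batch script (an added example, not the files shipped in EHD.zip).  The script name SecureDrive.bat, the location of VeraCrypt.exe inside the VeraCrypt directory and the use of TimeAcct.sec as the container name are assumptions; the drive letter H and the directory layout come from the article.

```bat
@echo off
rem Added example - not the original EHD.zip batch files.
rem Usage: SecureDrive.bat mount ^| dismount   (script name is hypothetical)
setlocal

rem Resolve everything relative to this script (%~dp0) so the same layout
rem works from the root of a USB key or from any directory on a hard drive.
set "ROOT=%~dp0"
set "VC=%ROOT%VeraCrypt\VeraCrypt.exe"
set "CONTAINER=%ROOT%TimeAcctSecured\TimeAcct.sec"
set "LETTER=H"

if not exist "%VC%" (
    echo VeraCrypt not found at "%VC%"
    exit /b 2
)

if /i "%~1"=="mount" goto :mount
if /i "%~1"=="dismount" goto :dismount
echo Usage: %~nx0 mount ^| dismount
exit /b 1

:mount
if not exist "%CONTAINER%" (
    echo Container not found at "%CONTAINER%"
    exit /b 2
)
rem Refuse to continue if the letter already points at another drive.
if exist %LETTER%:\ (
    echo Drive %LETTER%: is already in use.
    exit /b 3
)
rem No /p switch on purpose: a password written into a batch file would sit
rem in clear text next to the container. VeraCrypt shows its password box.
rem /c n = do not cache the password, /h n = do not save volume history,
rem /q   = perform the action and exit without opening the main window.
"%VC%" /v "%CONTAINER%" /l %LETTER% /c n /h n /q

rem Confirm the result by looking for the drive, not by trusting an exit code.
if not exist %LETTER%:\ (
    echo Mount failed or was cancelled - %LETTER%: is not available.
    exit /b 4
)
echo Encrypted container mounted as %LETTER%:
exit /b 0

:dismount
"%VC%" /d %LETTER% /q
if exist %LETTER%:\ (
    echo %LETTER%: is still mounted. Close any open files and try again.
    exit /b 5
)
echo %LETTER%: dismounted. It is now safe to remove the drive.
exit /b 0
```

The dismount check matters in practice: if a file on the mounted drive is still open, the container stays mounted and unplugging the drive at that point risks corrupting it.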

How to use

When you plug in the hard drive, you need to double click (or run) the batch file (VCMountSecureDrive.bat).  This will prompt you for the password and then add the drive letter “H” (or whatever drive letter you have set in your batch file) to your system and point it to the encrypted file container.

You can then do your backup, copy files, or whatever you want.   When you are done – you simply double click the other batch file (VCDismountSecureDrive.bat) – which will dismount the drive letter from the encrypted file container and you can safely remove the hard drive.

You can download the associated Files from here

We also have a quick overview of how to use VeraCrypt – which can be downloaded from here

 

EMR Data Security – Product Recommendations

The following are some products we use regularly – and recommend to our clients.  They are usually free to use and are very well known.

 

7Zip (http://www.7-zip.org/) – FREE

7Zip is a free program that is well known and automatically uses 256 bit encryption when you put a password on the archive.  It is easy to use – very much like WinZip that was popular years ago.  The two main things in favour of this program are that it is free and automatically uses 256 bit encryption.  It is great for encrypting small numbers of files into one file before emailing it or sharing it with others.

TrueCrypt (http://www.truecrypt.org/) – FREE

TrueCrypt is a great program for encrypting entire hard drives or creating encrypted containers on hard drives.  This is great if you want to create a large encrypted container that you can mount and store files in.  TimeAcct has easy to follow and use documentation on how to use TrueCrypt.  If you would like a copy, just contact us at info@timeacct.com and we will happily send you a document.

Eraser (http://eraser.heidi.ie/) – FREE

When you delete a file on Windows (or Mac/Linux for that matter) – it does not actually delete the file.  All it does is mark the file as deleted.  It is fairly easy to recover deleted files – sometimes even after they have been overwritten with other data.  In order to meet government requirements for properly destroying files, you need to use a program like Eraser.  It overwrites the file data up to 7 different times, following proper processes for data destruction. If you do not use a program like Eraser on a hard drive, then you are most likely not meeting your legal requirements under PIPEDA (or like legislation) in Canada.

Note – if you are dealing with removable hard drives, USB keys, etc. we would recommend using this program and then destroying the actual drive by driving nails through it, etc. before disposing of it.

EMR Data Security #3: EMAIL – The Dangers of Gmail and Other Email Technology

This is another situation we deal with far too often.  We are all so used to using email to communicate that we use it without really understanding the underlying technology.  Since we deal with doctors and clinics during the extraction and conversion process, validating their data – there are times when we need to have a copy of the original medical record to be able to compare it to what we have extracted.  In one case last year, a doctor simply exported the record and emailed it to us as free text.  It had the patient demographics and the full medical record in the text.  Now, this in itself violates Canadian law – as they have breached patient privacy by sending the record through the internet without any encryption.  However, it was made even worse by using Gmail.  Gmail will parse that email and store it on its servers, which are all based in the USA.  So, not only was it sent without encryption, it was now stored outside of Canada.  The doctor was horrified when we explained what he had done, however the damage had been done.

First of all, no medical record information should be sent via email without a very strong encryption.  See a post below for product recommendations.  Second, no medical office in Canada should use the free email services from Google (Gmail), AOL, Microsoft (Hotmail), etc. for their businesses.  These systems all host their email systems outside of Canada and will simply complicate any breach that may occur.

However, it is not just email systems that may cause you issues.  There are other ‘personal’ technologies that people use without understanding the consequences that they may bring.   Take for example various Cloud services that synchronize data between your computer and your phone and other devices (iCloud from Apple for example).  These services are usually hosted outside of Canada.  This means that even if you have taken care to use a Canadian hosted email address, by syncing with your phone or tablet, second computer, etc., you may be storing email data outside of Canada and therefore violating Canadian laws without realizing it.

Summary:

1.  Do not use foreign email hosts for your office work.  Examples would be GMail, HotMail, Yahoo Mail, etc.

2. Be careful of what technologies you use, as there may be unintended consequences.

3. Always encrypt anything regarding patients that you must send via email.

EMR Data Security #2: Removable Storage – Must be Encrypted

We deal with this situation more often than I would like to admit and it takes many forms.  Some examples are:

– The IT staff performs regular backups of the server on which the EMR is installed.  These backups are then taken off site on a regular basis.

– IT staff take a backup of the data and ship it to a vendor for extraction/conversion.

– Old data is stored on external drives to save space.

There are various other situations, but they all have the same issue – patient identifiable data is stored on removable storage that is easily transported or stolen without any encryption.  This is simply illegal.  It does not matter that it is part of a nightly backup, it doesn’t matter that it will only be on the drive for a short period of time, it doesn’t matter that it is ‘old’ data.  All that matters is that it is encrypted and that the patient data is protected.

We have two great examples of the above situations.  The first was a clinic in Nova Scotia that had a locally installed EMR and they faithfully backed up their server every night – and even had a five drive backup rotation schedule for the best protection.  Each night a drive was taken home by a staff member and the next day they brought back a drive.  So – there was always at least one drive off site at the home of a staff member.  This is a decent IT practice to help protect the clinic from data loss.  The clinic had even hired an IT Consultant to set it up for them – the same company that took care of all their IT needs.  The problem was that none of the drives were encrypted and the ‘backup’ was a clear copy of the data drive on the server.  So – each drive contained easily accessible files (dBase files) that held all the patient information in the clinic.  And to make matters worse – it was being taken out of the business environment to the home of one of the staff.  What would have happened if that staff member’s home had been broken into?  I would not want to be the doctor making the report to the RCMP about exposing all his medical data because someone stole a drive from the home of a staff member.

Just like the first example, this next one shows how, even with good intentions, you can expose yourself when you are simply trying to protect the data.  Another clinic had data from an older EMR that they wanted to hold onto.  They got the data scanned into PDFs and held it on a special external hard drive device.  This device contained four hard drives in what is called a RAID 5 configuration – which really just means that if one drive fails, you don’t lose your data.  The problem was that, like many smaller doctors’ offices, the spouse did the accounting from home – and this drive constantly went back and forth between the doctor’s office and their home.  They had purchased it to protect the data, but had not thought to encrypt it.  The problem they ran into was that they could not just simply move the data to a new drive, encrypt the old drive and copy it back.  The information on the old drive would first need to be purged in a secure fashion using a program like Eraser (see Recommended Tools in another post below) – in order to meet legal requirements.  As this was a fairly large drive – it was going to take time and effort to solve their problem correctly and reduce their liability moving forward.

Summary:

1.  Never put data on removable media, unless it is encrypted with a minimum of 256 Bit encryption.

2. Make sure your backups are encrypted and well protected.

3. When you destroy the data, take special care to make sure you have done it properly.

EMR Data Security #1: I will just take my old EMR home for Reference

We dealt with this situation a few years ago, where a doctor was converting from one EMR to another.  He wanted to keep his old system for reference, but did not want it taking up space in the office.  So his solution was to take it home with him.  We mentioned to him that doing so would expose him to a lot of liability if he did not first encrypt the disks on the computer he was going to bring home – due to it containing medical records.  His response was that he only used the old EMR for billing and therefore it only contained the patient billing information, which did not, in his opinion, violate patient privacy.

This response showed his total lack of understanding of what he was dealing with.  First, the term “just billing information” is anything but.  The Billing information in Canada uses ICD9 codes – and a direct link to patients.  This means that the billing information, the doctor was referring to, contains the diagnosis for all his patients!  As well, the tie to the patient was a direct link to the entire patient demographics (name, address, phone, birthdate, sex, health card number, social insurance number, etc.).  Billing data is anything but ‘just billing information’!

Aside from diagnosis information in the above example, which would make any privacy breach just that much worse, the demographics information alone is considered personally identifiable information and is protected by both Federal and Provincial legislation.

Another point to consider is that the doctor was moving a business asset out of the business environment and into his home.  Would his insurance company have covered any loss of that hardware or liability if the breach occurred outside of the business premises?  The risks associated with this action far exceed any possible gains on the part of the physician.  Thankfully, once we pointed out these issues, the physician chose to leave the server in his office and, over a period of a year, decommissioned the entire older EMR.

Summary:

1.  Almost all data in an EMR should be kept private.

2. Do not take data outside of your business environment unless you have a very good reason.