
We recognize the importance of protecting your valuable patient data from global security threats. Take our Mobile Computing Security Self Audit to understand how secure your data is. It will only take a couple of minutes.
Protecting Patient Data
As increasing amounts of identifiable personal information are stored electronically and are transmitted through wireless media, calls for better ways of assuring the security of personal data are growing louder.
A number of jurisdictions have enacted privacy legislation, such as the Health Insurance Portability and Accountability Act (HIPAA) in the U.S., and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. Aside from the need to comply with the law, organizations need to be aware of the consequences of a data breach, such as negative publicity and legal liability.
Compounding the issue is the fact that healthcare information is uniquely attractive to fraudsters:
- Electronic healthcare data usually contain more personal data in one record than would normally be found in other electronic databases. Social Security number (in the U.S.), date of birth, mailing address, banking information, and insurance policy details are but a few of these extra pieces of data typically found in a health card record but not found in an education database.
- The effects of personal data breaches are not limited to financial loss but could also lead to life-threatening misdiagnosis due to mixed-up data.
- Healthcare records contain information about minors and the deceased, neither of whom are likely to raise an alert that would prevent a prolonged breach.
Given the serious consequences of a security breach, what can be done to prevent data theft in the health care environment?
Siren’s Security Features
Medusa has implemented a number of security features for you to use as part of your overall security strategy.
Security on the mobile device:
- Protected password storage: Sensitive information such as passwords is saved in the field user database using the SHA256 hashing algorithm.
- Limited logon attempts: If the user fails to log on within the configured number of allowable attempts, the field application shuts down and requires the System Administrator to log on before resetting the logon counter.
- Application Session Timeout: If a user is inactive for a predefined period, the field application requires the user to restart the application and log back in.
- Activity log: The field application records all significant user activities in an audit log.
- Encryption of patient identifiable data: As the clinician enters patient identifiable data, the field application encrypts it using the AES256 algorithm.
- Limited access to data: Field users cannot view ePCRs created by other users, nor can they view ePCRs they created once those have been finalized or deleted from their tablet.
Security in data transmission:
- Siren supports server-side certificates for Secure Socket Layer web applications and client/server communications. This requires the System Administrator to configure their Siren implementation accordingly for both the field users and web users.
- Siren Go! supports X.509 digital certificates for the field application.
Security on the server:
Siren ePCR provides the following industry-leading security:
- Protected password storage: Sensitive information such as passwords is saved in the field user database using the SHA256 hashing algorithm.
- Limited logon attempts: If the user fails to log on within the configured number of allowable attempts, the field application shuts down and requires the System Administrator to log on before resetting the logon counter.
- Application Session Timeout: If a user is inactive for a predefined period, the field application requires the user to restart the application and log back in.
- Activity log: The field application records all significant user activities in an audit log.
- Limited access to data: Field users cannot view ePCRs created by other users, nor can they view ePCRs they created once those have been finalized or deleted from their tablet.
Product Independent Security Audit
QinetiQ provides research, technical advice, technology solutions and services to customers in the defence and security markets. QinetiQ independently performs security and penetration testing on each release of Siren, and its approval is required before Siren can be deployed as part of the National Programme for IT in the United Kingdom. Feedback from this testing is also incorporated into our product development process, resulting in Siren ePCR being one of the most secure ePCR products in the world.
Workplace Independent Security Audit
Without a secure work environment, our product security means nothing, so we contract an outside company to audit our network and our protocols. This ensures that our staff are appropriately trained, that security procedures are being followed, and that our network remains secure.