Computer Encryption With Multiple Logins For Proper Access Control In A Medical Setting.

  • Can AlertBoot provide individual login credentials to a shared computer resource?  Yes

  • HIPAA / HITECH violation if passwords are shared

  • Plug: Free webinar for encryption users and channel partners on HIPAA / HITECH compliance

I was in a meeting with potential clients when they asked if AlertBoot data encryption software would allow multiple logins on a shared, encrypted computer.  Our answer is yes.

The clients are in the medical field, and as such, have workstations that are shared resources.  Think, for example, of computers in a hospital’s nurse’s station (for those who haven’t been inside a hospital, it’s where you can find the nurses).  The station is permanent but obviously the nurses are not.  They have rotating shifts, with nurses at the station 24 hours a day.  Under the circumstances, the computers have to be shared between at least three people (8-hour shifts).

This presents something of a conundrum under HIPAA / HITECH.  On the one hand, the computers may require the use of full disk encryption to protect the PHI stored inside them.  On the other, though, if the encryption software employed does not support multiple users, it means that passwords for accessing the computers must be shared.
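As an added illustration (not AlertBoot’s code), this is the mechanism that lets a full disk encryption product offer individual logins on a shared computer: one random volume key is wrapped separately under a key derived from each user’s own password, so a nurse’s credential can be added or revoked without re-encrypting the disk or telling anyone else’s password. The user names, the scrypt parameters and the HMAC-based wrap are assumptions for the demo; shipping products use a standard key-wrap such as AES Key Wrap.

```python
import hashlib
import hmac
import os


def _derive_kek(password: bytes, salt: bytes) -> bytes:
    """Stretch a user's password into a 256-bit key-encryption key (KEK)."""
    return hashlib.scrypt(password, salt=salt, n=2 ** 12, r=8, p=1, dklen=32)


def _wrap(kek: bytes, volume_key: bytes) -> bytes:
    """Encrypt-then-MAC the volume key under the KEK.  Illustrative
    HMAC-based construction (assumption); real products use AES Key Wrap."""
    nonce = os.urandom(16)
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(volume_key, stream))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _unwrap(kek: bytes, blob: bytes):
    """Return the volume key, or None if the KEK (password) is wrong."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong password or tampered key slot
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


class EncryptedVolume:
    """One disk key, many user slots: each slot stores the volume key
    wrapped under a KEK derived from that user's own password."""

    def __init__(self) -> None:
        self._volume_key = os.urandom(32)  # never written to disk in the clear
        self._slots = {}  # user -> (salt, wrapped volume key)

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        kek = _derive_kek(password.encode(), salt)
        self._slots[user] = (salt, _wrap(kek, self._volume_key))

    def unlock(self, user: str, password: str):
        """Pre-boot login: return the volume key for a valid credential, else None."""
        if user not in self._slots:
            return None
        salt, blob = self._slots[user]
        return _unwrap(_derive_kek(password.encode(), salt), blob)

    def revoke_user(self, user: str) -> None:
        """Drop one credential; the other slots and the disk stay untouched."""
        self._slots.pop(user, None)
```

Every user unlocks the same volume key, so the auditable identity is the individual login rather than a password passed between shifts.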

Violating One Rule for Another

The sharing of passwords is a violation of HIPAA rules (access control), so depending on one’s particular choice of encryption software, one may have to violate one HIPAA mandate in order to fulfill another.

As the above shows, choosing the correct tools to be in compliance with HIPAA / HITECH is not as straightforward as “buying encryption.”  And it’s not just a matter of access controls, either.  For example, the biggest reason many HIPAA covered-entities are earmarking funds for encryption lies in the safe harbor clause under the Breach Notification Rule found under HITECH.

If encryption is used, a covered-entity doesn’t have to go public with a data breach of PHI (protected health information).  If encryption is not used, notice has to be sent to the affected patients no later than 60 calendar days after discovery.  But, there’s a catch.

For the safe harbor to kick in, strong encryption (such as AES-256, which is used in AlertBoot) must be used.  If a weak form of encryption is used — weak enough that no respectable information security specialist will vouch for it — you still have a data breach on your hands and you will have to send out those notification letters.

Free Webinar

If you’d like to learn more about HIPAA / HITECH and the appropriate use of encryption and other requirements in a medical setting (or as a partner or associate to a covered-entity), you’re welcome to join free webinars being conducted by eGestalt and AlertBoot.

Register today by clicking on the preferred link above.  First webinar starts tomorrow!
