Network Security for EMR’s

I was recently asked to present an opinion regarding network security for Electronic Medical Record (EMR) software.

This is most certainly a debatable subject and rather than my usual “running for the hills”, I chose to face my fears head on and address the discussion.

First and foremost the highest level of security is virtually useless if you are not protected from social hackers. One must first evaluate their current network against these basic criteria:

  • do all employees have individual accounts?
  • are passwords required to be changed once a month?
  • are passwords strong? – “Password#123” is not a strong password.
  • do employees always log-out when leaving the computer terminal?
  • can patients view the computer monitor from the waiting room?
  • is login information memorized? (not written on a sticky note and attached to the computer monitor)
  • are your computer and mobile devices password protected?
  • is the computer hard drive encrypted?
  • does your medical data remain on Canadian soil?
  • do employees practice safe disclosure practices with people outside of the clinic? (never provide data; only confirm data you are provided)
  • is your clinic and home WIFI password protected and encrypted?
  • do you work in nefarious environments?

Protecting your data with passwords such as “password”, “12345”, proper nouns, or any word found in the dictionary, is the number one threat to any level of security.

Anyone can hack poorly protected networks with software that is widely available on the internet.

Security Options

VIRTUAL PRIVATE NETWORK (VPN)

The VPN is the highest level of un-hackable network security protection available; but only if you are using the best VPN protocol such as L2TP/IPsec. Whereas older VPN protocols like PPTP are easily hackable (instructions to hack PPTP are available on the internet).

VPN security encapsulates all network communications with daunting layers of encryption.

DATA ENCRYPTION

Secure Socket Layer (SSL) – now known as Transport Layer Security (TLS) or HTTPS data encryption is very strong, secure, and impossible to de-encrypt without the encryption key.

TLS protects specific data streams such as communication with an EMR server. All other data sent over the network is not encrypted (contrary to VPN security).

There is some potential for an evil genius hacker (EGH) to intercept TLS communication and obtain or spoof your encryption key. However, the only way an EGH can intercept communication is to gain access to your network. This is most often done by intercepting your WIFI signal (kinda like an old fashion phone tap).

STREET SMARTS

I consulted at a clinic located in a busy mall near a food court. During a coffee break I discovered their unsecured WIFI broadcast, titled “bla bla Medical Clinic”, was connectable from the food court! I spilled my coffee a little while sprinting back to the clinic to protect their WIFI from lurking evil genius hackers.

This clinic essentially hung a target on their virtual front door by broadcasting their unsecured signal. We were able to mitigate attacks from the EGH by reducing the WIFI broadcast strength, obscuring their broadcast id, and securing their WIFI signal.

A strong VPN L2TP/IPsec signal cannot be intercepted and hacked. Therefore, I use a VPN exclusively because I often work in cafes, at the airport, in hotels, at insecure medical clinics, and while hanging upside-down on the monkey bars at the park – these are all places where evil genius hackers stalk their prey.

What’s Best for You

There are substantial performance trade offs from using the best highest secured VPN. You may discover that your EMR and other applications may run considerably and annoyingly slower over a VPN connection.

Implementing and maintaining a secure VPN may also come at a higher financial cost.

You may need to weigh these tradeoffs with your technician in order to set up a balanced stable and enjoyable secure environment.

In My Opinion

If you are a high risk, wild and crazy, uncontrollable, free spirited computer rebel without a cause – like me – and if you like to walk down dark virtual alley ways wearing a t-shirt that reads “exploit me”; you should insist on implementing a strong VPN.

If you choose to keep the social and evil genius hackers at a safe distance by practicing street wise safe computing you should be plenty secure with plain old TLS encryption.

Let the argument commence.