HIPAA privacy in the ED

mattburks · 2015-11-11T14:23:54.000Z

We’re planning to put bedside PCs in our Emergency Department in addition to a few rolling PCs. I’m struggling to find a way to secure these PCs so patients and family members will not be messing with them and potentially seeing ePHI. These PCs will need to lock anytime a nurse walks away from them. Are there any good proximity devices that will lock the screen when the user walks away? I’m not concerned with the screen unlocking when they come back, they can enter the password for that. It will have to be something sensitive because our ED isn’t that big. Bluetooth has a distance of 30ft, and it would be rare that anyone would be that far away from any of the PCs.

illixir · 2015-11-11T14:41:48.000Z

We use a single sign on solution called Imprivata that uses proximity cards. It may be a little bit of overkill for your setup, but it allows our doctors and nurses immediate access when they walk up to a station and badge in, then the ability to quickly badge out and lock the station when they leave.

tazking · 2015-11-11T14:59:38.000Z

I 2nd Imprivata. They have a pretty good system and for me the people have always been good to deal with.

mattburks · 2015-11-11T15:08:38.000Z

I’ll check that company out and see what they offer. Might be worth looking into for our Med/Surg dept too.

I’ve just been asked to get a Surface Pro for our EDP. Any advice on keeping it from “walking out the door”?

jodimurray · 2015-11-11T15:12:25.000Z

You could looking into a USB key locking system. I have used Predator ( http://www.predator-usb.com/ ) and it’s about $30 per computer but you can assign multiple keys to each computer as well as multiple computers to each key. I assume your staff already has prox cards or another form of badge so it would not be too big of a hassle to add a small usb key. It’s not perfect but cheaper than some other solutions.

tazking · 2015-11-11T15:30:13.000Z

We tried the USB key route but ended up having a bunch of issues were the key would stop working in any system or a system would stop recognizing any key. IT was a pain and we do not have an ED. In an ED it would have been even worse with the pace they have to set. Another issue we had with this was the USB being left sitting somewhere. We require ID on the uniform near the face so patients can compare the face in the picture with the persons face. Just an added level of comfort for some of our patients. The doctors did not like having to use a lanyard to attach the USB to themselves so it didn’t get lost and didn’t want to have to reach into a pocket to produce the USB. We looked at the proximity and facial recognition (because an Admin thought it would be cool) and we ended up with proximity wince everyone has to have one.

Rivitir · 2015-11-11T15:39:15.000Z

You could always use smart cards. They plug in their cards to log in, then when they leave they take their card with them and the computer immediately locks.

dennis-aston · 2015-11-11T15:57:03.000Z

Imprivata (and other vendors) also have the ability to use webcams to sense when somebody walks away. If you use that together with biometric login you get a very fast lock, unlock ability.

They also have the ability to lock the computer with x minutes of inactivity, which I can verify works. The hard part with that is that if you set it low enough for it to make a difference when your doctor or nurse walks away it needs to be something ridiculously low like 10 or 15 seconds or even less. Otherwise the moment they turn and walk away somebody could hop on and do something.

Another solution is a product called Xyloc. Take a look at it, Kaiser Permanente has implemented that.

justinmcnett · 2015-11-11T16:01:58.000Z

Rivitir:

You could always use smart cards. They plug in their cards to log in, then when they leave they take their card with them and the computer immediately locks.

This is what my doctor’s office uses. Since the smart cards are also their name tags, they are easy to remember when they leave.

mattburks · 2015-11-11T16:05:25.000Z

What infrastructure is needed for Smart Cards? I’ve heard about them for years, but never researched them. I don’t know if that will help with this implementation as we’re more concerned with the PCs locking and not the unlocking process, but this may be a possibility on the other clinical areas.

Does it just need smart cards, a reader and a service installed on my Active Directory?

What do smart cards cost? I can see them being lost/destroyed fairly often in this setting.

edwardblanchard · 2015-11-11T16:11:54.000Z

How about the Amazing secret monitor trick!

briandunbar · 2015-11-11T16:43:18.000Z

Smart cards are going to be one of the cheapest ways to add security. It’s what government and other security conscious corporations tend to use. However, there will be users (even with proximity devices) that will “forget” their cards at home or leave them in or around the computer when they walk away. It’s a lot more than just a technical solution.

dennis-aston · 2015-11-11T16:47:50.000Z

Edward_B:

How about the Amazing secret monitor trick!

https://www.youtube.com/watch?v=zL_HAmWQTgA

You know, that is slick. Honestly I can’t believe the industry hasn’t done something like that professionally yet. It beats the heck out of adding a privacy filter to the monitor itself, which the staff ALWAYS seem to take off and lose.

randystites · 2015-11-11T16:49:20.000Z

Today’s world is moving forward into the world of bio-metric security. I have worked with EyeLock w/ retinal scanner software. I like for many reasons. One a user does not have to try and remember their password, also they do not have to carry a USB or badge that can be forgotten at home or lost or worse laid down. You will never forget your eyes.

dennis-aston · 2015-11-11T16:55:27.000Z

Matt B:

What infrastructure is needed for Smart Cards? I’ve heard about them for years, but never researched them. I don’t know if that will help with this implementation as we’re more concerned with the PCs locking and not the unlocking process, but this may be a possibility on the other clinical areas.

Does it just need smart cards, a reader and a service installed on my Active Directory?

What do smart cards cost? I can see them being lost/destroyed fairly often in this setting.

You need a Certificate Authority (CA) to be able to issue certificates to users and devices in your environment, you need provisioning software to handle the formatting and provisioning of the smart card, and of course you need cards and readers. The first thing and the last two are easiest to get your hands on. I would look at whatever vendor you choose for your cards to find what software they recommend for writing out data and configuration onto the card.

patrickcasey · 2015-11-11T18:50:06.000Z

An USB smart card/token system should work well for your purposes. I had very little input into the design of the system we used at the police station but it required officers to keep their USB tokens on them at all times.

patricktierney7212 · 2015-11-12T01:08:42.000Z

We use Imprivata in my hospital. Currently, we have mainly fingerprint readers as part of 2 factor authentication. However, the larger hospital organisation we belong to uses RFID badges to tap in and tap out of computers, so we will be swapping. I think that badges can be stolen much easier than fingers, but nurses are always complaining that the frequent hand washing kills their fingerprints, so keep that in mind. I think the cost is about the same.

We have also used proximity sensors in some places to force log offs. These ones: https://www.rfideas.com/products/presence-detectors/pcprox-sonar They are USB and super easy to setup. Then can detect if a person is within a programmable range and send a command to lock the PC as soon at the person leaves or after a set amount of time. Very handy.

stevencowen1109 · 2015-11-12T10:21:23.000Z

Just get all staff to use Windows key and L, it should be in your handbook that all machines are protected by the end user.

richardarmstrong · 2015-11-12T10:51:29.000Z

May I suggest RSA with Rolling Codes - this will keep the best out but still allow the correct users access.

See:

http://www.emc.com/security/rsa-securid/index.htm

Key Fobs or an App for the iPhone/Android etc.

rhys · 2015-11-12T11:35:56.000Z

I would definitely go down the smartcard route. The NHS here in the UK use smartcards for both identity and sign on. As soon as the card is removed the PC locks. they also generally use keyboards with a reader built in.

Hope this helps.