[Stratford Software, Inc.]
Stratford's recommended security method to help meet HIPAA requirements.

    Before we start this we need to warn you that you alone are responsible for knowing about the HIPAA requirements. This page is nothing more than some information for you to consider. You must not and cannot accept it as 'the law' or even 'certified' information. It is our opinion and nothing more. No one at Stratford is responsible for meeting (or even helping you meet) your requirements under the HIPAA law. The information here is not even related directly to the Stratford program or patient information. It is a method that we believe will keep information secure on your computer. You could use it for your letters, files or any other information you have on your computer.

    Here is the procedure.

    1. Go to https://www.grc.com/misc/truecrypt/truecrypt.htm and download a copy of TrueCrypt onto your PC. It is free. Extract the files and read the documentation. The documentation has some great ideas and information and most of it is written for the average computer user, not for security geeks. It does contain some technical material that may be hard to follow; you can skip that part if you want. TrueCrypt defaults to generally accepted encryption settings (AES with a 256-bit key) and we recommend that you do not change the defaults.

    Note: truecrypt.org is no longer available and the original developers stopped work in May 2014. The last full version is 7.1a (NOT 7.2, which can only decrypt existing volumes and cannot create new ones). As of today (01/17/2015) 7.1a is the latest version we know of that we consider secure, but understand what that means: it is unmaintained and will never receive another security fix. Maintained forks of the 7.1a code base exist (VeraCrypt is the best known) if you want a product that still gets updates. You can read more here: https://www.grc.com/misc/truecrypt/truecrypt.htm We recommend grc.com as the download source. We have used this site for years for utilities and we trust the publisher. After downloading, compare the file's checksum against the one published on that page before you run the installer; a download that does not match must not be installed.

    Be very careful. The Internet is not a safe place. There are clever people who, for reasons of their own, want to fool you into downloading a tampered copy of a program like this from a look-alike site. Type the address yourself or use the link above rather than clicking a link in an e-mail.

    To research this you could begin by 'googling' "TrueCrypt dead or alive?".

    2. Build an encrypted container file on your hard drive or wherever you are going to put the Stratford program and your data files. If you already have the Stratford program installed and you have been entering patient data for years, no problem. After you create the container, mount it and copy your existing Stratford programs and data into it. After you copy your data you must delete the existing, unencrypted copy, and deleting is the tricky part. Did you know that it is easy to recover files you have deleted in Windows? It is. Remember that. Even after you empty the Recycle Bin, the data is still on the disk until something overwrites it, and free recovery tools will find it. The TrueCrypt documentation has good information about wiping unencrypted data. Keep in mind that on a solid-state drive even an overwrite is not a guarantee; the safest course is to create the container before the first patient record is ever entered, so that no unencrypted copy ever exists.

    Files deleted inside the mounted container are different: whatever remnants they leave behind are inside the container and therefore encrypted, so without the password nobody, including Stratford, can recover them. (While the container is mounted, or to anyone who has the password, they are as recoverable as any other deleted file.) That cuts both ways: if you forget your password, even you cannot ever get access to those files. No one at Stratford or any other organization can help you. The files are lost forever. The same is true if the container's header is damaged, so keep a backup of the volume header as the TrueCrypt documentation describes.

    If you back up the container onto CD, you will need the password to open the copy, but you do not need the password to make the copy. The container is an ordinary file; with a good password you can let your kids do the backup, for example, if they are better at using computers than you are. They will have no access to any patient information as long as the container is un-mounted. Of course, if you forget to un-mount it, anyone at that computer has access to the patient information.

    The Stratford program is about 140 mb. Your data size is something that only you know. We believe a container of 700 mb will store the information for a physician for many years; of course this is just a guess and depends on your volume. 700 mb is a good size if you plan to back up onto CD. If you back up onto DVD you could initially create a container of up to 4.5 gb. A TrueCrypt container cannot be enlarged in place, but if you make it too small or run out of space that is no problem: create a larger container and copy the information from the small one to the larger one. If in doubt, create a 700 mb container. Copy the \Stratford directory and all its subdirectories. Do not change the directory structure. The programs will run as-is inside the container exactly the way they run on your C: drive.

    3. Create a password. 8 characters are maybe ok, but we don't think so. The longer and less predictable you make it, the better the security, and TrueCrypt accepts up to 64 characters. One correction to a common belief: the password is not the encryption key. When the container is created, TrueCrypt generates a random 256-bit key (for the default AES setting) and stores it in the container's header, encrypted with a key derived from your password. Your data is always protected by the full 256-bit key no matter how long your password is; at this time no one believes even a 128-bit key can be found by trying keys, and 256 bits is the level the U.S. government permits for Top Secret documents. What an attacker attacks instead is the password, by guessing. So the password's only job is to be hard to guess, and its length and unpredictability are what count.

    The problem, of course, is how to remember it. The TrueCrypt documentation gives examples and you may want to do some research. One recommendation that we like is a sentence you will never forget, like 'My first car was a red 1949 Chevrolet'. Then put in some punctuation you can remember and remove the spaces: 'Myfirstcar=red(1949)Chevrolet.'. Case is critical. You should have some upper and lower case, some numbers and some punctuation. Don't go crazy with this. You want something you can remember and can type. If you use the container daily, the typing gets very easy, quickly. Note the sentence above ends with a period. It has 30 characters. That is far beyond what anyone can find by trying every combination of characters; the realistic risk is an attacker who guesses sentences and common substitutions, which is why a sentence about your own life beats a famous quotation. A sentence double that length increases the security enormously, far more than double, because every added character multiplies the number of guesses. The password is very easy to change (only the container header is re-encrypted, not your data), so you may want to try several things.

    Remember, you will probably enter it only once in the morning. Once the container is open you can leave it open all day. If there is any possibility of unauthorized access, it is very easy to log out of the Stratford program and then un-mount the container, for example at lunch. Once the container is un-mounted it is protected by the encryption alone. Even if someone steals your computer, they will have no access to your data. When the computer is turned off or reset, the container is automatically un-mounted and nothing can be read until the password is entered again. Two warnings belong here. First, a computer that is merely asleep, locked or hibernated with the container still mounted is not in that state; the key is still in memory (or in the hibernation file on disk), so un-mount before you walk away or close the lid, and read the sections of the TrueCrypt documentation on the hibernation file and the paging file. Second, a mounted container is only as safe as the computer it is mounted on; malware on your PC reads the decrypted files exactly as you do.
    Note, in the Stratford program you can select from the main menu #7, then #12, and access a program that will create a very good random password. It is doubtful that you can remember one if you make it more than 8-10 characters, so you will need some way to keep it in machine-readable form. TrueCrypt's keyfile feature is one answer: a keyfile is any file whose contents are combined with your password, and it can live on a USB stick that you keep with you (lose the stick and the container is gone, exactly like a forgotten password, so back up the keyfile too). We have some ideas, but we suggest you read the TrueCrypt documentation.
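    The point made in step 3, that the password only unlocks a separately generated 256-bit key, is easier to see in code. The following is an added illustration written for this page; it is not TrueCrypt's code and not its on-disk format (TrueCrypt encrypts the header with XTS, while this stand-in wraps the key with a KDF-derived pad plus an HMAC tag), and the Stratford program is not involved. The KDF parameters (PBKDF2, 64-byte salt, HMAC-SHA-512, 1000 iterations) are TrueCrypt 7.1a's SHA-512 option for ordinary volumes; the sample passphrases are the page's example and a constructed weak one.

```python
"""Model of how a TrueCrypt-style container keeps the password separate from
the data key.  Added illustration only: TrueCrypt encrypts its header with
XTS, while this stand-in wraps the key with a KDF-derived pad plus an HMAC
tag.  The KDF parameters (PBKDF2, 64-byte salt, HMAC-SHA-512, 1000
iterations) are TrueCrypt 7.1a's SHA-512 option for ordinary volumes."""
import hashlib
import hmac
import math
import secrets

SALT_LEN = 64
ITERATIONS = 1000
MASTER_LEN = 32          # 256-bit data key, the default AES key size


def derive_header_key(password: str, salt: bytes) -> bytes:
    """Stretch the password: 64 bytes, first 32 wrap the key, last 32 key the tag."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                               salt, ITERATIONS, dklen=64)


def new_master_key() -> bytes:
    """The data key is random and 256 bits long regardless of the password."""
    return secrets.token_bytes(MASTER_LEN)


def wrap_master_key(master: bytes, password: str) -> bytes:
    """Build a header: salt || (master XOR pad) || HMAC tag over both."""
    salt = secrets.token_bytes(SALT_LEN)
    hk = derive_header_key(password, salt)
    wrapped = bytes(m ^ k for m, k in zip(master, hk[:MASTER_LEN]))
    tag = hmac.new(hk[MASTER_LEN:], salt + wrapped, "sha256").digest()
    return salt + wrapped + tag


def unwrap_master_key(header: bytes, password: str):
    """Return the master key, or None when the password is wrong (tag mismatch)."""
    salt = header[:SALT_LEN]
    wrapped = header[SALT_LEN:SALT_LEN + MASTER_LEN]
    tag = header[SALT_LEN + MASTER_LEN:]
    hk = derive_header_key(password, salt)
    expected = hmac.new(hk[MASTER_LEN:], salt + wrapped, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(w ^ k for w, k in zip(wrapped, hk[:MASTER_LEN]))


def change_password(header: bytes, old: str, new: str) -> bytes:
    """Re-wrap the same key under a new password; the data itself is untouched."""
    master = unwrap_master_key(header, old)
    if master is None:
        raise ValueError("old password rejected")
    return wrap_master_key(master, new)


def guess_space_bits(password: str) -> float:
    """Upper bound on brute-force work, log2(charset ** length).
    A real attacker guesses words and sentences first, so a passphrase made
    of dictionary words has far less effective entropy than this number."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33   # printable ASCII punctuation and space
    return len(password) * math.log2(size) if size else 0.0


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at the given rate; the KDF iterations are
    what keep guesses_per_second low for an offline attacker."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)


if __name__ == "__main__":
    # Constructed example values: the page's sample passphrase and a weak one.
    good = "Myfirstcar=red(1949)Chevrolet."
    weak = "chevy49"
    master = new_master_key()
    header = wrap_master_key(master, good)
    assert unwrap_master_key(header, good) == master
    assert unwrap_master_key(header, "Myfirstcar=red(1949)chevrolet.") is None
    header2 = change_password(header, good, weak)
    assert unwrap_master_key(header2, weak) == master   # same data key, new header
    for pw in (weak, good):
        bits = guess_space_bits(pw)
        print(f"{pw!r}: {bits:.0f} bits, "
              f"{years_to_exhaust(bits, 1e6):.3g} years at 1e6 guesses/s")
```

    Three things to take from it: a wrong password gives you nothing at all rather than a garbled key, changing the password re-wraps the same master key without touching the data, and the 30-character sample scores about 197 bits against a blind character-by-character search but far less against an attacker who guesses sentences, which is why the number printed is an upper bound.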

    At Stratford we believe in making many backups and we are obsessed with security. We may have some workshops in the future if there is a demand. 

    The discussion on this page is mainly about encryption. The encryption you use might be unbreakable in practice, but always keep in mind that you (and possibly others) will need access. This means there must be a 'hole' in the security: the password. The encryption, no matter how perfect, is only as good as your ability to keep the password secret and hard to guess. Products sold as 'biometric security solutions' can help with the convenience side. An example is a small USB device that you carry with you: you plug it in, enter a simple PIN like your ATM card, then press your finger on a small fingerprint reader, and the device releases the stored password. Understand what that is: the fingerprint unlocks the device, and the container is still protected by the password the device holds, so that password must still be a good one, and nothing is 'absolutely secure'. Also, unlike a password, a fingerprint cannot be changed if it is ever copied. You can 'google' for biometric password for more information.

    Again, we must stress that we are not certified for security and we do not have any security related credentials, but we do deal with hundreds of megabytes of data daily and we have done a lot of research. We want you to think of Stratford as one source of information that you can use when you decide what security procedures you will implement in order to meet your requirements under the federal HIPAA law. You do have a legal obligation to maintain adequate security for any patient information in your possession. The penalty for being lazy or careless, or 'just not wanting to bother' could be severe. Simply installing the Stratford program and doing daily data entry may not be secure enough depending on your office procedures and who has access to your computer.

    Please send any feedback to support@stratfordsoftware.com

    ********************* You do not need to read below this point *********************

    Below may be more information than you want or have time to read. The only reason for putting it here is that some people want more.

    TrueCrypt is a great program. It packages well-studied encryption algorithms (AES by default) so that anyone can use them. Is it a 'no-brainer'? No, it isn't. Not everyone will be able to use it. You will. You just need 30 minutes of uninterrupted 'quiet' time.

    TrueCrypt creates an ordinary file on your hard drive, flash memory, external drive or whatever storage you are going to use. The file is created as large as you specify, for example 700 mb. That is a good size because it easily fits on an ordinary CD, and you can use the file as your backup. How great: someone could steal your backup and they would have nothing usable! Think about all those large companies whose employees took home thousands of social security numbers on a laptop and now face a million lawsuits. They could have had strong protection for that data at no software cost.

    If you don't have any personal liability (such as an employee in a large company), it is easy to ignore security. The company is insured, right? Forget about the clients and all the people you hurt by releasing their confidential information.

    There is a way to put the TrueCrypt program on the CD or stick with your backup ('traveler mode') so that you can use the files on a different computer that does not have TrueCrypt installed. Two things to know before you count on it: traveler mode has to load TrueCrypt's device driver, so it only works if you have administrator rights on that computer, and a mounted container is exposed to whatever software is running on that computer, so never mount patient data on a machine you do not trust, and check with the hospital's IT department before plugging anything into their equipment. With that said: you can use the 'active' programs at the office, take the backup home and easily use the backup data on your home computer. You could back up onto a flash memory stick like the 'Cruzer' (4 gb at Costco for less than $100.00), take that stick to the hospital, put it in a computer at the nurse station (almost every computer has one or more USB ports available) and have all your patient information right there. You could look things up. Maybe check something before prescribing a medication. Did you know that Stratford has an excellent scheduler, Electronic Medical Record, and allergy data table? Use your imagination. Try it. Anything mentioned here would cost you less than $100.00 to test out. It could change your life and protect you from the consequences of not being in compliance with the HIPAA law. This is cheap insurance and could enhance your life at the same time.

    When you remove the flash memory, all your patient information goes with you. TrueCrypt can also be set to un-mount a volume automatically when it has not been used for some length of time, such as 3 minutes. So if you forget to take the stick, it will lock itself and your data is protected again. Of course, if an enemy sees you walk away they have those minutes to copy whatever they like, and pulling the stick while files are open can corrupt them. We recommend you never leave your patient data unattended and/or unprotected at any time, and that you un-mount before you remove the stick.

    So how does this work? What does an ordinary file have to do with encryption? What do we mean when we say you can run the Stratford program inside a file? Does that make sense? It does, but you need more information.

    TrueCrypt does a cool thing. The container is filled with what looks like random data. If you look at it with an editor like Notepad, you will see garbage; in fact a TrueCrypt container has no recognizable header at all, which is part of its design. When you run TrueCrypt and enter your password, it does not decrypt the whole file at once; it decrypts each piece as Windows reads it and encrypts each piece as Windows writes it, in memory, on the fly. Any file you put inside the container is, to you and to the Stratford program, a normal file exactly like any other file on your C: drive, while on disk it only ever exists encrypted. So how can you get your data inside a file? You need to know more.

    TrueCrypt installs a small device driver that makes Windows treat the container file as a separate hard drive. Windows assigns a drive letter to it like any other drive, for example Y:. That allows you to copy your data from C:\Stratford to Y:\Stratford with all the subdirectories. When you un-mount the Y: drive, all your files disappear and the encrypted information is not accessible to anyone, including you, until the container is mounted again with the password. You need to use some imagination here. Think about it: all your Stratford programs and your patient data inside that one file. To make a backup, you copy that one file to a CD or memory stick.

    If you have not worked with your computer on this level, you may need to try a few things. If you have not worked with a memory stick, go to Radio Shack or Costco and get a USB memory stick - do not get a USB1 device. You must get USB2 or 3. The guy at Radio Shack may even show you how to plug it into a computer and show you how Windows automatically recognizes it as a new storage device (like a hard drive).

    So let's put this together. Create the container on your hard drive and use it as your 'active' data daily. Never move it or change it. Then before going to the hospital, or in the evening before going home, un-mount the container; copying it while it is mounted gives you an inconsistent backup. Copy that file to a CD for a permanent backup. Copy it to a memory stick if you plan to use it. (The Stratford program cannot be started and used on a CD because a CD is read-only. Sorry, that is the way it works. Not our problem. Don't complain to us.) A memory stick is like an ordinary hard drive, maybe a little slower, but not in our testing.
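    The backup step above is worth checking rather than trusting, and the "looks like garbage" property from the explanation of the container is something you can test. The following is an added example written for this page, not Stratford's or TrueCrypt's code: it copies an un-mounted container file to a dated backup, verifies the copy by SHA-256, and refuses to back up a file that does not look like ciphertext (an unencrypted data file picked by mistake). The file names and the 1 MiB random stand-in for a container are constructed for the demonstration; a real container is used by passing its path to copy_and_verify.

```python
"""Sanity checks for a container backup.  Added example, not Stratford's or
TrueCrypt's code: copies the (un-mounted) container file, verifies the copy
by hash, and checks that what was copied really is ciphertext rather than an
unencrypted file picked by mistake.  Paths and sample data are constructed."""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from datetime import date

ENTROPY_FLOOR = 7.5      # bits per byte; encrypted data scores close to 8.0
SAMPLE_BYTES = 64 * 1024


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks so large containers fit."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given sample."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: str) -> bool:
    """True if the first SAMPLE_BYTES look like random data.  A TrueCrypt
    container has no plaintext header, so it scores near 8.0; patient
    records, letters and other plain files score far lower.  Compressed
    files also score high, so this catches the wrong-file mistake only."""
    with open(path, "rb") as f:
        return byte_entropy(f.read(SAMPLE_BYTES)) >= ENTROPY_FLOOR


def copy_and_verify(container: str, backup_dir: str) -> str:
    """Copy the container to backup_dir under a dated name and verify the copy.
    Run this only after the volume is un-mounted; copying a mounted container
    gives an inconsistent snapshot.  Returns the path of the verified copy."""
    if not looks_encrypted(container):
        raise ValueError(f"{container} does not look like an encrypted container")
    os.makedirs(backup_dir, exist_ok=True)
    dest = os.path.join(backup_dir,
                        f"{os.path.basename(container)}.{date.today():%Y%m%d}")
    shutil.copyfile(container, dest)
    if sha256_file(container) != sha256_file(dest):
        os.remove(dest)                      # never keep a bad backup around
        raise IOError(f"backup of {container} failed verification")
    return dest


def run_demo() -> dict:
    """Build constructed sample files in a temp directory and exercise the
    checks.  The 'container' is 1 MiB of random bytes standing in for a real
    one; the text file stands in for an unencrypted data file."""
    work = tempfile.mkdtemp(prefix="vault-demo-")
    container = os.path.join(work, "stratford.tc")
    plain = os.path.join(work, "patients.txt")
    with open(container, "wb") as f:
        f.write(os.urandom(1 << 20))
    with open(plain, "w") as f:                       # constructed sample data
        f.write("DOE,JOHN,1949-01-17,penicillin allergy\n" * 3000)
    dest = copy_and_verify(container, os.path.join(work, "backup"))
    try:
        copy_and_verify(plain, os.path.join(work, "backup"))
        plaintext_rejected = False
    except ValueError:
        plaintext_rejected = True
    result = {
        "container_encrypted": looks_encrypted(container),
        "plaintext_encrypted": looks_encrypted(plain),
        "backup_matches": sha256_file(dest) == sha256_file(container),
        "plaintext_rejected": plaintext_rejected,
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

    Keep the printed hash of the container with the backup (on paper or in a text file on the same disc); comparing it later is the only way to know that a disc or stick has not silently degraded.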

    Some comments about security methods (our opinion only. You are responsible for the method you choose to use)

    Q. Is WEP wireless security worthless?
    A. Close to it. WEP was broken years ago; freely available tools recover a WEP key from captured traffic in minutes, so it stops only someone who does not try. Do not rely on it for patient data. Use WPA2 (not 'WEP2'; there is no such standard) with a long passphrase, and treat the wireless network as untrusted regardless: the container, not the Wi-Fi, is what protects the data.

    Q. Is WinZIP encryption worthless?
    A. It depends which one. WinZip's original 'ZipCrypto' (Zip 2.0) encryption is weak and can be broken with known tools; it keeps out only the casual person. WinZip 9 and later also offer AES encryption, and with a good password 256-bit AES is a real alternative; choose it explicitly and never the legacy option. Keep in mind that a Zip archive still shows the names and sizes of the files inside even when encrypted, which a TrueCrypt container does not. AxCrypt is just as easy to use for most people and is probably better if used correctly. Note that WinZip v12 is great. Too many great features to discuss here. It is worth many times what they charge (don't tell them we said that, we don't want them to charge more). Version 12 makes a near-perfect backup onto CD/DVD. It is the greatest. We love it.



Send mail to webmaster@stratfordsoftware.com with questions or comments about this web site.
Copyrighted - all rights reserved - Stratford Software, Inc
Last modified: 09/04/13