Personal Health Information - HIPAA


Galpersonal

Hello all:



We have an application that allows medical patients to log into a web page
and view their health history from computers (Windows XP SP2) we have in the
hospital. There is concern that personal health information is stored on
the computer in cached web pages, and can be found by doing sector by sector
checking using a Hex editor (which has been done by the security department,
and has found SS#, addresses, etc. stored on the computer).



Is there a way to make sure that any information viewed from a webpage would
not stick around on the computer? They are afraid that the computer could
be stolen, brought home, and searched for personal health information.



Thanks.
 
Only if your page is Secure/Encrypted and the browser (IE) has its
advanced option "Do Not save encrypted pages to disk". But that is
an end-user setting. Personally, this is another case of "Just because
you can - doesn't mean you should". The liabilities of such an open
use of very personal data is just too risky. Keep control and don't
open a door you'll never fully close. If you do implement it, best to
increase your liability coverage and euthanize any lawyers you see
around the hospital.
 
Great advice.

We are actually thinking that it would make more sense to run an IE browser
through Citrix onto the computers. What do you think of that?
 
While you're working on the issue you might also want to consider preventing
anyone from installing a keystroke logger.

JS
 
Galpersonal said:
Hello all:

We have an application that allows medical patients to log into a web page
and view their health history from computers (Windows XP SP2) we have in the
hospital. There is concern that personal health information is stored on
the computer in cached web pages, and can be found by doing sector by sector
checking using a Hex editor (which has been done by the security department,
and has found SS#, addresses, etc. stored on the computer).

Is there a way to make sure that any information viewed from a webpage would
not stick around on the computer? They are afraid that the computer could
be stolen, brought home, and searched for personal health information.

Thanks.

Unless the patients have a discrete log in to the medical
records system, then don't do it. Stick to the old-fashioned
way...written requests on paper for medical records information
and signed receipts.
 
Shouldn't you have a system that is not viewing personal medical data
through a browser - doesn't sound very secure to me.

Nick
 
See this article for possible help:

How to prevent caching in Internet Explorer
http://support.microsoft.com/kb/234067/en-us

You say you have an application that serves up this information. I would
talk to the vendor of said app to make sure it serves up the pages so they
cannot be cached by the user's machines. And, of course, since the pages
are displayed only on hospital-controlled machines, the IT dept. can set and
lock the IE setting (in Advanced options) of not saving encrypted pages to
disk via GP. (I take it the info is being served up over HTTPS.)

Another solution would be to serve up such info via PDF and lock it down
even further by using something like -
http://www.softwarelabs.com/safelock/safelock.htm

(BTW, I'm an R.N. for over 20 years so I know the HIPAA headaches you must be
going through.)
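
Added example (not part of the original thread, and not the vendor's code): one way to check that the application's responses are served so they cannot be cached is to audit the response headers. The checks assume standard HTTP semantics for `Cache-Control`, `Pragma` and `Expires`; the function names and the two sample responses are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample responses (header block only), not captured from a real system.
GOOD = ("HTTP/1.1 200 OK\r\nCache-Control: no-store, no-cache, must-revalidate\r\n"
        "Pragma: no-cache\r\nExpires: -1\r\n")
BAD = ("HTTP/1.1 200 OK\r\nCache-Control: public, max-age=3600\r\n"
       "Expires: Thu, 01 Jan 2099 00:00:00 GMT\r\n")

def parse_headers(raw):
    """Return {lowercased header name: [values]} from a raw response header block."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def cache_findings(raw, now=None):
    """List the reasons a browser may keep this response in its disk cache."""
    now = now or datetime.now(timezone.utc)
    h = parse_headers(raw)
    directives = set()
    for value in h.get("cache-control", []):
        for d in value.split(","):
            directives.add(d.strip().lower().split("=")[0])
    findings = []
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store")
    if "public" in directives:
        findings.append("Cache-Control: public permits storage by any cache")
    pragma = [v.lower() for v in h.get("pragma", [])]
    if "no-cache" not in directives and "no-cache" not in pragma:
        findings.append("no no-cache directive in Cache-Control or Pragma")
    for value in h.get("expires", []):
        try:
            if parsedate_to_datetime(value) > now:
                findings.append("Expires is in the future")
        except (TypeError, ValueError):
            pass  # an invalid date such as "-1" or "0" counts as already expired
    return findings

if __name__ == "__main__":
    for label, raw in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, cache_findings(raw) or "no caching findings")
```

Header checks only cover what the server asks for; the locked-down browser setting described above still governs what the client actually writes to disk.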
 