Yep, Greg, that is very much the issue these days on the healthcare
side.  I can't disagree at all accordingly.  As long as the
practice/DR's are signing that they assume the risk/liability, you are
basically off the hook.

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:[email protected]

Cell:401-639-3505

 

From: [email protected]
[mailto:[email protected]] 
Sent: Monday, December 06, 2010 9:55 PM
To: NT System Admin Issues
Subject: RE: IPAD vs Android tablets

 

Not to worry, my customers beat me up much harder Z.

You have very good points regarding the security.  A simple enough
method to mitigate it is to not install Email on the device and require
them to use Outlook via the Terminal Server.  RDP would be the method,
and yes, if they stole the device, implanted a root kit, keylogger etc. on
it, they could obtain the information.   We are looking at Authentication
tokens required to TS into it, but the vendors are small.  Wyse has an
app, but we have not tested two-factor yet.  Good thing it's available on
Droid or Ipad.  Doctors do get what they want, they drive the money to
the practice, but for all their yelling and complaining, when the
Practice Admin says fine, this is what you now get paid, they start
backpedaling. :)  In the end we can simply, as we always do, define the
risks/benefits, remind them of compliance and offer them
software/hardware to meet that compliance... but in the end it's their
decision.  Not mine.

Some practices enforce those policies, others choose not to.  When it
hits the fan it will hit them in the pocketbook and I will wave my
signed document of disclosure and release of liability and help them
clean up the mess.

 

 

 

Greg Sweers

CEO

ACTS360.com <http://www.acts360.com/> 

P.O. Box 1193

Brandon, FL  33509

813-657-0849 Office

813-758-6850 Cell

813-341-1270 Fax

 

From: Ziots, Edward [mailto:[email protected]] 
Sent: Monday, December 06, 2010 10:58 AM
To: NT System Admin Issues
Subject: RE: IPAD vs Android tablets

 

Is the traffic between the EMR site and the tablet encrypted? (Proves
Confidentiality of the information being transferred between the client
and the EMR.) (IPSEC or TLS/SSLv3)

 

If emails get stored on the devices, then electronic communications
within the non-encrypted emails could contain PHI/PII or other
sensitive company communications that, if divulged to the public or a
malicious third party, could bring about information disclosure, or
breach notification laws.  Not trying to beat you up Greg, but just
because you say the users aren't sending information with HIPAA related
information anymore, doesn't mean they still aren't doing it. (We all
know folks are ignorant of policies, and/or circumvent them for various
reasons.)

 

Also, I am not sure there are any forensically sound data wiping
utilities for the IPAD/Iphone (other mobile device), therefore if they
obtain the device itself (physical theft) it's only a matter of time
before all the information on the device will be obtained. Either that or
a more sinister plot is to plant a rootkit on the device, or a backdoor
as a legit application, and re-introduce it back to the users and
monitor all the information crossing said device and glean the
information from afar, thus having complete control over the device and
obtaining multiple different sets of information, credentials, to
conduct more nefarious deeds.

 

There have been plenty of attacks against RDP accordingly (MITM, namely)
that could be brought to bear, but I would assume that's a low risk type
of attack; if they got the network between you and the EMR, you're
basically toasty anyways.

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:[email protected]

Cell:401-639-3505

 

From: [email protected]
[mailto:[email protected]] 
Sent: Monday, December 06, 2010 9:42 AM
To: NT System Admin Issues
Subject: RE: IPAD vs Android tablets

 

Heard and being addressed.  The main function is for RDP back into their
server farm to access their EMR applications while on rounds in
hospitals and doing clinics/on call.

 

Email would be the only thing to get stored on the devices and they do
not send anything HIPAA within emails anymore.

 

Greg Sweers

CEO

ACTS360.com <http://www.acts360.com/> 

P.O. Box 1193

Brandon, FL  33509

813-657-0849 Office

813-758-6850 Cell

813-341-1270 Fax

 

From: Ziots, Edward [mailto:[email protected]] 
Sent: Sunday, December 05, 2010 4:55 PM
To: NT System Admin Issues
Subject: RE: IPAD vs Android tablets

 

Honestly the security features on a lot of things Tablets are lacking,
and probably will not satisfy MASS CMR 201.17 for data encryption of
EPHI/PII, along with leaving you open for more issues within HIPAA and
the HITECH Act, therefore you might want to seriously reconsider using
these to view/store EPHI/PII. If they get lost without that data
encrypted, you have a breach on your hands and all the nasties that come
along with it.

 

So for those in the healthcare/medical areas, be very very careful, 

 

Z 

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:[email protected]

Cell:401-639-3505

 

From: Gary Slinger [mailto:[email protected]] 
Sent: Sunday, December 05, 2010 3:42 PM
To: NT System Admin Issues
Subject: Re: IPAD vs Android tablets

 

iPad. It just works. "The cost is ridiculous"? That's subjective. Either
accept it, or wait three to five years for market commoditization.
There's no right or entitlement to the tech and service being available
now. 

Redefine the need, scope and phasing, and go with what works. 

(Not an Apple fan per se, btw. /all/ my "full" computing needs are
non-Apple. But 3G/Wifi tablet? Apple). 

________________________________

From: "Mike Gill" <[email protected]> 

Date: Sun, 5 Dec 2010 12:38:43 -0800

To: NT System Admin Issues<[email protected]>

ReplyTo: "NT System Admin Issues"
<[email protected]>

Subject: RE: IPAD vs Android tablets

 

Really take a close look and spend some time with the Android devices.
As someone else mentioned, they may not have the official Android Market
Place available on that device. I purchased a smaller screen Cruz Micro
reader from Borders (Android 2.2) and it was a complete joke. Not even
Beta quality. The Cruz market only had hundreds of apps, and many that I
downloaded didn't work or told me they worked best using the roller ball
of the phone. Search of the market was non-functional, alarms could not
be unset once set, the resistive touch screen worked 2/3rd the time. I
could go on. At least they took it back.

 

This is a good read:

http://liliputing.com/2010/09/google-android-isnt-designed-for-tablets-yet.html

 

So there are a couple tablets out there that may have potential, but my
guess is most will leave people shaking their heads.

 

-- 
Mike Gill

 

From: [email protected]
[mailto:[email protected]] 
Sent: Saturday, December 04, 2010 8:25 PM
To: NT System Admin Issues
Subject: IPAD vs Android tablets

 

We are being asked to look for a tablet that is close to an IPAD.  10
inch screen, 6 to 8 hours of battery, 3G/Wifi, decent speed, 2.2 OS,
mainly being used for remote desktop to servers for Dr's in hospitals
and clinics.  The keyboard on the IPAD is really good, and the Bluetooth
add on KB works pretty decent.  The Doctors like the IPAD, but the
practice does not want to spend 800 a device.    Swappable battery would
be HUGE!

 

Anyone have comparisons or used alternatives that might meet this
application?  The Verizon tablet may be a good fit, but the smaller
screen is not high up there with the DOCS.

 

Thx

 

Greg Sweers

CEO

ACTS360.com <http://www.acts360.com/> 

P.O. Box 1193

Brandon, FL  33509

813-657-0849 Office

813-758-6850 Cell

813-341-1270 Fax

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
