emediaPractice

A Short History of the Pass-Phrase

2011-04-28T03:25:00.000-07:00

Clearly, to protect data it should be encrypted. emediaPractice knows which data to encrypt to avoid wholesale encryption which could be costly or dangerous. If encrypting every single piece of data is to be done with software, a very flexible way then processing all that data requires CPU power. That's the cost. If encrypting is to be done at the hardware level then there is little flexibility for changing the key (pass-phrase) and quite a cost when the disk crashed and the data (encrypted) is difficult to recover.

emediaPractice encrypts onlt the Identifiable Patient Health Information (iPhi). Patient and Insurance iPhi data fields, as well as selected documents (images and PDF) are encrypted with a 32-character long key only the clinic's administrator knows and can change.

The pass-phrase itself is located in a memory table which goes away when the plug is powered off. That makes it difficult if not totally impossible to decipher the data on disk remotely.

But how do you select a good pass-phrase and remember it without writing it down? You don't :)

Spies have always used a very simple method to manage pass-phrases (codes) without transmitting anything except once. They rely on a book. You can do the same. Pick up your favorite Medical Book, probably published by your Medical Association and each month use the first sentence of a new chapter. For example, chapter I for January, chapter II for February,etc... or whatever variation you might think of.

Don't tell anyone about the book!

See us at www.emediaboard.com

TFA

2011-03-29T08:08:00.000-07:00

Tow Factor Authentication (FTA) is a HIPAA requirement even for on-site servers if they are accessed through wireless connections.

One well known and used factor is the password... something you know. But to be fully authenticated a user should provide another form (factor) of authentication: something user "has", or something user "is". The "is" factor could be finger prints, or DNA... not real easy. The "has" factor such as a USB key, a card has been resisted by users.

With the plug we found a great source of "has" factor. In our emediaPractice Plug implementation, each plug can create, using a simple PHP script a grid, like a crossword grid of 10 by 10 with 100 random combinations of 4 (or more if we want) characters (letters and digits). These grids are printed business card size and given to each authorized user.

When we present the emediaPractice authentication form it shows a random grid cell (say A6) and the user must enter the 4-character code printed in that cell on the grid he/she "has". That simple.

I have been told Swiss banks use that method to authenticate users. That's a pretty good reference to me!

See us at www.emediaboard.com

Here comes the plug

2011-03-27T03:24:00.000-07:00

Plugs have been around for several years already. Mostly used for personal home applications they look like power supplies. In fact they are powerful web servers in-hiding.

The plug we are using has a LAN connector and a USB 2.0 port to which we fit an external SATA disk drive. A drive with 500gigs can store several thousands patients' records for a lifetime.

Our emediaPractice EMR solution is now totally based on Tonido plugs.

See us at www.emediaboard.com

Background

2011-03-27T02:57:00.000-07:00

This post is a bit historical.

Last year we started a project for a group of Ophthalmologists. Ophthalmology is a medical specialty we know fairly well. Our CTO was the first CIO/CTO of the famed American Association of Ophthalmology, the AAO.

The solution we created is based on openEMR, a well respected Open Source, LAMP based EMR solution. The group needed some adaptations and many enhancements. We also needed to add some HIPAA compliance features which we did.

In September 2010 the project went life near San Diego and has been up and running since that time.

In November 2010 we started an independent work to port emediaPractice to ARM-based plugs, make the product more resilient by adding automated backup and Business Continuity without the need to either costly equipment, or costly on-going support. We also added generic forms for other medical specialties.

See us at www.emediaboard.com