[eClinicalWorks] Security
Posted: 06 October 2004 07:00 AM
eClini-Senior
Total Posts:  102
Joined  2005-01-18

That is what we are doing at the present time.

The questions you need to ask are:

1) Do you want the front staff to see how much the
entire practice is making or do you want only the
office manager to see that?? At the present time
everybody who has access to eClinicalWorks can see
this info.

2) Who posts the payments? If user1 posts the payment
and locks the payment user2 can go and delete the
claim associated with that payment? Do we want this
to happen???

3) Some of the administrative functions like Provider
info, staff info, facilities, can be updated or
deleted by anybody who has access to eClinicalWorks.
Recently one of our users deleted a facility by
accident and we had to resubmit all the claims.

4) Let us hypothetically say you have another physician
in your practice.. Do you want to let the other
physician see how much you are making? At the present
time you can do that by just running a report??

These are only some of our concerns and the list can
go on…

- Praveen

 

 

--- “John OConnor, M.D.” <droconnor@mapleleafmed.com> wrote:

> I understand the importance in levels of security. However, the way
> my office runs, I can’t see how I could not allow all employees (3
> front office, 4 nurses, 1 office manager) full access. With the
> program divided into 3 parts, for various reasons, they all need
> access to front/mid/back office in eCW.
>
> I just don’t see me limiting my front office staff to only the
> scheduling module, when they answer billing questions and fax med
> lists and recent tests to the hospital. My nurses need the insurance
> info for referrals, etc.
>
> So, even if eCW puts in elaborate security, I don’t think I’d do
> anything different.
>
> By the way, I downloaded the new ICD-9 codes and installed them in a
> snap. Boy, was that easy. Clear and simple instructions. I’m our
> practice’s “on-site” IT guy, and I’m glad I didn’t have to call in
> the professional for such, what I now know is, a simple task.
>
> Thanks to eCW support for a smooth process.
>
> Chris
>
> *************************
>
> Password Security:
>
> The questions raised about password security levels for users by
> Praveen and Kimberly are VERY important, and to my knowledge have not
> been adequately addressed by eCW here. I have assumed (always a risky
> practice) that eCW was at least as good as most other EMRs at defining
> security levels and accessibility of parts of the program to users at
> different levels; it’s pretty easy to define with a simple table, and
> when we had access to a demo I thought I saw such a table in the
> Administrative section (do not yet have the program on hand). The
> Administrator ought to be able to specify exactly which users have
> access to specific functions (e.g. types of reports); this capability
> in PMSs is far older than HIPAA.
>
> IF eCW does not have such well-defined security, then this is a
> serious omission that ought to be remedied forthwith, if necessary
> with an intermediate release (e.g. 6.5.1). Perhaps Rahul or Girish can
> clarify the situation, before the anxiety level here builds any
> further.

 



 

Post generated using Mail2Forum (http://m2f.sourceforge.net)

Posted: 08 October 2004 04:45 AM   [ # 1 ]
eClini-Geek
Total Posts:  1049
Joined  2005-01-03

Eric:

Thanks for this handy guide. Some of this we’re
already doing (the VNC stuff, the antivirus, keeping
automatically updated with Microsoft patches), some
seem like a no-brainer (I’m going to look into
limiting to outbound access with the firewall), but I
have a couple of questions.

First, the email server. Seems like an excellent idea,
and I can see how it is more secure than what we’re
setting up, but what do you think is the realistic
security threat to a small medical practice if we are
using Exchange in our main server with the McAfee spam
filtering and email mal-ware/virus protection? The
idea of the second box for mail is very appealing, and
it’s not the hardware expense I’m worried about but
rather the IT setup/maintenance expense.

Second, and I’ll show my total cluelessness here,
what’s so bad about using internet based mail? I was
under the (apparently mistaken) impression that
leaving all that mail on an internet server rather
than my local network, and being extremely careful to
only download attachments from 100% known sources, was
better. Oops?

Third. I know you’re not satisfied with our solutions,
but I was curious what you thought about the way Greg
and I and I’m sure others are handling our wireless
network security? In other words, changing the default
network naming and password to keep out the 30 second
hacks, but sticking with 128 bit WEP as our main
security. This is in a single location small office.
If it would take about a week’s worth of traffic to
break that encryption, aren’t we worlds safer than we
were with paper charts, where a crowbar and 60 seconds
have always been all that’s required to hack the
security in the past?

Thanks for your participation. It’s amazing what a
variety of useful stuff I’ve gotten from this list.

Craig


--- “Robinson, Eric” <eric@nvipa.com> wrote:

> Hi Group,
>
> For several years I was the chief network analyst for the State of
> Nevada Dept. of Transportation. I was responsible for various aspects
> of network and server security for our 1000-node statewide WAN, but
> mostly for issues related to our perimeter (firewall and DMZs), VPN,
> and intrusion detection.
>
> It is possible to have tight, smart security without great expense or
> burdensome infrastructure. Here at PSM, we now have eCW securely
> deployed to 9 geographically diverse sites in Northern Nevada. eCW has
> inherent security vulnerabilities, but they can be mitigated by a
> strong perimeter and wise practices.
>
> It is not necessary to open ANY inbound ports in your firewall or
> perimeter router.
>
> 1. When you install VNC, make sure to install ONLY the server portion,
> not the viewer or documentation. Do NOT allow it to register as a
> system service or load at startup.
>
> 2. Select “Launch VNC Server.” On the initial setup screen, give it a
> strong password and uncheck the option to listen for socket
> connections.
>
> 3. Configure your firewall to allow only HTTP and HTTPS outbound for
> all users to any address, and FTP for only certain critical users.
> This may annoy gamers, chatters, and video watchers. If you have the
> authority to do so, tell them it is a HIPAA requirement. (It is, if
> you kind of squint.) Allow outbound TCP ports 6000-9999 from any
> inside address to each of the five Class C subnets that eCW
> technicians use. They are:
>
> 202.164.102.0
> 69.3.9.0
> 66.189.29.0
> 66.189.11.0
> 68.184.37.0
>
> 4. When an eCW technician needs into your computer, select Launch VNC
> Server. This puts the VNC icon in your system tray. Right-click the
> icon and say “Add New Client.” Enter the IP address the technician
> gives you. Voilà! Now they are controlling the machine, but you
> initiated the connection. There is no vulnerability or “listening
> port” that people can see from the outside.
>
> 5. When the session is over, the technician will end the VNC session.
> Since the machine does not have a socket listening, nobody else can
> connect to the machine, even if you forget to exit VNC.
>
> 6. Do NOT use VNC for your own remote control purposes within your
> organization. Use the DameWare Mini Remote Control tool, which is more
> secure, easier to use, and ever-so-slightly more expensive than free.
> (You don’t have to license it for all of your computers. Buy one copy
> for about $100.00 and you can use it to support an unlimited number of
> desktops.) This point goes to ease of administration and support, not
> strictly to security. I often use a DameWare remote control session to
> start VNC and give eCW access. DameWare e-mails me whenever someone
> attempts to control a PC. Very cool.
>
> 7. The above steps will secure your perimeter pretty well. However,
> the ABSOLUTE BEST STEP YOU CAN TAKE TO SECURE YOUR NETWORK after
> correctly configuring your firewall is to:
>
>    A. Install your own e-mail server in a DMZ, and install a malware
>    scanner on that server. A malware scanner strips such things as
>    worms and other dangerous file attachments from e-mail messages. A
>    tech-savvy person can set up an adequate Linux server running
>    postfix, spamassassin, and anomy sanitizer for under $150.00. Our
>    DMZ mail server is a Dell 450MHz Optiplex purchased on eBay for
>    $95.00. (We have a dual-processor Dell running Microsoft Exchange
>    server inside the firewall, but such is not strictly necessary.) If
>    you’re not a Linux fan, you can still do the same thing with a
>    Windows server for under $500.00.
>
>    B. Block access to web-based e-mail services such as Yahoo Mail,
>    Hotmail, Juno, etc.
>
> 8. Make sure any Windows NT, 2000, or XP machines are set to
> automatically download and apply security patches from Microsoft.com.
>
> 9. Make everybody store their shared files on an actual file server.
> Turn off file shares on all other machines.
>
> 10. And of course, keep your antivirus scanner updated on all
> machines.
>
> Follow these 10 simple steps and you will be almost 100% safe from the
> sort of hackers who scan the Internet looking for targets of
> opportunity. (In 6 years of operation, we have not had a single
> intrusion incident or virus outbreak.) The remaining issues with
> regard to weak eCW passwords and unencrypted data are much less
> worrisome, and will be addressed in due time.
>
> --
> Eric Robinson
> Director of Information Technology
> Physician Select Management
> 775.720.2082
>
=== message truncated ===


=====
C R A I G B R A D L E Y , M D

f a m i l y m e d i c i n e , i n c l u d i n g o b s t e t r i c s

w e b l o g : http://www.drbradley.com/blog
p a t i e n t s i t e : http://www.drbradley.com


N A C O G D O C H E S

T E X A S


+ > i < j o h n 3 : 3 0
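
The outbound-only policy from step 3 of the quoted message, written as a firewall-log audit in Python. This is an added example, not code from the thread or from eCW; the inside network 192.168.1.0/24, the FTP-approved host, the key=value log format and the sample log lines are assumptions made for illustration.

```python
import ipaddress
import re

# From step 3 of the quoted post: the five eCW support Class C (/24) subnets.
ECW_SUPPORT_NETS = [ipaddress.ip_network(f"{n}/24") for n in (
    "202.164.102.0", "69.3.9.0", "66.189.29.0", "66.189.11.0", "68.184.37.0")]
WEB_PORTS = {80, 443}               # HTTP/HTTPS: all users, any address
FTP_PORT = 21                       # FTP: only certain users
SUPPORT_PORTS = range(6000, 10000)  # TCP 6000-9999, eCW subnets only

# Assumptions (not from the post): inside addressing and the FTP-approved host.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
FTP_HOSTS = {ipaddress.ip_address("192.168.1.10")}

def decide(src, dst, proto, dport):
    """Return (verdict, reason) for one new connection under the policy."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in INSIDE_NET:
        return "DENY", "inbound: no inbound ports are open"
    if proto != "tcp":
        return "DENY", "only TCP services are listed in the policy"
    if dport in WEB_PORTS:
        return "ALLOW", "web, any destination"
    if dport == FTP_PORT:
        if src in FTP_HOSTS:
            return "ALLOW", "FTP from an approved host"
        return "DENY", "FTP from a host not on the approved list"
    if dport in SUPPORT_PORTS:
        if any(dst in net for net in ECW_SUPPORT_NETS):
            return "ALLOW", "eCW support range"
        return "DENY", "6000-9999 outside the eCW support subnets"
    return "DENY", "port not in policy"

LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")
def audit(log_lines):
    """Return (line, reason) for every logged connection the policy denies."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a connection record
        src, dst, proto, dport = m.groups()
        verdict, reason = decide(src, dst, proto.lower(), int(dport))
        if verdict == "DENY":
            findings.append((line, reason))
    return findings

SAMPLE_LOG = [  # constructed lines with made-up hosts, not real traffic
    "SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP DPT=443",
    "SRC=192.168.1.23 DST=66.189.29.40 PROTO=TCP DPT=6500",
    "SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP DPT=6500",
    "SRC=192.168.1.23 DST=198.51.100.9 PROTO=TCP DPT=21",
    "SRC=192.168.1.10 DST=198.51.100.9 PROTO=TCP DPT=21",
    "SRC=203.0.113.5 DST=192.168.1.23 PROTO=TCP DPT=5900",
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

Because the post lists only TCP services, anything else (DNS over UDP, for instance) is denied here as written; a working ruleset needs an explicit rule for whatever resolver the office uses.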
