September 1, 2004
by Craig Wilson
Hopefully all offices have also taken any steps suggested by their Colleges regarding computer usage. Many offices are also wondering if there is anything else that they need to do with their computer systems and electronic documents to comply with the act. Interestingly, in regards to the actual deployment and use of computers in a dental office, not much, if anything has really changed because of PIPEDA.
Before and after the introduction of the act, every dental professional in Canada was and is required to comply with the laws, rules, and codes of ethics that are appropriate to the region in which they practice. Whether it’s a provincial ‘Regulated Health Professions Act’, a ‘Dentists Act’, legislation of another name, or simply rules from the governing College, each region requires that dentists adhere to certain codes of conduct. In most (all?) cases a dentist in Canada had a responsibility to protect patient privacy long before the introduction of PIPEDA.
What the introduction of PIPEDA has done, however, is to help refocus many on the fact that patient privacy is very important, and protecting it is the responsibility of every member of the dental office team. As a result, many offices have taken another look at their computers and electronic documents in light of the PIPEDA and realized that there is more that they can do to ensure their patient’s privacy.
We’ll assume here that your office is using relatively new versions of Microsoft’s Windows operating systems. If you are using a Mac OS, UNIX, or Linux, you’ll need to adjust some of the details here to reflect your situation, but the principles remain the same. Also, if you are using Windows 95/98, you will need some third party software to be able to implement some of the items listed here.
These operating systems were intended primarily for home users, and did not include many security features. If you’re not sure, consult your computer experts. Also, keep in mind that patient privacy is your responsibility, and by extension, the security of the data on your computer network is also your responsibility. If some of what follows is a little technical don’t be afraid to ask for help. Simply pass the technical parts along to whoever it is that is responsible for the administration of your computer network.
The first line of defense in your data security plan is the physical security of your computers and network.
All of your important data is (or should be) stored on your ‘server’. This may be a dedicated computer called ‘the server’, or it may be a workstation (usually at the front desk) that also acts as ‘the server’ to the other workstations. If you have a dedicated server, it is likely situated somewhere out of the way and hopefully out of sight. From a data security point of view, it’s not important if one of your workstations is stolen or damaged (because they don’t hold any data); only whether something happens to your server. If you don’t have a dedicated server, then you obviously can’t hide it away.
Additionally, the network that connects the computers together must be secured physically. This means that you know where all of your network data drops are located and you make sure that no unauthorized computers can be connected to them without your knowledge. Don’t, for example, allow patients to connect their laptops directly to your network.
A note about wireless networks
There are only two common reasons to use a wireless network in a dental office.
1) Use of mobile devices such as tablet PCs or palm PCs
If one or more mobile devices are in use in the office, they will require a connection to a network, which follows them around. By definition, this is going to require a wireless network.
2) Difficult or impossible wiring
Some offices, especially those in converted houses might be constructed in such a way that it is difficult or nearly impossible to get cables installed in the required locations. In these situations, a wireless network might be appropriate.
Wireless networks are slower, potentially less reliable and less secure, and usually more expensive than their wired counterparts. Given the choice, it’s always best to use a cabled network.
If you are using, or plan to use, a wireless network, it’s very important that you ensure that the network is secured against access by unauthorized computers or users. Since you have only limited control over the range of a wireless network, a computer outside the office, possibly in a vehicle on the street, could potentially access your data. You must therefore encrypt the data which passes over your wireless network, and restrict access to only those machines that should have it. This is commonly done by providing an alphanumeric security ‘key’ to each authorized computer. This ‘key’ then allows authorized computers the ability to decrypt and access the resources and traffic on the network.
Most wireless routers and hubs do not have any encryption enabled by default, but all good quality ones have the ability to implement it. Make sure that whoever is responsible for the configuration of the network understands that the network should be secured, and make sure that no unauthorized computers can connect to it.
The second line of defense in your data security plan is the controlled access to your system by specific users. Requiring a userid/password combination for access limits the availability of your data to only those individuals who know a valid userid/password. In a corporate environment, all users are given their own userid/password, and it is uncommon for users to share them. In many dental offices, staff share workstations and functions, and also share userids/passwords. This is probably acceptable, as long as access control can be maintained, and at all times only legitimate users of the system can gain access to the data.
If certain users do not require access to certain data, they should not be given access to that data. Do this by giving them a different userid/password combination with different privileges. Many practice management applications make use of userids/passwords to allow various types of system access to individual users. It is therefore possible to restrict access to the entire system and access to various applications at the Windows userid/password level, and also restrict access to specific pieces of data within an application at the application level.
Don’t make the userid/password scheme so complicated that it causes problems for the users, but make sure that your scheme allows the ability to ensure that only those people who are authorized are able to access data appropriate to their job functions.
Screen savers and locked workstations
The most sophisticated password system in the world won’t help if a logged-in computer is left unattended. Locking the workstation either manually or with a screen saver after a period of inactivity prevents unauthorized access to a logged in machine.
To make changes to your ‘screen saver’ settings:
– Minimize or close all applications.
– Right-click on the background of your desktop.
– A menu appears. Select ‘Properties’ (always the last item on the list).
– You will be presented with the ‘Display Properties’ window.
– Left-Click on the ‘Screen Saver’ tab.
You are now able to make whatever changes you’d like your screen saver settings, including the length of time it takes for the screen saver to activate.
In windows NT/2000 make sure that you ‘check-off’ the option to require a password to ‘unlock’ the computer after the screen saver has blanked the screen. In most versions the option states simply ‘Password Protected’. In Windows XP, since several users could be logged in to the computer at the same time, the choice is: ‘On resume, display Welcome screen’. In all cases, the user will be required to enter their Windows password before they can use the computer again after a screen saver event.
Machines in hallways or operatories which are accessible to patients but will be left unattended should be ‘locked’ manual
ly when the operator leaves, rather than simply relying on the screen saver to lock the screen after a number of minutes. To do this in Windows NT, 2000 or XP, press CTRL-ALT-DEL and then select ‘Lock Computer’ from the window that appears. You will then be required to enter the password to ‘unlock’ the computer again.
Even when computers are in use, it’s sometimes possible for a patient or some other unauthorized person nearby to see information over the shoulder of the operator. Make this difficult to do by carefully positioning computer monitors and workstations. Front desk screens, for example, should be positioned to allow easy viewing by the front desk staff, but to not allow viewing by persons in the patient areas as well.
Workstations in hallways can be problematic. In these kinds of problem areas, the use of LCD flat panel screens instead of CRT monitors can help, since some LCD screens are difficult to see from an angle. You can also purchase ‘privacy filters’ or ‘privacy screens’ which fit over LCD or CRT screens, or even laptops. They allow a user directly in front of the screen to see it clearly, but those viewing on an angle see only a black, blank display.
In operatories, it is common that certain items are meant to be displayed to a patient on the computer display (intra-oral camera images, digital radiography images, patient education programs, etc.) while others are not (the schedule, etc.). In most cases, if both types of information will be accessed while the patient is in the room, either two display screens will be required (one for the patient and one for the operator) with different items showing on each, or a single movable display will be used (to swing between a position where the patient can see it, and where the patient can not).
Doing more to protect your data
Once all of the basic precautions have been taken as discussed above, there are a few other fairly simple things that should be done to prevent problems.
When a file server (the computer that stores all the data) is setup, the Windows user has two ‘file system’ choices available. Hard-drive partitions (the places where your programs and data are stored) can be formatted with either the FAT32 or NTFS ‘file systems’. Most of the differences are not important for the purposes of this discussion, except for the fact that NTFS volumes are far more secure. In an NTFS volume, you can control the access of specific files to specific users. You cannot do that with FAT32. If possible, store all of your data in an NTFS volume. FAT32 is fine for system files, program files, or any other files, which are not relevant to your privacy protection plan.
A backup copy of your data that leaves your office daily is an important element in your data-protection scheme. Not only would the loss of data make it very difficult to maintain normal operations in a dental office, the dentist also has a legal obligation to be able to retrieve data. However, the fact that data is leaving the office on a removable media of some kind, whether it’s a diskette, CD-ROM, DVD-ROM, tape, or hard-drive creates a potential problem from a privacy point of view.
A backup must therefore satisfy two competing requirements. 1) The backup must be easy to recover date from, and 2) the backup must be secure enough that unauthorized individuals cannot recover data from it. Unfortunately, many of the low-end backup software packages used in dental offices don’t provide data encryption natively. A solution is to package and compress your data into an encrypted file before backup, then backup the single file. A reasonably knowledgeable computer user can use some readily available utilities to create a simple routine that encrypts and backs up the data daily, with limited user intervention.
Some dentists carry a laptop with them that has a fully functional version of the applications and data which they use in their office. This allows them to not only work from home, but also use the laptop as a backup in the office if something serious prevents the use of the main computer system. All laptops have the ability to create a startup password, which disables the unit unless the operator knows the password. Be sure to use this feature. This is normally enabled by accessing the setup routine when the laptop is first turned on. Press the setup key sequence shown on the screen and follow the menus.
Craig Wilson is CEO of Compudent Systems Inc., an IT company specializing in customized computer installations for dental offices.
Where did PIPEDA come from?
Interestingly, the principles and most of the substance of the new federal PIPEDA legislation have been with us for quite some time.
On September 23, 1980 the Organization for Economic Co-operation and Development (OECD) published the ‘Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.’
The ‘Guidelines’ contained the principles that would eventually be used to create the PIPEDA legislation in Canada. The section which relates most to the current discussion is titled the ‘Security Safeguards Principle’, and stated that ‘Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.’
Canada committed itself to privacy protection in 1984 by signing the ‘(OECD) Guidelines.’
The Canadian Standards Association (CSA) began work on a ‘Model Code for the Protection of Personal Information’ at that time, and it was completed in 1996. The OECD Guidelines were used as the basis for the development of this Standard.
The ‘CSA Model Code for the Protection of Personal Information’ contains privacy principles that address the challenges faced by businesses in accommodating the personal information protection concerns of customers and employees and the varying circumstances under which personal information is collected and used for commercial purposes. It is based on the contents of the OECD ‘Guidelines’.
THE SECTION OF INTEREST IS:
Section 4.7 Principle 7 – Safeguards
4.7.3 The methods of protection should include (a) physical measures, for example, locked filing cabinets and restricted access to offices; (b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and (c) technological measures, for example, the use of passwords and encryption.
The federal government used the ‘CSA Model Code’ to draft their PIPEDA legislation, and in many cases simply copied the ‘CSA Model Code’ verbatim. The act was fully phased in by January 1, 2004.
The area of interest, Section 4.7.3 is identical in the PIPEDA as in the ‘CSA Model Code’.
Some provinces are now working on their own provincial privacy legislation. Currently, Quebec is the only province to have enacted private sector privacy legislation, but others have it in the draft stage. Regardless, as of this moment, the privacy of all Canadians is protected in one of two ways – by the federal legislation or by provincial legislation that is “substantially similar” to the federal legislation.
In addition, all dentists practicing in Canada must adhere to legislation that is specific to their particular region. Each province and territory requires that dentists adhere to certain rules and codes of conduct. In all cases, the dental professional is bound to adhere to strict guidelines regarding the privac
y of their patients personal and health information.