Leveraging Technology for Release of Information
Today's Agenda
Introduction to Key Terms
Delivering Records Electronically
Methods
Which is fastest?
Pros/Cons
Using an Open Source Platform to Build Your Own Logging/Tracking System
Extra Credit Items
Scripting
Applications and Working with HIS
Ransomware
A Primer on Encryption
● What is encryption?
● How does it work?
● What's all this about bits?
  – 128 vs 256 (symmetric keys, e.g. AES) vs 1024 vs 2048 (RSA public-key moduli). The two kinds are not comparable: a 128-bit AES key is far stronger than a 1024-bit RSA key.
Components of Encryption
● Password
● Container
Paper records used to be mailed, but media needs to be encrypted, why?
Because one can be encrypted (electronic media), and the other can't (paper).
Side Bar: Password Strength
● First line of defense
● Length matters more than complexity
  – 8 characters, full keyboard (about 95 printable characters)
    ● Keyspace: 95^8 ≈ 6.6×10¹⁵ (rounded up to ~1×10¹⁶ below)
    ● Time to brute force at 49 billion guesses/s: 2.36 days
  – 20 characters, letters only, upper/lower mix
    ● e.g. PorschE HavE LambO WanT
    ● Keyspace: 52^20 ≈ 2.08×10³⁴ (2.1×10¹⁸ times larger – that's a billion billion times)
    ● Time to brute force: 4.9 billion billion days (4.94×10¹⁸)
  – Caveat: the 52^20 figure assumes the attacker treats the passphrase as 20 random letters. A passphrase made of dictionary words with a predictable capitalisation pattern is attacked word by word, so its real keyspace is roughly (dictionary size)^(number of words), many orders of magnitude below 10³⁴. Still strong, but the margin is smaller than the raw arithmetic suggests.
● For perspective, an AES-128 container key has 2^128 ≈ 3.4×10³⁸ possibilities, so in practice the password, not the cipher, is what gets attacked.
GPU Cracking
Graphics cards are relatively cheap and a single high end card has over 5,000 cores. A top end CPU has 12 to 16 cores.
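The arithmetic behind the password sidebar, as an added example (not part of the original slides): it reproduces the two keyspace figures at the slide's 49 billion guesses/s rate and adds the dictionary-attack view of the same 20-letter passphrase. With the exact 95^8 keyspace the 8-character case takes about 1.6 days; the slide's 2.36 days comes from rounding the keyspace up to 10^16. The 100,000-word dictionary size and the single known capitalisation pattern are assumptions chosen for illustration.

```python
"""Keyspace and brute-force-time arithmetic behind the password-strength sidebar.

Added example, not from the original slides. The 49 billion guesses/s rate is
the slide's figure; the dictionary size and the word-list attack model are
assumptions used for illustration.
"""
from dataclasses import dataclass
from typing import List

GUESSES_PER_SECOND = 49e9        # cracking rate quoted on the slide
SECONDS_PER_DAY = 86_400

FULL_KEYBOARD = 95               # printable ASCII: letters, digits, symbols, space
MIXED_CASE_LETTERS = 52          # a-z plus A-Z


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of a fixed length drawn uniformly from one alphabet."""
    return alphabet_size ** length


def worst_case_days(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Days to exhaust the whole keyspace at `rate` guesses per second.
    The expected time to hit one particular password is half of this."""
    return space / rate / SECONDS_PER_DAY


def passphrase_keyspace(dictionary_words: int, word_count: int,
                        case_patterns_per_word: int = 1) -> int:
    """Keyspace an attacker faces once they know the passphrase is `word_count`
    dictionary words, each in one of `case_patterns_per_word` predictable
    capitalisation styles. This models a word-list attack, not letter-by-letter
    brute force, which is why it comes out far smaller than 52**20."""
    return (dictionary_words * case_patterns_per_word) ** word_count


@dataclass
class Estimate:
    label: str
    space: int
    days: float


def compare_policies() -> List[Estimate]:
    """The slide's two figures plus the dictionary-attack view of the
    'PorschE HavE LambO WanT' style passphrase (four words, one cap pattern)."""
    eight_chars = keyspace(FULL_KEYBOARD, 8)
    twenty_letters = keyspace(MIXED_CASE_LETTERS, 20)
    # Assumption: attacker draws from a 100,000-word English list and knows the
    # capitalise-first-and-last pattern, so each word has exactly one variant.
    four_words = passphrase_keyspace(100_000, 4, case_patterns_per_word=1)
    return [
        Estimate("8 chars, full keyboard (random)", eight_chars, worst_case_days(eight_chars)),
        Estimate("20 letters, mixed case (random)", twenty_letters, worst_case_days(twenty_letters)),
        Estimate("4 dictionary words, known pattern", four_words, worst_case_days(four_words)),
    ]


if __name__ == "__main__":
    for e in compare_policies():
        print(f"{e.label:36s} keyspace={e.space:.2e}  worst-case days={e.days:.3g}")
```

The third row is the point the slide's arithmetic hides: four dictionary words with a guessable pattern still hold up for decades at this rate, but they sit about fourteen orders of magnitude below the 2×10³⁴ figure, so the length argument only fully applies when the characters are actually random.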
Delivering Records Electronically
● Patient Portals
● Secure Email
● Non-secure email
● Non-secure email with encrypted attachments*
● CD/DVD*
● Thumbdrive*
● Cloud based file services like Owncloud*
*Requires a separate (out-of-band) channel, such as a phone call, to get the password to the recipient
Getting Digital Records Digitally
You can get records electronically out
of every* electronic system, it’s just a
matter of how.
Options:
CutePDF
BioPDF
RasterPrinter
Custom Scripts
Ways:
Server Side Central
Workstation Side
Server-to-Server Scripting
Secure Email
● How it works.
– First time user email is sent asking to create an account.
– From then on, it's considered secure.
● Risks associated with secure email.
– Email is not secure*, an intercepted email could result in an attacker setting up the account.
– Email may not be private (husband and wife sharing accounts) and one or the other sets up the account.
Unsecured Email
● We clarify that covered entities are permitted to send individuals
unencrypted emails if they have advised the individual of the risk,
and the individual still prefers the unencrypted email.
– (US Department of Health and Human Services, 2013)
● We do not expect covered entities to educate individuals about
encryption technology and the [sic] information security. Rather, we
merely expect the covered entity to notify the individual that there
may be some level of risk that the information in the email could be
read by a third party.
– (US Department of Health and Human Services, 2013)
CD/DVDs
● CD/DVD Speeds: 24x 48x 52x, what does it all mean?
– 1x
● CD = 153.6 kilobytes per second
● DVD = 1,385 kilobytes per second
● Time to burn 100MB chart:
– CD @ 24x: 27s +
– CD @ 52x: 12.5s
– DVD @ 16x (fastest): 4.5s
Tools to Help Secure Files
● 7zip
– Encrypted (AES256) Self Extracting Archives (.exe)
– Encrypted zip files
● Windows BitLocker (entire drive or disc)
● Adobe Acrobat Standard (PDF password protection)
Time to Encrypt
● 33s Interact with 7zip dialog and input password
●21s to compress 100MB
●1m27s to compress 500MB
Sidebar: Self Extracting Archive vs. Encrypted Zip
Encrypted Zip
+ Portable to Windows, Mac and Linux
- Windows fails on trying to open it (Explorer's built-in zip support cannot open AES-256 encrypted zips; the recipient needs 7-Zip or another third-party tool)
- File names are not encrypted (the zip's central directory stays in the clear, so anyone holding the file can list what it contains)
- Zips can be modified without the password (entries can be added or removed without knowing it)
Self-Extracting Archive
- Only works on Windows
- Arrives as an .exe, which many email gateways block and which the recipient has to be willing to run
+ Has software built in to extract so works on any Windows system
+ All contents encrypted, file names included when 7-Zip's "Encrypt file names" option is selected
+ Can't be modified without the password
Actual Times (cumulative elapsed time)

Activity                        Time (100MB)   Time (500MB)
Insert CD                       0s             0s
CD Dialog Open                  28s            24s
Interaction w/ Dialog           34s            32s
Finish Copying File             47s            54s
Get to burn disc dialog         1:07           1:07
Burning Process                 2:20           4:50
Disk Finalized                  2:45           5:18
Reinsertion of disc to verify   3:11           5:52
Problems with CD-R and DVD-Rs
● Reliability
  – A CD-R with a high level of errors can still be readable during the verification pass performed while burning, and so gets reported as verified.
    ● May pass verification now but will be corrupt later
● Writer/CD Compatibility
  – Ever wonder why some batches keep failing?
    ● "The reason for poor performance may be related to a number of factors: Early drives do not have the laser power to calibrate on later types of discs; Drives designed for dye based discs cannot write, and often cannot read, rewritable discs; Software issues, aging parts, particularly lasers, and particular implementations may all produce inadequate results; The calibration information encoded into the polycarbonate substrate may not necessarily be precisely accurate. However, even taking these issues into account, a significant number of failures occur which are only explained as technical incompatibilities. The equipment manufacturers' slightly varied implementation of the disc read standard and the variation in the discs quality mean that a situation can occur where discs and drives are incompatible to the extent that the particular combination may produce failed discs on a particular brand, or batch, of discs."
    Risks Associated with the Use of Recordable CDs and DVDs as Reliable Storage Media in Archival Collections - Strategies and Alternatives. UNESCO, Paris 2006. http://unesdoc.unesco.org/images/0014/001477/147782E.pdf
CopySecure Encrypted Thumb Drives
● Approx. $3 to $5 per piece.
● Drive becomes read-only after writing files
  – This makes it safer to plug in at other providers*, since nothing (including malware) can be written back onto it
● Can be hospital branded
● Time to Load Files
– 10s Insert USB and Windows Recognizes it
– 20s Open CopySecure, set parameters and password
– 46s Copy 100MB file
– 93s to copy 500MB file
OwnCloud File Share
● Can be hospital branded
● Supports storage level encryption (files are encrypted at rest on the storage back end; the keys live on the ownCloud server, so this protects against a lost or exposed storage volume, not against a compromised server)
● Has policies to force a password on shared files and a maximum expiration date
● Supports files larger than 10MB (a common email attachment limit)
● Time to Load Files
– 8s copy file by drag and drop (100 MB)
– 41s copy file by drag and drop (500 MB)
– 21s to click share, set password and copy link
– Total Time: 29s (100MB), 62s (500MB)
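The "click share, set password and copy link" step timed above can be scripted against ownCloud's OCS Share API, which is what the added example below does (example code, not ownCloud's own; the server URL, service account and file path are placeholders, and the XML replies used to exercise the parser are constructed). The server's enforced-password and maximum-expiry policies still apply, and a rejected request comes back with a non-100 OCS status code.

```python
"""Scripted version of the ownCloud share step: create a public link to an
uploaded file, put a password on it and give it an expiry date, using the
OCS Share API (apps/files_sharing v1).

Added example, not ownCloud's own code. Server, account and path are
placeholders. Run the service account over HTTPS with an app password.
"""
import base64
import datetime as dt
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SHARE_TYPE_PUBLIC_LINK = 3   # OCS shareType for a public (password-protectable) link
PERMISSION_READ = 1          # read-only: recipient can download, not alter or re-share
OCS_SHARES_PATH = "/ocs/v1.php/apps/files_sharing/api/v1/shares"


def build_share_request(base_url: str, username: str, app_password: str,
                        remote_path: str, link_password: str, days_valid: int,
                        today: Optional[str] = None) -> Tuple[str, dict, bytes]:
    """Assemble (url, headers, body) without sending, so it can be inspected offline.
    `today` is an ISO date (YYYY-MM-DD) used to pin the expiry in tests."""
    start = dt.date.fromisoformat(today) if today else dt.date.today()
    expire = (start + dt.timedelta(days=days_valid)).isoformat()
    form = {
        "path": remote_path,               # path inside the account's files
        "shareType": SHARE_TYPE_PUBLIC_LINK,
        "permissions": PERMISSION_READ,
        "password": link_password,         # deliver this to the requester out of band
        "expireDate": expire,              # link dies on its own after this date
    }
    body = urllib.parse.urlencode(form).encode()
    token = base64.b64encode(f"{username}:{app_password}".encode()).decode()
    headers = {
        "OCS-APIRequest": "true",          # without this the server answers with a login page
        "Authorization": f"Basic {token}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return base_url.rstrip("/") + OCS_SHARES_PATH, headers, body


def parse_share_response(xml_text: str) -> str:
    """Return the share URL from an OCS v1 XML reply. Any status other than 100
    (e.g. a policy-enforced password or expiry rejection) raises."""
    root = ET.fromstring(xml_text)
    code = root.findtext("meta/statuscode")
    if code != "100":
        raise RuntimeError(f"OCS error {code}: {root.findtext('meta/message')}")
    url = root.findtext("data/url")
    if not url:
        raise RuntimeError("status 100 but no share URL in reply")
    return url


def create_link_share(base_url: str, username: str, app_password: str,
                      remote_path: str, link_password: str, days_valid: int = 7) -> str:
    """Send the request and return the public link to hand to the requester."""
    url, headers, body = build_share_request(base_url, username, app_password,
                                             remote_path, link_password, days_valid)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_share_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Offline demonstration: show the request that create_link_share() would send.
    url, headers, body = build_share_request("https://files.example.org", "him-release",
                                             "app-password", "/Releases/100MB.zip",
                                             "CorrectHorse-4921", days_valid=7)
    print("POST", url)
    print({k: v for k, v in headers.items() if k != "Authorization"})
    print(body.decode())
```

Splitting request assembly from sending keeps the credentials and parameters checkable before anything leaves the machine; the password itself still has to travel by a different route than the link, exactly as the slide's footnote requires.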
Results

Size    Media Type               Time to Prep/Encrypt   Time to Make Media   Total Time*
100MB   CD                       54s                    3m 11s               4m 5s
100MB   CopySecure Thumb Drive   30s                    46s                  1m 16s
100MB   Owncloud                 21s                    8s                   29s
500MB   CD                       2m                     5m 52s               7m 52s
500MB   CopySecure Thumb Drive   30s                    1m 33s               2m 3s
500MB   Owncloud                 21s                    41s                  1m 2s
Creating Your Own Logging/Tracking System
Repurposing open source projects for HIM
Components of a Tracking System
● Enter requests
– Capture date, user, status, assigned to, requester
– Generate unique ID
● Complete requests
– Attach invoices and/or letters
– Close status
– Identify delivery method
● Log Notes
Types of Open Source Systems Suitable
● ERP
– Enterprise Resource Planning
● Ticketing Systems
● CRM
– Customer Relationship Management
Repurposing SugarCRM
● SugarCRM has modules, such as:
– Tasks
– Accounts
– Contacts
– Targets
– Users
● Data is relational
● Nearly everything is configurable with a few clicks of a button.
Let's get Started
● https://sourceforge.net/projects/sugarcrm/files/latest/download?source=files
1) Download SugarCRM
2) Install
3) Go to Studio
   1) Cases
      1) Fields
         1) Add MRN
         2) Patient First Name
         3) Patient Last Name
         4) Requester ID
4) Click on user profile, Advanced Layout Options
   1) Hide unnecessary modules and toggle Module Menu Filters
5) Settings
   1) Rename Modules → Change Cases to Releases
Getting Started
Windows:
Easiest: Microsoft Web Platform
Method 2: Using IIS Walkthrough
Method 3: Walkthrough using WAMP
Mac OS X/Linux using LAMP
Notes on Customizing SugarCRM
Click on user profile, Advanced Layout Options
  Hide unnecessary modules and toggle Module Menu Filters
Settings
  Rename Modules →
    Change Cases to Releases
    Change Accounts to Requesters
Studio → Edit Releases Type
  Studio -> Fields -> Type -> Edit
  Add the following: Attorney, Subpoena, Disability, Patient (Self), Continuing Care, Insurance Claims, Insurance General.
  Save. Go back and make Continuing Care the default.
  Change Subject to MRN.
  Change Case to Request Number.
Add Fields
  First Name (Text 50)
  Last Name (Text 50)
  Due Date (Datetime - default tomorrow @ 5:00pm - required field)
  Delivery Method - New Drop Down: Fax, email, mail, portal, pickup, blank. Default: blank
  Delivery Info (Text 50)
  Requester ID (Text 50)
Modify Status Drop Down List
  Change Closed to Fulfilled
  Add Waiting for Offsite Storage
Layouts -> EditView
  Check off Sync to DetailView
  Add New Panel - Fulfillment Info
Layouts -> List View
  Change Accounts to Requesters