Protecting Patient Data in Excel

[jk7958]

I work for a pharmacy in a state that requires all prescriptions to be written specifically for each patient. It used to be that a doctor could order hundreds of syringes for us to perform eye procedures but now the doctor has to order a syringe for each patient. So we have been trying to figure out the best way to get all the patient information over confidentially instead of requiring hundreds of little script pads.

Anyway . . . my Excel question . . . one method we were considering was having the doctor just export his patients to an excel spreadsheet, apply some sort of encryption/protection on the information, and email the document. We looked at email encryption solutions but thought it would be better to protect the information actually in the spreadsheet. I found this solution for excel http://www.iri.com/products/cellshield but was really unfamiliar with add-ins. Does anyone have any advice or have used anything like this add-in for data protection?

[abousetta]

Hello and welcome to the forum,

First, let's lay out the background...

1) Excel's internal security is easily broken (won't go into details, but it's easily done). Password protection to open the workbook, alter the sheets, etc. is all not very secure as we would have hoped.

2) There is question as to whether Excel's security meets HIPPA regulations (http://community.spiceworks.com/topi...ipaa-compliant)

3) The information within the worksheet can be encrypted at one end and decrypted at the other end using a cipher (e.g. replace all letter A with Z, etc.). Even this can be 'hacked'.

The whole point is that if someone really wants to get at this information they can. At the same time, I don't think anyone would go through all this trouble over which patient is receiving which syringe. That would probably be in a mystery novel. My bigger concern is the HIPPA compliance.

You should talk to your HIPAA enforcement office and make sure what you can and can't do with Excel. Once you know then there are many options available.

Hope this helps.

abousetta

[jk7958]

Thanks abousetta for the quick reply. I will check out that link. The HIPAA enforcement was a concern which is why we did not feel just encrypting the file or the email would be enough protection to meet the standards. We are just looking at this so we do need to conduct more research on our end with this specific method of obtaining mass levels of prescriptions.

Do you have any experience with the types of protection I referenced? Is it better just trying to write and develop my own macro or something to protect the data or would this type of protection method have some value in your experience?

[abousetta]

99.99% of the population wouldn't try to hack any file, regardless of content. My concern is more about the regulations, rather than enforcement. Excel is simple to use and most professionals can work with it. It's also available in some form in most computers and so it's a good program to use. It's just not the kind of program that you will save your company's financial records, etc. without more protection.

Without knowing more about the HIPPA regulations can tell you this from experience:

1) You have to make it as simple as possible for the user. Asking them to run a series of macros is probably not a good idea. Set up the workbook to encrypt, password protect, etc on closing the file.

2) VBA is easily hacked and therefore you shouldn't be mailing the encryption code with the file. You can have an add-in installed on the physician's computers that does all the encryption, etc. and saves the output to a macro-free file (e.g. xlsx) for emailing.

3) Before writing your cipher, check online. I'm sure there a lot of turn-key solutions available (some for money, some for free). I personally like ones that are open sourced so that I can modify according to my needs.

4) If you need additional protection, there are programs available (for money) that can add additional protection to the Excel file. That will cut down the number of people who can 'hack' the file.

There are lot of ideas about security and I'll be honest I'm not a security expert

[jk7958]

abousetta - thanks for the link. There was some good information there to at least shape some ideas around basic requirements. It looks like the encryption would need to be at least AES-256 and FIPS compliant which this company, IRI claims is in CellShield. Obviously this will take some more research but thank you for the link - it was helpful in this research.

[abousetta]

No worries. Let me know how it works out.

Good luck.

abousetta

[jk7958]

abousetta - completely understand your position and certainly not taking it as direction from a security expert. Just not knowing your expertise, I was not sure how familiar you might be with this type of stuff. I will definitely though take your statements under advisement as we continue to figure out a solution we are going to use. And we also still need to verify the compliance issues as well and confirm the nature of HIPAA compliance and these methods. Thanks again for your help and insight.

[abousetta]

I met someone a long time ago right before HIPAA was about to be enforced and she told me that a lot of people didn't understand the regulations and were scrambling at the last minute to be compliant. It's good that you are starting to ask these questions sooner than later.

Good luck.

abousetta

P.S. Disclaimer: I'm not a hacker either