Leveraging Technology for Release of Information Presented By Ryan Hallman [email protected]

Today's Agenda

Introduction to Key Terms

Delivering Records Electronically

Methods

Which is fastest?

Pros/Cons

Using an Open Source Platform to Build Your Own Logging/Tracking System

Extra Credit Items

Scripting

Applications and Working with HIS

Ransomware

A Primer on Encryption

● What is encryption?

● How does it work?

● What's all this about bits?

– 128 vs 256 vs 1024 vs 2048

Components of Encryption

● Password

● Container

Paper records used to be mailed, but media needs to be encrypted. Why?

Because one can, and the other can't.

Side Bar: Password Strength

● First line of defense

● Length matters more than Complexity

– 8 characters, full keyboard

● Complexity: ~1×10¹⁶

● Time to brute force at 49 billion/s: 2.36 days

– 20 characters, alpha only, upper/lower mix

● e.g. PorschE HavE LambO WanT

● Complexity: ~2.08×10³⁴ (2.1×10¹⁸ times more complex – that's a billion billion times)

● Time to brute force: 4.9 billion billion days (4.94×10¹⁸)

● For perspective, a 128-bit AES container is 2^128, or 3.4×10³⁸
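
The arithmetic behind these figures, as an added example that is not part of the original slides: keyspace is alphabet size raised to the password length, and worst-case time is keyspace divided by the slide's 49 billion guesses per second. The 95- and 52-symbol alphabets and all function names are assumptions, and the results hold only when every character is chosen at random.

```python
import math

GUESS_RATE = 49e9          # guesses per second, the rate quoted on the slide
SECONDS_PER_DAY = 86_400


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an attacker must cover for a random password of this length."""
    return alphabet_size ** length


def days_to_exhaust(space: float, rate: float = GUESS_RATE) -> float:
    """Worst-case days to try every candidate at `rate` guesses per second."""
    return space / rate / SECONDS_PER_DAY


def min_length(alphabet_size: int, target_space: int) -> int:
    """Shortest length whose keyspace reaches `target_space`."""
    length = 1
    while keyspace(alphabet_size, length) < target_space:
        length += 1
    return length


def bits(space: int) -> float:
    """Keyspace expressed as an equivalent key size in bits."""
    return math.log2(space)


# (label, alphabet size, length): 95 = printable ASCII (assumed), 52 = a-z plus A-Z
POLICIES = [("8 chars, full keyboard", 95, 8),
            ("20 chars, mixed-case letters", 52, 20)]

if __name__ == "__main__":
    for label, size, length in POLICIES:
        space = keyspace(size, length)
        print(f"{label}: {space:.3g} candidates, {bits(space):.1f} bits, "
              f"{days_to_exhaust(space):.3g} days at 49 billion/s")
    # The slide's rounded keyspace for the 8-character case
    print(f"slide's ~1e16: {days_to_exhaust(1e16):.2f} days")
    # Length each alphabet needs before the password is as strong as a 128-bit key
    for size in (95, 52, 26):
        print(f"alphabet of {size}: {min_length(size, 2**128)} chars to reach 2^128")
```

With the exact 95⁸ the 8-character case comes to about 1.5 days; the slide's 2.36 days follows from rounding the keyspace up to 10¹⁶. A passphrase built from dictionary words has a smaller effective search space against a word-based attack than the per-character figure suggests.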

GPU Cracking

Graphics cards are relatively cheap and a single high end card has over 5,000 cores. A top end CPU has 12 to 16 cores.

Delivering Records Electronically

● Patient Portals

● Secure Email

● Non-secure email

● Non-secure email with encrypted attachments*

● CD/DVD*

● Thumbdrive*

● Cloud based file services like Owncloud*

*Requires a methodology to get password to recipient

Getting Digital Records Digitally

You can get records electronically out of every* electronic system, it’s just a matter of how.

Options:

CutePDF

BioPDF

RasterPrinter

Custom Scripts

Ways:

Server Side Central

Workstation Side

Server Server Scripting

Secure Email

● How it works.

– The first time, the user is sent an email asking them to create an account.

– From then on, it's considered secure.

● Risks associated with secure email.

– Email is not secure*; an intercepted email could result in an attacker setting up the account.

– Email may not be private (husband and wife sharing accounts), and one or the other sets up the account.

Unsecured Email

● We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.

– (US Department of Health and Human Services, 2013)

● We do not expect covered entities to educate individuals about encryption technology and the [sic] information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party.

– (US Department of Health and Human Services, 2013)

CD/DVDs

● CD/DVD Speeds: 24x 48x 52x, what does it all mean?

– 1x

● CD = 153.6 kilobytes per second

● DVD = 1,385 kilobytes per second

● Time to burn 100MB chart:

– CD @ 24x: 27s +

– CD @ 52x: 12.5s

– DVD @ 16x (fastest): 4.5s

Tools to Help Secure Files

● 7zip

– Encrypted (AES256) Self Extracting Archives (.exe)

– Encrypted zip files

● Windows Bitlocker (entire drive or disc)

● Adobe Standard

Time to Encrypt

● 33s Interact with 7zip Dialog and input password

● 21s to compress 100MB

● 1m27s to compress 500MB

Sidebar: Self Extracting Archive vs. Encrypted Zip

Encrypted Zip

+ Portable to Windows, Mac and Linux

- Windows fails on trying to open it.

- File names are not encrypted

- Zips can be modified without password

Self-Extracting Archive

- Only works on Windows

+ Has software built in to extract so works on any Windows system.

+ All contents encrypted.

+ Can’t be modified without password.

Actual Times

| Time (100MB) | Activity | Time (500MB) |
|---|---|---|
| 0s | Insert CD | 0s |
| 28s | CD Dialog Open | 24s |
| 34s | Interaction w/ Dialog | 32s |
| 47s | Finish Copying File | 54s |
| 1:07 | Get to burn disc dialog | 1:07 |
| 2:20 | Burning Process | 4:50 |
| 2:45 | Disk Finalized | 5:18 |
| 3:11 | Reinsertion of disc to verify | 5:52 |

Problems with CD-R and DVD-Rs

● Reliability

– CD-R's with a high level of errors have the ability to be read, as assessed by the verification process during burning, and considered verified.

● May pass verification now but will be corrupt later

● Writer/CD Compatibility

– Ever wonder why some batches keep failing?

● The reason for poor performance may be related to a number of factors: Early drives do not have the laser power to calibrate on later types of discs; Drives designed for dye based discs cannot write, and often cannot read, rewritable discs; Software issues, aging parts, particularly lasers, and particular implementations may all produce inadequate results; The calibration information encoded into the polycarbonate substrate may not necessarily be precisely accurate. However, even taking these issues into account, a significant number of failures occur which are only explained as technical incompatibilities. The equipment manufacturers’ slightly varied implementation of the disc read standard and the variation in the discs quality mean that a situation can occur where discs and drives are incompatible to the extent that the particular combination may produce failed discs on a particular brand, or batch, of discs.

Risks Associated with the Use of Recordable CDs and DVDs as Reliable Storage Media in Archival Collections - Strategies and Alternatives. UNESCO, Paris 2006. http://unesdoc.unesco.org/images/0014/001477/147782E.pdf

CopySecure Encrypted Thumb Drives

● Approx. $3 to $5 per piece.

● Drive becomes read-only after writing files

– This makes it secure to use at other providers*

● Can be hospital branded

● Time to Load Files

– 10s Insert USB and Windows Recognizes it

– 20s Open CopySecure, set parameters and password

– 46s Copy 100MB file

– 93s to copy 500MB file

OwnCloud

Owncloud File Share

● Can be hospital branded

● Supports storage level encryption

● Has policies to force password on shared files and max expiration date.

● Supports files larger than 10MB

● Time to Load Files

– 8s copy file by drag and drop (100 MB)

– 41s copy file by drag and drop (500 MB)

– 21s to click share, set password and copy link

– Total Time: 29s (100MB), 62s (500MB)

Results

| Size | Media Type | Time to Prep/Encrypt | Time to Make Media | Total Time* |
|---|---|---|---|---|
| 100MB | CD | 54s | 3m 11s | 4m 5s |
| 100MB | CopySecure Thumb Drive | 30s | 46s | 1m 16s |
| 100MB | Owncloud | 21s | 8s | 29s |
| 500MB | CD | 2m | 5m 52s | 7m 52s |
| 500MB | CopySecure Thumb Drive | 30s | 1m 33s | 2m 3s |
| 500MB | Owncloud | 21s | 41s | 1m 2s |

Creating Your Own Logging/Tracking System

Repurposing open source projects for HIM

Components of a Tracking System

● Enter requests

– Capture date, user, status, assigned to, requester

– Generate unique ID

● Complete requests

– Attach invoices and/or letters

– Close status

– Identify delivery method

● Log Notes

Types of Open Source Systems Suitable

● ERP

– Enterprise Resource Planning

● Ticketing Systems

● CRM

– Customer Relationship Management

Repurposing SugarCRM

● SugarCRM has modules, such as:

– Tasks

– Accounts

– Contacts

– Targets

– Users

● Data is relational

● Nearly everything is configurable with a few clicks of a button.

Let's get Started

● https://sourceforge.net/projects/sugarcrm/files/latest/download?source=files

1) Download SugarCRM
2) Install
3) Go to Studio
   1) Cases
      1) Fields
         1) Add MRN
         2) Patient First Name
         3) Patient Last Name
         4) Requester ID
4) Click on user profile, Advanced Layout Options
   1) Hide unnecessary modules and toggle Module Menu Filters
5) Settings
   1) Rename Modules→Change Cases to Releases

Notes on Customizing SugarCRM

Click on user profile, Advanced Layout Options
   Hide unnecessary modules and toggle Module Menu Filters

Settings
   Rename Modules→
      Change Cases to Releases
      Accounts to Requesters

Studio
   Edit Releases Type
      Studio->Fields->Type->Edit
      Add the following: Attorney, Subpoena, Disability, Patient (Self), Continuing Care, Insurance Claims, Insurance General.
      Save
      Go back and make Continuing Care the default
   Change Subject to MRN
   Change Case to Request Number
   Add Fields
      First Name (Text 50)
      Last Name (Text 50)
      Due Date (Datetime - default tomorrow @ 5:00pm - required field)
      Delivery Method - New Drop Down
         Fax, email, mail, portal, pickup, blank
         Default: blank
      Delivery Info (text 50)
      Requester ID (text 50)
   Modify Status Drop Down List
      Change Closed to Fulfilled
      Waiting for Offsite Storage

Layouts -> EditView
   Check off SynctoDetail
   Add New Panel - Fulfillment Info

Layouts -> List View
   Change Accounts to Requesters