
Health IT


Secure Document Storage and Sharing

Started by Kristin Johnson on 15 Apr 2011

Hi All,

Does anyone have experience with low cost strategies to securely share documents?

I work with a small NGO that provides adherence support to children with HIV in China. We are looking to identify a secure and inexpensive strategy to facilitate internal sharing of documents that contain identifiable health information. We have considered Google Docs and Dropbox; however, to my knowledge these are not HIPAA compliant.

Has anyone else encountered this issue or found a secure solution?

Appreciatively,

Kristin Johnson

Replies (15)
1

Mathias Lin

Hi Kristin,

I don't have a (low cost) solution at hand, other than http://connect.microsoft.com/LiveMesh which is a similar concept to Dropbox and probably then also doesn't match your requirements.

But I'd like to point out about your other considerations: note that both Google Docs and Dropbox are blocked in China - at least from my experience (I am based in Guangzhou, South China). If you intend to use it in China, consider a VPN provider / accounts for the users (i.e. astrill.com) - then it works.

Regards,
Mathias

10:54 AM, 15 Apr 2011 | Permalink

2

Mathias Lin

You could look into Alfresco (www.alfresco.com), which is an open source (free) document management system, has probably all you need. We've been using it in the past for client's intranet and extranet.
The software itself is free, but it needs to be hosted somewhere, this is where the costs occur.

A quick google showed me one US hosting provider at http://webrulon.com/web-hosting/specialty-hosting/alfresco-hosting/ starting at $49/month, not sure if that's something in range. And also need to check about their services (what's included/excluded, server updates and security patches, etc.?)

11:11 AM, 15 Apr 2011 | Permalink

3

Anup Akkihal

Kristin,

That's an interesting question. I don't have the answer, but it might be useful to check out http://alternativeto.net/. It helps you compare software tools that are similar -- sort of like Pandora does for songs.

For example, there are almost 19 alternatives to Dropbox: http://alternativeto.net/software/dropbox/
And 9 alternatives to Alfresco: http://alternativeto.net/software/alfresco/

Anup

11:27 AM, 15 Apr 2011 | Permalink

4

Pablo Olmos de Aguilera C.

I'll suggest to use some free software (free as in free speech) since
it'll be harder to be locked down later, indeed, virtually impossible
because you don't make free software if you plan to do that later.

Hosting today isn't too expensive, dreamhost provides around 12 usd/mo
for unlimited hosting and bandwidth. I don't have experience
installing/configuring that platform but in the long run you're going
to probably save more money using it, than putting that sensitive
information in big companies' hands (btw, you could read the ToS and
privacy policy of dropbox and google apps).

I suggest you don't use center cloud based solutions like the ones
mentioned before. You lose a lot of control over them so hosting it on
your own space is recommended ;).

Regards,
--
Pablo Olmos de Aguilera Corradini - @PaBLoX
http://www.glatelier.org/
http://www.mozillachile.org/
http://friendfeed.com/pablox/
http://www.linkedin.com/in/pablooda/
Linux User: #456971 - http://counter.li.org/

6:36 PM, 15 Apr 2011 | Permalink

5

Kristin Johnson

Hi All,

Thanks for the feedback.

We were running into the same issue with Google Docs being blocked in China. It sounds as though hosting might be the best option. It's actually more affordable than I had anticipated, and definitely worth the peace of mind in terms of document security.

Best,

Kristin

9:10 AM, 18 Apr 2011 | Permalink

6

Mikhail Elias

Privacy is a fundamental human right. Violating the right to privacy is a very serious breach of trust as well as violation of law.

No matter how well-intentioned the humanitarian initiative or NGO, there has to be an expectation that they will learn, adopt and adhere to professional standards for safeguarding health information.

Securing the privacy of health information records has to be priority #1 for any health IT initiative. It has to be budgeted for appropriately in any funding request, and the security and privacy role has to be properly staffed. Where necessary, staff should receive appropriate training. This is another area where professional training programs and credentialing for global health IT professionals is needed, and online offerings would lower the barrier considerably.

Privacy and security standards need to be adopted and adhered to by all grant-making or other funding organizations in the international health sector. Receiving grant funding should be contingent on demonstrating that a project team member has obtained the necessary professional credentials or can otherwise demonstrate evidence of equivalent training and experience in security and privacy. There also needs to be appropriate transparency into whether such standards are being met at the funder and the recipient ...

4:21 AM, 19 Apr 2011 | Permalink

7

Eduardo Jezierski

Hi Elias -
One of the challenges we currently work with at InSTEDD is helping MOHs understand that security / data breaches tend to come from within the organizations most of the time; and to help MOHs implementing ICT systems adequately flag and track PII as it flows throughout. Even mentioning basic engineering practices like threat models gets me blank stares. (in country MOHs.. and funders and 'well seasoned international health informatics professionals' alike.. a worrisome state of affairs ).

On the other side, another thing that we see lost on many techies is the field design aspects of privacy.
Engineers easily imagine hackers are going to attack your central server.
But the largest value of privacy - and the largest impact of breaching that privacy - is at the community and personal levels.

You can have the most iron clad server in the world, but then you send out e.g. patient reminders, health tips, CHW notifications etc ... and don't realize that periodically the village leader coerces the CHW into surrendering their phone and "interesting... see who is lined up for ARTs!".
Or, send out pregnancy tips without a clear opt-in process to an early mother still figuring out her situation, and the ...

5:58 AM, 19 Apr 2011 | Permalink

8

A/Prof. Terry HANNAN

This is an interesting and perceptive comment. "On the other side,
another thing that we see lost on many techies is the field design
aspects of privacy. Engineers easily imagine hackers are going to attack
your central server. But the largest value of privacy - and the largest
impact of breaching that privacy - is at the community and personal
levels."
It has been put in other ways by other authors and which I documented in
another online discussion this week.
1. "By one estimate, 85 percent of all computer security problems involve
employees in the organization." R.L. Simpson, 1996. Security threats are
usually an inside job. Nursing Management 27(December);43
Security of medical information: The threat from within. J Anderson, Maria
Brann. MD Computing. March/April 2000. 15-17

2. "The major vulnerabilities are related to inappropriate use of
patient-specific information by health workers who have access to those
data as part of their regular work. Such risks are greater when data are
stored in paper charts." (The evolution of health-care records in the era
of the Internet. EH Shortliffe. Semi-Plenary. MEDINFO Seoul, August
1998)

Terry Hannan

7:46 AM, 19 Apr 2011 | Permalink

9

Eduardo Jezierski

These sound like excellent references Terry, thanks!
Will be sure to read them when online and use them in the future.

~ej

8:07 AM, 19 Apr 2011 | Permalink

10

Yaw Anokwa

sorry to be late to the convo.

if you aren't a computer security expert, i don't think self-hosting will be a good idea -- you'll have very little idea if your system is safe or not.

https://spideroak.com/ and http://www.wuala.com/ both offer secure dropbox like file sharing. a cursory glance suggests that spideroak is the more secure of the two.

10:25 AM, 19 Apr 2011 | Permalink

11

Michelle Kiprop

Wow! What a great discussion. The point about the need for security to be
built in to every system is so critical and true. But it is also true that
we need to be aware on the community level how best to protect our
patients. I work in a small village where everyone tends to know everyone
else's business.

In the past we have worked to really do education with every staff member
about the importance of patient confidentiality. And then we have visiting
medical professionals from the west come. Sometimes these professionals
want to put all of the details of their patient encounters up on their
public websites. It is important for us as providers in the third-world to
also educate our visitors on the need to seek the patient's approval before
sharing their cases.

Thank you for bringing up this issue as it is a great one!

--
Michelle Kiprop, RN MSN
Family Nurse Practitioner
Empowering Lives International

11:43 AM, 20 Apr 2011 | Permalink

12

Heather Zornetzer

Hi Kristin,

I imagine this is a challenge for many similar groups right now.

Not sure about HIPAA compliance (or how we'd actually figure that out for
some of these first-time-use cases for those kinds of tools/services), but
you could try box.net with password protected access? An internal local
network for file sharing is the other obvious answer if you have the server
space to set that up.

Not sure if helpful, but looking forward to hearing more from others in the
community as this is a common issue.

cheers,
Heather

--
Heather Zornetzer, MS, MPH

Coordinadora de Programa, TIC para Salud | Program Coordinator, ICT for
Health
Instituto de Ciencias Sostenibles | Sustainable Sciences Institute
Managua, Nicaragua
Tel/Fax Oficina: +505 2254.7266
Cel Nicaragua (CLARO): +505.8630.7755
Cel Nicaragua (MOVISTAR): +505.8373.3647
Voicemail USA: +1.530.564.0134
Skype: hzornetzer

1:44 PM, 20 Apr 2011 | Permalink

13

Kristin Johnson

Hi Michelle,

Sorry - I pressed enter a bit too early on my prior post.

Your point about patient privacy also including staff training is critical. Thank you for bringing this up.

I have had similar field experiences - particularly, in terms of obtaining permission to use clinical data for monitoring and reporting purposes. Our NGO uses queries of its clinical database to inform internal quality improvement initiatives. We obtain permission from program participants (or their guardians) to use their information for these internal purposes. However, we are also looking into what steps would be required to share de-identified, aggregate data externally via conferences or publications. We are currently seeking IRB approval in China and the US to do so.

What approaches have others taken on this issue?

2:02 PM, 20 Apr 2011 | Permalink

14

Patricia Mertes

Michelle,
I am an FNP from Massachusetts and will be traveling to Bongoma District for the first time, next month. I will be with a friend who is from Kenya, but now lives in the US. She will be bringing me to Lukhuna and some other villages. Would love to talk with you some more about what you are doing in Kenya. Can you contact me?
Thank you!!
Patti Mertes

10:15 AM, 20 Jun 2011 | Permalink

15

Om Goeckermann

Patty and Michelle,

I and perhaps more here are vitally interested in lessons learned and how implementation works out for many unique situations.

I hope you can keep this thread alive from time to time with what you find out.

Cheers :)


Om

om

10:32 AM, 20 Jun 2011 | Permalink