3 Replies Latest reply on May 1, 2017 10:14 AM by Ryechz

    HIPAA security

    erie774im Apprentice

      I work for a hospital and, naturally, HIPAA security is of vital importance. They already use LANDESK for their incident and change tickets and will be implementing Asset and LDMS. They are using the clients (consoles) for their service desk personnel but are worried about using the Web Desk. Occasionally tickets are entered that have patient information and they are concerned that since the Web Desk is a web interface that there is a risk of violating HIPAA compliance. Is there any assurance about LANDESK and HIPAA? Does anyone in the community have any experience with using LANDESK in a medical environment and what did you do to ensure the data was safe?

        • 1. Re: HIPAA security
          erie774im Apprentice

          I was wondering if anyone had any information regarding this?

          • 2. Re: HIPAA security
            Expert

            We've had a discussion or two about potentially housing info that may fall under HIPAA in our system but I have voiced serious concerns to my management when they talk about it. I've just had too many scenarios where users were able to get into information that they shouldn't. The security and privacy features of the product are too primitive for us to put anything sensitive in it. It may be technically possible to configure it in a way that complies, but in my experience it has been one of the more painful things to configure, which isn't the way security/privacy should be.


            I've submitted a few rants about it as ERs:

            • Fix data partition security/privacy flaw when querying process
            • More robust ticket security
            • Allow raise user to view their own incidents if in a different data partition

            • 3. Re: HIPAA security
              Apprentice

              In what respect are you concerned about the data? Is it the viewing of it via a webpage that you have issues with, or how the data is stored in the database and the requirements for logging and auditing? You can have pass-through AD authentication or use explicit authentication, and you can have security groups too. You can make it so that customers can only enter data but not view it if you wanted. This way only your techs / analysts would view it. The website does have a timeout, so it does meet the automatic log off or screen lock requirement. I know it is scary, but there are a lot of hospitals using it. You should go to the user group meetings; normally there are some people there operating in this space.