Or, What the ‘strong encryption’ requirement means to Psychologists (regarding Fact Sheet #16 issued by the Information and Privacy Commissioner of Ontario).
Why I’m writing this: I have a number of friends and associates who are Certified Psychologists in Ontario, and have been asked, casually, what exactly this fact sheet means.
Bottom line: If you are a Psychologist providing health information to a health network provider, or a user of health information in the sense of PHIPA and its regulations, you need to secure all portable healthcare data as below. If you are NOT, you DO NOT have to. If you do, or if you aren’t sure, please keep reading…
[Inspired by a mail virus that’s going around, and the classic Strunk and White text, The Elements of Style]
DO NOT install random software from friends, links you get in email, ‘free’ screen savers, and the like. Less is better. Your systems will be faster and more secure, and you don’t need them. Even if they work, they are a waste of your time and system resources.
Here’s a longer aside for those of you who are thinking “But surely you don’t mean avoid installing anything?”
If you DO need something, do the research and get what you need for the time and money price you are willing to pay. (Free isn’t necessarily what’s best for you; the ‘more expensive’ package can easily be better for you in the long run.)
Here are a couple of relevant examples:
1) Web browsers: Firefox, Safari, and Chrome. Great web browsers, all free, and worth the minor work to keep them up to date. They all have their strengths; I use Firefox most often, but use both Safari and Chrome for some other tasks. (Comments are more than welcome!) Sorry, I’ve been burned too many times by Internet Explorer to want to use it, and the other browsers support a wider range of machines, since Microsoft has dropped upgrade support for older Windows versions and doesn’t support other operating systems. Your mileage may vary.
2) EVault data protection software. Yes, there are free alternatives, but for your business servers where you really, really have to be able to recover, these folks are really good. I’m no longer with the company, but I did run the engineering team for a year and a half, and I still happily recommend the products and services. The free/‘freemium’ alternatives are good as far as they go, but system restoration is tricky, and EVault gets it right. EVault software is owned, and the service operated, by i365, a Seagate company, so you know they’ll be around. Highly recommended.
I’d love to have comments on other ‘elements of security,’ so please feel free to chime in.
I just read a helpful article about tuning organizational password policy but I’m afraid it rubbed me the wrong way.
What it says is helpful and mostly good practice, but it fails to address the problem from the perspective of the users, and does the usual “well, this will be a pain for the users, but it’s good policy, so we’re recommending it,” which is one of many reasons why people hate IT departments. (I say this as a seasoned IT professional, and I hate us, too. 😉)
IF you notice that YOUR passwords violate any of these rules, chances are that they are already broken. Change them now.
To all password users, everywhere: Make your passwords unguessable as best you can. If someone guesses your password, change it. Corollary 1: Since you can’t know if someone might have guessed your password, change it from time to time. If you feel that you have to make a list of passwords, make a list of reminders, not the actual passwords, and keep it safe (not where someone can look at it without you knowing about it). More detail below.
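To make “unguessable” and “change it from time to time” concrete, here is a small checker I’ve added as an example; it is not code from the post or from the article it discusses. It flags the most common ways a password ends up guessable (a well-known word, a short length, heavy repetition, a low character-pool entropy estimate) and applies the rotation corollary as an age check. The common-password list is a constructed sample, and the thresholds (12 characters, 50 bits, 180 days) are my assumptions, not figures from the post.

```python
import math
import string
from datetime import date

# Constructed sample of commonly guessed passwords, for illustration only;
# a real deployment would check against a large breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

# Policy thresholds are assumptions for this example, not figures from the post.
MIN_LENGTH = 12
MIN_ENTROPY_BITS = 50
MAX_AGE_DAYS = 180


def charset_size(pw: str) -> int:
    """Size of the smallest standard character pool that covers every character used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # the 32 ASCII symbols
    return max(size, 1)  # avoid log2(0) for spaces-only or non-ASCII input


def entropy_bits(pw: str) -> float:
    """Optimistic strength estimate: length * log2(pool size). It assumes each
    character was drawn uniformly from the pool, which real passwords never are,
    so treat it as an upper bound rather than a guarantee."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def guessability_issues(pw: str) -> list[str]:
    """Return the reasons a password looks guessable (empty list means none found)."""
    issues = []
    lowered = pw.lower()
    base = lowered.rstrip(string.digits)  # "password1" -> "password"
    if lowered in COMMON_PASSWORDS:
        issues.append("common password")
    elif base in COMMON_PASSWORDS:
        issues.append("common password with digits appended")
    if len(pw) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(lowered)) < 4:
        # catches repetition that the entropy formula is blind to, e.g. "aaaaaaaaaaaa"
        issues.append("fewer than 4 distinct characters")
    if entropy_bits(pw) < MIN_ENTROPY_BITS:
        issues.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return issues


def needs_rotation(last_changed_iso: str, today_iso: str) -> bool:
    """The post's corollary: since you cannot know whether a password has been
    guessed, treat one older than MAX_AGE_DAYS as due for a change."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days > MAX_AGE_DAYS


if __name__ == "__main__":
    for candidate in ["password1", "aaaaaaaaaaaa", "correct-horse-battery-staple"]:
        print(f"{candidate!r}: {entropy_bits(candidate):.1f} bits, "
              f"issues={guessability_issues(candidate)}")
    print("rotate?", needs_rotation("2024-01-01", "2024-09-01"))
```

The point of running both checks is that neither alone is enough: "aaaaaaaaaaaa" clears the entropy estimate on length and pool size but fails the repetition check, while "password1" passes the repetition check and fails everything else. Whatever thresholds an organization picks, the list of issues gives users a reason they can act on rather than a bare “rejected”.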