Security
Security is the most important feature in counseling center software. Unfortunately, it often gets the least attention.
Some software products store data in easily accessible files, like an Access database, which can be vulnerable to data theft.
Titanium Software takes security seriously. Titanium Schedule uses Microsoft SQL Server to store your data, so users of our program
work with your center's sensitive data through the application and never need direct access to the data files. This prevents
activities like copying data files to a disk or CD, or attaching data files to an e-mail and sending them off-site.
In addition to the features discussed below, we have taken additional steps to help protect your data. Even if someone
like a hacker or disgruntled employee manages to get control of one of your workstations, it would be extremely difficult for
them to get direct access to your data from outside Titanium Schedule.
HIPAA
Titanium Schedule has HIPAA (Health Insurance Portability and Accountability Act) compliant features such as user names,
strong passwords, internal security levels, a login audit trail, an inactivity timeout, etc.
Encryption
Most of the questions we receive about HIPAA concern encrypting data. There are several places where encryption can be applied.
Password encryption:
Users' passwords must be encrypted, and this is done automatically inside Titanium Schedule.
Encryption of network traffic:
You can encrypt your data while it is being transmitted between the server and the workstation. This is a countermeasure
against packet sniffing, the unauthorized interception of data packets during transmission over the network.
According to HIPAA, this is optional if your network is closed (i.e. private wire) but is recommended if your network is open
(i.e. across the Internet). Most centers fall somewhere between a completely closed network and a completely open network. If you
want to encrypt your data while it is being transmitted, you should use IPSec (Internet Protocol Security) or a VPN
(Virtual Private Network). HIPAA states:
"When using open networks, some form of encryption should be employed. The utilization of less open systems/networks such as
those provided by a value-added network (VAN) or private-wire arrangement provides sufficient access controls to allow
encryption to be an optional feature."
IPSec (IP Security Protocol) is an extension of the IP protocol that enables secure data transfer. It provides services similar
to SSL/TLS, but at the network layer rather than the application layer. IPSec can be used to create encrypted tunnels
between networks (a VPN), known as tunnel mode, or to encrypt traffic between two hosts, known as transport mode.
Encryption of data on the hard drive:
As a countermeasure to unauthorized access to SQL Server data files on your server, you can also encrypt
those data files. There are several third-party utilities for this, or you can also use Microsoft EFS, which is built into the Windows
operating system. The links in the panel on the right describe how to accomplish this. With a properly configured SQL Server, there is no reason for any
Titanium Schedule user to have access to the underlying SQL Server data files.
Encryption of data backup copies:
You should give careful consideration to what happens to backup copies of the data from Titanium Schedule. It is up to you to decide whether the
physical security of the backup copies is sufficient. If it is not, you can employ one of many third-party utilities to
encrypt the backup copies of your data. Make sure that encrypted backups can be decrypted, if necessary, on a different computer.
Do not encrypt backups using an encryption key that is generated by and stored only on the server, because that server may not be available when
you need to decrypt a backup copy. As with all backup approaches, it is best to test your technique before relying on it:
back up your data, encrypt it, then decrypt and restore the data on another computer. Remember, if your backup encryption key is lost, your backups are useless.