29/ from audience: It is possible to use a server-side plugin for audit logging. @LinearBlue makes one called fmDataGuard. @AntidoteSol hasn’t looked at it recently, has no opinion.
#FileMakerDevCon #SEC05— Anchor-Buoy Software (@anchrby) August 8, 2018
Author: Arthur
28/ Q: How long do you keep logs?
@AntidoteSol: Never get rid of them — their backups are still around somewhere. The standard is 25 years for data, but maybe not audit logs.
#FileMakerDevCon #SEC05— Anchor-Buoy Software (@anchrby) August 8, 2018
27/ Q: What standard do you use for audit trail? How long do you keep logs? what do you track?
@AntidoteSol: A solution secure today may not be secure tomorrow. Use CFR21p11 when there aren’t more specific instructions from client.
#FileMakerDevCon #SEC05— Anchor-Buoy Software (@anchrby) August 8, 2018
26/ Host on client’s servers (whether they’re local or cloud). Get cyber insurance, even if you’re not hosting data. (That should make it cheaper.)
#FileMakerDevCon #SEC05— Anchor-Buoy Software (@anchrby) August 8, 2018
25/ Working with IT Sec can be *slow*. You have 2 clients – department who wants the solution, and IT Sec. Have to be friends with both. Don’t let the bureaucracy get you down.
#FileMakerDevCon #SEC05— Anchor-Buoy Software (@anchrby) August 8, 2018
24/ Security questionnaire from client’s IT Sec is vital, get it early on in the process.
#FileMakerDevCon #SEC05— Anchor-Buoy Software (@anchrby) August 8, 2018
23/ AWS can be HIPAA Compliant. Less expensive since May 2017.
#FileMakerDevCon #SEC05— Anchor-Buoy Software (@anchrby) August 8, 2018
22/ Only sync the data the user needs from server to iPad. If user has 10 patient visits, only 10 patient records should be pulled down.
#FileMakerDevCon #SEC05— Anchor-Buoy Software (@anchrby) August 8, 2018
21/ Using #FileMakerGo, add more security:
1. `Get(PersistentID)` to be sure device is approved
2. Balance PIN v username+pwd to log in
3. Use a VPN
#FileMakerDevCon #SEC05— Anchor-Buoy Software (@anchrby) August 8, 2018
20/ Mobile: DO NOT SYNC PHI TO ICLOUD.
#FileMakerDevCon #SEC05— Anchor-Buoy Software (@anchrby) August 8, 2018
19/ Is Android secure? There’s no #FileMakerGo for Android, only WebDirect. Probably not as secure as an MDM-managed iPhone/iPad running FMGo.
#FileMakerDevCon #SEC05— Anchor-Buoy Software (@anchrby) August 8, 2018
18/ Is Mobile Data secure? Do a risk assessment, rules vary. In @AntidoteSol’s experience,iPads & iPhones are more secure out-of-the-box than a typical laptop.
#FileMakerDevCon #SEC05— Anchor-Buoy Software (@anchrby) August 8, 2018
17/ #FileMaker snapshot link doesn’t store PHI, can be attached to email to make it easy to access relevant records.
#FileMakerDevCon #SEC05— Anchor-Buoy Software (@anchrby) August 8, 2018
16/ You can send email or SMS for non-PHI, like “Doctor, your OR is ready now."
#FileMakerDevCon #SEC05— Anchor-Buoy Software (@anchrby) August 8, 2018
15/ Can you email PHI? Yes & no. `Yes` within your healthcare domain. `No` to a patient; but can use an API to interface with secure email portals and remain compliant. Same rules for SMS/MMS.
#FileMakerDevCon #SEC05— Anchor-Buoy Software (@anchrby) August 8, 2018
14/ Q: What defines an EMR now?@AntidoteSol: Used to be about going after public money. EMR v Health Record v Clinical Info gets blurry.
#FileMakerDevCon #SEC05— Anchor-Buoy Software (@anchrby) August 8, 2018
13/ What’s the goal? Certification, or compliance? Certification not available if your solution isn’t an EMR. So to achieve Compliance, MUST get info from IT Security team about compliance standards & policies.
#FileMakerDevCon #SEC05— Anchor-Buoy Software (@anchrby) August 8, 2018
12/ Restoring Data – data integrity is paramount. Encryption-at-Rest (EAR) helps to ensure that backups haven’t been modified.
#FileMakerDevCon #SEC05— Anchor-Buoy Software (@anchrby) August 8, 2018
11/ Q: How long do you keep your logs?@AntidoteSol: Until they get to big, then archive (don’t throw away). Keep your logs separate from the main file.
#FileMakerDevCon #SEC05— Anchor-Buoy Software (@anchrby) August 8, 2018
10/ Sample of audit logging code by @AntidoteSol
#FileMakerDevCon #SEC05 pic.twitter.com/haTCQUIhDo— Anchor-Buoy Software (@anchrby) August 8, 2018