Resource Search Results

Encrypting Data at Rest on Servers: Implications for Health Centers (2016). Resource Type: Publication. Description: It is common practice today to encrypt data at rest, that is, data stored on servers. This is especially applicable to health centers who are less frequently actively transporting data across disparate networks. Like many smaller healthcare organizations, Health Centers are particularly vulnerable to potential attack and infiltration by data hackers for several reasons: they tend to have fewer technical support staff, resource limitations make it harder to assess, implement, and maintain safe data practices, and organizational inertia limits preventive action when no threat is perceived.  It is common practice today to encrypt data at rest, that is, data stored on servers. Like many smaller healthcare organizations, Federally Qualified Health Centers FQHC are particularly vulnerable to potential attack and infiltration by data hackers for several reasons: they tend to have fewer technical support staff, resource limitations make it harder to assess, implement, and maintain safe data practices, and organizational inertia limits preventive action when no threat is perceived. To build off an old adage, no one ever got fired for encrypting their data. But what protection does that really provide? Is just encrypting data enough? First, let’s distinguish between three methods for encrypting data at rest. Full-disk encryption. Most modern operating systems like Linux or Windows Server provide the capability to encrypt their disks in their entirety. This is accomplished with symmetric encryption whereby there is a key or passphrase that a computer operator has to enter when the disks are encrypted and when the system boots to allow access to the data. Typically, the password must be manually entered on the physical server console, though some virtualized and cloud-based environments offer remote passphrase entry and varying degrees of passphrase management and automation. With full-disk encryption, software installed on the server does not need to know or do anything special to operate normally: the operating system provides transparent access to the encrypted data as necessary with very little performance loss. But note that the initial encryption needs to be done on a new disk or set of disks as an existing disk will be wiped clean in the process. So it’s easiest to do this during an initial deployment or migration to a new server. File system encryption. Physical disks are typically divided into one or more file systems by the operating system.  As an alternative to full-disk encryption, file system encryption allows administrators to encrypt only selected file systems or even just selected folders within file systems. This makes it possible to configure a server than can boot without a passphrase; and then require a passphase only after the system is up and running and needs to access its encrypted file systems.  Similar to full-disk encryption, the encryption is transparently provided to applications by the operating system.  Unlike full-disk encryption, developers and administrators need to be careful not to store sensitive files on non-encrypted file systems. Database encryption.  Another way to encrypt data at rest is at the database level: The database software Oracle, SQL Server can provide application-level encryption. Like operating system level encryption, a key or passphrase is entered by an operator when the database starts up, after which all database operations access the encrypted data transparently hence the name: Both Oracle and Microsoft SQL Server call the feature “Transparent Data Encryption”. For servers that may store sensitive data in files outside the database, this provides less protection than encrypting the entire file system, but likely protects the most sensitive data on the system. What kind of protection does encrypting data at rest really provide? Here are a few salient points: Benefits of Encrypting Data at Rest First and foremost, encrypting data at rest protects the organization from the physical theft of the file system storage devices which is why end-user mobile devices from laptops to cell phones should always be encrypted. While this might sound unlikely, the physical disk devices are only as secure as the data center where they are located. While data center access control policy is usually quite strict, in practice it can be quite lax. Door entry can employ weak precautions like old push-button unlock devices, and the proliferation of easily-swappable modular disks for quick maintenance makes removing a disk quite easy. Encrypting data at rest can protect the organization from unauthorized access to data when computer hardware is sent for repair or discarded. Encrypting data at rest can help to satisfy information security or regulatory requirements such as the Payment Card Industry Data Security Standard PCI DSS or the Health Insurance Portability and Accountability Act HIPAA. In some deployments, the actual file system where data resides is somewhat disconnected from the server upon which applications are loaded either through the use of a storage area network SAN or cloud-based storage. This introduces the possibility that an intruder could break in to the storage subsystem but not the rest of the system. Encrypting the storage subsystem can protect against such attacks. Limitations of Encrypting Data at Rest Encryption of data at rest provides little protection against intrusions in which a hacker gains remote privileged access to a running server in which the passphrase has already been entered. Even more so, if the applications that access the encrypted files or databases web applications, query systems are not themselves secured, a hacker who penetrates one of these applications gains access to the data, whether it is encrypted or not. For database encryption, note that some database management systems only support data encryption in more advanced read more expensive versions of the software. When full-disk encryption is enabled on a physical non-virtualized server, remember that an operator – a human being – will need to type the passphrase into a console whenever the system starts up. For database-level encryption, the passphrase will need to be entered when the database starts up. While this intervention increases the level of protection, it is at the expense of convenience, as systems cannot reboot automatically without a passphrase or even without someone actually being in the server room which can be especially inconvenient if the system manager is not collocated with the hardware. File system encryption can mitigate some of these startup issues. And, of course, if that passphrase is ever lost your data will be encrypted forever. Special Considerations for Virtualized and Cloud-based Environments As mentioned, some virtualized and cloud-based environments offer remote passphrase entry and varying degrees of passphrase management and automation for full-disk encryption – but be aware that there is often a tradeoff between convenience and security with automated solutions. For example, if a cloud provider keeps your passphrase and automatically provides it to the operating system at boot time, the level of security offered by the full-disk encryption solution is largely dependent on how securely the cloud provider manages the passphrase. While encrypting data at rest can be a useful component in a data security toolbox, it must be implemented with a full understanding of the protection it does and does not provide. Organizations should consult with their vendors, data security staff, system staff, and application staff to determine an appropriate set of actions to secure institutional data. More Details...

How to Effective Manage Social Media within the Health Center Setting: A HITEQ infographic of key principles (2016). Resource Type: Publication. Description: This article written by Dr. John Halamka, CIO at Harvard Medical School and a Health IT adoption thought-leader, provides examples from the Beth Israel Deaconess Medical Center on best practices for healthcare providers in trying to manage social media efforts. This article written by Dr. John Halamka, CIO at Harvard Medical School and a Health IT adoption thought-leader, provides examples from the Beth Israel Deaconess Medical Center BIDMC on best practices for healthcare providers in trying to manage social media efforts. Topics covered include communication strategies, responding to positive and negative comments, and staff awareness. These topics, while garnered from Mr. Halamka's experience with being CIO for BIDMC  are discussed in a way that is relevant to all health care settings, including health centers. Included in this article are straightforward policies or concepts that are easily adopted into an organization's social media policies no matter what their size. Click on the link below to gain access to the related article... More Details...

Using the Systems Usability Scale to Assess Patient Portal Systems: English and Spanish Templates (2016). Resource Type: Publication. Description: When deploying personal health information systems such as patient portals Health Centers will often encounter challenges in effectively engaging their patient population. Understanding where these challenges are originating can at times be difficult to determine. One obvious area of evaluation is in determining whether the system being deployed is appropriately usable for the population. When deploying personal health information systems such as patient portals Health Centers will often encounter challenges in effectively engaging their patient population. Understanding where these challenges are originating can at times be difficult to determine. One obvious area of evaluation is in determining whether the system being deployed is appropriately usable for the population. Patient perception of the overall usability of the patient portal system can be evaluated through use of survey instruments such as the Systems Usability Scale (SUS). SUS is a well-established and validated usability scale that helps to determine the value, ease and interest of users of a particular system. Located in the Downloads section below are English and Spanish SUS survey instruments. Also located below is a link to further information on leveraging the SUS measures.  More Details...

Guide to Improving Care Processes and Outcomes in Health Centers: An approach to quality improvement (2016). Resource Type: Publication. Description: The quality improvement QI approach outlined in this Guide can be used to augment current QI approaches used in your health center, or can serve as a placeholder QI methodology when there isn’t already a robust QI process in place. It provides a framework and tools for documenting, analyzing, sharing and improving key workflows and information flows that drive performance on high-stakes care performance measures, and related improvement imperatives. This webpage provides strategies and tools that health centers and their partners can use to enhance care processes and outcomes targeted for improvement, such as hypertension and diabetes control, preventive care, and many others. More Details...

Serving Transgender and Gender Nonconforming Persons: Establishing and Improving Models of Care for Those without Homes (2016). Resource Type: Publication. Description: Drawing from current literature and interviews conducted with health centers and a social support organization, this guide provides promising practices to consider when establishing or improving upon TGNC health services, including community needs, program structure, and funding. More Details...

Safety in the Health Care for the Homeless Settings: Consumer Perceptions and Advice (2016). Resource Type: Publication. Description: Responding to the findings of a recent survey conducted by the HCH National Consumer Advisory Board, this resource provides recommendations for developing physical spaces that promote well-being, considerations for vulnerable populations, and strategies for providing workforce and staff support. More Details...

Health and Housing Partnership Profiles - Housing the First 100 Orlando FL: Case Study on Frequent User Intiatives in Orlando FL (2016). Resource Type: Publication. Description: This Profile focuses on Orlando FL, and Orange Blossom Family Health - the Healthcare for Homeless Center in Orlando as part of a series of real Health Center Case Studies engaged in effective Frequent User Initiatives in communities around the country. More Details...

A Quick Guide on Consumer Engagement in Governance of Health Care for the Homeless Programs (2016). Resource Type: Publication. Description: Health centers serving people experiencing homelessness must meaningfully involve consumers with the lived experience of homelessness in their governance, either on their governance Board or through structures like Consumer Advisory Boards. This guide provides practical tips for organizations in setting up effective, empowering consumer governance structures and supports. The ideas in this Quick Guide were developed through conversations with over 20 key informants: consumer leaders, consumer support staff, and executive leaders of HCH projects who have facilitated consumer leadership both locally and nationally. More Details...

Professional Organizations and Associations for Health IT/Quality Staff: Resource Listing and Background (2016). Resource Type: Publication. Description: This is a list of professional and industry organizations and associations that can serve as a resource for staff interested in Health IT and quality and for those wanting to become more immersed in the field. Some of these may be appropriate for staff to join. This is a list of professional and industry organizations and associations that can serve as a resource for staff interested in Health IT and quality and for those wanting to become more immersed in the field. Some of these may be appropriate for staff to join. They offer resources such as training, conferences, research, literature, networking, and in some cases, certification. More Details...

Job Postings: A template for Human Resources and Hiring Managers (2016). Resource Type: Publication. Description: The following resource provides links to organizations that include job postings for Health IT and Quality jobs. This may be helpful to those both seeking employment or simply looking to learn more about the field and the kinds of positions that are available. The following resource provides links to organizations that include job postings for Health IT and Quality jobs. This may be helpful to those both seeking employment or simply looking to learn more about the field and the kinds of positions that are available. Job titles are not standard across the industry so perusing the various job openings will give a sense of the types of functions people perform in the Health IT/Quality area. In addition, employers may post openings on many of these sites. More Details...

Coffee Break Webinar: 3 Key Lessons Learned from Conducting Needs Assessments (2016). Resource Type: Archived Webinar. Description: Join us for a Coffee Break Webinar titled “3 Key Lessons Learned Conducting Needs Assessments.” HOP provides 3 key strategies on how to plan and conduct an effective needs assessment process, and presents resources to help you on your own needs assessments. More Details...

Building Resources to Support Civil Legal Aid Access in HRSA-Funded Health Centers (2016). Resource Type: Publication. Description: This issue brief describes how health centers used supplemental funding to anchor MLP services as part of enabling services activities. It shares the experiences of health centers from Hawai’i to New Hampshire that received expanded services awards from HRSA and used them for legal-related enabling services, and extrapolates lessons for other health centers about the impact of collaborations between health centers and civil legal aid services and how to leverage funding opportunities for fostering medical-legal partnerships. More Details...

Using Health Center Needs Assessments To Address Legal Needs (2016). Resource Type: Publication. Description: This fact sheet outlines how health centers can use community needs assessments to understand and meet their patients’ health-harming civil legal needs. More Details...

Communicating Safety: English as a Second Language Health and Safety Training Materials (2016). Resource Type: Patient Material. Description: Communicating Safety: A Health and Safety English Learning Curriculum for Immigrant Workers in Agriculture is a health and safety intervention for immigrant workers. This project offers free, OSHA-approved training and educational materials that were developed using English-as-a-Second-Language (ESL) learning activities - pairing dairy safety and health content with relevant vocabulary and English language skills in a culturally and linguistically appropriate context. More Details...

Integrating Community Health Workers into Primary Care Practice: A Resource Guide for HCH Programs (2016). Resource Type: E-Learning. Description: The National HCH Council developed this resource guide to share experiences and successful recruitment and supervision strategies with other HCH projects looking to employ CHWs. This guide incorporates current research and uses feedback from administrators, supervisors, CHWs, hospital staff, community members, and clients involved in the HCIA project. More Details...

Integrated Care Teams to Improve Quality of Care: Health and Housing Integrated Care Models (2016). Resource Type: Archived Webinar. Description: A two-part webinar series to highlight models of integrated care for vulnerable populations includng models of integrated care for primary and behavioral health More Details...

Care Coordination for Individuals Experiencing Homelessness: Healing Hands (2016). Resource Type: Publication. Description: This issue of Healing Hands discusses some of the benefits of care coordination as well as ongoing and emerging challenges for implementation of care coordination initiatives, and then presents several provider case studies that highlight solutions and emerging strategies in care coordination for clients experiencing homelessness. More Details...

Health IT Staff Resume Screening Tool: A template for Human Resources and Hiring Managers (2016). Resource Type: Publication. Description: This is a list of key words and phrases that can be used to pre-screen resumes for HIT/QI jobs to help quickly identify candidates for an additional screen. More Details...

Health IT Staff Recruitment Strategies: A template for Human Resources and Hiring Managers (2016). Resource Type: Publication. Description: This resource provides ideas about the latest recruiting tips used by community health centers as well as leading organizations from other industries. Review the strategies and identify ones that could work in your organization.  Adapt them as necessary to fit your particular needs and resources. This resource provides ideas about the latest recruiting tips used by community health centers as well as leading organizations from other industries. Review the strategies and identify ones that could work in your organization.  Adapt them as necessary to fit your particular needs and resources. More Details...

Health IT Interviewing Questions: Examples for Human Resources and Hiring Managers (2016). Resource Type: Publication. Description: This resource provides a list of sample questions that can be used to interview job candidates. The questions are organized into four categories: 1) questions for HIT staff positions; 2) questions for quality improvement staff positions; 3) questions for either position; and 4) questions for senior HIT or Quality positions.   This resource provides a list of sample questions that can be used to interview job candidates. The questions are organized into four categories: 1) questions for HIT staff positions; 2) questions for quality improvement staff positions; 3) questions for either position; and 4) questions for senior HIT or Quality positions.   These questions are intended to be a menu of items that an organization can pick or choose from, adapt to meet their organization’s needs, or use to generate additional/new questions. More Details...