Tables containing patient personal information.

For users or potential users.
ForrestGumpDDS
Posts: 177
Joined: Fri Oct 14, 2011 3:31 pm

Tables containing patient personal information.

Post by ForrestGumpDDS » Mon Jun 12, 2017 6:36 am

Hi guys,
I am setting up the access for the service that will get me statistics reports. Something like a dashboard where I can see office performance.
For the access, I would like to exclude the tables that will or may contain sensitive patient information, so this information would not get onto such a report by accident or on purpose.
Is there any known list of such tables?

cmcgehee
Posts: 711
Joined: Tue Aug 25, 2015 5:06 pm
Location: Salem, Oregon

Re: Tables containing patient personal information.

Post by cmcgehee » Mon Jun 12, 2017 8:28 am

There are many tables that might include personally identifiable information, and many that one might not realize (such as ehrsummaryccd or smsfrommobile). Creating a list will likely omit one or more tables that need to be included. Instead of blacklisting the tables that you allow access to your reporting service, I would recommend whitelisting a few tables and looking closely at the fields on those tables to ensure there is no sensitive patient information. However, there still may be the problem that tables important for performance metrics may have personally identifiable information contained in them; for example, the appointment.Note field may have an entry like, "Little Susie was very frightened, so her parents Greg and Linda sat in with her for the appointment."
Chris McGehee
Open Dental Software
http://www.opendental.com

jsalmon
Posts: 1551
Joined: Tue Nov 30, 2010 12:33 pm

Re: Tables containing patient personal information.

Post by jsalmon » Mon Jun 12, 2017 9:05 am

Do not recommend!!
It is not secure to expose the MySQL service to the internet (World Wide Web). Do not open the MySQL port (default is port 3306) on your routers and do not allow incoming traffic for that port.
http://www.opendental.com/manual/securitymysql.html
The best thing about a boolean is even if you are wrong, you are only off by a bit.

Jason Salmon
Open Dental Software
http://www.opendental.com

ForrestGumpDDS
Posts: 177
Joined: Fri Oct 14, 2011 3:31 pm

Re: Tables containing patient personal information.

Post by ForrestGumpDDS » Mon Jun 12, 2017 1:02 pm

cmcgehee wrote: There are many tables that might include personally identifiable information, and many that one might not realize
It's funny you mentioned it, I was just thinking how I can accidentally expose the data and came up with "notes" too.
I think we are looking to work with insurance carriers, their fees, find the most commonly done procedure, time per procedure, $$ per procedure, etc.
Basically, same as custom queries, but also make it visual and be able to monitor changes in stats over time after making adjustments.
jsalmon wrote: Do not recommend!!
It is not secure to expose the MySQL service to the internet (World Wide Web). Do not open the MySQL port (default is port 3306) on your routers and do not allow incoming traffic for that port
http://www.opendental.com/manual/securitymysql.html
No, I do not mean opening the mysql port to the outside.
Regardless of the permissions set for this job user, I will not be knowingly creating a security breach.
Most likely I'll set him up with ssh access with authorization by key (that's what I usually do for other gigs on my server). Once I see the offered scope of work, I will decide what permissions to issue the user. Probably restriction to home dir, adding appropriate permissions to its mysql user, etc.
The service will be hosted inside the office network, physically inside the office, no web exposure.
BTW, so far my outside interface is compliant with credit card processing standards. Passed the clearance that my (former) merchant service provider required us to go through :)

cmcgehee
Posts: 711
Joined: Tue Aug 25, 2015 5:06 pm
Location: Salem, Oregon

Re: Tables containing patient personal information.

Post by cmcgehee » Mon Jun 12, 2017 2:36 pm

I do commend you for wanting to limit the amount of information that a vendor has access to. Even if you trust the vendor, it is safer to just not give them the ability to breach your trust.
ForrestGumpDDS wrote: I think we are looking to work with insurance carriers, their fees, find most commonly done procedure, time per procedure, $$ per procedure etc.
Here are some tables you would probably want to give access to: carrier, insplan, inssub, patplan, fee, feesched, procedurelog, procedurecode, claimproc, adjustment, appointment, payplan, payplancharge, payment, paysplit, claimpayment. These are all the tables that affect P&I and a few others relating to insurance.
Chris McGehee
Open Dental Software
http://www.opendental.com
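
The allow-list approach discussed in this thread, as an added example that is not part of any post or of Open Dental's own code: it turns the table list suggested above into column-level MySQL `GRANT SELECT` statements and withholds free-text columns such as appointment.Note until someone has reviewed them. The database name `opendental`, the account `report_ro`, and the sample column inventory are assumptions constructed for illustration.

```python
from collections import defaultdict

# Tables suggested in the thread for fee and insurance reporting.
ALLOWED_TABLES = {
    "carrier", "insplan", "inssub", "patplan", "fee", "feesched",
    "procedurelog", "procedurecode", "claimproc", "adjustment", "appointment",
    "payplan", "payplancharge", "payment", "paysplit", "claimpayment",
}
# MySQL types that can hold free-form text such as appointment.Note.
FREE_TEXT_TYPES = {"char", "varchar", "tinytext", "text", "mediumtext", "longtext"}

# Constructed sample rows shaped like (TABLE_NAME, COLUMN_NAME, DATA_TYPE) from
# information_schema.columns; illustrative only, not the real Open Dental schema.
SAMPLE_COLUMNS = [
    ("appointment", "AptNum", "bigint"),
    ("appointment", "AptDateTime", "datetime"),
    ("appointment", "Note", "text"),
    ("fee", "Amount", "double"),
    ("carrier", "CarrierName", "varchar"),
    ("smsfrommobile", "MsgText", "text"),
    ("patient", "LName", "varchar"),
]

def build_grants(columns, approved=frozenset(), db="opendental",
                 account="'report_ro'@'localhost'"):
    """Return (grant_statements, withheld_columns) for a read-only reporting user.

    approved holds "table.column" names of text columns a person has reviewed.
    The db and account defaults are hypothetical placeholders.
    """
    granted, withheld = defaultdict(list), []
    for table, column, data_type in columns:
        if table not in ALLOWED_TABLES:
            continue  # default deny: unlisted tables get no privilege at all
        name = f"{table}.{column}"
        if data_type.lower() in FREE_TEXT_TYPES and name not in approved:
            withheld.append(name)  # needs a human look before it is exposed
        else:
            granted[table].append(f"`{column}`")
    statements = [
        f"GRANT SELECT ({', '.join(cols)}) ON `{db}`.`{table}` TO {account};"
        for table, cols in sorted(granted.items())
    ]
    return statements, withheld

if __name__ == "__main__":
    stmts, held = build_grants(SAMPLE_COLUMNS, approved={"carrier.CarrierName"})
    print("\n".join(stmts))
    print("Withheld pending review:", held)
```

Because the grants are per column, a column added to an allow-listed table later stays invisible to the reporting account until it is granted explicitly.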
