1
Security of Health Information
Nancy Clark, M.Ed.
FSU College of Medicine
http://www.med.fsu.edu/informatics
2
Objectives
1. Demonstrate knowledge of issues surrounding the privacy and security of clinical data, including:
2. Health Insurance Portability and Accountability Act (HIPAA)
3. Patient confidentiality
4. E-Mail with patients and colleagues
5. Role of technology
3
Issues
HIPAA and privacy
Threats to security and privacy
Using good passwords
Using virus software
Hardware/software options
Backing up your system
E-Mail with Patients
4
HIPAA
Health Insurance Portability and Accountability Act of 1996
1. Insurance Reform: Carry health insurance to different plans
2. Administrative Simplification: Standards for electronically stored and transmitted data
Improve efficiency of sharing health data
Protecting privacy and confidentiality
5
Security, Privacy, Confidentiality
Privacy – The Right
Right of individual to have anonymity
Confidentiality – The Expectation
Obligation of the user of an individual’s information to respect and uphold that individual’s privacy
Security – The Mechanism
Policies, procedures, mechanisms, tools, technologies, and accountability methods to support Privacy
PHI - Protected Health Information
Patient identifiable information protected (paper or electronic)
6
Illustration
Husband's note on refrigerator to his wife:
Someone from the
Gyna College called-
They said Pabst beer
is normal.
7
Compliance Deadlines
HIPAA Regulation | Compliance Date
Privacy | April 14, 2003
Transactions and Code Sets | October 16, 2003
Unique Employer Identifier | July 30, 2004
Security | April 21, 2005
8
Significance of HIPAA
What You Need to Know About HIPAA Now
“In my opinion, … the unmistakable legacy of HIPAA will be to encourage computerization of all personal health information, regardless of who creates, stores or transmits it. How else can providers meet HIPAA's exhaustive requirements … The alternative to computerizing patients' medical information will be to maintain massive paper logs kept under lock and key.”
David C. Kibbe, MD, MBA
9
Categories of Security Regulations
Administrative procedures
Contingency planning
Information access controls
Staff training
10
Categories of Security Regulations
Administrative Procedures
Physical safeguards
Medical records storage areas
Printers, copiers, fax machines
Workstations
Server locations
11
Categories of Security Regulations
Administrative Procedures
Physical safeguards
Technical security
Passwords
Authentication
Digital signatures
Firewalls
Virus protection, VPN, encryption…
12
Security – The Three “A”s
Authentication
You are who you say you are
Authorization
You can see and do what you are permitted by policy to see and do
Accountability
You are held responsible for what you see and do
13
Authentication
Passwords – simplest form of authentication
Can be very secure, but one breach can spread rapidly
Can be too secure – if you forget your password
14
Selecting Good Passwords
Using Good Passwords
Suggestions for Selecting Good Passwords
not guessable by any program
easily remembered
private
Secret
Change them regularly
15
Biometric Authentication
Identify who you are by a physical attribute
Signature
Facial Points
Voice Print
Typing Style
16
Biometric Authentication
Fingerprint
Optical, Digital
Hmmm… would someone in a hospital have access to a severed finger?
Iris
Highly accurate
Same issue as with a dead finger
Requires a camera
17
Authorization
I’m a valid user of the system, and I’ve been authenticated. I want to see EVERYTHING on EVERYONE!!!
The system can define who is authorized to see and do what
18
Authorization Models
User Based
I have certain authorization rights based on who I am as an individual
Role Based
I have authority based on my role e.g. doctor vs. nurse vs. lab technologist
Context Based
Who you are + Where you are + What you are + When you are What you are
19
Accountability
You are held responsible for what you see and do
Difficult to develop systems-based ways of ensuring accountability
An ethics problem
20
Accountability
Security can help ensure accountability
Audit Logging – “We know where you’ve been”
Password policies
Alert capabilities
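One way the user-, role- and context-based authorization models and audit logging from the slides above fit together, as an added example that is not part of the original presentation. The roles, permissions, care-team list, trusted locations and shift hours are constructed assumptions.

```python
from datetime import datetime, time

# Constructed sample policy; every name and value here is an assumption.
ROLE_PERMISSIONS = {                      # role-based: rights follow the job
    "doctor": {"lab_results", "medications", "notes"},
    "nurse": {"medications", "notes"},
    "lab_technologist": {"lab_results"},
}
USER_GRANTS = {"privacy_officer_1": {"lab_results", "notes"}}  # user-based
CARE_TEAM = {"patient-001": {"dr_lee", "nurse_kim"}}           # context: who
TRUSTED_LOCATIONS = {"ward_workstation"}                       # context: where
SHIFT_START, SHIFT_END = time(7, 0), time(19, 0)               # context: when

audit_log = []  # accountability: every decision is recorded, allowed or not


def authorize(user, role, patient, item, location, when):
    """Decide one access request and append it to the audit log."""
    if item in USER_GRANTS.get(user, set()):
        allowed, reason = True, "user-based grant"
    elif item not in ROLE_PERMISSIONS.get(role, set()):
        allowed, reason = False, "role lacks permission"
    elif user not in CARE_TEAM.get(patient, set()):
        allowed, reason = False, "not on patient's care team"
    elif location not in TRUSTED_LOCATIONS:
        allowed, reason = False, "untrusted location"
    elif not SHIFT_START <= when.time() <= SHIFT_END:
        allowed, reason = False, "outside shift hours"
    else:
        allowed, reason = True, "role and context satisfied"
    audit_log.append({"when": when.isoformat(), "user": user, "role": role,
                      "patient": patient, "item": item, "location": location,
                      "allowed": allowed, "reason": reason})
    return allowed, reason


def denied_attempts(log):
    """Entries a privacy officer would review: who tried what, and why not."""
    return [(e["user"], e["patient"], e["item"], e["reason"])
            for e in log if not e["allowed"]]


if __name__ == "__main__":
    day = datetime(2005, 4, 21, 10, 30)  # constructed timestamp
    print(authorize("dr_lee", "doctor", "patient-001", "lab_results",
                    "ward_workstation", day))
    print(authorize("dr_roe", "doctor", "patient-001", "lab_results",
                    "ward_workstation", day))
    print(denied_attempts(audit_log))
```

A doctor's role alone does not open the chart here: the request from the clinician who is not on the care team is refused and still leaves an audit entry.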
21
Ethics and Morals
One definition
Morals – choice between right and wrong
Ethics – choice between right and right
Example 1
Famous person in hospital, and you’re curious about their lab results
22
Workplace Ethics
Many people may have access to patient data
Trust
Knowledge of Rules - Training
Awareness of Consequences
23
Technology Solutions
Data Encryption
Data Aging – remove data after a certain time
Data Transmission Security – can’t move what isn’t authorized
Local Authentication
Includes time-out function
24
Threats to Data Security and Privacy
Viruses, worms, etc.
Hackers/snoopers
Crashes
Theft
Power failure/surges
Trauma/loss
25
Virus Protection
Norton
McAfee
Others - Computer Security Software
Updating
26
Unauthorized Access Protection
Firewalls
Home PC Firewall Guide
Secure Network Devices
Secure Modems
Encryption devices
Virtual Private Networks (VPN)
Introduction to Network Security
27
Hardware Solutions
UPS – uninterruptible power supply
Surge protector – power/modem
APC
Tape backup
RAID/mirrored system
Protective cases (laptops and PDAs)
Compucage
28
Backing Up Your Data
What:
email files
word processor files
databases
web bookmarks
files you directly create
Where:
Zip/Jaz disk
CD-R or RW
Compact Flash (PDA)
DVD
Tape
Remote sites
Backing up your data
29
E-Mail
30
Smart E-mailing with Patients
Tips to avoid legal problems
Get informed consent
Include instructions when and how e-mail should escalate to phone call or office visit.
Use password-protected screen savers.
Never forward patient-identifiable information to 3rd party
Never use patient's e-mail address in marketing scheme.
31
Tips to avoid legal problems
Don't share e-mail accounts with family members.
Use encryption when available and practical.
Double-check "to" fields before sending.
Commit policy decisions to writing and electronic form.
Save e-mail communication; electronically or on paper.
32
Wrap Up
Keep HIPAA on radar screen
Observe how clerkship faculty practices are dealing with security
Read policies
Ask questions
Follow as unfolds