introduction to healthcare information technology chapter seven basic healthcare information...
TRANSCRIPT
Introduction to Healthcare Information Technology
Chapter SevenBasic Healthcare Information Security
Introduction to Healthcare Information Technology
Objectives
• Define information security• List and describe the different elements of physical
security• Explain how computer security can protect data• Describe different types of data backups
2
Introduction to Healthcare Information Technology
Healthcare IT: Challenges and Opportunities
• The need for security is a significant aspect of life today– Personal physical security– Security of our information
• Defending against information attacks– Particularly important in the healthcare industry
• HIPAA provides for significant penalties for unauthorized disclosure of protected patient information
3
Introduction to Healthcare Information Technology 4
What Is Information Security?
• Describes tasks of securing information that is in a digital format
• Information security protection goals– Confidentiality
• Only authorized parties can access information– Integrity
• Ensures information is correct– Availability
• Data is accessible to authorized users
Introduction to Healthcare Information Technology 5
What Is Information Security? (cont’d.)
• Goals apply to devices that store, manipulate, and transmit the information
• Information security is achieved through:– Products– People– Procedures
Introduction to Healthcare Information Technology
Physical Security
• Involves securing devices so unauthorized users cannot access them
• Physical access security includes:– Securing the environment, office hardware, and
equipment– Regulating access
8
Introduction to Healthcare Information Technology
Environment
• Securing the surrounding environment– First step in physical security– Achieved with security guards in the past
• Security technology tools– Lighting and fencing– Video surveillance– Fire suppression equipment– Backup power generators– HVAC
9
Introduction to Healthcare Information Technology
Environment (cont’d.)
• Security perimeter– Can include a barrier, such as fencing– Often consists of a fence together with other
deterrents• Security lighting can be installed on:
– Poles– Building exteriors– Canopies– Landscaping
10
Introduction to Healthcare Information Technology
Environment (cont’d.)
• Video surveillance– Monitoring activity with a video camera
• Closed circuit television (CCTV)– Using video cameras to transmit a signal to a
specific set of receivers– Cameras may be fixed or allow movement– Used in banks, casinos, airports, and military
installations
12
Introduction to Healthcare Information Technology
Environment (cont’d.)
• Fire suppression– Fire represents a constant threat to people and
property• Four required entities for fire to occur
– Fuel– Oxygen– Heat– Chemical reaction
13
Introduction to Healthcare Information Technology
Environment (cont’d.)
• Types of stationary fire suppression systems– Water sprinkler systems– Dry chemical systems– Clean agent systems
• Power generator– Backup generator to be used in event of power loss– Can be powered by diesel, natural gas, or propane
16
Introduction to Healthcare Information Technology 17
Environment (cont’d.)
• Heating, ventilation, and air conditioning (HVAC)– Control and maintenance of temperature and
humidity levels– Can reduce electrostatic discharge which can
damage equipment• Data closets
– Rooms that house computer systems and network equipment
– Typically have special cooling requirements
Introduction to Healthcare Information Technology
Office Hardware
• Privacy screen– Freestanding panel to divide a work area– Also refers to a cover over a computer monitor to
create a narrow viewing angle• Residential hardware door lock types
– Keyed entry locks– Privacy locks– Patio locks– Passage locks– All provide minimal security
18
Introduction to Healthcare Information Technology
Office Hardware (cont’d.)
• Deadbolt locks– Often used in commercial buildings– Solid metal bar extends into door frame– More difficult to defeat than keyed entry locks
19
Figure 7-4 Deadbolt lock
© Cengage Learning 2013
Introduction to Healthcare Information Technology
Equipment
• Network hardware should be located behind a locked door
• Uninterruptible power supply (UPS)– Device that maintains power to the equipment in
case of interruption in main power– Offline UPS (standby mode)
• Can quickly begin supplying power when needed– Online UPS
• Always running off its battery while the main power runs the battery charger
• Not affected by dips or sags in voltage
20
Introduction to Healthcare Information Technology
Equipment (cont’d.)
• UPS systems can communicate with network operating system on a server to ensure orderly shutdown occurs
• Important to secure office imaging equipment– Attackers could access images in digital memory
21
Introduction to Healthcare Information Technology
Regulating Access
• Disadvantages of using keys to access a secured area– Keys must be managed– Keys can be lost, stolen, or duplicated– Keys must be securely stored
• Cipher lock system– Alternative to a key lock– Push-button code required to open the door
22
Introduction to Healthcare Information Technology
Regulating Access (cont’d.)
• Types of physical tokens– ID badge containing bearer’s photograph– ID with barcode that is “swiped”– ID badge read by a proximity reader – RFID tags read by an RFID proximity reader– Electronic keyfob (automobile keyless entry)
• Biometrics– Uses person’s unique physical characteristics to
authenticate– Example: fingerprint scanner
23
Introduction to Healthcare Information Technology
Regulating Access (cont’d.)
• Types of fingerprint scanners– Static
• User places entire finger on scanner window– Dynamic
• User slides finger across reader
• Disadvantages to standard biometrics– Cost– Not 100% accurate
25
Introduction to Healthcare Information Technology
Computer Security
• Providing security for data stored on a computer– Critical function for a healthcare IT professional
• Aspects of computer security– Password security– Computer permissions– Defending against common security risks
26
Introduction to Healthcare Information Technology
Passwords
• Secret combination of letters, numbers, and characters that only the user should know
• Most common type of authentication today• Offer weak protection• Password weaknesses
– Relies on human memory– Long and complex passwords difficult to recall– Users must recall passwords for many different
accounts
27
Introduction to Healthcare Information Technology
Passwords (cont’d.)
• Password defenses– Creating and managing strong passwords
• Creating strong passwords– Most passwords consist of a root word and a suffix
or prefix• Guidelines for creating strong passwords
– Do not use dictionary or phonetic words– Do not use personal information– Do not repeat characters or use sequences– Use long passwords (12 characters or more)
28
Introduction to Healthcare Information Technology
Passwords (cont’d.)
• Another way to make passwords stronger– Use non-keyboard characters– Create by holding down ALT key and simultaneously
pressing a number on the numeric keypad• Good password management
– Change passwords frequently– Do not reuse old passwords– Never write a password down
29
Introduction to Healthcare Information Technology
Passwords (cont’d.)
• Good password management (cont’d.)– Have a unique password for each account– Set up a temporary password for the case when
another user needs to access your account– Do not allow a computer to automatically sign in or
store password so that a login is unnecessary– Do not enter passwords on public computers– Never share a password with another person
31
Introduction to Healthcare Information Technology
Passwords (cont’d.)
• Password supplements– Autocomplete passwords used in modern browsers
• Stored encrypted in the Microsoft Windows registry– Password management applications
• Digital equivalent of a written sticky note
32
Introduction to Healthcare Information Technology
Permissions
• Identification– Example: delivery person ID badge
• Authentication– Process of checking the identification
• Authorization– Granting permission to take action
34
Introduction to Healthcare Information Technology
Permissions (cont’d.)
• One type of computer access control– Objects (such as files) given an owner– Access control list defines who is allowed to access
the object– Types of access permissions
• Read, write, modify, full control, read and execute
• Least privilege– Allocate minimum amount of privileges needed to
perform the job
35
Introduction to Healthcare Information Technology
Common Security Risks
• Malware– Software that enters a computer system without the
user’s knowledge or consent– Performs an unwanted or harmful action
• Types of malware– Viruses– Worms– Spyware
37
Introduction to Healthcare Information Technology
Common Security Risks (cont’d.)
• Virus– Computer code that reproduces itself on the same
computer• Worm
– Malicious program designed to take advantage of a vulnerability in an application or operating system
– Uses a network to send copies of itself to other network devices
• Spyware– Software that gathers information on users without
consent38
Introduction to Healthcare Information Technology
Common Security Risks (cont’d.)
• Social engineering– Means of gathering information for an attack by
relying on weaknesses of individuals– Clever manipulation of human nature to persuade
the victim to provide information or take actions• Phishing
– Sending a deceptive e-mail that claims to be from a legitimate enterprise• Attempts to trick user into surrendering private
information
40
Introduction to Healthcare Information Technology
Common Security Risks (cont’d.)
• Key defense against fishing– Provide security awareness and training to users
• Spamming– Unsolicited e-mail– Used for advertising or distributing malware– Profit for spammers can be substantial
• E-mail spam filters attempt to block spam before it reaches the host
41
Introduction to Healthcare Information Technology 42
Data Backups
• Copying digital information to different medium– Stored separately so it can be used in event of a
disaster• Disaster recovery plan answers five basic
questions:– What information should be backed up?– How often should it be backed up?– What media should be used?– Where should the backup be stored?– What hardware or software should be used?
Introduction to Healthcare Information Technology 43
Data Backups (cont’d.)
• Archive bit– Used to flag which files need to be backed up
• Types of backups– Full or daily backup– Differential backup– Incremental backup
• Backups should be stored at a separate location– Reduces risk of backup being destroyed in a disaster
Introduction to Healthcare Information Technology
Summary
• Information security creates a defense to ward off attacks designed to steal information
• Three types of protections– Confidentiality– Integrity– Availability
• Securing the devices themselves is an important aspect of information security
• Backup generators can be used to provide power in the event of power loss
46
Introduction to Healthcare Information Technology
Summary (cont’d.)
• Sensitive information should be placed in a room secured by a deadbolt lock
• Various types of ID badges can be used to control access to a secured area
• Biometrics uses human physical characteristics to provide authentication
• Passwords provide a weak degree of protection• Malware is unwanted software that is often harmful• Types of data backups include full, differential, and
incremental
47