introduction to healthcare information technology chapter seven basic healthcare information...

Introduction to Healthcare Information Technology

Chapter SevenBasic Healthcare Information Security


Objectives

• Define information security• List and describe the different elements of physical

security• Explain how computer security can protect data• Describe different types of data backups

2


Healthcare IT: Challenges and Opportunities

• The need for security is a significant aspect of life today– Personal physical security– Security of our information

• Defending against information attacks– Particularly important in the healthcare industry

• HIPAA provides for significant penalties for unauthorized disclosure of protected patient information

3

Introduction to Healthcare Information Technology 4

What Is Information Security?

• Describes tasks of securing information that is in a digital format

• Information security protection goals– Confidentiality

• Only authorized parties can access information– Integrity

• Ensures information is correct– Availability

• Data is accessible to authorized users


What Is Information Security? (cont’d.)

• Goals apply to devices that store, manipulate, and transmit the information

• Information security is achieved through:– Products– People– Procedures

Figure 7-1 Information security components

© Cengage Learning 2013

Table 7-1 Information security layers



Physical Security

• Involves securing devices so unauthorized users cannot access them

• Physical access security includes:– Securing the environment, office hardware, and

equipment– Regulating access

8


Environment

• Securing the surrounding environment– First step in physical security– Achieved with security guards in the past

• Security technology tools– Lighting and fencing– Video surveillance– Fire suppression equipment– Backup power generators– HVAC

9


Environment (cont’d.)

• Security perimeter– Can include a barrier, such as fencing– Often consists of a fence together with other

deterrents• Security lighting can be installed on:

– Poles– Building exteriors– Canopies– Landscaping

10

Table 7-2 Fencing deterrents




• Video surveillance– Monitoring activity with a video camera

• Closed circuit television (CCTV)– Using video cameras to transmit a signal to a

specific set of receivers– Cameras may be fixed or allow movement– Used in banks, casinos, airports, and military

installations

12



• Fire suppression– Fire represents a constant threat to people and

property• Four required entities for fire to occur

– Fuel– Oxygen– Heat– Chemical reaction

13

Figure 7-2 Fire triangle


Table 7-3 Fire types




• Types of stationary fire suppression systems– Water sprinkler systems– Dry chemical systems– Clean agent systems

• Power generator– Backup generator to be used in event of power loss– Can be powered by diesel, natural gas, or propane

16



• Heating, ventilation, and air conditioning (HVAC)– Control and maintenance of temperature and

humidity levels– Can reduce electrostatic discharge which can

damage equipment• Data closets

– Rooms that house computer systems and network equipment

– Typically have special cooling requirements


Office Hardware

• Privacy screen– Freestanding panel to divide a work area– Also refers to a cover over a computer monitor to

create a narrow viewing angle• Residential hardware door lock types

– Keyed entry locks– Privacy locks– Patio locks– Passage locks– All provide minimal security

18


Office Hardware (cont’d.)

• Deadbolt locks– Often used in commercial buildings– Solid metal bar extends into door frame– More difficult to defeat than keyed entry locks

19

Figure 7-4 Deadbolt lock



Equipment

• Network hardware should be located behind a locked door

• Uninterruptible power supply (UPS)– Device that maintains power to the equipment in

case of interruption in main power– Offline UPS (standby mode)

• Can quickly begin supplying power when needed– Online UPS

• Always running off its battery while the main power runs the battery charger

• Not affected by dips or sags in voltage

20


Equipment (cont’d.)

• UPS systems can communicate with network operating system on a server to ensure orderly shutdown occurs

• Important to secure office imaging equipment– Attackers could access images in digital memory

21


Regulating Access

• Disadvantages of using keys to access a secured area– Keys must be managed– Keys can be lost, stolen, or duplicated– Keys must be securely stored

• Cipher lock system– Alternative to a key lock– Push-button code required to open the door

22


Regulating Access (cont’d.)

• Types of physical tokens– ID badge containing bearer’s photograph– ID with barcode that is “swiped”– ID badge read by a proximity reader – RFID tags read by an RFID proximity reader– Electronic keyfob (automobile keyless entry)

• Biometrics– Uses person’s unique physical characteristics to

authenticate– Example: fingerprint scanner

23

Figure 7-5 Cipher lock Figure 7-6 RFID tag

© Cengage Learning 2013 © Cengage Learning 2013


Regulating Access (cont’d.)

• Types of fingerprint scanners– Static

• User places entire finger on scanner window– Dynamic

• User slides finger across reader

• Disadvantages to standard biometrics– Cost– Not 100% accurate

25


Computer Security

• Providing security for data stored on a computer– Critical function for a healthcare IT professional

• Aspects of computer security– Password security– Computer permissions– Defending against common security risks

26


Passwords

• Secret combination of letters, numbers, and characters that only the user should know

• Most common type of authentication today• Offer weak protection• Password weaknesses

– Relies on human memory– Long and complex passwords difficult to recall– Users must recall passwords for many different

accounts

27


Passwords (cont’d.)

• Password defenses– Creating and managing strong passwords

• Creating strong passwords– Most passwords consist of a root word and a suffix

or prefix• Guidelines for creating strong passwords

– Do not use dictionary or phonetic words– Do not use personal information– Do not repeat characters or use sequences– Use long passwords (12 characters or more)

28



• Another way to make passwords stronger– Use non-keyboard characters– Create by holding down ALT key and simultaneously

pressing a number on the numeric keypad• Good password management

– Change passwords frequently– Do not reuse old passwords– Never write a password down

29

Figure 7-8 Windows character map




• Good password management (cont’d.)– Have a unique password for each account– Set up a temporary password for the case when

another user needs to access your account– Do not allow a computer to automatically sign in or

store password so that a login is unnecessary– Do not enter passwords on public computers– Never share a password with another person

31



• Password supplements– Autocomplete passwords used in modern browsers

• Stored encrypted in the Microsoft Windows registry– Password management applications

• Digital equivalent of a written sticky note

32

Table 7-4 Password management applications



Permissions

• Identification– Example: delivery person ID badge

• Authentication– Process of checking the identification

• Authorization– Granting permission to take action

34


Permissions (cont’d.)

• One type of computer access control– Objects (such as files) given an owner– Access control list defines who is allowed to access

the object– Types of access permissions

• Read, write, modify, full control, read and execute

• Least privilege– Allocate minimum amount of privileges needed to

perform the job

35

Figure 7-9 Windows permissions



Common Security Risks

• Malware– Software that enters a computer system without the

user’s knowledge or consent– Performs an unwanted or harmful action

• Types of malware– Viruses– Worms– Spyware

37


Common Security Risks (cont’d.)

• Virus– Computer code that reproduces itself on the same

computer• Worm

– Malicious program designed to take advantage of a vulnerability in an application or operating system

– Uses a network to send copies of itself to other network devices

• Spyware– Software that gathers information on users without

consent38

Table 7-5 Technologies used by spyware




• Social engineering– Means of gathering information for an attack by

relying on weaknesses of individuals– Clever manipulation of human nature to persuade

the victim to provide information or take actions• Phishing

– Sending a deceptive e-mail that claims to be from a legitimate enterprise• Attempts to trick user into surrendering private

information

40



• Key defense against fishing– Provide security awareness and training to users

• Spamming– Unsolicited e-mail– Used for advertising or distributing malware– Profit for spammers can be substantial

• E-mail spam filters attempt to block spam before it reaches the host

41


Data Backups

• Copying digital information to different medium– Stored separately so it can be used in event of a

disaster• Disaster recovery plan answers five basic

questions:– What information should be backed up?– How often should it be backed up?– What media should be used?– Where should the backup be stored?– What hardware or software should be used?


Data Backups (cont’d.)

• Archive bit– Used to flag which files need to be backed up

• Types of backups– Full or daily backup– Differential backup– Incremental backup

• Backups should be stored at a separate location– Reduces risk of backup being destroyed in a disaster

Figure 7-11 Archive bit


Table 7-6 Types of data backups



Summary

• Information security creates a defense to ward off attacks designed to steal information

• Three types of protections– Confidentiality– Integrity– Availability

• Securing the devices themselves is an important aspect of information security

• Backup generators can be used to provide power in the event of power loss

46


Summary (cont’d.)

• Sensitive information should be placed in a room secured by a deadbolt lock

• Various types of ID badges can be used to control access to a secured area

• Biometrics uses human physical characteristics to provide authentication

• Passwords provide a weak degree of protection• Malware is unwanted software that is often harmful• Types of data backups include full, differential, and

incremental

47

introduction to healthcare information technology chapter seven basic healthcare information...

Documents

information security

information integrity

information attacks

security guards

computer security

security perimeter

tasks of securing information

physical access security