Patient Data Security and Privacy
Lecture # 7
PHCL 498
Amar Hijazi, Majed Alameel, Mona AlMehaid
Agenda
Defining Information Security
Information Security Goals
Security Risks
Defining Information Privacy
Introduction
In medical practice patients are unlikely to share sensitive information unless they trust that you will honor their confidentiality
Ponemon Institute released a 2011 research report on patient privacy and security with the following key findings:
Healthcare data breaches are on the rise: a 32% increase over the previous year
Widespread use of mobile technology is putting data at risk
In spite of breaches, many organizations have not set data privacy and security as a priority
Financial consequences of data breaches are very significant
Medical identity theft is a major problem
Why does it Matter?
Ensuring the privacy and security of health information, including information in EHRs, is the key component in building the trust required to realize the potential benefits of electronic health information capture and exchange
Defining Information Security
Refers to protecting information and information systems from unauthorized:
Access
Use
Disclosure
Disruption
Modification
Destruction
Information Security Pillars/Goals
Confidentiality
Integrity
Availability
Confidentiality
Is the avoidance of the unauthorized disclosure of information
Involves:
Protection of data
Providing access for those who are allowed to see the data
Preventing those who are not allowed from learning anything about the data
Tools for Confidentiality
Encryption
Access Control
Authentication
Authorization
Physical security
Encryption
The transformation of information using a secret, called an encryption key, so that the transformed information can only be read using another secret, called the decryption key
Allowing two parties to establish confidential communication over an insecure channel that is subject to eavesdropping
Access Control
Rules and policies that limit access to confidential information to those people and/or systems with a “need to know”
This need to know may be determined by identity, such as a person’s name or a computer’s serial number, or by a role that a person has, such as being a manager or a computer security specialist
Authentication
The determination of the identity or role that someone has
Can be performed in different ways and is usually based on a combination of:
Something a person has (e.g. smart card)
Something a person knows (e.g. password)
Something a person is (e.g. fingerprint)
Authorization
The determination of whether a person or system is allowed access to resources, based on an access control policy
Physical Security
The establishment of physical barriers to limit access to protected computational resources
Such barriers include locks on cabinets and doors, the placement of computers in windowless rooms and even the construction of buildings or rooms with walls incorporating copper meshes so that electromagnetic signals cannot enter or exit enclosures
Integrity
Ensuring that information has not been altered in an unauthorized way
Tools:
Backups
Capturing data corrections
Availability
Ensuring that information is accessible and modifiable in a timely manner by those authorized to do so
Tools:
Physical protection: infrastructure meant to keep information available
Computational redundancies: computers and storage devices that serve as fallbacks in the case of failure
Safeguards Required by the HIPAA Security Rule
Administrative
Physical
Technical
Security Risks that Need to be Analyzed
Vulnerabilities: weaknesses in a system that could be used to cause harm (e.g. user access controls are not properly configured allowing staff to inappropriately view patient information)
Threats: sets of circumstances with the potential to cause harm (e.g. theft of portable device that stores or can access patient information)
Attacks: occur when vulnerabilities are deliberately exploited
Defining Information Privacy
Is a set of rules and standards for the use and disclosure of individually identifiable health information (often referred to as protected health information) by specific entities, as well as standards for providing individuals with privacy rights that help them control how their health information is used
The patient has the right to:
Examine and obtain a copy of their health records
Have corrections added to their health information
Receive a notice that discusses how health information can be used or shared for certain purposes
Provide permission on whether health information can be used or shared
Get reports on when and why health information was shared
File a complaint if rights are being denied or health information is not being protected
HIPAA Privacy Rule
There is a method by which data can be used and released without restrictions
The Privacy Rule mandates that organizations de-identify the data by removing:
Names
Geographic subdivisions smaller than a state
Birth dates, admission date, discharge date, date of death
Telephone number
Facsimile numbers
Medical record number
HIPAA Information Privacy, Cont’d
Health plan beneficiary number
Account number
Certificate/license number
Vehicle identifiers
Device identifiers
URL (Uniform Resource Locator)
IP (Internet Protocol) address
Biometric identifier (fingerprint)
Photographic images
Any other unique identifier
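As an added example (not part of the lecture slides), the following Python routine applies the de-identification list above to a constructed patient record: it drops the named identifier fields, keeps state-level geography because only subdivisions smaller than a state are removed, and scrubs identifier-like tokens (phone numbers, IP addresses, URLs, dates) that leak into free-text notes. Field names, regex patterns and the sample record are all assumptions for illustration.

```python
import re

# Identifier categories from the slides, mapped to constructed field names.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip", "birth_date", "admission_date",
    "discharge_date", "death_date", "phone", "fax", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "fingerprint_template", "photo",
}

# Identifiers that tend to hide inside clinical notes (constructed, not exhaustive).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"https?://\S+", re.I), "[URL]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]

def scrub_text(text):
    """Replace identifier-like tokens in free text with placeholders."""
    for pattern, placeholder in FREE_TEXT_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text

def deidentify(record):
    """Return a copy of `record` with the slides' identifier categories removed.
    `state` is kept: the rule removes only geography smaller than a state."""
    clean = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # drop the whole field
        if isinstance(value, str):
            value = scrub_text(value)     # catch identifiers inside notes
        clean[key] = value
    return clean

# Constructed sample record; no real patient data.
SAMPLE = {
    "name": "Jane Doe", "mrn": "MRN-0001", "city": "Riyadh", "state": "Riyadh Province",
    "zip": "11564", "birth_date": "1980-05-02", "admission_date": "2011-03-04",
    "phone": "555-123-4567", "ip_address": "192.0.2.10",
    "diagnosis": "type 2 diabetes",
    "notes": "Pt called from 555-123-4567; portal login seen from 192.0.2.10 on 3/4/2011.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
```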
A Properly Configured EHR Should Provide
Unique passwords and user names
User and role based access controls
Backup and recovery
Encryption
Appropriate and properly installed wireless capabilities
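As an added example (not part of the lecture slides), this Python sketch ties together the access-control slide (need to know by identity or by role), the vulnerability example of misconfigured user access controls, and the patient right to a report of when and why their information was shared. It denies by default, grants only on an explicit role or identity rule, and records every decision so a per-patient disclosure report can be produced. The role set, permissions and scenario are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role policy: each role sees only what its job requires.
ROLE_PERMISSIONS = {
    "physician": {"read_record", "write_record"},
    "pharmacist": {"read_medications"},
    "billing": {"read_account"},
}

def patient_may_access(user_id, patient_id, action):
    """Identity-based rule: a patient may read only their own record."""
    return action == "read_record" and user_id == patient_id

@dataclass
class AccessDecision:
    allowed: bool
    reason: str

@dataclass
class EHR:
    disclosure_log: list = field(default_factory=list)

    def authorize(self, user_id, role, patient_id, action, purpose):
        """Deny by default; allow only when a role or identity rule matches.
        Every decision is logged so the patient can be told when and why."""
        if action in ROLE_PERMISSIONS.get(role, set()):
            decision = AccessDecision(True, f"role {role} permits {action}")
        elif role == "patient" and patient_may_access(user_id, patient_id, action):
            decision = AccessDecision(True, "patient reading own record")
        else:
            decision = AccessDecision(False, f"no rule grants {action} to {role}")
        self.disclosure_log.append({
            "time": datetime.now(timezone.utc).isoformat(), "user": user_id,
            "role": role, "patient": patient_id, "action": action,
            "purpose": purpose, "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision

    def disclosure_report(self, patient_id):
        """Accounting of disclosures: successful accesses to one patient's data."""
        return [e for e in self.disclosure_log if e["patient"] == patient_id and e["allowed"]]

def run_scenario():
    """Constructed scenario: two staff requests and one patient self-request."""
    ehr = EHR()
    ehr.authorize("dr01", "physician", "p100", "read_record", "treatment")
    ehr.authorize("rx02", "pharmacist", "p100", "read_record", "curiosity")  # denied
    ehr.authorize("p100", "patient", "p100", "read_record", "own access")
    return ehr

if __name__ == "__main__":
    for entry in run_scenario().disclosure_report("p100"):
        print(entry)
```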