Security of Health Information
Nancy Clark, M.Ed.
FSU College of Medicine
http://www.med.fsu.edu/informatics

Objectives
Demonstrate knowledge of issues surrounding the privacy and security of clinical data, including:
- Health Insurance Portability and Accountability Act (HIPAA)
- Patient confidentiality
- E-mail with patients and colleagues
- Role of technology

Issues
- HIPAA and privacy
- Threats to security and privacy
- Using good passwords
- Using virus software
- Hardware/software options
- Backing up your system
- E-mail with patients

HIPAA
Health Insurance Portability and Accountability Act of 1996. It has two parts:
1. Insurance reform: the ability to carry health insurance coverage from one plan to another.
2. Administrative simplification:
   - Standards for electronically stored and transmitted data
   - Improved efficiency of sharing health data
   - Protection of privacy and confidentiality

Security, Privacy, Confidentiality
- Privacy – the right: the right of an individual to anonymity, that is, to control who learns information about them.
- Confidentiality – the expectation: the obligation of anyone who uses an individual's information to respect and uphold that individual's privacy.
- Security – the mechanism: the policies, procedures, mechanisms, tools, technologies and accountability methods that support privacy.
- PHI – Protected Health Information: patient-identifiable health information, protected whether it is on paper or electronic.

Illustration
Husband's note on refrigerator to his wife: [content not reproduced in this text]

Compliance Deadlines
HIPAA regulation               Compliance date
Privacy                        April 14, 2003
Transactions and Code Sets     October 16, 2003
Unique Employer Identifier     July 30, 2004
Security                       April 21, 2005

Significance of HIPAA
From "What You Need to Know About HIPAA Now", David C. Kibbe, MD, MBA:
"In my opinion, … the unmistakable legacy of HIPAA will be to encourage computerization of all personal health information, regardless of who creates, stores or transmits it. How else can providers meet HIPAA's exhaustive requirements … The alternative to computerizing patients' medical information will be to maintain massive paper logs kept under lock and key."

Categories of Security Regulations
- Administrative procedures: contingency planning; information access controls; staff training
- Physical safeguards: medical records storage areas; printers, copiers and fax machines; workstations; server locations
- Technical security: passwords; authentication; digital signatures; firewalls; virus protection, VPN, encryption, …

Security – The Three "A"s
- Authentication: you are who you say you are
- Authorization: you can see and do what policy permits you to see and do
- Accountability: you are held responsible for what you see and do

Authentication
- Passwords are the simplest form of authentication.
- They can be very secure, but a single compromised password (especially one reused across systems) opens everything it protects, so one breach can spread rapidly.
- They can also be "too secure": if you forget your password, you lose access as well.

Selecting Good Passwords
Resources named on the slide: "Using Good Passwords"; "Suggestions for Selecting Good Passwords".
A good password is:
- Not guessable by any program: not a dictionary word, name, date or keyboard pattern, and long enough to resist brute force
- Easily remembered
- Private and secret: never shared, and never written where others can read it
- Changed regularly
Caveat on the last point: current NIST guidance (SP 800-63B) recommends changing a password when there is evidence it has been compromised rather than on a fixed schedule, because forced rotation pushes users toward weak, predictable variations of the old one.

Biometric Authentication
Identify who you are by a physical attribute:
- Signature
- Facial points
- Voice print
- Typing style
- Fingerprint (optical or digital sensor). Hmmm… would someone in a hospital have access to a severed finger? In other words, the sensor needs liveness detection.
- Iris: highly accurate; the same issue as with a dead finger; requires a camera

Authorization
"I'm a valid user of the system, and I've been authenticated. I want to see EVERYTHING on EVERYONE!!!"
Being authenticated does not grant that: the system defines who is authorized to see and do what.

Authorization Models
- User based: I have certain rights based on who I am as an individual.
- Role based: I have rights based on my role, e.g. doctor vs. nurse vs. lab technologist.
- Context based: who you are + where you are + what you are + when you are doing it.

Accountability
- You are held responsible for what you see and do.
- It is difficult to develop purely system-based ways of ensuring accountability; in the end it is an ethics problem.
- Security can still help ensure accountability:
  - Audit logging – "we know where you've been"
  - Password policies
  - Alert capabilities

Ethics and Morals
One definition:
- Morals – a choice between right and wrong
- Ethics – a choice between right and right
Example 1: A famous person is in the hospital, and you are curious about their lab results. Curiosity is not a treatment relationship; looking is a breach even though the system may let you.

Workplace Ethics
- Many people may have access to patient data
- Trust
- Knowledge of the rules – training
- Awareness of consequences

Technology Solutions
- Data encryption
- Data aging – remove data after a certain time
- Data transmission security – you can't move what isn't authorized
- Local authentication, including a time-out function that locks an idle session

Threats to Data Security and Privacy
- Viruses, worms, etc.
- Hackers/snoopers
- Crashes
- Theft
- Power failure/surges
- Trauma/loss

Virus Protection
- Norton
- McAfee
- Others (resource: "Computer Security Software")
- Updating: keep both the signatures and the program current

Unauthorized Access Protection
- Firewalls (resource: "Home PC Firewall Guide")
- Secure network devices
- Secure modems
- Encryption devices
- Virtual Private Networks (VPN)
- Resource: "Introduction to Network Security"

Hardware Solutions
- UPS – uninterruptible power supply
- Surge protector for power and modem lines (APC)
- Tape backup
- RAID/mirrored system. Caveat: RAID protects against a failed disk, not against deletion, malware or theft, so it is not a substitute for backups.
- Protective cases for laptops and PDAs (Compucage)

Backing Up Your Data
Resource: "Backing up your data".
What:
- E-mail files
- Word processor files
- Databases
- Web bookmarks
- Files you directly create
Where:
- Zip/Jaz disk
- CD-R or CD-RW
- Compact Flash (PDA)
- DVD
- Tape
- Remote sites
Backups that contain PHI need the same protection as the live system: encrypt removable media and off-site copies, lock them up, and test that a restore actually works.

E-Mail

Smart E-mailing with Patients
Tips to avoid legal problems:
- Get informed consent.
- Include instructions on when and how e-mail should escalate to a phone call or office visit.
- Use password-protected screen savers.
- Never forward patient-identifiable information to a third party.
- Never use a patient's e-mail address in a marketing scheme.
- Don't share e-mail accounts with family members.
- Use encryption when available and practical.
- Double-check the "To" field before sending.
- Commit policy decisions to writing, on paper and in electronic form.
- Save e-mail communication, electronically or on paper.

Wrap Up
- Keep HIPAA on your radar screen.
- Observe how clerkship faculty practices are dealing with security.
- Read the policies.
- Ask questions.
- Follow developments as they unfold.
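The Authorization Models, Accountability and Technology Solutions slides above describe role-based and context-based authorization, audit logging and a session time-out only in prose. The following Python script is an added example written for this page; it is not code from the lecture or from any EHR product. The roles, permission sets, locations, the 15-minute time-out, the business-hours window and every user and patient name are assumptions chosen to illustrate those slides. It plays out the "famous person in hospital" case from the Ethics slide: a physician who is neither on the care team nor on the patient's ward is refused, and the refusal is written to the audit log where an alert could pick it up.

```python
"""Role- and context-based authorization with an audit log and session time-out.
Added example for this page, not lecture code; every role, permission,
location, time limit and name below is an assumption."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Role based: what each role may do (assumed policy).
ROLE_PERMISSIONS = {
    "physician": {"view_record", "view_labs", "order_labs", "write_note"},
    "nurse":     {"view_record", "view_labs", "write_note"},
    "lab_tech":  {"view_labs", "enter_result"},
    "clerk":     {"view_demographics"},
}
SESSION_TIMEOUT = timedelta(minutes=15)   # local authentication time-out (assumed)
BUSINESS_HOURS = range(7, 19)             # clerks work 07:00-18:59 (assumed)
CHART_ROLES = {"physician", "nurse"}      # roles that need a treatment relationship


@dataclass
class Session:
    user: str
    role: str
    location: str            # where you are: "ward_3", "lab", "offsite", ...
    last_activity: datetime


@dataclass
class Patient:
    mrn: str
    ward: str
    care_team: frozenset     # users with a treatment relationship


@dataclass
class AuditLog:
    """Accountability: who did what, to whom, from where, when, and the decision."""
    entries: list = field(default_factory=list)

    def record(self, when, session, mrn, action, allowed, reason):
        self.entries.append({
            "time": when.isoformat(timespec="seconds"), "user": session.user,
            "role": session.role, "where": session.location, "patient": mrn,
            "action": action, "allowed": allowed, "reason": reason,
        })


def authorize(session, patient, action, now, audit):
    """Return (allowed, reason). Every decision, allowed or not, is logged."""
    def decide(allowed, reason):
        audit.record(now, session, patient.mrn, action, allowed, reason)
        if allowed:
            session.last_activity = now    # activity keeps the session alive
        return allowed, reason

    # Local authentication time-out: an idle session must re-authenticate.
    if now - session.last_activity > SESSION_TIMEOUT:
        return decide(False, "session timed out; re-authenticate")
    # Role based: is this action in the role's permission set?
    if action not in ROLE_PERMISSIONS.get(session.role, set()):
        return decide(False, f"role {session.role} may not {action}")
    # Context based, when you are: clerks only during business hours.
    if session.role == "clerk" and now.hour not in BUSINESS_HOURS:
        return decide(False, "clerk access outside business hours")
    # Context based, where you are: results are entered only from the lab.
    if action == "enter_result" and session.location != "lab":
        return decide(False, "results may only be entered from the lab")
    # Context based, who you are to the patient: care team or same ward.
    if session.role in CHART_ROLES:
        on_team = session.user in patient.care_team
        on_ward = session.location == patient.ward
        if not (on_team or on_ward):
            return decide(False, "no treatment relationship with this patient")
    return decide(True, "ok")


def denied_accesses(audit):
    """Alert capability: the entries a privacy officer should review."""
    return [e for e in audit.entries if not e["allowed"]]


def run_demo():
    """Constructed scenario: a famous patient and four staff members."""
    audit = AuditLog()
    t0 = datetime(2005, 4, 21, 10, 0)    # constructed timestamp
    vip = Patient("MRN-0001", "ward_3", frozenset({"dr_lee", "rn_park"}))
    dr_lee = Session("dr_lee", "physician", "ward_3", t0)     # treating physician
    dr_chen = Session("dr_chen", "physician", "offsite", t0)  # curious, not on team
    tech = Session("tech_kim", "lab_tech", "lab", t0)
    clerk = Session("clerk_ro", "clerk", "front_desk", t0)
    results = {
        "treating_physician": authorize(dr_lee, vip, "view_labs", t0, audit)[0],
        "curious_physician": authorize(dr_chen, vip, "view_labs", t0, audit)[0],
        "lab_tech_enters_result": authorize(tech, vip, "enter_result", t0, audit)[0],
        "clerk_views_labs": authorize(clerk, vip, "view_labs", t0, audit)[0],
        # 20 idle minutes later, even the treating physician is locked out.
        "timed_out": authorize(dr_lee, vip, "view_record",
                               t0 + timedelta(minutes=20), audit)[0],
    }
    return results, audit


if __name__ == "__main__":
    demo_results, demo_audit = run_demo()
    print(demo_results)
    for entry in denied_accesses(demo_audit):
        print("DENIED:", entry["user"], entry["action"], entry["reason"])
```

Note the design choice that makes accountability work: `authorize` never returns without writing an entry, so the log records successful chart views as well as refusals. The curious physician's denied lookup is exactly the kind of entry an alerting rule should surface, and the same log answers the "we know where you've been" question for the treating physician too.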