Security of Health Information

Security of Health Information
Nancy Clark, M.Ed.
FSU College of Medicine
http://www.med.fsu.edu/informatics
1
Objectives
1. Demonstrate knowledge of issues surrounding the privacy and security of clinical data, including:
   - Health Insurance Portability and Accountability Act (HIPAA)
   - Patient confidentiality
   - E-Mail with patients and colleagues
   - Role of technology
2
Issues
HIPAA and privacy
Threats to security and privacy
Using good passwords
Using virus software
Hardware/software options
Backing up your system
E-Mail with Patients
3
HIPAA
Health Insurance Portability and Accountability Act of 1996
1. Insurance Reform: carry health insurance to different plans
2. Administrative Simplification:
   - Standards for electronically stored and transmitted data
   - Improve efficiency of sharing health data
   - Protecting privacy and confidentiality
4
Security, Privacy, Confidentiality
Privacy – The Right
- Right of the individual to have anonymity
Confidentiality – The Expectation
- Obligation of the user of an individual's information to respect and uphold that individual's privacy
Security – The Mechanism
- Policies, procedures, mechanisms, tools, technologies, and accountability methods to support privacy
PHI – Protected Health Information
- Patient-identifiable information that is protected (paper or electronic)
5
Illustration
Husband's note on refrigerator to his wife:
6
Compliance Deadlines
HIPAA Regulation               Compliance Date
Privacy                        April 14, 2003
Transactions and Code Sets     October 16, 2003
Unique Employer Identifier     July 30, 2004
Security                       April 21, 2005
7
Significance of HIPAA
What You Need to Know About HIPAA Now
"In my opinion, … the unmistakable legacy of HIPAA will be to encourage computerization of all personal health information, regardless of who creates, stores or transmits it. How else can providers meet HIPAA's exhaustive requirements … The alternative to computerizing patients' medical information will be to maintain massive paper logs kept under lock and key." – David C. Kibbe, MD, MBA
8
Categories of Security Regulations
Administrative procedures
- Contingency planning
- Information access controls
- Staff training
Physical safeguards
- Medical records storage areas
- Printers, copiers, fax machines
- Workstations
- Server locations
Technical security
- Passwords
- Authentication
- Digital signatures
- Firewalls
- Virus protection, VPN, encryption…
11
Security – The Three "A"s
Authentication
- You are who you say you are
Authorization
- You can see and do what you are permitted by policy to see and do
Accountability
- You are held responsible for what you see and do
12
Authentication
Passwords – the simplest form of authentication
- Can be very secure, but one compromised password (or one password reused on several systems) can spread rapidly
- Can be too secure – if you forget your password, you lock yourself out
13
Selecting Good Passwords
Suggestions for selecting good passwords:
- Not guessable by any program (no dictionary words, names, dates or keyboard patterns, even with letters swapped for symbols)
- Easily remembered
- Private and secret – never shared, never written where others can see it
- Change them regularly, and immediately if you suspect they have been exposed
14
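The following Python checker is an added example, not part of the original slides; it shows what "not guessable by any program" means in practice. A cracking program tries breached passwords, dictionary words with common symbol substitutions undone, and keyboard walks long before it tries random strings, so a checker has to look for those patterns and not only count character classes. The blocklist, the substitution table and the thresholds (12 characters, 50 bits) are illustrative assumptions; a real deployment would check against a large breach corpus.

```python
import math
import re

# Constructed stand-in for a breached/common password list (assumption: a real
# check uses a large list or a k-anonymity lookup against a breach corpus).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome",
                    "hospital", "medicine"}
KEYBOARD_WALKS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Substitutions a cracking program undoes before trying dictionary words.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "$": "s", "5": "s", "!": "i"})


def estimate_entropy_bits(password):
    """Crude guess-space estimate: log2(character pool size) * length.
    It overrates passwords built from dictionary words, which is why the
    blocklist and pattern checks below run as well."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33
    return math.log2(pool) * len(password) if pool else 0.0


def has_keyboard_walk(password, run=4):
    """True if the password contains `run` adjacent keys in a row or reversed."""
    low = password.lower()
    for walk in KEYBOARD_WALKS:
        for i in range(len(walk) - run + 1):
            seg = walk[i:i + run]
            if seg in low or seg[::-1] in low:
                return True
    return False


def check_password(password, username="", min_length=12, min_bits=50):
    """Return (acceptable, problems, estimated_bits). `problems` is a list of
    codes; an empty list means the password passed every check."""
    problems = []
    low = password.lower()
    # Undo symbol substitutions and drop non-letters so "P@ssw0rd" is seen as "password".
    normalized = re.sub(r"[^a-z]", "", low.translate(LEET))
    if len(password) < min_length:
        problems.append("too_short")
    if any(word in low or word in normalized for word in COMMON_PASSWORDS):
        problems.append("common_word")
    if username and username.lower() in low:
        problems.append("contains_username")
    if has_keyboard_walk(password):
        problems.append("keyboard_walk")
    if re.search(r"(.)\1{2,}", low):          # "aaa", "111"
        problems.append("repeated_chars")
    bits = estimate_entropy_bits(password)
    if bits < min_bits:
        problems.append("low_entropy")
    return not problems, problems, bits


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "Qwerty123456", "correct horse battery staple 42!"):
        print(candidate, check_password(candidate, username="nclark"))
```

Note that "P@ssw0rd!" scores about 59 bits by the character-class estimate and still fails: it is a blocklisted word with substitutions, so the entropy number alone is misleading. A long passphrase passes all checks and is also easy to remember, which satisfies the second suggestion on the slide.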
Biometric Authentication
Identify who you are by a physical attribute
Signature
Facial Points
Voice Print
Typing Style
15
Biometric Authentication
Fingerprint
- Optical, digital
- Hmmm… would someone in a hospital have access to a severed finger? (Liveness detection in the sensor is the usual countermeasure.)
Iris
- Highly accurate
- Same issue as with a dead finger
- Requires a camera
16
Authorization
I'm a valid user of the system, and I've been authenticated. I want to see EVERYTHING on EVERYONE!!!
The system can define who is authorized to see and do what.
17
Authorization Models
User Based
- I have certain authorization rights based on who I am as an individual
Role Based
- I have authority based on my role, e.g. doctor vs. nurse vs. lab technologist
Context Based
- Who you are + Where you are + When you are asking + What you are doing
18
Accountability
You are held responsible for what you see
and do
Difficult to develop systems-based ways of
ensuring accountability
An ethics problem
19
Accountability
Security can help ensure accountability
- Audit logging – "We know where you've been"
- Password policies
- Alert capabilities
20
Ethics and Morals
One definition:
- Morals – choice between right and wrong
- Ethics – choice between right and right
Example 1
Famous person in hospital, and you're curious about their lab results
21
Workplace Ethics
Many people may have access to patient
data
Trust
Knowledge of Rules - Training
Awareness of Consequences
22
Technology Solutions
Data Encryption
Data Aging – remove data after a certain time
Data Transmission Security – can't move what isn't authorized
Local Authentication
- Includes time-out function
23
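As an added example (not from the original slides), the Python below implements two items from this list: the time-out function of local authentication, and data aging. The session keeps both an idle limit and an absolute lifetime, is checked on every request, and once expired stays locked until the user authenticates again; the purge function splits records by age. Time is passed in as a number of seconds rather than read from the clock so the behaviour can be exercised deterministically; the 15-minute and 8-hour limits are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float              # seconds on any monotonic clock (injected, not read here)
    last_activity: float
    idle_timeout: float = 15 * 60        # lock after 15 minutes without activity
    max_lifetime: float = 8 * 60 * 60    # re-authenticate at least once per shift
    locked: bool = False


def open_session(user, now, **limits):
    """Create a session at time `now`; `limits` may override the two timeouts."""
    return Session(user=user, created=now, last_activity=now, **limits)


def touch(session, now):
    """Call on every request. Returns True if the session is still usable.
    Once either limit is exceeded the session is locked and stays locked, so a
    later request cannot revive it by arriving "in time"."""
    if session.locked:
        return False
    idle_for = now - session.last_activity
    age = now - session.created
    if idle_for > session.idle_timeout or age > session.max_lifetime:
        session.locked = True
        return False
    session.last_activity = now
    return True


def purge_aged(records, now, retention_seconds):
    """Data aging: split records into (kept, expired) by the age of 'created'.
    The caller deletes `expired`; nothing is removed silently here."""
    kept, expired = [], []
    for record in records:
        target = expired if now - record["created"] > retention_seconds else kept
        target.append(record)
    return kept, expired


if __name__ == "__main__":
    s = open_session("dr_adams", now=0)
    print(touch(s, 600), touch(s, 2400), touch(s, 2401))   # True, False, False
    # Constructed records: a temporary export created at t=0 and one at t=900.
    print(purge_aged([{"id": 1, "created": 0}, {"id": 2, "created": 900}],
                     now=1000, retention_seconds=500))
```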
Threats to Data Security and Privacy
Viruses, worms, etc.
Hackers/snoopers
Crashes
Theft
Power failure/surges
Trauma/loss
24
Virus Protection
Norton
McAfee
Others – see Computer Security Software
Updating – the product is only as good as its latest virus definitions
25
Unauthorized Access Protection
Firewalls
- Home PC Firewall Guide
Secure Network Devices
- Secure modems
- Encryption devices
- Virtual Private Networks (VPN)
Introduction to Network Security
26
Hardware Solutions
UPS – uninterruptible power supply
Surge protector – power/modem
- APC
Tape backup
RAID/mirrored system
Protective cases (laptops and PDAs)
- Compucage
27
Backing Up Your Data
What:
- email files
- word processor files
- databases
- web bookmarks
- files you directly create
Where:
- Zip/Jaz disk
- CD-R or RW
- Compact Flash (PDA)
- DVD
- Tape
- Remote sites
28
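The Python example below is added here and is not part of the original slides. Whatever medium from the list above is used, a backup is only useful if the copy can be checked later, so this example copies the files you create into a backup directory, records a SHA-256 digest of each source file in a manifest, and verifies the copies against that manifest; the demo then damages one copy to show the check catching it. The directory layout and file contents are constructed sample data.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_file(path):
    """Digest a file in chunks so large databases do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(src, dest):
    """Copy every file under src into dest with the same relative layout and
    write a manifest of digests taken from the *source* files, so a copy that
    was corrupted in transit shows up on the first verify."""
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)          # copy2 preserves timestamps
        manifest[rel] = sha256_file(path)
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(dest):
    """Return the relative paths whose backup copy is missing or no longer
    matches the manifest digest. An empty list means the backup is intact."""
    manifest = json.loads((dest / MANIFEST).read_text())
    bad = []
    for rel, digest in manifest.items():
        copy = dest / rel
        if not copy.is_file() or sha256_file(copy) != digest:
            bad.append(rel)
    return bad


def run_demo():
    """Constructed data: back up two files, verify, damage one copy, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp) / "clinic", Path(tmp) / "backup"
        (src / "notes").mkdir(parents=True)
        (src / "notes" / "visit.txt").write_text("constructed visit note\n")
        (src / "contacts.csv").write_text("name,email\nexample,patient@example.org\n")
        backup(src, dest)
        intact = verify(dest)
        (dest / "notes" / "visit.txt").write_text("bit rot or tampering\n")
        damaged = verify(dest)
        return intact, damaged


if __name__ == "__main__":
    print(run_demo())   # ([], ['notes/visit.txt'])
```

The manifest lives next to the copies here for simplicity; keeping a second copy of it somewhere the backup medium cannot be altered (and running verify on a schedule, not only at backup time) is what turns this into a restore you can trust.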
E-Mail
29
Smart E-mailing with Patients
Tips to avoid legal problems
Get informed consent.
Include instructions on when and how e-mail should escalate to a phone call or office visit.
Use password-protected screen savers.
Never forward patient-identifiable information to a third party.
Never use a patient's e-mail address in a marketing scheme.
30
Tips to avoid legal problems
Don't share e-mail accounts with family
members.
Use encryption when available and
practical.
Double-check "to" fields before sending.
Commit policy decisions to writing and
electronic form.
Save e-mail communication;
electronically or on paper.
31
Wrap Up
Keep HIPAA on your radar screen
Observe how clerkship faculty practices are dealing with security
Read the policies
Ask questions
Follow HIPAA as it unfolds
32