Confidentiality and Privacy

Confidentiality, Privacy, and Security
William A. Yasnoff, MD, PhD
Oregon Health Division

Overview
• Definitions
• Fair Information Practices
• Policies and Procedures
• Legislation
• Authentication
• Encryption
• Firewalls
• WWW security

Definitions
• PRIVACY: The right of individuals to hold information about themselves in secret, free from the knowledge of others.

Definitions (continued)
• CONFIDENTIALITY: The assurance that information about identifiable persons, the release of which would constitute an invasion of privacy for any individual, will not be disclosed without consent except as allowed by law.

Definitions (continued)
• SECURITY: The mechanisms by which confidentiality policies are implemented in computer systems, including provisions for:
– Access control
– Integrity
– Availability

Definitions (continued)
• IDENTIFIABLE INFORMATION: Any information, including but not limited to demographic information, which will identify or may reasonably lead to the identification of one or more specific individuals.

Definitions (continued)
• CONFIDENTIAL DATABASE: Any collection or grouping of information about individuals maintained by the Division in electronic form which is not comprised solely of public records subject to release on request, and the release of which could represent a breach of confidentiality. Such information includes, but is not limited to, demographic information, medical or testing histories, clinical information, employment or financial status, the results of special studies, participation in or exclusion from specific programs, sources of information, or new collections of information derived from the linkage of one or more previously existing confidential databases.

Fair Information Practices
• Relevance
• Integrity
• Written Purpose
• Need-to-Know Access
• Correction
• Consent

1. Relevance
• All information collected should be necessary and relevant to public health or required by law.
– individuals entitled to privacy
– benefits of information should outweigh privacy concerns
– collection not overly burdensome, intrusive, or coercive

2. Integrity
• The integrity of information should be protected.
– prevent loss, interception, misuse
– maintain accurate, complete, timely data
– no unauthorized alteration or destruction

3. Written Purpose
• All information collected should be consistent with written public health purposes and/or required by law.
– databases must have written purpose(s)
– usage restricted to stated purpose(s)
– linkage of databases considered a new database

4. Need-to-Know Access
• All confidential information should be accessible only on a need-to-know basis, both internally and externally.
– confidentiality agreements for all personnel
– access terminated when duties change
– no redisclosure
– external release for research requires IRB approval

5. Correction
• Individuals should have access to information about themselves and the ability to correct this information to the extent allowed by law.
– maintain public list of all databases
» name of database
» description of information included
» information sources (non-confidential)
– disputed data must be marked

6. Consent
• Information must be collected with the consent of the individual except as required by law.
– informed consent
» purpose of information collection
» data protections in place
» consequences of withholding information
– no consent if waived by law

Confidentiality Policies
• Fair Information Practices
• Data Release Restrictions
• Personnel Agreements

Data Release Restrictions
• Release without review is restricted
• Denominator > 50 [population data]
• Denominator > 10 [cohort data]

Personnel Issues
• All personnel to sign confidentiality agreements periodically
• Special provisions for data system administrators

Confidentiality Provisions
• Definition of confidential information
• Need-to-know access only
• No redisclosure
• If questions, ask supervisor
• Breach will result in disciplinary action
• Confidentiality must be maintained indefinitely

Data System Administrators
• Information used only as needed for administration of computer system
• Access granted to others only in accordance with established policies and procedures
• Disciplinary action for violations may be termination on first offense

Legislation
• Health Insurance Portability and Accountability Act (HIPAA) [1996]
– privacy standards by August 1997
– security standards by February 1998
– universal health identifier
• Fair Health Information Practices (bill introduced in 105th Congress)

Security
• Authentication
• Encryption
• Firewalls
• WWW

Authentication
• Who are you talking to?
• Methods
– what the user knows (password)
– what the user has (smartcard)
– what the user is (biometrics)

Passwords
• Longer is better
• Never use dictionary words
• word1;word2 is a good working model
• Never write down or store passwords
• On a network, passwords often travel in the clear

End-to-End Authentication
• Cryptography based
• Challenge-response
– response generated with encryption
– challenge varies to defeat interception
• Time synchronized
– password depends on time of day
– user-carried device generates password
– good for system administrators

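The two methods on this slide, worked through in code. This is an added example, not part of the original lecture: the shared secret, the HMAC-SHA256 keyed response and the HOTP/TOTP-style time code are assumptions standing in for whatever cipher a real token uses. `replay_is_rejected` shows the point of a varying challenge (a response captured from one session fails against the next), and `verify_time_code` shows the drift window a server needs when the "password depends on time of day".

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed shared secret for the demo; a real system provisions it out of band
# (on a smartcard or token) and never sends it over the network.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


def make_challenge() -> bytes:
    """Server: a fresh random nonce for every login attempt."""
    return os.urandom(16)


def compute_response(secret: bytes, challenge: bytes) -> str:
    """Client: prove knowledge of the secret by keying an HMAC over the
    challenge. Only this digest crosses the wire, never the secret."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


def verify_response(secret: bytes, challenge: bytes, response: str) -> bool:
    """Server: recompute the expected digest and compare in constant time."""
    expected = compute_response(secret, challenge)
    return hmac.compare_digest(expected, response)


def replay_is_rejected(secret: bytes) -> bool:
    """Why the challenge must vary: a response observed in one session is
    valid for that challenge only and fails against the next one."""
    first = make_challenge()
    observed = compute_response(secret, first)   # what passes over the network
    second = make_challenge()                    # server issues a new challenge
    return (verify_response(secret, first, observed)
            and not verify_response(secret, second, observed))


def time_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-synchronized one-time code: HMAC over the current time-window
    counter, truncated to a short decimal (HOTP/TOTP-style dynamic truncation).
    A user-carried token computes the same value from its own clock."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


def verify_time_code(secret: bytes, code: str, unix_time: int, step: int = 30) -> bool:
    """Server: accept the current window and its two neighbours so that a
    slightly drifted token clock still works; anything older is rejected."""
    for drift in (-1, 0, 1):
        if hmac.compare_digest(time_code(secret, unix_time + drift * step, step), code):
            return True
    return False


if __name__ == "__main__":
    challenge = make_challenge()
    print("challenge-response OK:",
          verify_response(SHARED_SECRET, challenge, compute_response(SHARED_SECRET, challenge)))
    print("replay rejected:", replay_is_rejected(SHARED_SECRET))
    print("current time code:", time_code(SHARED_SECRET, int(time.time())))
```

Both checks use `hmac.compare_digest` rather than `==` so that verification time does not leak how many leading characters of a guess were right.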
Kerberos
• User asks “key server” for access to target system
• Key server creates message, encrypts with user key, sends
• User decrypts message, then encrypts with “access key” of target system
• Key server sends “session key” to user and target system (both encrypted)

Kerberos
• Key server must be secure
• Allows mediation by third party of access among multiple systems
• Potential model for electronic medical record exchange
• Developed at MIT

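The exchange sketched on the two Kerberos slides, as an added example that is not part of the original lecture and not MIT's implementation. It follows the standard ticket shape: the key server seals one copy of the session key under the user's key and a second copy (the ticket) under the target's key, and the user relays the ticket to the target together with an authenticator encrypted under the session key. The cipher is a constructed HMAC-based toy (encrypt-then-MAC over a keystream), not the DES that Kerberos used; the principal names and keys are made up for the demo.

```python
import hashlib
import hmac
import json
import os

# --- Toy symmetric cipher (constructed for this example, NOT DES or AES) -------
# Keystream from HMAC-SHA256 over a per-message nonce, XORed with the data,
# then an HMAC tag over nonce+ciphertext so tampering or a wrong key is caught.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ciphertext, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


# --- Key server, target system and user --------------------------------------

class KeyServer:
    """Trusted third party holding a long-term key for every user and system;
    this is why the slide says the key server itself must be secure."""

    def __init__(self, long_term_keys: dict):
        self._keys = dict(long_term_keys)

    def request_access(self, user: str, target: str) -> bytes:
        session_key = os.urandom(32)
        # Copy for the target, sealed under the target's key (the "ticket").
        ticket = encrypt(self._keys[target],
                         json.dumps({"user": user, "key": session_key.hex()}).encode())
        # Copy for the user, sealed under the user's key, carrying the ticket.
        return encrypt(self._keys[user],
                       json.dumps({"target": target, "key": session_key.hex(),
                                   "ticket": ticket.hex()}).encode())


class TargetSystem:
    def __init__(self, name: str, key: bytes):
        self.name, self._key = name, key

    def accept(self, ticket: bytes, authenticator: bytes) -> bytes:
        """Open the ticket with our own key, then check that whoever sent it
        also knows the session key inside it. Returns the session key."""
        info = json.loads(decrypt(self._key, ticket))
        session_key = bytes.fromhex(info["key"])
        claimed = json.loads(decrypt(session_key, authenticator))["user"]
        if claimed != info["user"]:
            raise PermissionError("authenticator does not match ticket")
        return session_key


def user_login(user: str, user_key: bytes, kdc: KeyServer, target: TargetSystem) -> bool:
    """The whole exchange from the user's side; True when both ends hold the
    same session key without it ever having travelled unencrypted."""
    reply = json.loads(decrypt(user_key, kdc.request_access(user, target.name)))
    session_key = bytes.fromhex(reply["key"])
    authenticator = encrypt(session_key, json.dumps({"user": user}).encode())
    target_key = target.accept(bytes.fromhex(reply["ticket"]), authenticator)
    return hmac.compare_digest(session_key, target_key)


# Constructed long-term keys for the demo (normally derived from the user's
# password and the target's configured secret).
KEYS = {"alice": os.urandom(32), "records-server": os.urandom(32)}


def demo_success() -> bool:
    kdc = KeyServer(KEYS)
    return user_login("alice", KEYS["alice"], kdc,
                      TargetSystem("records-server", KEYS["records-server"]))


def demo_wrong_user_key() -> bool:
    """Without the right long-term key the user cannot even read the key
    server's reply, so the target is never reached."""
    kdc = KeyServer(KEYS)
    try:
        user_login("alice", os.urandom(32), kdc,
                   TargetSystem("records-server", KEYS["records-server"]))
    except ValueError:
        return True
    return False
```

Note what the target never sees: the user's long-term key. It only ever decrypts material under its own key and under the fresh session key, which is what lets one key server mediate access among many systems.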
Cryptography
• Convert plaintext into message readable only with “key”
• DES = data encryption standard
– 64 bit message
– 56 bit key
– uses repeated substitution, transposition
– breakable in reasonable time with large computer system (31 hrs @ $100K, 20 minutes @ $10 MM)

Cryptography
• Triple-DES
– apply DES three times
– three different keys (168 bits total)
– now used for automated teller transactions

Public Key Cryptography
• Public Key
– in phone directory
• Private Key
– known only to recipient
• Message encrypted with either key can be decrypted with the other
– sender encrypts with one key, receiver decrypts with the other key

RSA Cryptography
• Public key is product p x q
• Private key is factors p, q
• Security derived from difficulty in computing factors p, q if pq is large
• Larger key size provides more security

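Textbook RSA carried through with the symbols of the two preceding slides, as an added example (not from the lecture). The small primes 61 and 53 and the two Mersenne primes are constructed choices, and the code omits the padding a real RSA implementation needs. It shows the "either key" property (encrypt with the public key, decrypt with the private; sign with the private, verify with the public), and `recover_private_key` shows why the slide ties security to the size of pq: for a toy modulus, trial division hands back the private key at once.

```python
import hashlib
import math


def generate_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA: public key (n, e), private key (n, d) with d = e^-1 mod phi(n).
    p and q are assumed prime and kept secret; only n = p*q is published."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def apply_key(value: int, key) -> int:
    """Raise to the key's exponent mod n. Because e*d = 1 mod phi(n), applying
    one key undoes the other, so the same operation serves both directions."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def encrypt_bytes(message: bytes, public_key) -> int:
    """Sender encrypts with the recipient's PUBLIC key (from the "directory").
    The message must be shorter than the modulus and not start with a zero byte."""
    return apply_key(int.from_bytes(message, "big"), public_key)


def decrypt_bytes(ciphertext: int, private_key) -> bytes:
    """Recipient decrypts with the PRIVATE key known only to them."""
    value = apply_key(ciphertext, private_key)
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def sign_bytes(message: bytes, private_key) -> int:
    """The other direction: the sender applies the PRIVATE key to a hash of
    the message; anyone holding the public key can check the result."""
    n, _ = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return apply_key(digest, private_key)


def verify_signature(message: bytes, signature: int, public_key) -> bool:
    n, _ = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return apply_key(signature, public_key) == digest


def recover_private_key(public_key):
    """Why key size matters: for a tiny modulus, trial division finds p and q
    immediately and the private exponent follows. For a real-sized n the same
    loop is hopeless, which is the whole basis of the scheme's security."""
    n, e = public_key
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            return generate_keypair(p, n // p, e)[1]
    raise ValueError("no factor found")


# Constructed toy key with small primes (never secure; for illustration only).
TOY_PUBLIC, TOY_PRIVATE = generate_keypair(61, 53, e=17)      # n = 3233, d = 2753

# Still far too small for real use, but large enough to carry a short message:
# the Mersenne primes 2^31-1 and 2^61-1 give a modulus of about 92 bits.
DEMO_PUBLIC, DEMO_PRIVATE = generate_keypair(2**31 - 1, 2**61 - 1)
```

With the toy key, the plaintext 65 encrypts to 2790 and decrypts back to 65; with the 92-bit key an 11-byte message round-trips and a signature over it verifies only for the message that was signed.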
Firewalls
• Separate, dedicated computer system
• Filters packets based on source and/or destination
• Mount disks read only
• Eliminate all unnecessary commands and services
• Minimum number of user accounts

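The packet-filtering point on this slide, as an added example that is not part of the lecture: a first-match rule evaluator with a default of deny, run over constructed packets. The addresses come from the documentation ranges (192.0.2.0/24 as the protected network, 192.0.2.10 as its web server, 198.51.100.0/24 as the outside), and the rule set is a made-up illustration rather than any real firewall's configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # source network, CIDR notation
    dst: str                      # destination network, CIDR notation
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins. Anything no rule mentions gets the default,
    and for a firewall the default should be deny: a new service on an inside
    host is then unreachable until someone deliberately opens it."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Constructed rule set (illustration only).
RULES = [
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),   # the public HTTPS server
    Rule("deny", "0.0.0.0/0", "192.0.2.0/24", "tcp", 23),       # telnet into the network is never allowed
    Rule("allow", "192.0.2.0/24", "0.0.0.0/0"),                 # inside hosts may initiate outbound
]


def decisions(rules: List[Rule], packets: List[Packet]) -> List[str]:
    return [filter_packet(rules, pkt) for pkt in packets]


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "192.0.2.10", "tcp", 443),   # outside -> web server
        Packet("198.51.100.7", "192.0.2.10", "tcp", 23),    # outside -> telnet on web server
        Packet("198.51.100.7", "192.0.2.20", "tcp", 22),    # outside -> ssh on another inside host
        Packet("192.0.2.20", "198.51.100.7", "tcp", 80),    # inside -> outside
    ]
    for pkt, verdict in zip(samples, decisions(RULES, samples)):
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}  {verdict}")
```

Rule order matters: the explicit telnet deny sits above the broad outbound allow so that nothing later in the list can widen it by accident, and the third packet above is dropped not by any rule but by the default.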
Firewalls as Proxy Servers
• Firewall connects to outside system, not your system
• By acting as your “proxy”, the firewall shields your system from the outside system
• Can be used for
– telnet (session)
– ftp (file transfer)

Intrusion Detection
• Look for unusual access patterns or activity
• Types of evaluation
– statistical
– rule-based
• Example: lock account after 3 failed login attempts
• Assume all systems are subject to attempted unauthorized use

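Both kinds of evaluation from this slide, run over a few constructed login records; an added example, not part of the lecture. The log format, the user names, the addresses and the per-day baseline counts are all made up for the demo. The rule-based part implements the slide's own example (lock after 3 failed attempts) and also raises an alert when a locked account nonetheless logs in, since that is exactly the kind of unusual activity the slide says to look for; the statistical part flags a user whose activity today is far outside their historical mean.

```python
import re
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Constructed sample log lines for the demo (not real system output).
SAMPLE_LOG = """\
1997-03-01T08:02:11 LOGIN_FAIL user=alice src=192.0.2.15
1997-03-01T08:02:40 LOGIN_FAIL user=alice src=192.0.2.15
1997-03-01T08:03:05 LOGIN_OK   user=alice src=192.0.2.15
1997-03-01T23:14:02 LOGIN_FAIL user=bob   src=198.51.100.7
1997-03-01T23:14:09 LOGIN_FAIL user=bob   src=198.51.100.7
1997-03-01T23:14:15 LOGIN_FAIL user=bob   src=198.51.100.7
1997-03-01T23:14:20 LOGIN_FAIL user=bob   src=198.51.100.7
1997-03-01T23:14:31 LOGIN_OK   user=bob   src=198.51.100.7
"""

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>LOGIN_OK|LOGIN_FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$")


@dataclass(frozen=True)
class Event:
    ts: str
    event: str
    user: str
    src: str


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:                      # lines that do not fit the format are skipped
            events.append(Event(**m.groupdict()))
    return events


def rule_based(events: List[Event], max_failures: int = 3) -> Tuple[Set[str], List[str]]:
    """Lock after N consecutive failures; a success resets the counter.
    A success on an already locked account is reported too, because the lock
    should have stopped it and an administrator needs to look."""
    failures: Counter = Counter()
    locked: Set[str] = set()
    alerts: List[str] = []
    for ev in events:
        if ev.event == "LOGIN_FAIL":
            failures[ev.user] += 1
            if failures[ev.user] == max_failures:
                locked.add(ev.user)
                alerts.append(f"{ev.ts} lock {ev.user}: {max_failures} failed logins from {ev.src}")
        elif ev.event == "LOGIN_OK":
            if ev.user in locked:
                alerts.append(f"{ev.ts} success on locked account {ev.user} from {ev.src}")
            failures[ev.user] = 0
    return locked, alerts


def statistical(events: List[Event], baseline_per_day: Dict[str, List[int]],
                threshold: float = 3.0) -> Set[str]:
    """Flag users whose event count today lies more than `threshold` standard
    deviations above their own history. The spread is floored at one event so a
    perfectly regular history does not make every small change look extreme."""
    today = Counter(ev.user for ev in events)
    flagged: Set[str] = set()
    for user, count in today.items():
        history = baseline_per_day.get(user)
        if not history or len(history) < 2:
            continue                                  # not enough history to judge
        mu = mean(history)
        sigma = max(pstdev(history), 1.0)
        if (count - mu) / sigma > threshold:
            flagged.add(user)
    return flagged


# Constructed per-day event counts from "previous days" for the two users.
BASELINE = {"alice": [2, 3, 3, 4, 3, 2, 4], "bob": [1, 1, 0, 1, 1, 1, 2]}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    locked, alerts = rule_based(evs)
    print("locked:", locked)
    for a in alerts:
        print("ALERT", a)
    print("statistically unusual:", statistical(evs, BASELINE))
```

On the sample, alice's two failures are wiped out by her success and she stays unlocked; bob is locked at his third failure, his later successful login is reported, and his five events against a baseline of about one per day also trip the statistical check.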
WWW Security
• server scripts (Java) can execute programs on your machine!
• Types of WWW security
– SSL = secure sockets layer
» secure “pipe” between two machines
» transparent to application
– S-HTTP = secure HTTP
» secure “envelopes” for messages
» built into browsers

Security Pearls
• Back up key files
• Use encryption on sensitive data
• Use good passwords
• Network security requires expertise
– authentication
– encryption
– firewalls