
Security of Health Information

Security of Health Information. Nancy Clark, M.Ed. FSU College of Medicine http://www.med.fsu.edu/informatics. Objectives. Demonstrate knowledge of issues surrounding the privacy and security of clinical data, including: Health Insurance Portability and Accountability Act (HIPAA)


Presentation Transcript


  1. Security of Health Information Nancy Clark, M.Ed. FSU College of Medicine http://www.med.fsu.edu/informatics

  2. Objectives • Demonstrate knowledge of issues surrounding the privacy and security of clinical data, including: • Health Insurance Portability and Accountability Act (HIPAA) • Patient confidentiality • E-Mail with patients and colleagues • Role of technology

  3. Issues • HIPAA and privacy • Threats to security and privacy • Using good passwords • Using virus software • Hardware/software options • Backing up your system • E-Mail with Patients

  4. HIPAA • Health Insurance Portability and Accountability Act of 1996 • Insurance Reform: carry health insurance to different plans • Administrative Simplification: standards for electronically stored and transmitted data • Improve efficiency of sharing health data • Protecting privacy and confidentiality

  5. Security, Privacy, Confidentiality • Privacy – The Right • Right of individual to have anonymity • Confidentiality – The Expectation • Obligation of the user of an individual’s information to respect and uphold that individual’s privacy • Security – The Mechanism • Policies, procedures, mechanisms, tools, technologies, and accountability methods to support Privacy • PHI – Protected Health Information • Patient-identifiable information protected (paper or electronic)

  6. Illustration Husband's note on refrigerator to his wife: Someone from the Gyna College called- They said Pabst beer is normal.

  7. Compliance Deadlines

  8. Significance of HIPAA What You Need to Know About HIPAA Now “In my opinion, … the unmistakable legacy of HIPAA will be to encourage computerization of all personal health information, regardless of who creates, stores or transmits it. How else can providers meet HIPAA's exhaustive requirements … The alternative to computerizing patients' medical information will be to maintain massive paper logs kept under lock and key.” David C. Kibbe, MD, MBA

  9. Categories of Security Regulations • Administrative procedures • Contingency planning • Information access controls • Staff training

  10. Categories of Security Regulations • Administrative Procedures • Physical safeguards • Medical records storage areas • Printers, copiers, fax machines • Workstations • Server locations

  11. Categories of Security Regulations • Administrative Procedures • Physical safeguards • Technical security • Passwords • Authentication • Digital signatures • Firewalls • Virus protection, VPN, encryption…

  12. Security – The Three “A”s • Authentication • You are who you say you are • Authorization • You can see and do what you are permitted by policy to see and do • Accountability • You are held responsible for what you see and do

  13. Authentication • Passwords – simplest form of authentication • Can be very secure, but one breach can spread rapidly • Can be too secure – if you forget your password

  14. Selecting Good Passwords (Suggestions for Selecting Good Passwords) • Not guessable by any program • Easily remembered • Private • Secret • Change them regularly

  15. Biometric Authentication • Identify who you are by a physical attribute • Signature • Facial Points • Voice Print • Typing Style

  16. Biometric Authentication • Fingerprint • Optical, Digital • Hmmm… would someone in a hospital have access to a severed finger? • Iris • Highly accurate • Same issue as with a dead finger • Requires a camera

  17. Authorization • I’m a valid user of the system, and I’ve been authenticated. I want to see EVERYTHING on EVERYONE!!! • The system can define who is authorized to see and do what

  18. Authorization Models • User Based • I have certain authorization rights based on who I am as an individual • Role Based • I have authority based on my role, e.g. doctor vs. nurse vs. lab technologist • Context Based • Who you are + Where you are + What you are + When you are

  19. Accountability • You are held responsible for what you see and do • Difficult to develop systems-based ways of ensuring accountability • An ethics problem

  20. Accountability • Security can help ensure accountability • Audit Logging – “We know where you’ve been” • Password policies • Alert capabilities
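As an added example (not code from the presentation or from FSU College of Medicine), the following Python sketch puts the three A’s and the three authorization models of slides 12 to 20 together over constructed patient-record requests: authentication is checked before anything else, a role-based table and a user-based treating relationship are applied next, context rules use location and time of day, and every decision, allowed or denied, goes to an audit log with a simple repeated-denial alert. The role names, permissions, locations, hours and identifiers are assumptions chosen for illustration.

```python
"""Authorization gate with audit logging for patient records.

Added example for slides 12-20 (Three A's, authorization models,
accountability); not code from the presentation. Roles, locations,
hours and identifiers below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Set, Tuple

# Role-based model: what each role may do at all (constructed table).
ROLE_PERMISSIONS = {
    "physician": {"read_chart", "write_orders", "read_labs"},
    "nurse": {"read_chart", "read_labs"},
    "lab_tech": {"read_labs", "write_labs"},
    "billing": {"read_demographics"},
}
# Context-based model: "where you are" values treated as clinical workstations.
CLINICAL_LOCATIONS = {"ward-3", "icu", "lab"}
# Context-based model: remote reads are allowed only inside this window.
REMOTE_HOURS = (time(7, 0), time(19, 0))


@dataclass
class User:
    user_id: str
    role: str
    authenticated: bool                      # "you are who you say you are"
    treating_patients: Set[str] = field(default_factory=set)  # user-based rights


@dataclass
class Context:
    location: str                            # "where you are"
    when: datetime                           # "when you are"


@dataclass
class AuditEvent:
    when: datetime
    user_id: str
    action: str
    patient_id: str
    decision: str                            # "ALLOW" or "DENY"
    reason: str


AUDIT_LOG: List[AuditEvent] = []             # "we know where you've been"


def _evaluate(user: User, action: str, patient_id: str, ctx: Context) -> Tuple[str, str]:
    """Apply the policy layers in order and return (decision, reason)."""
    if not user.authenticated:               # authentication precedes authorization
        return "DENY", "not authenticated"
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        return "DENY", f"role '{user.role}' lacks '{action}'"
    # User-based: caregivers see only patients they are treating. This is the
    # rule that stops the "curious about the famous patient" case on slide 21.
    if user.role in {"physician", "nurse"} and patient_id not in user.treating_patients:
        return "DENY", "no treating relationship with patient"
    remote = ctx.location not in CLINICAL_LOCATIONS
    if remote and action.startswith("write_"):
        return "DENY", f"write from non-clinical location '{ctx.location}'"
    if remote and not (REMOTE_HOURS[0] <= ctx.when.time() < REMOTE_HOURS[1]):
        return "DENY", "remote access outside permitted hours"
    return "ALLOW", "policy satisfied"


def authorize(user: User, action: str, patient_id: str, ctx: Context) -> bool:
    """Decide and record. Denials are logged too, because accountability
    must not depend on the requester's cooperation."""
    decision, reason = _evaluate(user, action, patient_id, ctx)
    AUDIT_LOG.append(AuditEvent(ctx.when, user.user_id, action, patient_id, decision, reason))
    return decision == "ALLOW"


def audit_entries_for(user_id: str) -> List[AuditEvent]:
    """Everything a given user tried, in order."""
    return [e for e in AUDIT_LOG if e.user_id == user_id]


def repeated_denials(user_id: str, threshold: int = 3) -> bool:
    """Alert capability (slide 20): flag a user whose denials reach the threshold."""
    denials = sum(1 for e in audit_entries_for(user_id) if e.decision == "DENY")
    return denials >= threshold


if __name__ == "__main__":
    dr = User("dr_jones", "physician", True, {"pt-001"})
    ward = Context("ward-3", datetime(2024, 3, 5, 10, 0))
    print(authorize(dr, "read_chart", "pt-001", ward))      # True
    print(authorize(dr, "read_chart", "pt-999", ward))      # False: not treating
    for e in AUDIT_LOG:
        print(e.when.isoformat(), e.user_id, e.action, e.patient_id, e.decision, e.reason)
```

The ordering matters: a request that fails authentication never reaches the role table, and the log entry for a denial records which layer refused it, which is what a reviewer of the audit trail needs when a pattern of denials triggers the alert.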

  21. Ethics and Morals • One definition • Morals – choice between right and wrong • Ethics – choice between right and right • Example 1 • Famous person in hospital, and you’re curious about their lab results

  22. Workplace Ethics • Many people may have access to patient data • Trust • Knowledge of Rules - Training • Awareness of Consequences

  23. Technology Solutions • Data Encryption • Data Aging – remove data after a certain time • Data Transmission Security – can’t move what isn’t authorized • Local Authentication • Includes time-out function
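Two of the items on slide 23, the local-authentication time-out and data aging, are small enough to show in code. The block below is an added example, not code from the presentation: a workstation session that locks itself after a fixed idle period and refuses requests arriving on a stale session until a local re-authentication succeeds, plus a retention sweep that removes cached records older than a fixed age. The 15-minute idle limit, the 30-day retention period and the sample records are constructed values.

```python
"""Local authentication time-out and data aging.

Added example for slide 23 ("Technology Solutions"); not code from the
presentation. The idle limit, retention period and sample records are
constructed values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

IDLE_TIMEOUT = timedelta(minutes=15)   # assumption: lock after 15 minutes idle
RETENTION = timedelta(days=30)         # assumption: purge cached extracts after 30 days


class Session:
    """A workstation session that locks itself after IDLE_TIMEOUT of inactivity."""

    def __init__(self, user_id: str, started: datetime):
        self.user_id = user_id
        self.last_activity = started
        self.locked = False

    def touch(self, now: datetime) -> bool:
        """Record activity at `now`. Returns False (and locks) if the idle limit
        had already been exceeded, so a request on a stale session is refused
        rather than silently extending it."""
        if self.locked or now - self.last_activity > IDLE_TIMEOUT:
            self.locked = True
            return False
        self.last_activity = now
        return True

    def unlock(self, now: datetime, credential_ok: bool) -> bool:
        """Local re-authentication: only a successful credential check clears the lock."""
        if credential_ok:
            self.locked = False
            self.last_activity = now
        return not self.locked


@dataclass
class CachedRecord:
    patient_id: str
    created: datetime
    content: str


def purge_expired(records: List[CachedRecord], now: datetime) -> Tuple[List[CachedRecord], List[str]]:
    """Data aging: drop records older than RETENTION. Returns (kept, purged patient ids)."""
    kept, purged = [], []
    for r in records:
        if now - r.created > RETENTION:
            purged.append(r.patient_id)
        else:
            kept.append(r)
    return kept, purged


if __name__ == "__main__":
    s = Session("rn_smith", datetime(2024, 3, 5, 9, 0))
    print(s.touch(datetime(2024, 3, 5, 9, 10)))                 # True
    print(s.touch(datetime(2024, 3, 5, 9, 30)))                 # False: 20 minutes idle
    print(s.unlock(datetime(2024, 3, 5, 9, 31), credential_ok=True))  # True
    now = datetime(2024, 3, 5, 12, 0)
    cache = [CachedRecord("pt-001", datetime(2024, 1, 20, 12, 0), "old extract"),
             CachedRecord("pt-002", datetime(2024, 2, 24, 12, 0), "recent extract")]
    kept, purged = purge_expired(cache, now)
    print([r.patient_id for r in kept], purged)                 # ['pt-002'] ['pt-001']
```

The check in `touch` uses the time the request arrives, not the time it is processed, so a request that sat in a queue past the idle limit is still refused; the purge returns the identifiers it removed so the removal itself can be audited.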

  24. Threats to Data Security and Privacy • Viruses, worms, etc. • Hackers/snoopers • Crashes • Theft • Power failure/surges • Trauma/loss

  25. Virus Protection • Norton • McAfee • Others - Computer Security Software • Updating

  26. Unauthorized Access Protection • Firewalls (Home PC Firewall Guide) • Secure network devices • Secure modems • Encryption devices • Virtual Private Networks (VPN) (Introduction to Network Security)

  27. Hardware Solutions • UPS –uninterruptible power supply • Surge protector – power/modem • APC • Tape backup • RAID/mirrored system • Protective cases (laptops and PDAs) • Compucage

  28. Backing Up Your Data • What: e-mail files, word processor files, databases, web bookmarks, files you directly create • Where: Zip/Jaz disk, CD-R or RW, Compact Flash (PDA), DVD, tape, remote sites

  29. E-Mail

  30. Smart E-mailing with Patients Tips to avoid legal problems • Get informed consent • Include instructions when and how e-mail should escalate to phone call or office visit. • Use password-protected screen savers. • Never forward patient-identifiable information to 3rd party • Never use patient's e-mail address in marketing scheme.

  31. Tips to avoid legal problems • Don't share e-mail accounts with family members. • Use encryption when available and practical. • Double-check "to" fields before sending. • Commit policy decisions to writing and electronic form. • Save e-mail communication; electronically or on paper.

  32. Wrap Up • Keep HIPAA on your radar screen • Observe how clerkship faculty practices are dealing with security • Read policies • Ask questions • Follow HIPAA as it unfolds
