1 / 24

Clinical Information System Security Policy (CISS Policy)

Clinical Information System Security Policy (CISS Policy). CSC 662 Computer Security CS2305B. Introduction. The patient’s information is the most important data for clinical affairs. ACH95 ( Keeping Information Confidential )

Download Presentation

Clinical Information System Security Policy (CISS Policy)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Clinical Information System Security Policy(CISS Policy) CSC 662 Computer Security CS2305B

  2. Introduction • The patient’s information is the most important data for clinical affairs. • ACH95 (Keeping Information Confidential) • “Doctors and other clinical professionals are worried that making personal health information more widely available may endanger patient confidentiality”

  3. Scope of the policy • Clinician • Patient • System

  4. Clinician • Clinician (licensed professional such as a doctor, nurse, dentist physiotherapist or pharmacist) who has access in the line of duty to personal health information and is bound by a professional obligation of confidentiality. • Social workers, students, charity workers and receptionists may access personal health information under the supervision of a healthcare professional (but the professional remains responsible for their conduct)

  5. Patient • Patient (the individual’s concerned or the individual’s representative) • The rules may depend on the wishes of the patient • If the patient is a child, parent or guardian of a child will be acts on his behalf

  6. System • System(hardware, software, communications and manual procedures which make up a connected information processing system)

  7. Threats and Vulnerabilities • The ethical basis of clinical confidentiality • In GMC (General Medical Council) booklet, “Confidentiality” state that doctors who record of confidential information must ensure that it is effectively protected against improper disclosure • The basic ethical principle, state Confidentiality is the privilege of the patient, so only he way waive it and the consent must be informed, voluntary and competent

  8. Threats and Vulnerabilities • The ethical basis of clinical confidentiality • for example, patients must be made aware that information may be shared between members of a care team, such as a general practice or a hospital department • There is the issue of the patient's consent to have his record kept on a computer system at all. It is unethical to discriminate against a patient who demands that his records be kept on paper instead

  9. Threats and Vulnerabilities • Other security requirements for clinical information • we also concerned with its integrity and availability • If information is corrupted, clinicians may take incorrect decisions which harm or even kill patients. • If information is unreliable, in the sense that it could have been corrupted then its value as a basis for clinical decisions is decrease

  10. Threats and Vulnerabilities • Threats to clinical confidentiality • Experience shows that the main new threat comes from insiders • Eg : most of the big UK banks now let any teller access any customer's account (private detectives bribe tellers to get account information)

  11. Threats and Vulnerabilities • Threats to clinical confidentiality • security depends on the fragmentation and scattering inherent in manual record systems, and these systems are already vulnerable to private detectives ringing up and pretending to be from another healthcare provider.

  12. Threats and Vulnerabilities • Other security threats to clinical information • Hardware failures occasionally corrupt messages • Higher error rates could result from the spreading practice of sending lab results as unstructured email messages • Viruses have already destroyed clinical information, and a virus could conceivably be written to make malicious alterations to records • A malicious attacker might also manipulate messages

  13. Security Policy • Principle 1 : Access control • Each identifiable clinical record shall be marked with an access control list naming the people or groups of people who may read it and append data to it • The system shall prevent anyone not on the access control list from accessing the record in any way

  14. Security Policy • Principle 2 : Record opening • A clinician may open a record with herself and the patient on the access control list • Where a patient has been refer, she may open a record with herself, the patient and the referring clinician on the access control list

  15. Security Policy • Principle 3 : Control • One of the clinicians on the access control list must be marked as being responsible. • Only she may alter the access control list, and she may only add other health care professionals to it

  16. Security Policy • Principle 4 : Consent and notification • The responsible clinician must notify the patient of the names on his record's access control list when it is opened, of all subsequent additions, and whenever responsibility is transferred. • His consent must also be obtained, except in emergency case

  17. Security Policy • Principle 5 : Persistence • No-one shall have the ability to delete clinical information until the appropriate time period has expired

  18. Security Policy • Principle 6 : Attribution • All accesses to clinical records shall be marked on the record with the subject's name, as well as the date and time • An audit trail must also be kept of all deletions

  19. Security Policy • Principle 7 : Information flow • Information derived from record A may be appended to record B if and only if B's access control list is contained in A's

  20. Security Policy • Principle 8 : Aggregation control • There shall be effective measures to prevent the aggregation of personal health information

  21. Security Policy • Principle 9 : The Trusted Computing Base • Computer systems that handle personal health information shall have a subsystem that enforces the above principles in an effective way • Its effectiveness shall be subject to evaluation by independent experts

  22. Conclusions • Based on the experience, we can conclude that the threats to the confidentiality, integrity and availability of personal health information enforced the medical sector to developed a Clinical Information System that can give the high level protection to patient’s data. • Clinicians making decisions must be compliance with CISS Policy

  23. Conclusions • Nowadays, there is a lot of Clinical Information System but still have a weakness that can cause the data of patient’s spread • So we need to enhance the already system so that we can keep the data as confidentiality

  24. THE END • Reference: • Dr Rose, J. A., (1996). Security in Clinical Information System. Computer Laboratory University of Cambridge.

More Related