1 / 30

Security of Health Care Information Systems

Security of Health Care Information Systems. Chapter 10. Learning Objectives. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external, intentional, and unintentional—to the security of health care information.

irina
Download Presentation

Security of Health Care Information Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security of Health Care Information Systems Chapter 10

  2. Learning Objectives Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external, intentional, and unintentional—to the security of health care information. Outline the components of the HIPAA security regulations. Give examples of administrative, physical, and technical security safeguards currently in use by health care organizations. Discuss the impact and the risks of using wireless networks and allowing remote access to health information, and describe ways to minimize the risks. Health Care Information Systems: A Practical Approach for Health Care Management 2nd Edition Wager ~ Lee ~ Glaser

  3. Outline • Define Security Program • Threats to Health Care Information • HIPAA Security Regulations • Administrative Safeguards • Physical Safeguards • Technical Safeguards • Wireless Security Issues

  4. Security Program • Identifying potential threats • Implementing processes to remove or mitigate threats • Protects not only patient-specific information but also IT assets • Balance need for security with cost of security • Balance need for information access with security

  5. Threats to Health Care Information • Human Threats • Natural or Environmental Threats • Technology Malfunctions

  6. Human Threats • Intentional or Unintentional • Internal or External • Examples • Viruses—intentional & external • Installing unauthorized software—intentional or unintentional & internal • Cause of unintentional may be lack of training

  7. HIPAA Security Standards • Key Terms • Covered entity • Required implementation specification • Addressable implementation specification

  8. Covered Entity (CE) • A health plan • A health care clearinghouse • A health care provider who transmits protected health information (phi) in an electronic form

  9. Required Specification • Must be implemented by the CE Addressable Specification • Implement as stated • Implement an alternative to accomplish the same purpose • Demonstrate that specification is not reasonable

  10. HIPAA Overview • Technology Neutral • Includes • Administrative Safeguards • Physical Safeguards • Technical Safeguards • Policies, Procedures and Documentation

  11. Administrative Safeguards • Security management functions • Assigned security responsibility • Workforce security • Information access management • Security awareness and training • Security incident reporting • Contingency plan • Evaluation • Business associate contacts and other arrangements

  12. Physical Safeguards • Facility access controls • Workstation use • Workstation security • Device and media controls

  13. Technical Safeguards • Access control • Audit controls • Integrity • Person or entity authentication • Transmission security

  14. Policies, Procedures and Documentation • Policies and Procedures • Documentation

  15. Administrative Safeguard Practices • Risk analysis and management (Weil, 2004) • Boundary definition • Threat identification • Vulnerability identification • Security control analysis • Risk likelihood determination • Impact analysis • Risk determination • Security control recommendations

  16. Administrative Safeguard Practices • Chief Security Officer • System Security Evaluation

  17. Physical Safeguard Practices • Assigned security responsibilities • Media controls • Physical access controls • Workstation security

  18. Technical Safeguard Practices • Access control • User-based access • Role-based access • Context-based access

  19. Technical Safeguard Practices • Entity Authentication • Password systems • PINs • Biometric id systems • Telephone callback systems • Tokens • Layered systems

  20. Technical Safeguard Practices • Two-factor authentication (Walsh, 2003) • Use two of the following • Something you know—password, etc • Something you have—token or card, etc • Something you are—fingerprint, etc

  21. Don’t Pick a password that can be guessed Pick a word that can be found Pick a word that is newsworthy Pick a word similar to previous Share your password Do Pick a combination of letters and at least one number Pick a word that you can remember Change your password often Password Do’s and Don’ts

  22. Technical Safeguard Practices • Audit Trails • Data Encryption • Firewall Protection • Virus Checking

  23. Wireless Security • Same problems with security • Plus—difficult to limit the transmission of media to just the areas under your control • Need clear policies & appropriate sanctions • Assign responsibility for hardware

  24. Wireless Security Threats Specific threats and vulnerabilities for wireless networks and handheld devices (Karygiannis & Owens, 2002): Unauthorized access to a computer network through wireless connections, bypassing firewall protections Information that is not encrypted (or has been encrypted with poor techniques) transmitted between two wireless devices may be intercepted Denial-of-service attacks may be directed at wireless connections or devices Sensitive data may be corrupted during improper synchronization Handheld devices are easily stolen Internal attacks may be possible via ad hoc transmissions Unauthorized users may obtain access through piggybacking or war driving. Health Care Information Systems: A Practical Approach for Health Care Management 2nd Edition Wager ~ Lee ~ Glaser

  25. Wireless Security • There are two cryptographic techniques specific to the wireless environment: • WEP (Wired Equivalent Privacy) • WPA (Wi-Fi Protected Access) • WPA is newer and more secure Health Care Information Systems: A Practical Approach for Health Care Management 2nd Edition Wager ~ Lee ~ Glaser

  26. Remote Access Security Remote Access creates additional security issues. CMS issued HIPAA security guidance for remote access in 2006. Health Care Information Systems: A Practical Approach for Health Care Management 2nd Edition Wager ~ Lee ~ Glaser

  27. Health Care Information Systems: A Practical Approach for Health Care Management 2nd Edition Wager ~ Lee ~ Glaser

  28. Health Care Information Systems: A Practical Approach for Health Care Management 2nd Edition Wager ~ Lee ~ Glaser

  29. Summary Slide • Security Program • Threats to Health Care Information • HIPAA Definitions • Covered Entity (CE) • Required Specification • Addressable Specification • HIPAA Overview • Administrative Safeguards • Physical Safeguards • Technical Safeguards • Policies, Procedures and Documentation

  30. Summary Slide (cont.) • Administrative Safeguard Practices • Physical Safeguard Practice • Technical Safeguard Practices • Wireless Security Issues • Remote Access Issues

More Related