300 likes | 378 Views
Hipaa sECURITY. How not to get lost in the Big Ocean of Portable Electronic Health Records: Riding the Wave of Digital Health Information. Gary Beatty President EC Integrity, Inc Vice-Chair ASC X12. Spring Conference April 4, 2008. Influencing the move to eHealthcare.
E N D
Hipaa sECURITY How not to get lost in the Big Ocean of Portable Electronic Health Records: Riding the Wave of Digital Health Information Gary Beatty President EC Integrity, Inc Vice-Chair ASC X12 Spring Conference April 4, 2008
Influencing the move to eHealthcare • Need to reduce the cost of health care • Increase quality of health care • Consumer driven health care • Online health records • Payer support for community health records • Transparency in health care • Pay for performance programs • Governmental
Terminology EMR HR EHR PHR CCR Acronyms Hybrids PHI
Terminology Health Records (AHIMA) • The legal business record for a healthcare organization. • Individually identifiable information • Any medium • Collected, processed, stored, displayed
Terminology • Health Records contain • Diagnosis • Medications • Procedures • Problems • Clinical Notes • Diagnostic Results • Images • Graphs • Other items deemed necessary
Terminology • Health Records • Support continuity of care • Planning patient care • Provides planning information • Resource allocation • Trend analysis • Forecasting • Workload management • Justification for billing information
Terminology • Electronic Medical Record (EMR) (HIMSS) • An application environment composed of: • Clinical Data Repository (CDR) • Clinical Decision Support (CDS) • Controlled medical terminology • Order entry • Computerized provider order entry • Pharmacy • Clinical document applications • Enterprise support • Inpatient and Outpatient • Use to document, monitor and manage delivery of health care • Electronic Medical Record (EMR) (HIMSS) • The EMR is the legal record • Owned by the Care Delivery Organization (CDO)
Terminology • Electronic Health Record (EHR) (HIMSS) • Longitutal electronic medical record across encounters in any care delivery setting. • Resource for clinicians • Secure • Real-time • Point-of-care • Patient centric information source • Aids collection of data for other uses • Billing • Quality management • Outcomes reporting • Resource planning • Public health disease surveillance • Reporting
Terminology • Electronic Health Record (EHR) (HIMSS) • Includes: • Patient demographics • Progress notes • Problems • Medications • Vital signs • Past medical history • Immunizations • Laboratory data • Radiology reports
Terminology • Electronic Health Record (EHR) (HIMSS) • Automates / streamlines clinicians workflow • Complete record of clinical encounter • Supports other care-related activities • Evidence-based decision support • Quality management • Outcome reporting
Terminology • Personal Health Record (PHR) • Created by the individual • Summarizes health and medical history • Gathered from many sources • Format of PHR • Paper • Personal computer • Internet based • Portable storage
Terminology • Continuity of Care Record (CCR) • Patient Health Summary Standard • ASTM / MMS / HIMSS / AAFP / AAP co-development • Core health care components • Sent from one provider to another • Includes • Patient demographics • Insurance information • Diagnosis and problem • Medications • Allergies • Care plan
Terminology • Hybrid Health Record • Both • Paper health records • Electronic health records
Terminology • Protected Health Information (PHI) • Any health care information linked to a person • Health Status • Provision of Health Care • Payment of Health Care • Includes • Names • Geographic subdivision smaller than a state • Dates related to an individual • Phone Numbers • Fax Numbers • Email Addresses • SSN • Medical Record Numbers • Beneficiary Numbers • Account Numbers • Certificate/license numbers; • Vehicle identifiers and serial numbers • license plate numbers • Device identifiers and serial numbers • Web Universal Resource Locators (URLs) • Internet Protocol (IP) address numbers • Biometric identifiers • Finger • voice prints • Full face photographic images and any comparable images • Any other unique identifying number, characteristic, or code
Security Concerns • Privacy • Can anyone else read it? • Authentication • How do I knowwho sent it? • Data Integrity • Did it arrive exactly as sent? • Non-repudiation of receipt • Can the receiver deny receipt? • How do I know it got there? • How do I track these activities?
Modes of Communication • Internet / Intranet • Wired • Wireless • Wifi (802.11a, b, g, i, n) • Bluetooth (Personal Area Network - PAN) • VoiP • Dial-up • Mobile Devices • Smart Phones • Mobile Standards (GSM, GPRS, etc.) • PDA • Tablet PC’s • Physical Media • Magnetic, optical, flash (thumb drives), others
Wireless Security • RC4 (ARC4 /ARCFOUR) – Stream Cypher (easily broken) • Secure Sockets Layer (SSL) • WEP Wire Equivalent Privacy • WPA WiFi Protected Access • WPA2 (based upon 802.11i) • Data Encryption Standards (DES) • Advanced Encryption Standards (AES) • Government strength encryption
Internet Security • Firewall machines • IP address selection • ID + Passwords • Security techniques • Encryption • Digital Signatures • Data Integrity Verification • Non-repudiation • Trading Partner Agreements (TPA)
Symmetric Key(Private) CYPHERTEXT ENCRYPT DECRYPT PLAINTEXT DOCUMENT PLAINTEXT DOCUMENT PROVIDER PAYER PRIVATE KEY
Symmetric Key(Private) • n * (n-1) / 2 keys to manage • 100 users would require 4950 keys • Key size 128 bits • Generally considered fast Gary Alice Julie Karen Frank Erin Dale Mary
Asymmetric Keys (Public/Private)PKI CYPHERTEXT ENCRYPT DECRYPT PLAINTEXT DOCUMENT PLAINTEXT DOCUMENT PROVIDER PAYER PAYER’S PUBLIC KEY PAYER’S PRIVATE KEY
Asymmetric Keys (Public/Private) • n key pairs needed for n partners • key size (128, 768, 1024, 2048 bits) • Generally considered slower • What happens if you lose your key? Gary Alice Julie Public Key Directory Karen Gary Mary E Alice Dale F Frank Karen G Erin Julie H Frank Erin Dale Mary
AuthenticationDigitized vs. Digital Signature • A digitized signature is a scanned image • A digital signature is a numeric value that is created by performing a cryptographic transformation of the hash of the data using the “signer’s” private key. Ö m25_ +¦_+_ò`_^5w+A___enruƒ•\ƒ½PÑ7»q*++¤Gß_¿_°;·Ae¦_7¦?ââ-á+H¶¥-÷90Y å+£ú'¦Æ<§_8óX`p¡ìÉ_V+1^ª+ ¦%Gary A. Beatty <garyb@eci.com>
Data Integrity • Part of the digital signature process • A secure one way hashing algorithm used to create a hash of the data PROVIDER A Provider B Encoded Cypher Cypher Encoded EHR EHR PROVIDER A PRIVATE KEY PROVIDER A PUBLIC KEY Provider B PRIVATE KEY Provider B PUBLIC KEY
Applicability Statement StandardsEDIINT Workgroup of IETF • AS1 – Applicability Statement 1 • Email exchange of electronic transactions • S/MIME – Secure Multi-Purpose Internet Mail Extensions • Uses SMTP (Simple Mail Transfer Protocol) • Satisfies Security Requirements • Encryption • Authentication • Integrity • Non-repudiation • What’s needed • Email capability • Electronic Transaction • Digital Certificate
Applicability Statement StandardsEDIINT Workgroup of IETF • AS2 – Applicability Statement 2 • HTTP exchange of electronic transactions • S/MIME – Secure Multi-Purpose Internet Mail Extensions • Uses HTTPS • Hypertext Transfer Protocol over Secure Socket Layer • Allows for REAL TIME delivery • Satisfies Security Requirements • Encryption • Authentication • Integrity • Non-repudiation • What’s needed • Web Server (static IP address) • Electronic Transaction • Digital Certificate
Applicability Statement StandardsEDIINT Workgroup of IETF • AS3 – Applicability Statement 3 • FTP exchange of electronic transactions • S/MIME – Secure Multi-Purpose Internet Mail Extensions • Uses FTP – File Transfer Protocol • Allows for REAL TIME delivery • Satisfies Security Requirements • Encryption • Authentication • Integrity • Non-repudiation • What’s needed • FTP Server • Electronic Transaction • Digital Certificate
Digital Certificates • Electronic Credit Card • Establishes “Credentials” for electronic transactions • Issues by Credential Authority • Name • Serial Number • Expiration Dates • Certificate Holder’s Public Key • Digital Certificate of Certification Authority • Verified by Registration Authority • X.509 Standards • Registry of Digital Certificates • Access with HIPAA Identifiers
Security – Weak Links • We can secure transmission of data! • Weakest link – usually when data is AT REST! • Paper • On the screen • Waste baskets • Physical Security • Building access • Data Center access • Electronic Security • Screen Savers • Auto Logoff
Thank you Gary Beatty President EC Integrity, Inc Vice-Chair ASC X12 Spring Conference April 4, 2008