HIPAA Security. How not to get lost in the Big Ocean of Portable Electronic Health Records: Riding the Wave of Digital Health Information. Gary Beatty President EC Integrity, Inc Vice-Chair ASC X12. Spring Conference April 4, 2008. Influencing the move to eHealthcare.
Influencing the move to eHealthcare • Need to reduce the cost of health care • Increase quality of health care • Consumer driven health care • Online health records • Payer support for community health records • Transparency in health care • Pay for performance programs • Governmental
Terminology EMR HR EHR PHR CCR Acronyms Hybrids PHI
Terminology Health Records (AHIMA) • The legal business record for a healthcare organization. • Individually identifiable information • Any medium • Collected, processed, stored, displayed
Terminology • Health Records contain • Diagnosis • Medications • Procedures • Problems • Clinical Notes • Diagnostic Results • Images • Graphs • Other items deemed necessary
Terminology • Health Records • Support continuity of care • Planning patient care • Provides planning information • Resource allocation • Trend analysis • Forecasting • Workload management • Justification for billing information
Terminology • Electronic Medical Record (EMR) (HIMSS) • An application environment composed of: • Clinical Data Repository (CDR) • Clinical Decision Support (CDS) • Controlled medical terminology • Order entry • Computerized provider order entry • Pharmacy • Clinical document applications • Enterprise support • Inpatient and Outpatient • Used to document, monitor and manage delivery of health care • Electronic Medical Record (EMR) (HIMSS) • The EMR is the legal record • Owned by the Care Delivery Organization (CDO)
Terminology • Electronic Health Record (EHR) (HIMSS) • Longitudinal electronic medical record across encounters in any care delivery setting. • Resource for clinicians • Secure • Real-time • Point-of-care • Patient centric information source • Aids collection of data for other uses • Billing • Quality management • Outcomes reporting • Resource planning • Public health disease surveillance • Reporting
Terminology • Electronic Health Record (EHR) (HIMSS) • Includes: • Patient demographics • Progress notes • Problems • Medications • Vital signs • Past medical history • Immunizations • Laboratory data • Radiology reports
Terminology • Electronic Health Record (EHR) (HIMSS) • Automates / streamlines clinician's workflow • Complete record of clinical encounter • Supports other care-related activities • Evidence-based decision support • Quality management • Outcome reporting
Terminology • Personal Health Record (PHR) • Created by the individual • Summarizes health and medical history • Gathered from many sources • Format of PHR • Paper • Personal computer • Internet based • Portable storage
Terminology • Continuity of Care Record (CCR) • Patient Health Summary Standard • ASTM / MMS / HIMSS / AAFP / AAP co-development • Core health care components • Sent from one provider to another • Includes • Patient demographics • Insurance information • Diagnosis and problem • Medications • Allergies • Care plan
Terminology • Hybrid Health Record • Both • Paper health records • Electronic health records
Terminology • Protected Health Information (PHI) • Any health care information linked to a person • Health Status • Provision of Health Care • Payment of Health Care • Includes • Names • Geographic subdivision smaller than a state • Dates related to an individual • Phone Numbers • Fax Numbers • Email Addresses • SSN • Medical Record Numbers • Beneficiary Numbers • Account Numbers • Certificate/license numbers • Vehicle identifiers and serial numbers • License plate numbers • Device identifiers and serial numbers • Web Universal Resource Locators (URLs) • Internet Protocol (IP) address numbers • Biometric identifiers • Finger and voice prints • Full face photographic images and any comparable images • Any other unique identifying number, characteristic, or code
Security Concerns • Privacy • Can anyone else read it? • Authentication • How do I know who sent it? • Data Integrity • Did it arrive exactly as sent? • Non-repudiation of receipt • Can the receiver deny receipt? • How do I know it got there? • How do I track these activities?
Modes of Communication • Internet / Intranet • Wired • Wireless • Wi-Fi (802.11a, b, g, i, n) • Bluetooth (Personal Area Network - PAN) • VoIP • Dial-up • Mobile Devices • Smart Phones • Mobile Standards (GSM, GPRS, etc.) • PDA • Tablet PCs • Physical Media • Magnetic, optical, flash (thumb drives), others
Wireless Security • RC4 (ARC4 / ARCFOUR) – Stream Cypher (easily broken) • Secure Sockets Layer (SSL) • WEP Wired Equivalent Privacy • WPA Wi-Fi Protected Access • WPA2 (based upon 802.11i) • Data Encryption Standard (DES) • Advanced Encryption Standard (AES) • Government strength encryption
Internet Security • Firewall machines • IP address selection • ID + Passwords • Security techniques • Encryption • Digital Signatures • Data Integrity Verification • Non-repudiation • Trading Partner Agreements (TPA)
Symmetric Key (Private) [Diagram: PROVIDER encrypts the plaintext document to cyphertext, PAYER decrypts it back to the plaintext document; one PRIVATE KEY]
Symmetric Key (Private) • n * (n-1) / 2 keys to manage • 100 users would require 4950 keys • Key size 128 bits • Generally considered fast [Diagram: eight users: Gary, Alice, Julie, Karen, Frank, Erin, Dale, Mary]
Asymmetric Keys (Public/Private) PKI [Diagram: PROVIDER encrypts the plaintext document to cyphertext with the PAYER'S PUBLIC KEY, PAYER decrypts it back to the plaintext document with the PAYER'S PRIVATE KEY]
Asymmetric Keys (Public/Private) • n key pairs needed for n partners • key size (128, 768, 1024, 2048 bits) • Generally considered slower • What happens if you lose your key? [Diagram: the same eight users and a Public Key Directory]
Authentication: Digitized vs. Digital Signature • A digitized signature is a scanned image • A digital signature is a numeric value that is created by performing a cryptographic transformation of the hash of the data using the “signer’s” private key. [Slide illustration: sample signature value shown for Gary A. Beatty <garyb@eci.com>]
Data Integrity • Part of the digital signature process • A secure one way hashing algorithm used to create a hash of the data [Diagram: an EHR exchanged between Provider A and Provider B, with labels Encoded, Cypher and EHR, and each provider's PRIVATE KEY and PUBLIC KEY]
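Added example (not from the original slides): the hash-then-sign process described on the two slides above, showing that an altered record or a different signer's key makes verification fail. It uses SHA-256 with textbook RSA and constructed toy keys; the key values, record text and function names are assumptions for illustration, and production systems use a vetted library with a padded scheme such as RSA-PSS.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Build (public, private) RSA keys from two primes (needs Python 3.8+)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent: inverse of E
    return (n, E), (n, d)

def digest_int(data):
    """One-way hash of the data (SHA-256), as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, private_key):
    """Digital signature: transform the hash with the signer's private key."""
    n, d = private_key
    return pow(digest_int(data), d, n)

def verify(data, signature, public_key):
    """Recover the signed hash with the public key; compare to a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(data)

# Constructed toy keys: Mersenne primes give a trivially factorable modulus,
# so these keys illustrate the arithmetic only and protect nothing.
PUB_A, PRIV_A = make_keypair(2**521 - 1, 2**607 - 1)    # "Provider A"
PUB_B, PRIV_B = make_keypair(2**127 - 1, 2**1279 - 1)   # "Provider B"

# Constructed sample record and a copy altered in transit.
RECORD = b"MRN=000123|Medication=Warfarin 5 mg daily|Allergy=Penicillin"
TAMPERED = RECORD.replace(b"5 mg", b"50 mg")

SIGNATURE = sign(RECORD, PRIV_A)

def check_all():
    """Return (genuine, altered data, wrong signer) verification results."""
    return (verify(RECORD, SIGNATURE, PUB_A),
            verify(TAMPERED, SIGNATURE, PUB_A),
            verify(RECORD, SIGNATURE, PUB_B))

if __name__ == "__main__":
    print(check_all())  # (True, False, False)
```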
Applicability Statement Standards: EDIINT Workgroup of IETF • AS1 – Applicability Statement 1 • Email exchange of electronic transactions • S/MIME – Secure Multi-Purpose Internet Mail Extensions • Uses SMTP (Simple Mail Transfer Protocol) • Satisfies Security Requirements • Encryption • Authentication • Integrity • Non-repudiation • What’s needed • Email capability • Electronic Transaction • Digital Certificate
Applicability Statement Standards: EDIINT Workgroup of IETF • AS2 – Applicability Statement 2 • HTTP exchange of electronic transactions • S/MIME – Secure Multi-Purpose Internet Mail Extensions • Uses HTTPS • Hypertext Transfer Protocol over Secure Socket Layer • Allows for REAL TIME delivery • Satisfies Security Requirements • Encryption • Authentication • Integrity • Non-repudiation • What’s needed • Web Server (static IP address) • Electronic Transaction • Digital Certificate
Applicability Statement Standards: EDIINT Workgroup of IETF • AS3 – Applicability Statement 3 • FTP exchange of electronic transactions • S/MIME – Secure Multi-Purpose Internet Mail Extensions • Uses FTP – File Transfer Protocol • Allows for REAL TIME delivery • Satisfies Security Requirements • Encryption • Authentication • Integrity • Non-repudiation • What’s needed • FTP Server • Electronic Transaction • Digital Certificate
Digital Certificates • Electronic Credit Card • Establishes “Credentials” for electronic transactions • Issued by Credential Authority • Name • Serial Number • Expiration Dates • Certificate Holder’s Public Key • Digital Certificate of Certification Authority • Verified by Registration Authority • X.509 Standards • Registry of Digital Certificates • Access with HIPAA Identifiers
Security – Weak Links • We can secure transmission of data! • Weakest link – usually when data is AT REST! • Paper • On the screen • Waste baskets • Physical Security • Building access • Data Center access • Electronic Security • Screen Savers • Auto Logoff
Thank you Gary Beatty President EC Integrity, Inc Vice-Chair ASC X12 Spring Conference April 4, 2008