The Culture of Health Care. Privacy, Confidentiality, and Security. Lecture b.
The Culture of Health Care. Privacy, Confidentiality, and Security. Lecture b. This material (Comp 2 Unit 9) was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000015. This material was updated in 2016 by Bellevue College under Award Number 90WT0002. This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/.
Privacy, Confidentiality, and Security: Learning Objectives • Define and discern the differences between privacy, confidentiality, and security (Lecture a). • Discuss methods for using information technology to protect privacy and confidentiality (Lecture b). • Describe and apply privacy, confidentiality, and security under the tenets of HIPAA Privacy and Security rules (Lectures c and d). • Discuss the intersection of a patient’s right to privacy with the need to share and exchange patient information (Lecture d).
Concerns about Security • Comprehensive overview (Herzig, 2010) • Guide to Privacy and Security of Electronic Health Information (ONC & OCR, 2015) • https://www.youtube.com/watch?v=phrXsdnhE7w • Many points of leakage • A problem for paper records, too • Consequences of poor security • Medical identity theft
Flow of Information in Health Care: Many Points to “Leak” 9.2 Chart. Flow of information in health care (Rindfleisch, 1997).
Security for Paper Records Is a Significant Problem • Difficult to audit trail of paper chart • Fax machines, scanners are easily accessible • Records frequently copied for many reasons • New providers, insurance purposes • Records abstracted for variety of purposes • Research • Quality assurance • Insurance fraud → Medical Information Bureau (Rothfeder, 1992)
Potential Consequences of Poor Security • According to Rindfleisch (1997) • Patients avoid health care • Patients lie • Providers avoid entering sensitive data • Providers devise workarounds • California Health Care Foundation (2005) • 13% of consumers admit to engaging in “privacy-protective” behaviors that might put health at risk, such as • Asking doctor to lie about diagnosis • Paying for a test because they did not want to submit a claim • Avoiding seeing their regular doctor
Medical Identity Theft • AHIMA reported in 2008 a growing concern of general identity theft • 2015 Medical Identity Fraud Alliance Annual Report • Medical info more valuable than financial • Costly to the victim • Can be complex to solve over a long time • HHS report outlines approaches to prevention, detection, and remediation (ONC & OCR, 2015)
Tools for Protecting Health Information • Brought to wider light by IOM report For the Record (Committee on Maintaining Privacy and Security, 1997) • Guide to Privacy and Security of Electronic Health Information (ONC & OCR, 2015) • NIST Critical Cybersecurity Infrastructure Framework • SANS • And many more…
Threats to Security • Insider • Accidental disclosure • Curiosity • Malicious/subornation • Outsider • Organized crime • Hacktivists • Cyber thieves
Technologies to Secure Information • Deterrents • Alerts • Audit trails • System management precautions • Software management • Analysis of vulnerability • Obstacles • Authentication • Authorization • Integrity management • Digital signatures • Encryption • Firewalls • Rights management
Encryption • Necessary but not sufficient to ensure security • Is a “safe harbor” under federal and state laws when data loss occurs • Should, however, be used for all communications over public networks, such as the Internet, and with mobile devices • Information is scrambled and unscrambled using a key • Types: Symmetric and asymmetric • Asymmetric, also known as public key encryption, can be used for digital certificates, electronic signatures, and so on
Standards for Encryption and Related Functions • Advanced Encryption Standard (AES): NIST-designated standard for encryption/decryption (Daemen & Rijmen, 2002) • Transport Layer Security (TLS) and predecessor, Secure Sockets Layer (SSL): Cryptographic protocols that provide security for communications over all points on networks (Rescorla, 2001) • Internet Protocol Security (IPsec): Protocol for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream • Part of IPv6 but also added as standalone on top of IPv4 • Secure Hash Algorithm (SHA): Protocols that ensure integrity of transmitted information and documents (NIST, 2002) • Security flaws have been identified in SHA-1, so SHA-2 family of protocols has been developed • For more: • Secure Hash Algorithm https://en.wikipedia.org/wiki/Secure_Hash_Algorithm • NIST’s Cryptographic Toolkit http://csrc.nist.gov/groups/ST/toolkit/index.html
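Added example, not part of the original lecture material: the SHA-2 integrity check from the Secure Hash Algorithm bullet above, applied to the audit trails listed earlier under deterrents, as a SHA-256 hash chain in Python. This goes beyond the slide's one-line description; the record fields, function names and sample events are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the chain


def entry_digest(prev_hash, record):
    # SHA-256 (SHA-2 family) over the previous digest plus the canonical record.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(trail, record):
    # Link each new entry to the digest of the entry before it.
    prev_hash = trail[-1]["digest"] if trail else GENESIS
    digest = entry_digest(prev_hash, record)
    trail.append({"record": record, "prev": prev_hash, "digest": digest})
    return digest


def first_broken_entry(trail, trusted_head=None):
    """Index of the first entry that fails verification, or -1 if none does.

    trusted_head is the last digest, kept where the trail's writer cannot
    change it. If the entries are consistent but do not end at trusted_head
    (truncated or fully rewritten trail), len(trail) is returned.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(trail):
        if entry["prev"] != prev_hash:
            return i
        if entry_digest(prev_hash, entry["record"]) != entry["digest"]:
            return i
        prev_hash = entry["digest"]
    if trusted_head is not None and prev_hash != trusted_head:
        return len(trail)
    return -1


def build_sample_trail():
    # Constructed sample: three access events on one chart.
    trail, head = [], GENESIS
    for user, action in [("nurse01", "view"), ("dr02", "edit"), ("clerk03", "print")]:
        record = {"user": user, "action": action, "chart": "chart-1001"}
        head = append(trail, record)
    return trail, head
```

Editing any stored record changes its digest and breaks every later link, so the check reports where the trail stops being trustworthy.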
For the Record Best Practices (Committee on Maintaining Privacy and Security, 1997) • Organizational • Information & security governance • Confidentiality and security policies and committees • Education and training programs • Sanctions • Patient access to audit trails • Management dashboards • Risk management and compliance • Technical • Authentication of users • Audit trails • Physical security and disaster recovery • Protection of remote access points and external communications • Software discipline • Ongoing system vulnerability assessment • Infrastructure management
Authentication and Passwords • Authentication: Process of gaining access to secure computer • Usual approach is passwords (“what you know”), but secure systems may add physical entities (“what you have”) • Biometric devices: Physical characteristic (e.g., thumbprint) • Physical devices: Smart card or some other physical “key” • Ideal password is one you can remember but no one else can guess • Typical Internet user interacts with many sites for which he/she must use password • “single sign-on” is commonly used • Two-factor authentication
Some Challenges with Passwords • Common approach to security is password “aging” (i.e., expiration), which is less effective than other measures (Wagner, Allan, & Heiser, 2005) • Session-locking: One or small number of simultaneous logons • Login failure lockout: After 3 to 5 attempts • Password aging may also induce counterproductive behavior (Allan, 2005)
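Added example, not from the original lecture: the login failure lockout and session-locking controls named on this slide, written in Python. The class and method names, the PBKDF2 iteration count and the sample account used to exercise it are assumptions made for illustration.

```python
import hashlib
import hmac

MAX_FAILURES = 5   # slide: lock out after 3 to 5 failed attempts
MAX_SESSIONS = 1   # slide: one or a small number of simultaneous logons


def _hash(password, salt):
    # PBKDF2 from the standard library; the iteration count is an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    def __init__(self):
        self.users = {}      # name -> (salt, password hash)
        self.failures = {}   # name -> consecutive failed attempts
        self.sessions = {}   # name -> set of open session ids

    def enroll(self, name, password, salt):
        self.users[name] = (salt, _hash(password, salt))

    def login(self, name, password, session_id):
        """Return 'ok', 'bad-credentials', 'locked' or 'too-many-sessions'."""
        if self.failures.get(name, 0) >= MAX_FAILURES:
            return "locked"              # stays locked until unlock()
        # Unknown names still cost one hash, so timing does not reveal them.
        salt, stored = self.users.get(name, (b"no-such-user", b""))
        if not hmac.compare_digest(_hash(password, salt), stored):
            self.failures[name] = self.failures.get(name, 0) + 1
            return "bad-credentials"
        self.failures[name] = 0          # a success resets the counter
        open_sessions = self.sessions.setdefault(name, set())
        if len(open_sessions) >= MAX_SESSIONS:
            return "too-many-sessions"
        open_sessions.add(session_id)
        return "ok"

    def logout(self, name, session_id):
        self.sessions.get(name, set()).discard(session_id)

    def unlock(self, name):
        self.failures[name] = 0          # administrator action
```

Once the account is locked, even the correct password is refused until an administrator clears the counter.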
Health Information Security Is Probably a Trade-off 9.3 Chart. Health information security is a trade-off (CC BY-NC-SA 3.0, 2012).
A Need for Ongoing Research • One of the four HITECH Strategic Healthcare IT Advanced Research Projects (SHARP) projects was focused on security: www.sharps.org • Resources provided by ONC on many aspects of privacy and security • Security risk assessments, mobile devices, to name a few • NIST • Many other initiatives
Other Issues to Ponder… • Who owns information? • How is informed consent implemented? • When does public good exceed personal privacy? • e.g., public health, research, law enforcement • What conflicts are there with business interests? • How do we let individuals “opt out” of systems? • What are the costs? When do we override?
Privacy, Confidentiality, and Security: Summary – Lecture b • There are many points where information can “leak” out of the system • Many technologies are available for protecting security • Encryption is necessary but not sufficient • Paper-based information has its own security problems
Privacy, Confidentiality, and Security: References – Lecture b References Allan, A. (2005). Password aging can burden an already-weak authentication method. Stamford, CT: Gartner. American Health Information Management Association. (2003). Flow of patient health information inside and outside the healthcare industry. Retrieved from http://library.ahima.org/PdfView?oid=22958 Bowe, Robin. (2013). Identity crisis: Organizations are implementing medical identity theft teams to combat rising incidents. Journal of AHIMA, 84(1), 38–42. California Health Care Foundation (CHCF). (2005). National consumer health privacy survey 2005. Oakland: CHCF. Retrieved from http://www.chcf.org/topics/view.cfm?itemID=115694 Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure. (1997). For the record: Protecting electronic health information. Washington, DC: National Academies Press. Retrieved from http://www.nap.edu/catalog/5595/for-the-record-protecting-electronic-health-information Daemen, J., & Rijmen, V. (2002). The design of Rijndael: AES—The advanced encryption standard. Berlin, Germany: Springer-Verlag. Herzig, T. (Ed.). (2010). Information security in healthcare—Managing risk. Chicago, IL: Healthcare Information Management Systems Society. Joint NEMA/COCIR/JIRA Security and Privacy Committee (SPC). (2004). Break glass procedure: Granting emergency access to critical ePHI systems. Retrieved from http://hipaa.yale.edu/security/break-glass-procedure-granting-emergency-access-critical-ephi-systems
Privacy, Confidentiality, and Security: References – Lecture b Continued McNabb, J., & Rhodes, H. B. (2014). Combating the privacy crime that can KILL. Journal of AHIMA, 85(4), 26–29. National Academies Press (1997). For the record protecting electronic health information. Retrieved from https://www.nap.edu/read/5595/chapter/2#4 National Institute for Standards and Technology (NIST). (2015). Secure hash standard. Gaithersburg, MD: National Institute for Standards and Technology. Retrieved from http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf National Institute of Standards and Technology (NIST). (2014). Cryptographic toolkit. Retrieved from http://csrc.nist.gov/groups/ST/toolkit National Institute of Standards and Technology (NIST). (2014). Framework for improving critical infrastructure cybersecurity. Retrieved from http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf Office of the National Coordinator for Health Information Technology (ONC) & Office for Civil Rights (OCR). (2015). Guide to privacy and security of electronic health information. Retrieved from https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf Pabrai, A. (2008, January 23). The single sign-on solution. H&HN’s Most Wired Magazine. Ponemon Institute. (2015). Fifth annual benchmark study on privacy and security of healthcare data. Retrieved from https://www2.idexpertscorp.com/fifth-annual-ponemon-study-on-privacy-security-incidents-of-healthcare-data
Privacy, Confidentiality, and Security: References – Lecture b Continued 2 Rescorla, E. (2001). SSL and TLS: Designing and building secure systems. Boston: Addison Wesley. Rindfleisch, T. (1997). Privacy, information technology, and healthcare. Communications of the ACM, 40(8), 93–100. Rothfeder, J. (1992). Privacy for sale: How computerization has made everyone’s private life an open secret. New York: Simon & Schuster. The SANS Institute. (2016). About (SANS). Retrieved from https://www.sans.org/about Wagner, R., Allan, A., & Heiser, J. (2005). Eight security practices offer more value than password aging. Stamford, CT: Gartner. Wikipedia. (2016). Secure hash algorithm. Retrieved from https://en.wikipedia.org/wiki/Secure_Hash_Algorithm Charts, Tables, Figures 9.2 Chart. Flow of information in health care (Rindfleisch, 1997). 9.3 Chart. Health information security is a trade-off (CC BY-NC-SA 3.0, 2012).