Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Similar presentations


Presentation on theme: "Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,"— Presentation transcript:

1 Chapter 10

2 Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external, intentional, and unintentional—to the security of health care information. Outline the components of the HIPAA security regulations. Give examples of administrative, physical, and technical security safeguards currently in use by health care organizations. Discuss the impact and the risks of using wireless networks and allowing remote access to health information, and describe ways to minimize the risks. Health Care Information Systems: A Practical Approach for Health Care Management 2nd Edition Wager ~ Lee ~ Glaser

3 Define Security Program Threats to Health Care Information HIPAA Security Regulations Administrative Safeguards Physical Safeguards Technical Safeguards Wireless Security Issues

4 Identifying potential threats Implementing processes to remove or mitigate threats Protects not only patient-specific information but also IT assets Balance need for security with cost of security Balance need for information access with security

5 Human Threats Natural or Environmental Threats Technology Malfunctions

6 Intentional or Unintentional Internal or External Examples  Viruses—intentional & external  Installing unauthorized software—intentional or unintentional & internal Cause of unintentional may be lack of training

7 Key Terms  Covered entity  Required implementation specification  Addressable implementation specification

8 A health plan A health care clearinghouse A health care provider who transmits protected health information (phi) in an electronic form

9 Must be implemented by the CE Implement as stated Implement an alternative to accomplish the same purpose Demonstrate that specification is not reasonable

10 Technology Neutral Includes  Administrative Safeguards  Physical Safeguards  Technical Safeguards  Policies, Procedures and Documentation

11 Security management functions Assigned security responsibility Workforce security Information access management Security awareness and training Security incident reporting Contingency plan Evaluation Business associate contacts and other arrangements

12 Facility access controls Workstation use Workstation security Device and media controls

13 Access control Audit controls Integrity Person or entity authentication Transmission security

14 Policies and Procedures Documentation

15 Risk analysis and management (Weil, 2004)  Boundary definition  Threat identification  Vulnerability identification  Security control analysis  Risk likelihood determination  Impact analysis  Risk determination  Security control recommendations

16 Chief Security Officer System Security Evaluation

17 Assigned security responsibilities Media controls Physical access controls Workstation security

18 Access control  User-based access  Role-based access  Context-based access

19 Entity Authentication  Password systems  PINs  Biometric id systems  Telephone callback systems  Tokens  Layered systems

20 Two-factor authentication (Walsh, 2003)  Use two of the following  Something you know—password, etc  Something you have—token or card, etc  Something you are—fingerprint, etc

21 Don’t  Pick a password that can be guessed  Pick a word that can be found  Pick a word that is newsworthy  Pick a word similar to previous  Share your password Do  Pick a combination of letters and at least one number  Pick a word that you can remember  Change your password often

22 Audit Trails Data Encryption Firewall Protection Virus Checking

23 Same problems with security Plus—difficult to limit the transmission of media to just the areas under your control Need clear policies & appropriate sanctions Assign responsibility for hardware

24 Specific threats and vulnerabilities for wireless networks and handheld devices (Karygiannis & Owens, 2002): Unauthorized access to a computer network through wireless connections, bypassing firewall protections Information that is not encrypted (or has been encrypted with poor techniques) transmitted between two wireless devices may be intercepted Denial-of-service attacks may be directed at wireless connections or devices Sensitive data may be corrupted during improper synchronization Handheld devices are easily stolen Internal attacks may be possible via ad hoc transmissions Unauthorized users may obtain access through piggybacking or war driving. Health Care Information Systems: A Practical Approach for Health Care Management 2nd Edition Wager ~ Lee ~ Glaser

25 There are two cryptographic techniques specific to the wireless environment:  WEP (Wired Equivalent Privacy)  WPA (Wi-Fi Protected Access) WPA is newer and more secure Health Care Information Systems: A Practical Approach for Health Care Management 2nd Edition Wager ~ Lee ~ Glaser

26 Remote Access creates additional security issues. CMS issued HIPAA security guidance for remote access in Health Care Information Systems: A Practical Approach for Health Care Management 2nd Edition Wager ~ Lee ~ Glaser

27

28

29 Security Program Threats to Health Care Information HIPAA Definitions  Covered Entity (CE)  Required Specification  Addressable Specification HIPAA Overview  Administrative Safeguards  Physical Safeguards  Technical Safeguards  Policies, Procedures and Documentation

30 Administrative Safeguard Practices Physical Safeguard Practice Technical Safeguard Practices Wireless Security Issues Remote Access Issues


Download ppt "Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,"

Similar presentations


Ads by Google