Presentation is loading. Please wait.

Presentation is loading. Please wait.

Configuring Electronic Health Records Privacy and Security in the US Lecture d This material (Comp11_Unit7d) was developed by Oregon Health & Science University,

Similar presentations


Presentation on theme: "Configuring Electronic Health Records Privacy and Security in the US Lecture d This material (Comp11_Unit7d) was developed by Oregon Health & Science University,"— Presentation transcript:

1 Configuring Electronic Health Records Privacy and Security in the US Lecture d This material (Comp11_Unit7d) was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC

2 Privacy and Security in the US Learning Objectives Compare and contrast the concepts of privacy and security (Lecture a) List the regulatory frameworks for an EHR (Lecture b, c) Describe the concepts and requirements for risk management (Lecture d) Describe authentication, authorization and accounting (Lecture d) Describe passwords and multi-factor authentication and their associated issues (Lecture d) Describe issues with portable devices (Lecture d) Describe elements of disaster preparedness and disaster recovery (Lecture e) Describe issues of physical security (Lecture e) Describe malware concepts (Lecture f) 2 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d

3 Risk Analysis Requirement § Administrative safeguards. (a) (1) (ii) (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. 3 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d

4 Risk Management Requirement § Administrative safeguards. (a)(1)(ii)(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § (a). 4 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d

5 Evaluation Requirement § Administrative safeguards. (a)(8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity’s or business associate’s security policies and procedures meet the requirements of this subpart. 5 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d

6 Risk Management Guide for Information Technology Systems Special Publication from National Institute of Standards and Technology Outlines a nine step process Referred to in the responses to the comments to the current final security rule in the Federal Register 6 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d

7 Risk Assessment Methodology Flowchart 7 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d 4.3 Chart: Risk Assessment Methodology Flowchart, top half. (Stoneburner, G., 2010, PD-US)

8 Risk Assessment Methodology Flowchart (continued) 8 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d 4.4 Chart: Risk Assessment Methodology Flowchart, bottom half. (Stoneburner, G., 2010, PD-US)

9 Strategic Plan for Security Determine what controls to implement Compile the remediation tasks Align information security controls with business strategic plans Align information security controls with regulatory requirements Create a prioritized plan of action Publish and share the plan 9 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d

10 Security of Patient Data Patient data collected and stored in hospitals and healthcare facilities is the most valuable for fraudulent use Hospitals are aggregators of birth and death records which are often used for synthetic identity theft Patient data breaches are the most difficult to clean-up and cause problems beyond financial damage 10 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d

11 Data Leakage Inappropriate movement of data Consider: –Recordable CDs & DVDs –Flash drives –External drives –PDAs –Hard copy – –FTP –External storage –Cloud-based storage –Social media –Others Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d

12 Additional Threats Loss or theft Exposure of data Data interception Viruses 12 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d

13 Policy Considerations for Portable Devices and External Access What is allowed? What is supported? How? Who pays? Who buys and owns? What services? How is it integrated? What are the user’s responsibilities? How is the user educated? 13 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d

14 Policy Should Include: Acceptable use Product standards Security procedures Data restrictions Ownership Enforcement and sanctions Network access Liability Purchasing strategies Budgets and reimbursements 14 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d

15 Tracking Data Breaches How is system access tracked? What access should be made inaccessible, or locked down? What are the impacts on staff? 15 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d

16 Access: Identification How are users identified to the system? Systems need a unique identifier In addition to access, used for authorization and accountability Examples include an account name, an account number, a MRN Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d

17 Authentication Ensure that the user is the individual associated with the identifier Multiple authentication methods (factors): –Something the user knows (password, PIN) –Something the user has (token, card) –Something the user is (biometrics) 17 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d

18 Passwords Most common factor Trade-off between security and usability “There is consensus in the literature that a properly written password policy can provide an organization with increased security.” “There is, however, less accord in describing just what such a well-written policy would be, or even how to determine whether a given policy is effective.” 18 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d

19 Elements of Password Policies Random Base of password Number of characters Number of lower and upper case characters Number of numbers Number of symbols Password expiration Password re-use 19 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d

20 Passphrase Mnemonic technique to generate a password “Bill Smith drives a 2008 BMW” BSda2008BMW Still have to think about special characters What about changing a password? 20 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d

21 Password Risks Weak passwords Password re-use Phishing / social engineering Sharing Artifacts “Shoulder surfing” Keystroke loggers Brute force Cracking tools, including password hash & rainbow table 21 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d

22 Passwords in Clinical Environments “… you really have to go through a lot of passwords to get [patient care] … information” Users locked out with invalid password attempts Users locked out if systems not accessed in four to six weeks Passwords illicitly stored and shared 22 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d

23 Single Sign On One password/authentication for many systems Simplify user login process – only authenticate once Fewer passwords need to be remembered; may result in stronger password usage Can help with password management However: –Once broken, intruder has access to many systems –Password policy is critical –Can be challenging to implement 23 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d

24 Stronger Authentication Two factor authentication –OTP tokens –Smart cards 24 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d

25 Biometrics Fingerprint scanner Handprint reader Retina scanner Consider: –Failure to enroll –Failure to capture –False negatives –False positives 25 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d

26 Privacy and Security in the US Summary – Lecture d Risk assessment Portable devices System Access 26 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d

27 Privacy and Security in the US References – Lecture d References Dropbox Inc. (2011). Dropbox. San Francisco, CA. Fernando, J. (2010). Jabberwocky: The Nonsense of Clinician eHealth Security. International Journal of Digital Society, 1(3). Kroll Fraud Solutions. (2008) HIMSS Analytics Report: Security of Patient Data. Office of the Federal Register. (2010). Federal Register, from 14/pdf/FR pdfhttp://www.gpo.gov/fdsys/pkg/FR /pdf/FR pdf Shay, R., Komanduri, S., Kelley, P. G., Leon, P. G., Mazurek, M. L., Bauer, L., et al. (2010). Encountering Stronger Password Requirements: User Attitudes and Behaviors. Paper presented at the Symposium on Usable Privacy and Security (SOUPS), Redmond, WA. Stoneburner, G., Goguen, A., & Feringa, A. (2010). Risk Management Guide for Information Technology Systems,.Retrieved Jan 2012 from U.S. Government Printing Office.Code of Federal Regulations. Retrieved Jan 2012 from Images 4.3 Chart: Stoneburner, G., Goguen, A., & Feringa, A. (2010). Risk Assessment Methodology Flowchart from Risk Management Guide for Information Technology Systems (pp. 9). Gaithersburg, MD: National Institute of Standards and Technology. Retrieved Jan 2012 from 30_Figure_3-1.png (PD-US).http://upload.wikimedia.org/wikipedia/commons/5/5a/NIST_SP_ _Figure_3-1.png 4.4 Chart: Stoneburner, G., Goguen, A., & Feringa, A. (2010). Risk Assessment Methodology Flowchart from Risk Management Guide for Information Technology Systems (pp. 9). Gaithersburg, MD: National Institute of Standards and Technology. Retrieved Jan 2012 from 30_Figure_3-1.png (PD-US).http://upload.wikimedia.org/wikipedia/commons/5/5a/NIST_SP_ _Figure_3-1.png 27 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture d


Download ppt "Configuring Electronic Health Records Privacy and Security in the US Lecture d This material (Comp11_Unit7d) was developed by Oregon Health & Science University,"

Similar presentations


Ads by Google