1. Patient Data Security and Privacy Lecture # 7 PHCL 498 Amar Hijazi, Majed Alameel, Mona AlMehaid

2. Agenda  Defining Information Security  Information Security Goals  Security Risks  Defining Information Privacy

3. Introduction  In medical practice patients are unlikely to share sensitive information unless they trust that you will honor their confidentiality  Ponemon Institute released a 2011 research report on patient privacy and security with the following key findings:  Healthcare data breaches are on the rise; 32 % rise over the previous years  Widespread use of mobile technology is putting data at risk  In spite of breaches, many organizations have not set data privacy and security as a priority  Financial consequences of data breaches are very significant  Medical identity theft is a major problem

4. Why does it Matter? Ensuring Privacy and Security of health information, including information in EHR is the key component to building the trust required to realize the potential benefits of electronic health information capture and exchange

5. Defining Information Security  Refers to protecting information and information systems from unauthorized:  Access  Use  Disclosure  Disruption  Modification  Destruction

6. Information Security Pillars/Goals AvailabilityConfidentiality Integrity

7. Confidentiality  Is the avoidance of the unauthorized disclosure of information  Involves:  Protection of data  Providing access for those who are allowed to see the data  Disallowing non-allowed from learning anything about the data

8. Tools for Confidentiality  Encryption  Access Control  Authentication  Authorization  Physical security

9. Encryption  The transformation of information using a secret, called an encryption key, so that the transformed information can only be read using another secret, called the decryption key  Allowing two parties to establish confidential communication over an insecure channel that is subject to eavesdropping

10. Access Control  Rules and policies that limit access to confidential information to those people and /or systems with a “need to know”  This need to know may be determined by identity, such as a person’s name or a computer’s serial number, or by a role that a person has, such as being a manager or a computer security specialist

11. Authentication  The determination of the identity or role that someone has  Could be performed by different ways and usually based on a combination of:  Something a person has (e.g. Smart cards)  Something a person knows (e.g. Password)  Something a person is (e.g. Fingurprint)

12. Authorization  The determination if a person or system is allowed access to resources, based on access control policy

13. Physical Security  The establishment of physical barriers to limit access to protected computational resources  Such barriers include locks on cabinets and doors, the placement of computers in windowless rooms and even the construction of buildings or rooms with walls incorporating copper meshes so that electromagnetic signals cannot enter or exit enclosures

14. Integrity  Ensuring that information has not been altered in an unauthorized way  Tools:  Backups  Capturing Data Correction

15. Availability  Ensuring that information is accessible and modifiable in a timely manner by those authorized to do so  Tools:  Physical protection: infrastructure meant to keep information available  Computational redundancies: computers and storage devices that serve as fallbacks in the case of failure

16. Safeguards Required by HIPPA Security Rule  Administrative  Physical  Technical

17. Security Risks needed to be Analyzed  Vulnerabilities: weaknesses in a system that could be used to cause harm (e.g. user access controls are not properly configured allowing staff to inappropriately view patient information)  Threats: sets of circumstances with the potential to cause harm (e.g. theft of portable device that stores or can access patient information)  Attacks: occur when vulnerabilities are deliberately exploited

18. Defining Information Privacy  Is a set of rules and standards for the use and disclosure of individually identifiable health information – often referred to as protected health information – by specific entities, as well as standards for providing individuals with privacy rights helping them controlling how their health information is used  The patient has the right to:  Examine and obtain a copy of their health records  Have corrections added to their health information  Receive a notice that discusses how health information can be used or shared for certain purposes  Provide permission on whether health information can be used or shared  Get reports on when and why health information was shared  File a complaint if rights are being denied or health information is not being protected

19. HIPPA Privacy Rule  There is a method that can be employed to use and release data without restrictions  The privacy rule mandates that organizations de-identify the data by removing:  Names  Geographic subdivisions smaller than a state  Birth dates, admission date, discharge date, date of death  Telephone number  Facsimile numbers  Medical record number

20. HIPPA Information Privacy, Con’d  Health plan beneficiary number  Account number  Certificate/license number  Vehicle identifiers  Device identifiers  URL (web Universal Recourse Locator)  IP (internet protocol) address number  Biometric identifier (fingerprint)  Photographic images  Any other unique identifier

21. Properly Configured HER should Provide  Unique passwords and user names  User and role based access controls  Backup and recovery  Encryption  Appropriate and properly installed wireless capabilities