Presentation is loading. Please wait.

Presentation is loading. Please wait.

Design of Health Technologies lecture 22 John Canny 11/28/05.

Published byCory Fox Modified over 8 years ago

Similar presentations

Presentation on theme: "Design of Health Technologies lecture 22 John Canny 11/28/05."— Presentation transcript:

1 Design of Health Technologies lecture 22 John Canny 11/28/05

2 Healthcare IT Security Security is a critical aspect of Health IT performance: without secure systems, privacy protection is impossible. The Health and Human Services Agency published a proposed “security rule” in August 1998. Final rule was adopted Feb. 2003. It’s a set of best practices for securing information systems. Compliance is mandatory for health providers, plans, and clearinghouses.

3 Security Rule Compliance Large organizations were required to comply by April 21, 2005. Small organizations must comply by April 21, 2006. Final rule is available here: http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp

4 Security Rule Compliance The security rule creates an additional burden on providers to improve their IT infrastructure. On the flip side, the same improvements might actually improve service (e.g. enabling internet-based secure health information access, or secure wireless). A more sanguine perspective is that any mandatory IT upgrade is an opportunity for global improvement – many problems can be fixed at once.

5 Data CIA (Confidentiality, Integrity, Availability) The security rule is divided into 3 parts: 1. 1. Administrative safeguards 2. 2. Physical safeguards 3. 3. Technical safeguards

6 Administrative safeguards These steps are required at the highest level: 1. 1. Risk Analysis must be performed 2. 2. Risk Management sufficient for compliance 3. 3. Sanction Policy: against employees who don’t comply 4. 4. Information System Activity Review: records & logs 5. 5. Security Responsibility: assign a security official

7 Administrative safeguards Some required steps: 1. 1. Isolate Health Clearinghouse from rest of organization 2. 2. Access Control for protected records 3. 3. Access Establishment and modification 4. 4. Security Reminders: updates and messages 5. 5. Protection from Malicious Software 6. 6. Log-in Monitoring: all login attempts 7. 7. Password Management

8 Administrative safeguards Standards for availability: 1. 1. Data Backup Plan 2. 2. Disaster Recovery Plan 3. 3. Emergency Mode Operation Plan 4. 4. Testing and Revision of contingency plans 5. 5. Applications and Data Criticality Analysis: Identify the critical components in an emergency

9 Physical Safeguards Here are some: 1. 1. Facility Access Control 2. 2. Emergency Facility Access 3. 3. Physical Access to Workstations 4. 4. Media Access Controls 5. 5. Disposal Policies 6. 6. Media Erasure before Re-use

10 Technical Safeguards Here are some: 1. 1. Access Controls 2. 2. Unique User IDs 3. 3. Emergency Access Procedures 4. 4. Automatic Logoff (optional) 5. 5. Encryption and Decryption (optional) 6. 6. Audit Controls (optional)

11 Technical Safeguards Some more optional sections: 1. 1. Access Records: who accessed PHI 2. 2. Personal Identity: is the user really who they claim to be? Biometrics? 3. 3. Transmission Security: Secure communication channels

12 Over the Atlantic… The European Parliament has been passing security and privacy rules as well. “On the protection of medical data” (Recommendation R(97)5) is still a recommendation. The most recent is Directive 2002/58 “Privacy and electronic communications: Processing of personal data and the protection of privacy in electronic communication”

13 R(97)5 summary The European recommendation covers a lot of ground in the short document. It specifies both HIPAA-style privacy rules, as well as data-protection procedures. Stronger emphasis on results of genetic testing: 1. 1. Patients should have access 2. 2. It should not be illegal in the country 3. 3. The information is not likely to cause harm (?)

14 Gritzalis et al. paper This paper is based mostly on EU directives on general electronic privacy, as well as the medical security proposal. The paper also includes a sample RA (Risk Analysis) for the Beta-Thalassemia unit using CRAMM (CCTA Risk Analysis and Management Methodology).

15 Risk Analysis

16

17 Gritzalis et al. paper Proposals: Authentication: Smart cards, X.509 certificates, CHAP, EAP Communication: SSL, application-level security Disclosure from client machines (discourage): Through explicit web form fields Cookies and client-side script engines Anonymization methods: various technical approaches are listed, not clear any of these are intended to be used.

18 Gritzalis et al. paper ASP model: Control local code execution. Any code to be executed locally must be signed by someone (e.g. Microsoft or Verisign). Aside: Smart phones typically include additional quality control for locally-run code: e.g. “True Brew” certification for Qualcomm Brew phones. Other Certification Programs: Sony (Playstation) Microsoft (Xbox) Nintendo etc…. Microsoft for Windows device drivers

19 Medical service provider responsibilities Inform users about their services, ask for consent for required uses of client information. Use standards such as CEN and HL7 Use RBAC (Role-Based Access Control) Moderated Mailing Lists (?) w/ usage permissions Do not downgrade functionality to users who refuse to provide specific information

20 Discussion Questions Q1: Is Quality Certification a viable method for helping to secure medical software? Points of comparison: phone and driver software just mentioned, medical equipment, drugs,… How could it be implemented? Q2: Implementation of the security rule usually requires a significant overhaul of IT infrastructure. Discuss the trade-off in building secure systems “from scratch” vs. a “generalized firewall” approach which puts secure screens around vulnerable IT.

Download ppt "Design of Health Technologies lecture 22 John Canny 11/28/05."

Similar presentations

RBAC and HIPAA Security Uday O. Ali Pabrai, CHSS, SCNA Chief Executive, HIPAA Academy.

RBAC and HIPAA Security Uday O. Ali Pabrai, CHSS, SCNA Chief Executive, HIPAA Academy.
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
1 HIPAA Security Final Rule Overview April 9, 2003Karen Trudel.

1 HIPAA Security Final Rule Overview April 9, 2003Karen Trudel.
HIPAA, Computer Security, and Domino/Notes Chuck Connell, www.chc-3.comwww.chc-3.com.

HIPAA, Computer Security, and Domino/Notes Chuck Connell,
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
HIPAA and the GLB Connections Between Congress and Information Assurance.

HIPAA and the GLB Connections Between Congress and Information Assurance.
Bringing HIPAA to Hospital Systems HIPAA impact on hospital systems viaMD solution for HIPAA compliance W e b e n a b l i n g Pa t i e n t A d m i t t.

Bringing HIPAA to Hospital Systems HIPAA impact on hospital systems viaMD solution for HIPAA compliance W e b e n a b l i n g Pa t i e n t A d m i t t.
Where to start Ben Burton, JD, MBA, RHIA, CHP, CHC.

Where to start Ben Burton, JD, MBA, RHIA, CHP, CHC.
HIPAA Security Regulations Jean C. Hemphill Ballard Spahr Andrews & Ingersoll, LLP November 30, 2004.

HIPAA Security Regulations Jean C. Hemphill Ballard Spahr Andrews & Ingersoll, LLP November 30, 2004.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.

Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.

1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.

Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.
The EHR: Benefits for Privacy and Security How the EHR Protects Health Information.

The EHR: Benefits for Privacy and Security How the EHR Protects Health Information.

Similar presentations

Ads by Google