© 2016 Health Information Management Technology: An Applied Approach Chapter 10 Data Security.

Data Security
- Measures and tools to safeguard data, and the information systems on which they reside, from unauthorized access, use, disclosure, disruption, modification, or destruction (NIST)

Elements of a Security Program
- Data security concepts:
  o Protecting the privacy of data
    Safeguarding access
  o Ensuring the integrity of data
    Data should be complete, accurate, consistent and up-to-date
  o Ensuring the availability of data
    Can depend on system to perform as expected, without error, and to provide information when and where needed
  o Backup policies and procedures

Data Security Threats
- Threats can be internal (from within an organization) or external (from outside an organization)
- Potential threats to data security are caused by two main sources:
  o Threats caused by people
  o Threats caused by environmental and hardware or software factors

Threats Caused by People
- Threats from insiders who make unintentional mistakes
- Threats from insiders who abuse their access privileges to information
- Threats from insiders who access information or computer systems for spite or profit
- Threats from intruders who attempt to access information or steal physical resources
- Threats from vengeful employees or outsiders who mount attacks on the organization’s information system

Threats Caused by Environmental and Hardware or Software Factors
- Natural disasters
- Utility, hardware, and software failures
- Electrical outages and power surges
- Hardware or software malfunction
- Malicious software applications (malware)

Security Management Structure
- Chief Security Officer (CSO)
- Advisory or policy-making group (such as an information security committee)
  o Executive-level managers
  o Health information management director or designee
  o Chief information officer (CIO)
  o Information technology system directors
  o Network engineers
  o Representatives from clinical departments

Components of a Security Program
- A good security program should include:
  o Employee awareness
  o Risk management program
  o Access safeguards
  o Physical and administrative safeguards
  o Software application safeguards
  o Network safeguards
  o Disaster planning and recovery
  o Data quality control processes

Security Program: Employee Awareness
- Train employees to recognize, respond, and report
- New employee education
  o Policies and procedures
    Including mobile devices, emails, faxes, social media
- Annual signed confidentiality agreements
- Periodic and ongoing security reminders

Security Program: Risk Management Program
- Risk Analysis
  o Identify all security threats
  o Estimate how likely it is that a risk may occur (likelihood determination)
  o Estimate the impact of an untoward event (impact analysis)
  o Determine the value of information assets

Security Program: Risk Management Program
- Incident Detection
  o Monitor information systems for abnormalities
- Incident Response Plan
  o Watch and warn
  o Repair and report
  o Pursue and prosecute

Security Program: Access Safeguards
- Identify which employees should have access to what data
  o Role-based access control (RBAC)
  o User-based access control (UBAC)
  o Context-based access control (CBAC)
- Access controls that restrict access when necessary but allow access to complete job tasks
- Develop procedures and methods for identification, authentication, and authorization of users

Security Program: Access Safeguards – Access Control Mechanisms
- Identification: establish user IDs and/or numbers
- Authentication: verify the user
  o Password or PIN (something you know)
  o Smart card or token (something you have)
  o Biometrics (something you are)
  o Two-factor authentication (combination of these)
  o Single sign-on
- Authorization: permission given to an individual
  o CAPTCHA
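The two access-safeguard slides above name three access control models (RBAC, UBAC, CBAC) and the identification, authentication, authorization sequence. The following is an added example, not code from the textbook: it implements only the authorization step, layering the three models so that the role sets the baseline, per-user grants and revocations adjust it, and context (treatment relationship, VIP status, time of day) can still refuse an otherwise permitted action. All roles, users, records and context rules are constructed assumptions.

```python
"""Added example: one authorization decision layering RBAC, UBAC and CBAC.
Identification and authentication are assumed to have already succeeded.
Every role, permission, user, record and context rule below is constructed."""
from dataclasses import dataclass, field
from datetime import datetime

# RBAC: baseline permissions granted by role (constructed).
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse": {"read", "write"},
    "billing": {"read"},
}
CLINICAL_ROLES = {"physician", "nurse"}
BUSINESS_HOURS = range(8, 18)  # CBAC: 08:00-17:59, constructed rule


@dataclass
class User:
    user_id: str
    role: str
    grants: set = field(default_factory=set)       # UBAC: per-user additions
    revocations: set = field(default_factory=set)  # UBAC: per-user removals


@dataclass
class Record:
    patient_id: str
    care_team: frozenset = frozenset()  # users with a treatment relationship
    vip: bool = False


def authorize(user, record, action, when):
    """Return (allowed, reason) for `user` performing `action` on `record`.

    1. RBAC decides the baseline from the role.
    2. UBAC adjusts the baseline for this particular user.
    3. CBAC may still refuse based on the circumstances of the request.
    """
    permitted = set(ROLE_PERMISSIONS.get(user.role, set()))
    permitted |= user.grants
    permitted -= user.revocations
    if action not in permitted:
        return False, f"{action!r} not permitted for {user.user_id} ({user.role})"

    # CBAC: clinical staff may only touch records of patients they treat.
    if user.role in CLINICAL_ROLES and user.user_id not in record.care_team:
        return False, "no treatment relationship with patient"
    # CBAC: VIP records are limited to the care team regardless of role.
    if record.vip and user.user_id not in record.care_team:
        return False, "VIP record limited to care team"
    # CBAC: non-clinical access is limited to business hours.
    if user.role not in CLINICAL_ROLES and when.hour not in BUSINESS_HOURS:
        return False, "access limited to business hours"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample users and records.
    physician = User("u1", "physician")
    nurse = User("u5", "nurse", revocations={"write"})
    clerk = User("u3", "billing")
    chart = Record("p1", care_team=frozenset({"u1", "u5"}))
    daytime = datetime(2016, 3, 1, 10, 0)
    for u, r, a in [(physician, chart, "write"), (nurse, chart, "write"),
                    (nurse, chart, "read"), (clerk, chart, "write")]:
        print(u.user_id, a, r.patient_id, authorize(u, r, a, daytime))
```

Each refusal carries a reason so that the decision can be logged and later reviewed alongside the audit trail; the ordering (role, then user, then context) matters because a context rule can only narrow what the earlier layers allowed, never widen it.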

Security Program: Physical and Administrative Safeguards
- Physical safeguards: Protection from physical damage (natural elements, theft)
  o Secure and structurally sound locations
  o Physical separation and barriers
- Administrative safeguards: Policies and procedures that address management of computer resources
  o Includes Information Technology Asset Disposition (ITAD) to identify how all data storage devices are destroyed and purged of data prior to repurposing or disposal

Security Program: Software Application Safeguards
- Authentication
- Edit checks
- Audit trails

Security Program: Network Safeguards
- Firewalls
- Cryptographic technologies
  o Encryption (private key or public key)
  o Digital signatures
  o Digital certificates
- Web security protocols
- Intrusion detection systems

Security Program: Disaster Planning and Recovery
- Disaster planning
  o Contingency plan: set of procedures to follow when responding to emergencies
    Based on information gathered during risk assessment and analysis
  o Identify minimum allowable time for system disruption
  o Identify alternatives for system continuation
  o Evaluate cost and feasibility of each alternative
  o Develop procedures required to activate the plan

Security Program: Disaster Planning and Recovery
- Disaster Recovery
  o Disaster recovery plan addresses resources, actions, tasks, and data necessary to restore critical services as soon as possible and to manage business recovery processes
- Business continuity plan
  o How to continue operations during computer system shutdown
- Emergency mode of operations
  o Processes and controls to follow until operations are fully restored

Security Program: Data Quality Control Processes
- Availability: data are easily obtainable
- Consistency: data do not change
- Definition: clear meaning for every data element

HIPAA Security Provisions
- Health Insurance Portability and Accountability Act of 1996
  o Security standards implemented 2005
  o Security compliance responsibility of Office for Civil Rights (OCR)
  o Privacy Law revised in February of 2009
    HITECH improves enforcement of privacy and security rules

HIPAA Security Provisions: General Rules
- Security program must document confidentiality, integrity and availability of all ePHI
- Protect ePHI against reasonably anticipated threats or hazards to its security or integrity
- Protect ePHI against reasonably anticipated uses or disclosures not permitted under the HIPAA Privacy Rule
- Ensure workforce compliance with HIPAA Security Rule

HIPAA Security Provisions: General Rules
- Security Rule is:
  o Flexible – security measures may be adopted that are appropriate and reasonable for the organization
  o Scalable – accommodates organizations of any size
  o Technology neutral – specific technologies are not prescribed

HIPAA Security Provisions: General Rules
- Security Rule applies to:
  o Covered entities
  o Business associates
  o Hybrid entities
  o Other related entities

HIPAA Security Provisions: General Rules
- Implementation specifications:
  o Required
  o Addressable (not optional) – covered entity must conduct risk assessment and evaluate whether the specification is appropriate as written
    If not, must document why not
    Must implement equivalent alternative method if reasonable and appropriate

HIPAA Security Provisions: 5 Categories of Provisions
1. Administrative safeguards
2. Physical safeguards
3. Technical safeguards
4. Organizational requirements and policies
5. Policies and documentation requirements

HIPAA Security Rule: Administrative Safeguards
- Security management process
- Assigned security responsibility
- Workforce security
- Information access management
- Security awareness and training
- Security incident procedures
- Contingency plan
- Evaluation
- Business associate contracts

HIPAA Security Rule: Physical Safeguards
- Facility access controls
- Workstation use
- Workstation security
- Device and media controls

HIPAA Security Rule: Technical Safeguards
- Access control
- Audit controls
- Integrity
- Person or entity authentication
- Transmission security

HIPAA Security Rule: Organizational Requirements
- Business associate or other contracts
- Group health plan requirements

HIPAA Security Rule: Policies and Procedures and Documentation Requirements
- Policies and procedures
- Documentation

American Recovery and Reinvestment Act and HITECH Changes
- Changes
  o Business associates must comply with most of the same rules as covered entities (increase in potential BA liability)
  o Breach notification requirements for breaches of unsecured ePHI
    ePHI that has not been made unusable, unreadable, or indecipherable to unauthorized persons
    Encryption secures ePHI
    Affects data at rest, in motion, in use, and disposed

Forensics
- Security committee or designated individuals must review
  o Access logs at specified intervals
  o Audit trails based on trigger events
  o Failed logins

Trigger Events
- Monitoring can be based on events or situations as follows
  o Last name of employee matches that of accessed record
  o VIP records
  o Records of those involved in high-profile events
  o Records with little or no activity for 120 days
  o Other employees’ records
  o Records of minors
  o Access to records of those treated for sensitive diagnoses
  o Records of patients whom the viewing employee did not treat
  o Spousal records
  o Records of terminated employees
  o Portions of records not consistent with viewing employees’ job role
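The Forensics and Trigger Events slides describe a periodic review of access logs, audit trails and failed logins against a list of trigger events. The following is an added example, not code from the textbook, of that review run over a small constructed ePHI access log. The log format (pipe-separated fields), the user and patient tables, the 120-day inactivity window from the slide, a failed-login threshold of three, and the mapping of record sections to job roles are all assumptions; spousal, high-profile-event and terminated-employee triggers would need reference data the example does not construct and are left out.

```python
"""Added example: review a constructed ePHI access log for trigger events.
Log format, reference tables, thresholds and flag names are all assumptions."""
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed reference data. 'is_patient' links an employee to their own record.
USERS = {
    "u100": {"last": "Garcia", "role": "nurse", "is_patient": "p7"},
    "u200": {"last": "Okafor", "role": "billing", "is_patient": None},
    "u300": {"last": "Lee", "role": "physician", "is_patient": None},
}
PATIENTS = {
    "p1": {"last": "Garcia", "dob": date(1980, 5, 1), "vip": False, "sensitive": False, "care_team": {"u100", "u300"}},
    "p2": {"last": "Chen", "dob": date(2015, 9, 9), "vip": False, "sensitive": False, "care_team": {"u300"}},
    "p3": {"last": "Nwosu", "dob": date(1970, 1, 1), "vip": True, "sensitive": True, "care_team": {"u300"}},
    "p7": {"last": "Garcia", "dob": date(1985, 2, 2), "vip": False, "sensitive": False, "care_team": {"u300"}},
}
# Which record sections each job role is expected to view (constructed).
ROLE_SECTIONS = {"nurse": {"chart", "meds"}, "physician": {"chart", "meds", "notes"}, "billing": {"billing"}}
CLINICAL_ROLES = {"nurse", "physician"}
INACTIVITY_DAYS = 120          # from the slide: little or no activity for 120 days
FAILED_LOGIN_THRESHOLD = 3     # assumed review threshold

# Constructed log lines: timestamp|user|patient|section|outcome
LOG = """\
2016-03-01T09:00:00|u300|p1|chart|ok
2016-03-01T09:05:00|u100|p1|chart|ok
2016-03-01T09:10:00|u100|p2|chart|ok
2016-03-01T09:15:00|u200|p3|notes|ok
2016-03-01T09:20:00|u300|p7|chart|ok
2016-03-01T09:25:00|u100|p7|chart|ok
2016-07-15T10:00:00|u300|p2|chart|ok
2016-07-15T10:01:00|u200|-|-|login_failed
2016-07-15T10:02:00|u200|-|-|login_failed
2016-07-15T10:03:00|u200|-|-|login_failed
"""


def parse_log(text):
    """Parse pipe-separated lines into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, patient, section, outcome = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "section": section, "outcome": outcome})
    return sorted(events, key=lambda e: e["ts"])


def is_minor(dob, when):
    age = when.year - dob.year - ((when.month, when.day) < (dob.month, dob.day))
    return age < 18


def trigger_flags(ev, last_seen):
    """Return the list of trigger events matched by one successful access."""
    u, p = USERS[ev["user"]], PATIENTS[ev["patient"]]
    flags = []
    if u["last"] == p["last"]:
        flags.append("name_match")
    if p["vip"]:
        flags.append("vip")
    if p["sensitive"]:
        flags.append("sensitive_diagnosis")
    if is_minor(p["dob"], ev["ts"]):
        flags.append("minor")
    if any(x["is_patient"] == ev["patient"] for x in USERS.values()):
        flags.append("employee_record")
    if u["role"] in CLINICAL_ROLES and ev["user"] not in p["care_team"]:
        flags.append("no_treatment_relationship")
    prev = last_seen.get(ev["patient"])
    if prev is not None and ev["ts"] - prev > timedelta(days=INACTIVITY_DAYS):
        flags.append("inactive_record")
    if ev["section"] not in ROLE_SECTIONS[u["role"]]:
        flags.append("section_outside_role")
    return flags


def review_log(text):
    """Return (findings, suspicious_logins): flagged accesses and users whose
    failed-login count reached the threshold."""
    findings, failed, last_seen = [], Counter(), {}
    for ev in parse_log(text):
        if ev["outcome"] == "login_failed":
            failed[ev["user"]] += 1
            continue
        flags = trigger_flags(ev, last_seen)
        last_seen[ev["patient"]] = ev["ts"]
        if flags:
            findings.append((ev["ts"].isoformat(), ev["user"], ev["patient"], flags))
    suspicious = {u: n for u, n in failed.items() if n >= FAILED_LOGIN_THRESHOLD}
    return findings, suspicious


if __name__ == "__main__":
    for finding in review_log(LOG)[0]:
        print(*finding)
    print("failed logins:", review_log(LOG)[1])
```

Each finding lists every trigger it matched, so a reviewer can prioritise an access that hits several at once (a same-surname access to a coworker's record with no treatment relationship) over a single expected hit such as a physician opening a minor's chart on their own care team. The inactivity check compares against the previous access in the same log, so the window it sees only begins where the log does.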