Data Security for Healthcare Facilities Debbie Abbott Health Information Consultant Resolutions (Int) Pty Ltd
2 Aims and Objectives Demonstrate risks of not protecting data Ensure awareness of data security issues Provide options for data security Demonstrate healthcare scenarios and solutions
3 Introduction Do you own a laptop? Do you have valuable data on your own work or home computer? Are you protected against computer hacking? Is the confidential data protected according to legislative requirements? Have you heard about computer encryption viruses?
4 Data security – the present
5 Current issues
6 Data security and the internet
7 Factors driving data protection WHICH FACTORS APPLY TO YOU? Legislative requirements, e.g. the Privacy Act; insurance risks; unreliability of passwords; internal controls; accreditation and other compliance requirements; accountability
8 Types of risks 1. Loss of data: theft, accidental loss, unauthorised access to data
9 Types of risks 2. Controlling data processes: security, access levels, passwords
10 Passwords
11 Pitfalls of passwords Access: passwords stored on the computer; not always regularly changed; time wasted if someone forgets; weak choices (e.g. name, date of birth) where no password policy is enforced; once copied, no longer secure
12 Types of risks 3. Legislation: accreditation, Privacy Act, State/Federal legislation (e.g. Electronic Transactions Act)
13 Types of risks 4. Transmission of data: hacking, internet security, secure sites, encryption
14 Types of risks 5. Insurance requirements: processes, guidelines, policies and procedures; consequences; risk of an increase in premiums
15 Risk in specific terms Identify risks (risk management) No data protection (susceptible) Costs of no protection Costs of data protection Data protection – never 100% Failure to manage risks (consequences)
16 Facts about unprotected laptops More internal risk from employees than external risk. Laptop theft: US $11,000 per incident; 600,000 laptops stolen (US) in 2001; 53%; CSI and FBI Survey: US $61,881 per unit. Gartner's advice: use disk encryption and a login on laptops; for PDAs, encryption and boot-lock software. [Source: Noble, 2003, ADZNET]
17 Real life example Software development company at a conference; information split across several computers. Perceived risk: if one computer was stolen or lost, not all data would be available. Problem: all the laptops were stolen, and 6 months later a competitor came up with the same ideas. Solution: encrypt all laptops
18 Health information scenarios Laptops being stolen or unsecure Securing data submission Restricting access Divulging information internally or externally –e.g. Redundancy, change of operational procedures Securing databases Transferring data from remote locations
19 Issues to consider 1. Are the solutions user friendly? 2. How easy is it to train someone? 3. Is it cost effective for the facility? 4. How secure is it? Will it meet statutory and legislative requirements? 5. How flexible is the product to solve the many security issues?
20 Issues to consider 6. What is the functionality of the product and does it meet our needs? 7. Is it relevant for our type and size of facility? 8. Will it be able to secure the type and size of data files in our facility?
21 Considerations to data security problems Cost-effective Multi-use Easy to use Control Support Upgrades/replacements
22 Our solution: Encryption Key
23 How does the encryption key work? Log-on facility (USB drive) Authorisation by key with optional PIN code No additional hardware or software Secure and portable Click of the mouse to encrypt Encrypts documents anywhere Public/private key infrastructure
24 Why an encryption key? Controls: –Access to peripheral devices –Access to e-mails –Access to files –Number of people having access Strict control (analogy to a house key)
25 Why an encryption key? Internally controlled access –e.g. Australian Federal Police – compromised internally People accidentally accessing information Encrypts servers and/or drives Encryption independent of the delivery method Secures access to an intranet
26 Features of the encryption key 256-bit encryption Choice of encryption type and strength Files of any size or type –e.g. radiographs Public/private key technology Many algorithms, e.g. Twofish
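The two-factor file encryption the key is described as providing on slides 23 and 26 (a secret held on the USB device plus an optional PIN, a 256-bit cipher, files of any size or type), as an added example that is not part of the original presentation or of the vendor's product: an AES-256 key is derived from the token secret and the PIN with PBKDF2, each file is sealed with AES-256-GCM, and a file refuses to open when either factor is wrong, the file has been renamed, or a byte has been changed. AES-256-GCM stands in for the Twofish option on slide 26 because it is in the Go standard library; the token secret, PIN, file name, iteration count and patient record are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// tokenSecret stands in for the secret held on the USB key. It is a
// constructed test value; a real token would keep it on the device.
var tokenSecret = []byte("constructed-usb-token-secret-0123456789")

const (
	saltLen    = 16
	iterations = 100_000 // PBKDF2 work factor (assumed; tune to the hardware)
	keyLen     = 32      // 256-bit AES key
)

// pbkdf2SHA256 is a minimal PBKDF2 (RFC 8018) over HMAC-SHA256, written out
// so the example needs nothing outside the Go standard library.
func pbkdf2SHA256(password, salt []byte, iter, length int) []byte {
	prf := hmac.New(sha256.New, password)
	out := make([]byte, 0, length)
	for blk := 1; len(out) < length; blk++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(blk >> 24), byte(blk >> 16), byte(blk >> 8), byte(blk)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:length]
}

// deriveKey binds the file key to both factors: the token secret (something
// you have) and the PIN (something you know).
func deriveKey(token []byte, pin string, salt []byte) []byte {
	secret := append(append([]byte(nil), token...), pin...)
	return pbkdf2SHA256(secret, salt, iterations, keyLen)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile seals plaintext as salt || nonce || ciphertext+tag. The file
// name is passed as associated data so a sealed file cannot be swapped in
// under another name without the tag check failing.
func EncryptFile(token []byte, pin, name string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(token, pin, salt))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(salt, nonce...)
	return gcm.Seal(out, nonce, plaintext, []byte(name)), nil
}

// DecryptFile re-derives the key from the stored salt and fails closed on a
// wrong PIN, a different token, a renamed file or a modified ciphertext; the
// GCM tag check rejects all four identically, so the error does not leak which.
func DecryptFile(token []byte, pin, name string, blob []byte) ([]byte, error) {
	const nonceLen = 12
	if len(blob) < saltLen+nonceLen+16 {
		return nil, errors.New("encrypted file is truncated")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := newGCM(deriveKey(token, pin, salt))
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, nonce, ct, []byte(name))
	if err != nil {
		return nil, errors.New("wrong token or PIN, or file modified")
	}
	return pt, nil
}

func main() {
	record := []byte("MRN 000123: chest radiograph report (constructed sample)")
	blob, err := EncryptFile(tokenSecret, "4821", "report.txt", record)
	if err != nil {
		panic(err)
	}
	pt, _ := DecryptFile(tokenSecret, "4821", "report.txt", blob)
	fmt.Printf("token+PIN: %s\n", pt)
	_, err = DecryptFile(tokenSecret, "0000", "report.txt", blob)
	fmt.Println("wrong PIN:", err)
	_, err = DecryptFile([]byte("laptop stolen without the token"), "4821", "report.txt", blob)
	fmt.Println("no token:", err)
	blob[len(blob)-1] ^= 0x01
	_, err = DecryptFile(tokenSecret, "4821", "report.txt", blob)
	fmt.Println("tampered:", err)
}
```

The point of folding the token secret into the key derivation is the laptop case on slide 16: a thief who has the disk but not the USB key holds ciphertext only, and cannot even start guessing PINs. The caveat from slide 11 still applies in the other direction: if the token secret is copied along with the PIN, the scheme is no stronger than the PIN alone.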
27 Encryption codes
28 Real life scenarios – Health Sector Example 1 Doctor’s surgery Different access levels to information Multiple users Only one hard drive SOLUTION: Encryption key for each person
29 Real life scenarios – Health Sector Example 2 1. Securing information internally on a network 2. Validating access externally into an intranet Limiting access to confidential information Accidental corruption of files
30 Solution – Scenario 2 Internal information Securing a drive with encryption key External logon into an intranet Issue with intranet key
31 Real life scenarios – Health Sector Example 3 Securing the contents of a laptop Ensuring security if stolen or lost Limiting access for multiple users SOLUTION: Installing encryption key –Protects files of any size or type –Enables encryption of e-mails with confidential information –Screen saver function if the laptop is left unattended
32 Real life scenarios – Health Sector Example 4 Securing transmission of data over the internet –Internal and external e-mails –Data to external organisations SOLUTION: Install encryption key (up to 30 users) on nominated machine/s
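Securing transmission to an external organisation (slide 32) with the public/private key technology mentioned on slides 23 and 26, as an added example that is not the presenter's or the product's code: the sender encrypts under the recipient's X25519 public key using an ephemeral key agreement and AES-256-GCM, then signs the whole envelope with Ed25519 so the recipient can check who sent it before decrypting. The key names, the "example-hybrid-v1" label and the pathology result text are constructed for the example; a production system would derive the key with HKDF rather than a bare hash and would rely on a PKI to bind the public keys to the sending and receiving organisations.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	pubLen   = 32 // X25519 public key
	nonceLen = 12 // standard AES-GCM nonce
	tagLen   = 16 // AES-GCM authentication tag
)

// kdf turns the X25519 shared secret into a 256-bit AES key and binds it to
// both public keys. A fixed-layout SHA-256 keeps the example short; HKDF
// would be used in a deployment (assumption, see lead-in).
func kdf(shared, ephPub, recipPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("example-hybrid-v1")) // constructed domain label
	h.Write(shared)
	h.Write(ephPub)
	h.Write(recipPub)
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext so only the holder of recipPub can read it and signs
// the envelope with the sender's key. Layout: ephPub || nonce || ct+tag || sig.
func Seal(recipPub *ecdh.PublicKey, senderKey ed25519.PrivateKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := newGCM(kdf(shared, ephPub, recipPub.Bytes()))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := append(append([]byte(nil), ephPub...), nonce...)
	env = gcm.Seal(env, nonce, plaintext, ephPub) // ephemeral key doubles as AAD
	return append(env, ed25519.Sign(senderKey, env)...), nil
}

// Open verifies the sender's signature first, then recovers the key with the
// recipient's private key. A different recipient key, a forged signature or a
// modified byte all fail closed.
func Open(recipPriv *ecdh.PrivateKey, senderPub ed25519.PublicKey, env []byte) ([]byte, error) {
	if len(env) < pubLen+nonceLen+tagLen+ed25519.SignatureSize {
		return nil, errors.New("envelope too short")
	}
	body, sig := env[:len(env)-ed25519.SignatureSize], env[len(env)-ed25519.SignatureSize:]
	if !ed25519.Verify(senderPub, body, sig) {
		return nil, errors.New("sender signature invalid")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(body[:pubLen])
	if err != nil {
		return nil, err
	}
	shared, err := recipPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(kdf(shared, body[:pubLen], recipPriv.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, body[pubLen:pubLen+nonceLen], body[pubLen+nonceLen:], body[:pubLen])
	if err != nil {
		return nil, errors.New("not addressed to this key, or envelope modified")
	}
	return pt, nil
}

func main() {
	// Keys generated fresh for the demo; in practice the lab's encryption key
	// and the surgery's signing key are exchanged once and verified out of band.
	lab, _ := ecdh.X25519().GenerateKey(rand.Reader)
	surgeryPub, surgeryPriv, _ := ed25519.GenerateKey(rand.Reader)
	env, err := Seal(lab.PublicKey(), surgeryPriv, []byte("constructed pathology result for MRN 000123"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(lab, surgeryPub, env)
	fmt.Printf("lab reads: %s (%v)\n", pt, err)
	intruder, _ := ecdh.X25519().GenerateKey(rand.Reader)
	_, err = Open(intruder, surgeryPub, env)
	fmt.Println("intercepted copy:", err)
}
```

Signing the sealed envelope rather than the plaintext lets the recipient reject a message from an unknown sender before doing any decryption, and the ephemeral X25519 key means that a later compromise of the surgery's machine does not expose results already sent.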
33 Scenarios for the health industry How it could be used –Intranet (external use) –Laptops –PC control –Drive within an intranet Overall plan for risk management Path lab results (cost – 1 key) EMR (transfer of information)
34 Conclusions Addresses risk management issues Protects data Demonstrated use within Health facilities Meets legislative requirements Easy to use/portable What are you doing?
35 Finale
36 Contact Debbie Abbott Resolutions (Int) Pty Ltd (07)