Design of Health Technologies lecture 22 John Canny 11/28/05.

Healthcare IT Security
Security is a critical aspect of Health IT performance: without secure systems, privacy protection is impossible. The Health and Human Services Agency published a proposed “security rule” in August Final rule was adopted Feb It’s a set of best practices for securing information systems. Compliance is mandatory for health providers, plans, and clearinghouses.

Security Rule Compliance
Large organizations were required to comply by April 21, Small organizations must comply by April 21, Final rule is available here:

Security Rule Compliance
The security rule creates an additional burden on providers to improve their IT infrastructure. On the flip side, the same improvements might actually improve service (e.g. enabling internet-based secure health information access, or secure wireless). A more sanguine perspective is that any mandatory IT upgrade is an opportunity for global improvement: many problems can be fixed at once.

Data CIA (Confidentiality, Integrity, Availability)
The security rule is divided into 3 parts:
- Administrative safeguards
- Physical safeguards
- Technical safeguards

Administrative safeguards
These steps are required at the highest level:
- Risk Analysis must be performed
- Risk Management sufficient for compliance
- Sanction Policy: against employees who don’t comply
- Information System Activity Review: records & logs
- Security Responsibility: assign a security official

Administrative safeguards
Some required steps:
- Isolate Health Clearinghouse from rest of organization
- Access Control for protected records
- Access Establishment and modification
- Security Reminders: updates and messages
- Protection from Malicious Software
- Log-in Monitoring: all login attempts
- Password Management

Administrative safeguards
Standards for availability:
- Data Backup Plan
- Disaster Recovery Plan
- Emergency Mode Operation Plan
- Testing and Revision of contingency plans
- Applications and Data Criticality Analysis: identify the critical components in an emergency

Physical Safeguards
Here are some:
- Facility Access Control
- Emergency Facility Access
- Physical Access to Workstations
- Media Access Controls
- Disposal Policies
- Media Erasure before Re-use

Technical Safeguards
Here are some:
- Access Controls
- Unique User IDs
- Emergency Access Procedures
- Automatic Logoff (optional)
- Encryption and Decryption (optional)
- Audit Controls (optional)

Technical Safeguards
Some more optional sections:
- Access Records: who accessed PHI
- Personal Identity: is the user really who they claim to be? Biometrics?
- Transmission Security: secure communication channels

Over the Atlantic…
The European Parliament has been passing security and privacy rules as well. “On the protection of medical data” (Recommendation R(97)5) is still a recommendation. The most recent is Directive 2002/58, “Privacy and electronic communications: Processing of personal data and the protection of privacy in electronic communication”.

R(97)5 summary
The European recommendation covers a lot of ground in a short document. It specifies both HIPAA-style privacy rules and data-protection procedures. Stronger emphasis on results of genetic testing: patients should have access, provided that
- it is not illegal in the country
- the information is not likely to cause harm (?)

Gritzalis et al. paper
This paper is based mostly on EU directives on general electronic privacy, as well as the medical security proposal. The paper also includes a sample RA (Risk Analysis) for the Beta-Thalassemia unit using CRAMM (CCTA Risk Analysis and Management Methodology).

Risk Analysis

Gritzalis et al. paper
Proposals:
- Authentication: smart cards, X.509 certificates, CHAP, EAP
- Communication: SSL, application-level security
- Disclosure from client machines (discourage): through explicit web form fields; cookies and client-side script engines
- Anonymization methods: various technical approaches are listed; not clear any of these are intended to be used.

Gritzalis et al. paper
ASP model: control local code execution. Any code to be executed locally must be signed by someone (e.g. Microsoft or Verisign).
Aside: smart phones typically include additional quality control for locally-run code, e.g. “True Brew” certification for Qualcomm Brew phones. Other certification programs:
- Sony (Playstation)
- Microsoft (Xbox)
- Nintendo etc.
- Microsoft for Windows device drivers
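The ASP-model rule above (run locally only code that a trusted party has signed) is mechanically a signature check over the exact bytes presented. The Go program below is an added example, not code from the lecture, from Gritzalis et al. or from any certification program; the authority names, key pairs and code blob are constructed for it, and it uses Ed25519 from Go's standard library in place of the X.509/Authenticode machinery a real vendor uses. It shows the three outcomes a client should distinguish: a certified blob runs, a blob modified after signing is refused, and a blob signed by a party not in the client's trust store is refused even though its signature is internally valid.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authority stands in for a code-certifying party such as the vendors the
// slide names. Names, keys and code bytes here are constructed for the
// example; none come from the lecture or from any real vendor.
type Authority struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewAuthority generates a fresh Ed25519 key pair for an authority.
func NewAuthority(name string) (*Authority, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authority{Name: name, pub: pub, priv: priv}, nil
}

// SignedCode is what an application service provider ships: the code, who
// certified it, and the certifier's signature over exactly those bytes.
type SignedCode struct {
	Code      []byte
	Signer    string
	Signature []byte
}

// Sign is the step the authority performs after reviewing the code.
func (a *Authority) Sign(code []byte) SignedCode {
	return SignedCode{Code: code, Signer: a.Name, Signature: ed25519.Sign(a.priv, code)}
}

// TrustStore is the client's list of authorities whose signatures it accepts.
type TrustStore map[string]ed25519.PublicKey

func (ts TrustStore) Trust(a *Authority) { ts[a.Name] = a.pub }

var (
	ErrUnknownSigner = errors.New("code signed by an authority the client does not trust")
	ErrBadSignature  = errors.New("signature does not verify over the presented code")
)

// VerifyBeforeRun enforces the policy: local execution is allowed only when
// a trusted authority's signature verifies over the code as received. Any
// change after signing, or a signature from an unknown party, is refused.
func (ts TrustStore) VerifyBeforeRun(sc SignedCode) error {
	pub, ok := ts[sc.Signer]
	if !ok {
		return ErrUnknownSigner
	}
	if !ed25519.Verify(pub, sc.Code, sc.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Tamper returns a copy of sc with one code byte flipped and the original
// signature kept, to show that a signed-then-modified blob is rejected.
func Tamper(sc SignedCode) SignedCode {
	if len(sc.Code) == 0 {
		return sc
	}
	code := append([]byte(nil), sc.Code...)
	code[0] ^= 0x01
	return SignedCode{Code: code, Signer: sc.Signer, Signature: sc.Signature}
}

func main() {
	certLab, _ := NewAuthority("example-cert-lab")   // constructed name
	unknown, _ := NewAuthority("self-signed-vendor") // constructed name
	trusted := TrustStore{}
	trusted.Trust(certLab)

	code := []byte("print('dosage calculator v1')") // constructed code blob
	fmt.Println("certified:", trusted.VerifyBeforeRun(certLab.Sign(code)))
	fmt.Println("tampered: ", trusted.VerifyBeforeRun(Tamper(certLab.Sign(code))))
	fmt.Println("unknown:  ", trusted.VerifyBeforeRun(unknown.Sign(code)))
}
```

The trust store is the policy decision the slide leaves to the organisation: which certifiers count. Note that the lookup is by signer name, so a blob that carries a trusted authority's signature but names a different signer is also refused; a real deployment binds the name to the key through a certificate rather than a map, but the decision logic is the same.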

Medical service provider responsibilities
- Inform users about their services; ask for consent for required uses of client information.
- Use standards such as CEN and HL7.
- Use RBAC (Role-Based Access Control).
- Moderated mailing lists (?) with usage permissions.
- Do not downgrade functionality for users who refuse to provide specific information.
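The RBAC recommendation here, together with the technical safeguards listed earlier (unique user IDs, access controls, audit controls and access records) and the administrative requirement for log-in monitoring, fit together in a single small access layer. The Go program below is an added example, not code from the lecture, the security rule or Gritzalis et al.; the roles, permissions, user IDs and patient IDs are constructed. It shows the pattern a practitioner would want from such a layer: the decision is made per role rather than per user, every access attempt (denied ones included) lands in the audit trail under the caller's unique ID, and repeated failed logins lock the ID out of PHI access until a successful login clears the count.

```go
package main

import (
	"fmt"
	"time"
)

// Permission names an operation on protected health information (PHI).
// Roles, permissions, user IDs and patient IDs are constructed for this
// example; they are not from the lecture, HIPAA or any real system.
type Permission string

const (
	ReadClinical  Permission = "read:clinical"
	WriteClinical Permission = "write:clinical"
	ReadBilling   Permission = "read:billing"
)

// rolePermissions is the RBAC policy: permissions attach to roles, and a
// user gets access only through the roles they hold.
var rolePermissions = map[string][]Permission{
	"physician": {ReadClinical, WriteClinical},
	"nurse":     {ReadClinical},
	"billing":   {ReadBilling},
}

// User carries the unique user ID the technical safeguards call for, so
// every audit record traces to one person.
type User struct {
	ID    string
	Roles []string
}

// AuditRecord is one entry in the access record: who, which patient, what
// operation, when, and whether it was allowed.
type AuditRecord struct {
	When    time.Time
	UserID  string
	Patient string
	Action  Permission
	Allowed bool
}

// PHIStore combines the audit trail with per-user failed-login counters.
type PHIStore struct {
	Audit        []AuditRecord
	failedLogins map[string]int
	lockoutAfter int
}

func NewPHIStore(lockoutAfter int) *PHIStore {
	return &PHIStore{failedLogins: map[string]int{}, lockoutAfter: lockoutAfter}
}

// hasPermission reports whether any role held by u grants p.
func hasPermission(u User, p Permission) bool {
	for _, role := range u.Roles {
		for _, granted := range rolePermissions[role] {
			if granted == p {
				return true
			}
		}
	}
	return false
}

// Access makes the authorization decision and always appends an audit
// record, denials included, so an activity review sees attempts as well as
// successful accesses.
func (s *PHIStore) Access(u User, patient string, p Permission) bool {
	allowed := !s.Locked(u.ID) && hasPermission(u, p)
	s.Audit = append(s.Audit, AuditRecord{time.Now(), u.ID, patient, p, allowed})
	return allowed
}

// RecordLogin is the log-in monitoring hook: each failure is counted per
// user ID and a success clears the count.
func (s *PHIStore) RecordLogin(userID string, success bool) {
	if success {
		delete(s.failedLogins, userID)
		return
	}
	s.failedLogins[userID]++
}

// Locked reports whether the user ID has reached the failed-login threshold.
func (s *PHIStore) Locked(userID string) bool {
	return s.failedLogins[userID] >= s.lockoutAfter
}

// AccessesBy filters the audit trail for one user ID, the query an
// information system activity review would run.
func (s *PHIStore) AccessesBy(userID string) []AuditRecord {
	var out []AuditRecord
	for _, r := range s.Audit {
		if r.UserID == userID {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	store := NewPHIStore(3)
	physician := User{ID: "u-1001", Roles: []string{"physician"}}
	clerk := User{ID: "u-2002", Roles: []string{"billing"}}
	fmt.Println("physician reads chart:", store.Access(physician, "p-42", ReadClinical))
	fmt.Println("billing reads chart:  ", store.Access(clerk, "p-42", ReadClinical))
	fmt.Println("billing reads invoice:", store.Access(clerk, "p-42", ReadBilling))
	for _, r := range store.AccessesBy(clerk.ID) {
		fmt.Printf("%s %s %s allowed=%v\n", r.When.Format(time.RFC3339), r.UserID, r.Action, r.Allowed)
	}
}
```

Logging denials is the part most often skipped and the part an activity review needs most: a billing account that is repeatedly refused clinical records is a signal whether or not any read succeeded. The lockout threshold and the absence of any emergency-access bypass are deliberate simplifications; the rule's emergency access procedure would add a separately audited override on top of this check.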

Discussion Questions
Q1: Is quality certification a viable method for helping to secure medical software? Points of comparison: the phone and driver software just mentioned, medical equipment, drugs, … How could it be implemented?
Q2: Implementation of the security rule usually requires a significant overhaul of IT infrastructure. Discuss the trade-off in building secure systems “from scratch” vs. a “generalized firewall” approach which puts secure screens around vulnerable IT.