Privacy, Confidentiality, and Security Component 2/Unit 8c.

Slides:

Advertisements

Similar presentations

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

Advertisements

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

CHAPTER 8: SECURITY IN COMPUTER NETWORKS Encryption Encryption Authentication Authentication Security Security Secure Sockets Layer Secure.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

Security Controls – What Works

Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

Risks, Controls and Security Measures

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.

Chapter 19 Security.

Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.

WILLIAM HERSH, MD OREGON HEALTH & SCIENCE UNIVERSITY Privacy, Confidentiality, and Security: Basic Concepts Content licensed under Creative Commons Attribution-Share.

Web services security I

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.

1 Chapter 8 Securing Information Systems. Outline Security Threats (External: malware, spoofing/phishing, sniffing, & data theft: Internal: unauthorized.

Chapter 3 Mohammad Fozlul Haque Bhuiyan Assistant Professor CITI Jahangirnagar University.

E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.

RIVERA SÁNCHEZ-1 CSE 5810 User Authentication in Mobile Healthcare Applications Yaira K. Rivera Sánchez Computer Science & Engineering Department University.

Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.

Securing Information Systems

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

1 Chapter 9 E- Security. Main security risks 2 (a) Transaction or credit card details stolen in transit. (b) Customer’s credit card details stolen from.

Tutorial Chapter 5. 2 Question 1: What are some information technology tools that can affect privacy? How are these tools used to commit computer crimes?

Privacy, Confidentiality, Security, and Integrity of Electronic Data

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Cryptography and Network Security (CS435) Part Fourteen (Web Security)

Information management 1 Groep T Leuven – Information department 1/26 IPSec IP Security (IPSec)

Module 9: Fundamentals of Securing Network Communication.

PKI Forum Business Panel March 6, 2000 Dr. Ray Wagner Sr. Director, Technology Research.

Systems Analysis and Design in a Changing World, 6th Edition 1 Chapter 12 Databases, Controls, and Security.

IP Security IP sec IPsec is short for Internet Protocol Security. It was originally created as a part of IPv6, but has been retrofitted into IPv4. It.

Privacy, Confidentiality, and Security Unit 8: Professional Values and Medical Ethics Lecture 2 This material was developed by Oregon Health & Science.

1 Class 15 System Security. Outline Security Threats (External: malware, spoofing/phishing, sniffing, & data theft: Internal: unauthorized data access,

IPsec IPsec (IP security) Security for transmission over IP networks –The Internet –Internal corporate IP networks –IP packets sent over public switched.

Patient Confidentiality and Electronic Medical Records Ann J. Olsen, MBA, MA Information Security Officer and Director, Information Management Planning.

The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,

HIT Policy Committee Report from HIT Standards Committee Privacy and Security Workgroup Dixie Baker, SAIC December 15, 2009.

Working with HIT Systems

Prepared by Natalie Rose1 Managing Information Resources, Control and Security Lecture 9.

Last Minute Security Compliance - Tips for Those Just Starting 10 th National HIPAA Summit April 7, 2005 Chris Apgar, CISSP – President Apgar &

INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.

IAD 2263: System Analysis and Design Chapter 7: Designing System Databases, Interfaces and Security.

Web Security Web now widely used by business, government, individuals but Internet & Web are vulnerable have a variety of threats – integrity – confidentiality.

Network and Internet Security Prepared by Dr. Lamiaa Elshenawy

1 Chapter 7 WEB Security. 2 Outline Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Electronic Transaction.

Working with HIT Systems Unit 7a Protecting Privacy, Security, and Confidentiality in HIT Systems This material was developed by Johns Hopkins University,

Case Study: Applying Authentication Technologies as Part of a HIPAA Compliance Strategy.

INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.

@Yuan Xue CS 285 Network Security Fall 2012 Yuan Xue.

This courseware is copyrighted © 2016 gtslearning. No part of this courseware or any training material supplied by gtslearning International Limited to.

Encryption and Security Tools for IA Management Nick Hornick COSC 481 Spring 2007.

Unit 2 Personal Cyber Security and Social Engineering Part 2.

Henric Johnson1 Chapter 7 WEB Security Henric Johnson Blekinge Institute of Technology, Sweden

© 2016 Health Information Management Technology: An Applied Approach Chapter 10 Data Security.

Chapter 17 Risks, Security and Disaster Recovery

Presentation transcript:

Privacy, Confidentiality, and Security Component 2/Unit 8c

Tools for protecting health information IOM report: For the Record (1997) Report commissioned by NLM; informed HIPAA legistation Looked at current practices at six institutions Recommended immediate and future best practices Some content dated, but framework not Health IT Workforce Curriculum Version 1.0/Fall Component 2/Unit 8c

Threats to security Insider –Accidental disclosure –Curiosity –Subornation Secondary use settings Outside institution –A lot of press, few examples Health IT Workforce Curriculum Version 1.0/Fall Component 2/Unit 8c

Technologies to secure information Deterrents –Alerts –Audit trails System management precautions –Software management –Analysis of vulnerability Obstacles –Authentication –Authorization –Integrity management –Digital signatures –Encryption –Firewalls –Rights management Health IT Workforce Curriculum Version 1.0/Fall Component 2/Unit 8c

Encryption Necessary but not sufficient to ensure security Should, however, be used for all communications over public networks, e.g., the Internet Information is scrambled and unscrambled using a key Types: symmetric vs. asymmetric – Asymmetric, aka public key encryption, can be used for digital certificates, electronic signatures, etc. Health IT Workforce Curriculum Version 1.0/Fall Component 2/Unit 8c

Standards for encryption and related functions Advanced Encryption Standard (AES) – NIST-designated standard for encryption/decryption (Daemen, 2002) Transport Layer Security (TLS) and predecessor, Secure Sockets Layer (SSL) – cryptographic protocols that provide security for communications over all points on networks (Rescorla, 2001) Internet Protocol Security (IPsec) – protocol for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream – Part of IPv6 but also added as standalone on top of IPv4 Secure Hash Algorithm (SHA) protocols insure integrity of transmitted information and documents (NIST, 2002) – Security flaws have been identified in SHA-1 so SHA-2 family of protocols has been developed For more: Wikipedia and – Health IT Workforce Curriculum Version 1.0/Fall Component 2/Unit 8c

NRC report best practices Organizational –Confidentiality and security policies and committees –Education and training programs –Sanctions –Patient access to audit trails Technical – Authentication of users – Audit trails – Physical security and disaster recovery – Protection of remote access points and external communications – Software discipline – Ongoing system vulnerability assessment Health IT Workforce Curriculum Version 1.0/Fall Component 2/Unit 8c

Authentication and passwords Authentication is process of gaining access to secure computer Usual approach is passwords (“what you know”), but secure systems may add physical entities (“what you have”), e.g., – Biometric devices – physical characteristic, e.g., thumbprint – Physical devices – smart card or some other physical “key” Ideal password is one you can remember but no one else can guess Typical Internet user interacts with many sites for which he/she must use password – Many clamor for “single sign-on,” especially in healthcare, where users authenticate just once (Pabrai, 2008) Health IT Workforce Curriculum Version 1.0/Fall Component 2/Unit 8c

Some challenges with passwords Common approach to security is password “aging” (i.e., expiration), which is less effective than other measures (Wagner, 2005) –Session-locking – one or small number of simultaneous logons –Login failure lockout – after 3-5 attempts Password aging may also induce counterproductive behavior (Allan, 2005) Health IT Workforce Curriculum Version 1.0/Fall Component 2/Unit 8c

Health information security is probably a trade-off Health IT Workforce Curriculum Version 1.0/Fall No security - Web pages Total security - CIA, NSA Where is the happy medium for healthcare? Component 2/Unit 8c

Other issues about privacy and confidentiality to ponder… Who owns information? How is informed consent implemented? When does public good exceed personal privacy? – e.g., public health, research, law enforcement What conflicts are there with business interests? How do we let individuals “opt out” of systems? – What are the costs? When do we override? Health IT Workforce Curriculum Version 1.0/Fall Component 2/Unit 8c