Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2016 Health Information Management Technology: An Applied Approach Chapter 10 Data Security.

Published byRonald Parks Modified over 7 years ago

Similar presentations

Presentation on theme: "© 2016 Health Information Management Technology: An Applied Approach Chapter 10 Data Security."— Presentation transcript:

1 © 2016 Health Information Management Technology: An Applied Approach Chapter 10 Data Security

2 Data Security Measures and tools to safeguard data, and the information systems on which they reside, from unauthorized access, use, disclosure, disruption, modification, or destruction (NIST)

3 Elements of a Security Program Data security concepts: o Protecting the privacy of data Safeguarding access o Ensuring the integrity of data Data should be complete, accurate, consistent and up-to- date o Ensuring the availability of data Can depend on system to perform as expected, without error, and to provide information when and where needed o Backup policies and procedures

4 Data Security Threats Threats can be internal (from within an organization) or external (from outside an organization) Potential threats to data security are caused by two main sources: o Threats caused by people o Threats caused by environmental and hardware or software factors

5 Threats Caused by People Threats from insiders who make unintentional mistakes Threats from insiders who abuse their access privileges to information Threats from insiders who access information or computer systems for spite or profit Threats from intruders who attempt to access information or steal physical resources Threats from vengeful employees or outsiders who mount attacks on the organization’s information system

6 Threats Caused by Environmental and Hardware or Software Factors Natural disasters Utility, hardware, and software failures Electrical outages and power surges Hardware or software malfunction Malicious software applications (malware)

7 Security Management Structure Chief Security Officer (CSO) Advisory or policy-making group (such as an information security committee) o Executive-level managers o Health information management director or designee o Chief information officer (CIO) o Information technology system directors o Network engineers o Representatives from clinical departments

8 Components of a Security Program A good security program should include: o Employee awareness o Risk management program o Access safeguards o Physical and administrative safeguards o Software application safeguards o Network safeguards o Disaster planning and recovery o Data quality control processes

9 Security Program: Employee Awareness Train employees to recognize, respond, and report New employee education o Policies and procedures Including mobile devices, e-mails, faxes, social media Annual signed confidentiality agreements Periodic and ongoing security reminders

10 Security Program: Risk Management Program Risk Analysis o Identify all security threats o Estimate how likely it is that risk may occur (likelihood determination) o Eliminate the impact of an untoward event (impact analysis) o Determine the value of information assets

11 Security Program: Risk Management Program Incident Detection o Monitor information systems for abnormalities Incident Response Plan o Watch and warn o Repair and report o Pursue and prosecute

12 Security Program: Access Safeguards Identify which employees should have access to what data o Role-based access (RBAC) o User-based access (UBAC) o Context-based access control (CBAC) Access controls that restrict access when necessary but allow access to complete job tasks Develop procedures and methods for identification, authentication, and authorization of users

13 Security Program: Access Safeguards – Access Control Mechanisms Identification: establish user IDs and or numbers Authentication: verify the user o Password or PIN (something you know) o Smart card or token (something you have) o Biometrics (something you are) o Two-factor authentication (combination of these) o Single Sign-on Authorization: permission given to an individual o CAPTCHA

14 Security Program: Physical and Administrative Safeguards Physical safeguards: Protection from physical damage (natural elements, theft) o Secure and structurally sound locations o Physical separation and barriers Administrative safeguards: Policies and procedures that address management of computer resources o Includes Information Technology Asset Disposition (ITAD) to identify how all data storage devices are destroyed and purged of data prior to repurposing or disposal

15 Security Program: Software Application Safeguards Authentication Edit checks Audit trails

16 Security Program: Network Safeguards Firewalls Cryptographic technologies o Encryption (private key or public key) o Digital signatures o Digital certificates Web security protocols Intrusion detection systems

17 Security Program: Disaster Planning and Recovery Disaster planning o Contingency plan: set of procedures to follow when responding to emergencies Based on information gathered during risk assessment and analysis o Identify minimum allowable time for system disruption o Identify alternatives for system continuation o Evaluate cost and feasibility of each alternative o Develop procedures required to active the plan

18 Security Program: Disaster Planning and Recovery Disaster Recovery o Disaster recovery plan addresses resources, actions, tasks, and data necessary to restore critical services as soon as possible and to manage business recovery processes Business continuity plan o How to continue operations during computer system shutdown Emergency mode of operations o Processes and controls to follow until operations are fully restored

19 Security Program: Data Quality Control Processes Availability: data are easily obtainable Consistency: data do not change Definition: clear meaning for every data element

20 HIPAA Security Provisions Health Insurance Portability and Accountability Act of 1996 o Security standards implemented 2005 o Security compliance responsibility of Office for Civil Rights (OCR) o Privacy Law revised in February of 2009 HITECH improves enforcement of privacy and security rules

21 HIPAA Security Provisions: General Rules Security program must document confidentiality, integrity and availability of all ePHI Protect ePHI against reasonably anticipated threats or hazards to its security or integrity Protect ePHI against reasonable or anticipated uses or disclosures not permitted under the HIPAA Privacy Rule Ensure workforce compliance with HIPAA Security Rule

22 HIPAA Security Provisions: General Rules Security Rule is: o Flexible – security measures may be adopted that are appropriate and reasonable for the organization o Scalable – accommodates organizations of any size o Technology neutral – specific technologies are not prescribed

23 HIPAA Security Provisions: General Rules Security Rule applies to: o Covered entities o Business associates o Hybrid entities o Other related entities

24 HIPAA Security Provisions: General Rules Implementation specifications: o Required o Addressable (not optional) – covered entity must conduct risk assessment and evaluate whether the specification is appropriate as written If not, must document why not Must implement equivalent alternative method if reasonable and appropriate

25 HIPAA Security Provisions: 5 Categories Provisions 1.Administrative safeguards 2.Physical safeguards 3.Technical safeguards 4.Organizational requirements and policies 5.Policies and documentation requirements

26 HIPAA Security Rule: Administrative Safeguards Security management process Assigned security responsibility Workforce security Information access management Security awareness and training Security incident procedures Contingency plan Evaluation Business associate contracts

27 HIPAA Security Rule: Physical Safeguards Facility access controls Workstation use Workstation security Device and media controls

28 HIPAA Security Rule: Technical Safeguards Access control Audit controls Integrity Person or entity authentication Transmission security

29 HIPAA Security Rule: Organizational Requirements Business associate or other contracts Group health plan requirements

30 HIPAA Security Rule: Policies and Procedures and Documentation Requirements Policies and procedures Documentation

31 American Recovery and Reinvestment Act and HITECH Changes Changes o Business associates must comply with most of the same rules as covered entities (increase in potential BA liability) o Breach notification requirements for breaches of unsecured ePHI ePHI that has not been made unusable, unreadable, or indecipherable to unauthorized persons Encryption secures ePHI Affects data at rest, in motion, in use, and disposed

32 Forensics Security committee or designated individuals must review o Access logs at specified intervals o Audit trails based on trigger events o Failed logins

33 Trigger Events Monitoring can be based on events or situations as follows o Last name of employee matches that or accessed record o VIP records o Records of those involved in high-profile events o Records with little or no activity for 120 days o Other employees’ records o Records of minors o Access of those treated for sensitive diagnoses o Records of those for which the viewing employee did not treat o Spousal records o Records of terminated employees o Portions of records not consistent with viewing employees’ job role

Download ppt "© 2016 Health Information Management Technology: An Applied Approach Chapter 10 Data Security."

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.
David Assee BBA, MCSE Florida International University

David Assee BBA, MCSE Florida International University
Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
Privacy, Security, Confidentiality, and Legal Issues

Privacy, Security, Confidentiality, and Legal Issues
Health information security & compliance

Health information security & compliance
Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting.

Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,

© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

Similar presentations

Ads by Google