Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Computer Science

Published byMartha McKinney Modified over 6 years ago

Similar presentations

Presentation on theme: "Introduction to Computer Science"— Presentation transcript:

1 Introduction to Computer Science
Security and Privacy Welcome to the Introduction to Computer Science: Security and Privacy. This is Lecture e. The component, Introduction to Computer Science, provides a basic overview of computer architecture; data organization, representation and structure; the structure of programming languages; and networking and data communication. It also includes the basic terminology of computing. Lecture e This material (Comp 4 Unit 7) was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number 90WT0001. This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. To view a copy of this license, visit Health IT Workforce Curriculum Version 4.0

2 Security and Privacy Learning Objectives - 1
Define cybercrime and cybersecurity (Lecture a) List common information technology (IT) security and privacy concerns (Lecture a) List hardware components that are usually attacked by the hackers (Lecture a) Explain some of the common methods of attack (Lecture b) The objectives for this unit, Security and Privacy, are to: Define cybercrime and cybersecurity List common information technology, or IT, security and privacy concerns List the hardware components that are usually attacked by hackers Explain some of the common methods of attack

3 Security and Privacy Learning Objectives - 2
Describe common types of malware (Lecture b) Explain social engineering methods used by cybercriminals (Lecture b) Describe methods and tools available for protection against cyberattacks (Lecture c) Describe practices designed to minimize the risk of successful cyberattack (Lecture d) Describe common types of malware Explain social engineering methods used by cybercriminals Describe methods and tools available for protection against cyberattacks Describe practices designed to minimize the risk of successful cyberattack

4 Security and Privacy Learning Objectives - 3
Address specifics of wireless device security (Lecture d) Explain security and privacy concerns associated with EHRs (Lecture e) Describe security safeguards used for health care applications (Lecture e) Provide the basics of ethical behavior online (Lecture e) Address specifics of wireless device security Explain security and privacy concerns associated with Electronic Health Records, or EHRs Describe security safeguards used for health care applications And, provide the basics of ethical behavior online

5 Health Care Applications and Security
U.S. Government’s stated goal: Most Americans to have access to electronic health records (EHRs) by 2014 Why EHRs? Improve quality of care Decrease cost Ensure privacy and security Outsourcing introduces risk Countries with different cultural values and EHR regulations In this lecture, we will trace the history of the use of electronic health records, or EHRs, in America; discuss the risks inherent in putting health-related information into electronic form, and touch on ethical behavior when on the Internet. For a number of years, the U.S. government had a goal that by 2014 most Americans should have access to EHRs. Putting health records into electronic form means a lot of private and confidential information is now accessible through web browsers and wireless devices. If these devices are not secure, personal medical information is at risk. For example, information could be falsely entered or even changed by somebody with malicious intent. So it is very important that organizations understand the application of security in conjunction with health care. The impetus for EHRs came from the American government. The motivation was to improve quality of care, decrease cost, and insure the privacy and security of the data. One security concern is the current trend of outsourcing medical data entry management to countries outside the United States. If hospitals employ medical transcriptionists in other countries, might these countries have different cultural values and EHR regulations? How can data be protected when it is on the other side of the world being used by people who live by different rules, regulations, and cultural norms?

6 Health Record Security Concerns
Incorrect health data recorded Job discrimination Personal privacy violated Sharing of data between providers adds risk Use of Internet always introduces risk Other issues include concerns about encountering someone else’s information in your health record, making the information in both records incorrect and compromising security. Additionally, individuals might be discriminated against in employment, denied employment, or even denied health coverage based on pre-existing conditions if private medical information is made public. Personal privacy might be violated, such as when friends, family, and others find out about an embarrassing, but non-infectious medical condition. A final concern about the security of health data involves the sharing of data between providers. Any time data travels over the Internet, there is always a risk to data security and privacy.

7 What is an EHR System? Collection of health data about the business, patients, doctors, nurses Health data stored as records in database system Records represent a complete event Example: A patient’s personal information Reason for office visit Tests ordered and their results An EHR system is a collection of health data about medical practices, patients, doctors, nurses, and all entities involved in the health care process. Health data is stored as a record in a database system. For every visit to a doctor, an entry is recorded in the EHR, and that record is stored in a database. The patient’s name and contact information are one record in the database. The patient’s diagnosis and treatment are other records in the database. Tests ordered and procedures performed are yet another record in the database.

8 EHRs are… 1 Used and maintained by health care providers
Covered by Health Insurance Portability and Accountability Act (HIPAA) rules Centralized database systems used to integrate patient intake, medical care, pharmacy, and billing into one system EHR systems are used and maintained by health care providers and others to store health care data. Health care providers, health care clearinghouses, and health plan providers are subject to federal rules governing security and other rules related to EHRs. The primary federal rule governing EHRs is the Health Insurance Portability and Accountability Act, or HIPAA. Organizations that must adhere to HIPAA rules are called “covered entities.” When data in an EHR is maintained by a covered entity, that data is also subject to HIPAA rules. However, free, online, electronic, personal health records are not a covered entity. This means data entered in free, online, electronic, personal health records is not protected by HIPAA rules. EHRs use centralized database systems to integrate functions such as patient intake, medical care, and pharmacy billing into one large database system.

9 EHRs are… 2 Used to send data over the Internet when departments/entities are not in same physical location Accessible by individual patient Departments and other entities might not be in the same physical location, so patient data must often travel over the Internet. As we touched on earlier, any time the Internet and data are combined, an element of risk is introduced. Why does data have to travel over the Internet at all? One reason―and there are many―is that when a doctor’s office bills an insurance company, some of the patient’s medical information must travel over the Internet. Through the use of EHRs, people can view their own health record, taking ownership of its contents, insuring accuracy, and even providing content by adding comments for their doctors to read.

10 EHR Security Q & A - 1 How is data sent over the Internet?
It should be sent in an encrypted, secure manner over the Internet Is my personal data safe? Much depends on each organization’s physical record and network security practices No data is 100% secure against theft or misuse Let’s now consider some EHR security question and answers. How is―or how should―data be sent over the Internet? In most cases, data will be sent in an encrypted, secure manner over the Internet. If not, patients should question the security practices being used. Is your personal data safe? The answer to this question depends on each organization’s physical record and network security practices, as governed by their security policy. However, no data is 100 percent secure against theft or misuse, regardless of the applicable security policy. Having a good security policy in place, and then auditing for compliance, can significantly improve success in maintaining data security.

11 EHR Security Q & A - 2 Who can view my health records?
Only those who need to know or view the contents of a health record should be able to view it Patient must authorize all other access And finally, who can view your private medical records? According to HIPAA, only those who need to know or view the contents of a health record should be able to do so. Patients must authorize all other access to their record.

12 Federal Rules Emerge HIPAA enacted in 1996
HIPAA establishes privacy and security standards established for: Health care providers Health insurance companies Care clearinghouses (organizations that translate claims data in to and out of HIPAA-standard format) HIPAA was enacted in 1996 by the federal government. HIPAA establishes privacy and security standards, and requires that health care providers, insurance companies, and care clearinghouses - organizations that translate claims data in to and out of HIPAA-standard format - abide by privacy and security standards.

13 HIPAA and Privacy Privacy Rule Security Rule
Requires those covered to provide patients a “Notice of Privacy Practices” when care is first provided Covers paper and electronic private health information Security Rule Covers administrative, physical, and technical data safeguards that secure electronic health record data The HIPAA privacy rule requires covered entities to provide patients with what is known as a “Notice of Privacy Practices” when care is first provided. A patient might receive this notice when visiting a walk-in clinic, for example. The privacy rule covers both paper and electronic private health information. HIPAA also incorporates a security rule that goes farther than the privacy rule in that it covers administrative, physical, and technical data safeguards that must be enacted to secure EHR data. All of these should be outlined in the entity’s security policy.

14 What is Privacy? Most privacy laws revolves around privacy between a person and the government “The law of privacy regulates the type of information which may be collected and how this information may be used and stored.” Wikipedia, 2016 Privacy relates to people. Most privacy laws revolve around privacy between a person and the government. According to Wikipedia, “The law of privacy regulates the type of information that can be collected and how this information may be used and stored.” Privacy relates to people. For example, a patient’s visit to a doctor is private information.

15 What is Confidentiality?
“Confidentiality is commonly applied to conversations between doctors and patients. Legal protections prevent physicians from revealing certain discussions with patients, even under oath in court. The rule only applies to secrets shared between physician and patient during the course of providing medical care.” Wikipedia. 2016 Confidentiality relates to data Confidentiality is different from privacy. According to Wikipedia, “Confidentiality is commonly applied to conversations between doctors and patients. Legal protections prevent physicians from revealing certain discussions with patients, even under oath in court. The rule only applies to secrets shared between physician and patient during the course of providing medical care.” We can infer from this that confidentiality relates to data, data shared between the health provider and the patient. Confidentiality, then, in this context, means that the things discussed with a doctor should remain between the patient and the doctor; they are confidential. To put privacy and confidentiality in context, the fact that someone visited a doctor is private; what the patient and doctor discussed is confidential. Privacy and confidentiality are not mutually exclusive and each slightly overlaps the other in scope.

16 Steps to Secure EHR - 1 Authenticate and authorize ALL record access
Only those who “need to know” can view Only pertinent people can change records Limit who can print electronic documents All views and changes recorded for audit trail What steps can be taken to secure an EHR and its records? It is possible to authenticate and authorize all access to electronic health records. Authorization involves permissions. Permissions limit who can view, change, and/or print medical records and electronic documents. Additionally, all views of and changes to medical information should be recorded for audit.

17 Steps to Secure EHR - 2 Examples:
A clerk can view the dates and charges related to an office visit but nothing about treatment Nurses and doctors can view medical records only for patients under their direct care Security outlines the structure to enforce privacy and security As an example of permissions, a clerk would be able to view the dates and charges related to an office visit, but would not be able to view anything that details the treatment received or the information discussed between patient and doctor. Nurses and doctors can view medical records only for patients under their direct care, but should not view medical records for patients not under their care. An important point is that security outlines the structure through which privacy and confidentiality can be enforced. Putting in place security mechanisms such as requiring usernames and passwords; badges to open doors; and keys to open file cabinets, increases the probability of data privacy and confidentiality.

18 Steps to Secure EHR - 3 Device security
Apply operating system critical updates immediately Install current Anti-virus definitions Restrict physical access to servers Allow only authenticated device access Device security is important in securing EHR and records. Critical updates to computer operating systems should be applied immediately Antivirus definitions should always be current Physical access to servers that house medical data should be restricted And finally, access to devices must be authenticated

19 Steps to Secure EHR - 4 Secure electronic communications
Encrypt all EHR communications Client-server environment Configure user accounts and groups Implement network access protection mechanisms Encryption can also help secure electronic communications. All communication between an EHR system and a destination device should be encrypted. A client-server environment allows maintenance of a domain environment with a server that manages all devices and all objects. User accounts should be configured in groups, and permissions must be provided to the groups. Finally, organizations should implement network access protection mechanisms. For example, if a device attempts to connect to a network, the system should first examine the device to verify that it has had critical updates applied to its operating system. The system should then require that the device attempting to connect to the network has antivirus protection software installed and verify that its firewall is enabled.

20 Steps to Secure EHR - 5 Web environment considerations
Implement HTTPS for all web transactions Validate all data entered into web forms Perform regular audits of access and changes Implement redundant devices Ensures that devices are available as expected Load-balance heavily used hardware devices EHR transmission over the Internet should require that either Hypertext Transfer Protocol Secure, or HTTPS, or secure web browsing be implemented for all web transactions. In other words, all communication over the Internet should be encrypted. Additionally, all data entered into web forms should have to be validated before that data is stored in a database. And, regular audits of data access and changes in medical records should be occurring. Implementing redundant devices within the data environment helps ensure that devices are available as expected. Having redundant devices allows system administrators to load-balance heavily used hardware devices. For example, rather than using only one server to store database records, an administrator can create a five-server cluster. Then, whichever server is the least busy can respond to requests for database records.

21 Steps to Secure EHR - 6 Prosecute security violations vigorously
Backup EHR data with secure storage Administrators should prosecute security violations vigorously. If a hacker attacks a network, administrators should immediately report that activity to the authorities. Even internal violations should be pursued and offenders prosecuted. This would discourage others from taking the same actions. Finally, EHR data must be backed up and stored securely.

22 Free Online PHR Systems
PHRs maintained by individuals Some PHRs not covered by HIPAA rules Resources Microsoft HealthVault - WebMD Health Manager - Many of the concerns related to medical privacy exist because there are a number of EHR options available for use. If an individual uses a personal health record, or PHR system, this usually means that the individual maintains the record. Notice that PHRs differ from EHR systems. PHRs are maintained by individuals and are usually not covered by HIPAA rules because individuals manage their own health record, not the company that is providing an individual with the ability to have the health record. There are links on this slide for Microsoft Health Vault and WebMD’s Health Manager—two examples of available PHRs. Typically, these PHRs are free, allowing an individual to enter all of his or her medical information and share it with a doctor or medical personnel.

23 Ethical Behavior Online
Mistakes Happens Need to Know vs. Want to Know Online Ratings Data Breaches This is a good time to discuss ethical behavior online, some of which we’ve already touched on. The very nature of the Internet is openness and accessibility. But when it comes to health care data, we all want our data to be accurate and secure. We all know mistakes happen. Computer data can only be accurate if it was entered correctly in the first place. Occasionally medical codes may get transposed when being entered into an EHR, dosages can get mis-transcribed, or medical notes can be placed in the wrong patient’s chart. These types of mistakes, though undesirable, are understandable. However, ethics become a question when someone’s intent is in conflict with known rules and regulations. For example, it should be obvious that just because you could have access to someone’s medical records doesn’t mean you should go ahead and access them. But all you have to do is a simple Internet search on “celebrity HIPAA violations” to see that even medical professionals, who are trained in the importance of abiding by HIPAA, sometimes exercise poor judgment. Websites, such as healthgrades.com allow users to post ratings about doctors, dentists, and hospitals. But who validates those ratings? How can a website ensure that what is posted is accurate? Could a medical professional be offering incentives for positive reviews? Should the website publishing the ratings be responsible for verifying the ratings it publishes? If so, how would this be done without violating a patient’s privacy? If a server holding EHRs gets hacked and your personal health data gets shared on the Internet, what share of the responsibility should be assigned to your health care professional? To their IT department? To the service that was contracted to keep those records secure? Entire courses are taught on the subject of ethical behavior when online. For now, as technology continues to be increasingly intertwined with health care, health care professionals must continue to question, debate, and examine ethics and ethical behavior in the context of the Internet. Resources are included in the References section of this presentation for those interested in learning more about ethical behavior online and health care.

24 Security and Privacy Summary – Lecture e
Explained security and privacy concerns associated with Electronic Health Records (EHRs) Described security safeguards used for health care applications Provided basics of ethical behavior when online This concludes lecture e of Security and Privacy. In summary, this lecture: Explained security and privacy concerns associated with Electronic Health Records Described security safeguards used for health care applications And, provided some thoughts on ethical behavior and the Internet

25 Security and Privacy Summary - 1
Cybercrime and cybersecurity Common IT security and privacy concerns Hardware components usually attacked by the hackers; common methods of attack Common types of malware Social engineering methods used by cybercriminals Methods and tools available for protection against cyberattacks This also concludes the unit on Security and Privacy. In summary, this unit addressed the following topics: Cybercrime and cybersecurity Common IT security and privacy concerns Hardware components usually attacked by hackers and the common methods of attack Common types of malware Social engineering methods used by cybercriminals Methods and tools available for protection against cyberattacks

26 Security and Privacy Summary - 2
Practices designed to minimize the risk of successful cyberattack Specifics of wireless device security Security and privacy concerns associated with EHRs Security safeguards used for health care applications Basics of ethical behavior online Practices designed to minimize the risk of successful cyberattack Specifics of wireless device security Security and privacy concerns associated with EHRs Security safeguards used for health care applications And, the basics of ethical behavior online

27 Security and Privacy References – 1 – Lecture e
Dyer, K. A. (2011, June 2). Ethical Challenges of Medicine and Health on the Internet: A Review. Retrieved from Greysen, S. (2010, July 15). Online Professionalism and the Mirror of Social Media. Retrieved April 20, 2016, from Health and Human Services. HHS Announces Project to Help 3.6 Million Consumers Reap Benefits of Electronic Health Records. [Internet] [cited 2011 Nov 07]. Available from: Improving Ethics Quality in Health Care. (n.d.). Retrieved April 20, 2016, from Informatics Professor, Meaningful Use: A Highly Useful Construct for Informatics. [Internet] May [cited 2011 Nov 07]. Available from: Kraus, R. (2004). Ethical and Legal Considerations for Providers of Mental Health Services Online. In Online Counseling, 2nd ed.: A Handbook for Mental Health Professionals. San Diego, CA: Elsevier Academic Press. References slide. No audio.

28 Security and Privacy References – 2 – Lecture e
Wikipedia. Network security. [Internet] [cited 2011 Nov 07]. Available from: Wikipedia. Wireless security. [Internet] [cited 2011 Nov 07]. Available from: Wikipedia. Wireless LAN security. [Internet] [cited 2011 Nov 07]. Available from: Wikipedia. Electronic health record. [Internet] [cited 2011 Nov 07]. Available from: Wikipedia. Electronic medical record. [Internet] [cited 2011 Nov 07]. Available from: References slide. No audio.

29 Introduction Computer Science Security and Privacy Lecture e
This material was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number 90WT0001. No audio.

Download ppt "Introduction to Computer Science"

Similar presentations

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
CHAPTER © 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2 The Use of Health Information Technology in Physician Practices.

CHAPTER © 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2 The Use of Health Information Technology in Physician Practices.
HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.

HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.
Privacy, Security, Confidentiality, and Legal Issues

Privacy, Security, Confidentiality, and Legal Issues
2 The Use of Health Information Technology in Physician Practices.

2 The Use of Health Information Technology in Physician Practices.
HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.

HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.
ELECTRONIC MEDICAL RECORDS By Group 5 members: Kinal Patel David A. Ronca Tolulope Oke.

ELECTRONIC MEDICAL RECORDS By Group 5 members: Kinal Patel David A. Ronca Tolulope Oke.
The University of Kansas Medical Center Shadow Experience Training.

The University of Kansas Medical Center Shadow Experience Training.
Introduction to Information and Computer Science Security Lecture b This material (Comp4_Unit8b) was developed by Oregon Health and Science University,

Introduction to Information and Computer Science Security Lecture b This material (Comp4_Unit8b) was developed by Oregon Health and Science University,
The Use of Health Information Technology in Physician Practices

The Use of Health Information Technology in Physician Practices
HIPAA PRIVACY AND SECURITY AWARENESS.

HIPAA PRIVACY AND SECURITY AWARENESS.
“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.

“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.
Component 4: Introduction to Information and Computer Science Unit 8: Security Lecture 2 This material was developed by Oregon Health & Science University,

Component 4: Introduction to Information and Computer Science Unit 8: Security Lecture 2 This material was developed by Oregon Health & Science University,
Component 4: Introduction to Information and Computer Science Unit 2: Internet and the World Wide Web 1 Component 4/Unit 2Health IT Workforce Curriculum.

Component 4: Introduction to Information and Computer Science Unit 2: Internet and the World Wide Web 1 Component 4/Unit 2Health IT Workforce Curriculum.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

Similar presentations

Ads by Google