Presentation is loading. Please wait.

Presentation is loading. Please wait.

Clinical Information System Security Policy (CISS Policy)

Published byEileen Woods Modified over 5 years ago

Similar presentations

Presentation on theme: "Clinical Information System Security Policy (CISS Policy)"— Presentation transcript:

1 Clinical Information System Security Policy (CISS Policy)
CSC 662 Computer Security CS2305B

2 Introduction The patient’s information is the most important data for clinical affairs. ACH95 (Keeping Information Confidential) “Doctors and other clinical professionals are worried that making personal health information more widely available may endanger patient confidentiality”

3 Scope of the policy Clinician Patient System

4 Clinician Clinician (licensed professional such as a doctor, nurse, dentist physiotherapist or pharmacist) who has access in the line of duty to personal health information and is bound by a professional obligation of confidentiality. Social workers, students, charity workers and receptionists may access personal health information under the supervision of a healthcare professional (but the professional remains responsible for their conduct)

5 Patient Patient (the individual’s concerned or the individual’s representative) The rules may depend on the wishes of the patient If the patient is a child, parent or guardian of a child will be acts on his behalf

6 System System(hardware, software, communications and manual procedures which make up a connected information processing system)

7 Threats and Vulnerabilities
The ethical basis of clinical confidentiality In GMC (General Medical Council) booklet, “Confidentiality” state that doctors who record of confidential information must ensure that it is effectively protected against improper disclosure The basic ethical principle, state Confidentiality is the privilege of the patient, so only he way waive it and the consent must be informed, voluntary and competent

8 Threats and Vulnerabilities
The ethical basis of clinical confidentiality for example, patients must be made aware that information may be shared between members of a care team, such as a general practice or a hospital department There is the issue of the patient's consent to have his record kept on a computer system at all. It is unethical to discriminate against a patient who demands that his records be kept on paper instead

9 Threats and Vulnerabilities
Other security requirements for clinical information we also concerned with its integrity and availability If information is corrupted, clinicians may take incorrect decisions which harm or even kill patients. If information is unreliable, in the sense that it could have been corrupted then its value as a basis for clinical decisions is decrease

10 Threats and Vulnerabilities
Threats to clinical confidentiality Experience shows that the main new threat comes from insiders Eg : most of the big UK banks now let any teller access any customer's account (private detectives bribe tellers to get account information)

11 Threats and Vulnerabilities
Threats to clinical confidentiality security depends on the fragmentation and scattering inherent in manual record systems, and these systems are already vulnerable to private detectives ringing up and pretending to be from another healthcare provider.

12 Threats and Vulnerabilities
Other security threats to clinical information Hardware failures occasionally corrupt messages Higher error rates could result from the spreading practice of sending lab results as unstructured messages Viruses have already destroyed clinical information, and a virus could conceivably be written to make malicious alterations to records A malicious attacker might also manipulate messages

13 Security Policy Principle 1 : Access control
Each identifiable clinical record shall be marked with an access control list naming the people or groups of people who may read it and append data to it The system shall prevent anyone not on the access control list from accessing the record in any way

14 Security Policy Principle 2 : Record opening
A clinician may open a record with herself and the patient on the access control list Where a patient has been refer, she may open a record with herself, the patient and the referring clinician on the access control list

15 Security Policy Principle 3 : Control
One of the clinicians on the access control list must be marked as being responsible. Only she may alter the access control list, and she may only add other health care professionals to it

16 Security Policy Principle 4 : Consent and notification
The responsible clinician must notify the patient of the names on his record's access control list when it is opened, of all subsequent additions, and whenever responsibility is transferred. His consent must also be obtained, except in emergency case

17 Security Policy Principle 5 : Persistence
No-one shall have the ability to delete clinical information until the appropriate time period has expired

18 Security Policy Principle 6 : Attribution
All accesses to clinical records shall be marked on the record with the subject's name, as well as the date and time An audit trail must also be kept of all deletions

19 Security Policy Principle 7 : Information flow
Information derived from record A may be appended to record B if and only if B's access control list is contained in A's

20 Security Policy Principle 8 : Aggregation control
There shall be effective measures to prevent the aggregation of personal health information

21 Security Policy Principle 9 : The Trusted Computing Base
Computer systems that handle personal health information shall have a subsystem that enforces the above principles in an effective way Its effectiveness shall be subject to evaluation by independent experts

22 Conclusions Based on the experience, we can conclude that the threats to the confidentiality, integrity and availability of personal health information enforced the medical sector to developed a Clinical Information System that can give the high level protection to patient’s data. Clinicians making decisions must be compliance with CISS Policy

23 Conclusions Nowadays, there is a lot of Clinical Information System but still have a weakness that can cause the data of patient’s spread So we need to enhance the already system so that we can keep the data as confidentiality

24 Reference: Dr Rose, J. A., (1996). Security in Clinical Information System. Computer Laboratory University of Cambridge. THE END

Download ppt "Clinical Information System Security Policy (CISS Policy)"

Similar presentations

Confidentiality and HIPAA

Confidentiality and HIPAA
© 2009 The McGraw-Hill Companies, Inc. All rights reserved 3-1 LEGAL AND ETHICAL ISSUES in Medical Practice, Including HIPAA PowerPoint® presentation.

© 2009 The McGraw-Hill Companies, Inc. All rights reserved 3-1 LEGAL AND ETHICAL ISSUES in Medical Practice, Including HIPAA PowerPoint® presentation.
Hybrid Policies Overview Chinese Wall Model Clinical Information Systems Security Policy ORCON RBAC Introduction to Computer Security ©2004 Matt Bishop.

Hybrid Policies Overview Chinese Wall Model Clinical Information Systems Security Policy ORCON RBAC Introduction to Computer Security ©2004 Matt Bishop.
Hybrid Policies Overview Chinese Wall Model Clinical Information Systems Security Policy ORCON RBAC Introduction to Computer Security ©2004 Matt Bishop.

Hybrid Policies Overview Chinese Wall Model Clinical Information Systems Security Policy ORCON RBAC Introduction to Computer Security ©2004 Matt Bishop.
IST346: Information Ethics. Ethics  Ethics are the principles of conduct that govern a group of people.  Ethics are not morals.  Morals are the proclamation.

IST346: Information Ethics. Ethics  Ethics are the principles of conduct that govern a group of people.  Ethics are not morals.  Morals are the proclamation.
INTERNET and CODE OF CONDUCT

INTERNET and CODE OF CONDUCT
HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.

HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Nic Dibble, Consultant School Social Work (608) 266-0963 Department of Public Instruction

Nic Dibble, Consultant School Social Work (608) Department of Public Instruction
Protected Health Information (PHI). Privileged Communication An exchange of information between two individuals in a confidential relationship. (Examples:

Protected Health Information (PHI). Privileged Communication An exchange of information between two individuals in a confidential relationship. (Examples:
HIPAA PRIVACY AND SECURITY AWARENESS.

HIPAA PRIVACY AND SECURITY AWARENESS.
Information Systems Security Computer System Life Cycle Security.

Information Systems Security Computer System Life Cycle Security.
Research Paper Presentation Software Engineering in agent systems.

Research Paper Presentation Software Engineering in agent systems.
WORKSHOP IV Integrating Ethics, Compliance, Privacy and Security into a Single Organizational Initiative Geralyn Kidera JD Senior Vice President Council.

WORKSHOP IV Integrating Ethics, Compliance, Privacy and Security into a Single Organizational Initiative Geralyn Kidera JD Senior Vice President Council.
CONFIDENTIALITY The promise of NOT to share personal information inappropriately. Grounded in an individual’s right of privacy.  “DO NO HARM” Slide 2.

CONFIDENTIALITY The promise of NOT to share personal information inappropriately. Grounded in an individual’s right of privacy.  “DO NO HARM” Slide 2.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Dr. Ihab Nada DOE, MSKMC.  The information a patient reveals to a health care provider is private and has limits on how and when it can be disclosed.

Dr. Ihab Nada DOE, MSKMC.  The information a patient reveals to a health care provider is private and has limits on how and when it can be disclosed.
Policies for Information Sharing April 10, 2006 Mark Frisse, MD, MBA, MSc Marcy Wilder, JD Janlori Goldman, JD Joseph Heyman, MD.

Policies for Information Sharing April 10, 2006 Mark Frisse, MD, MBA, MSc Marcy Wilder, JD Janlori Goldman, JD Joseph Heyman, MD.
Legal aspects of Health Data protection Solvita Olsena Medical Law Institute Ltd.

Legal aspects of Health Data protection Solvita Olsena Medical Law Institute Ltd.
Your health record How the local NHS uses and protects the information held about you Other ways that your records may be used Your local NHS services.

Your health record How the local NHS uses and protects the information held about you Other ways that your records may be used Your local NHS services.

Similar presentations

Ads by Google