Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy, Confidentiality, and Security Unit 8: Professional Values and Medical Ethics Lecture 2 This material was developed by Oregon Health & Science.

Published byAmber Barnett Modified over 8 years ago

Similar presentations

Presentation on theme: "Privacy, Confidentiality, and Security Unit 8: Professional Values and Medical Ethics Lecture 2 This material was developed by Oregon Health & Science."— Presentation transcript:

1 Privacy, Confidentiality, and Security Unit 8: Professional Values and Medical Ethics Lecture 2 This material was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000015.

2 Tools for protecting health information IOM report: For the Record (1997) Report commissioned by NLM; informed HIPAA legislation Looked at current practices at six institutions Recommended immediate and future best practices Some content dated, but framework not Component 2/Unit 8-2 Health IT Workforce Curriculum Version 2.0/Fall 2011 2

3 Threats to security Insider –Accidental disclosure –Curiosity –Subornation Secondary use settings Outside institution –A lot of press, few examples Component 2/Unit 8-2 Health IT Workforce Curriculum Version 2.0/Fall 2011 3

4 Technologies to secure information Deterrents –Alerts –Audit trails System management precautions –Software management –Analysis of vulnerability Obstacles –Authentication –Authorization –Integrity management –Digital signatures –Encryption –Firewalls –Rights management Component 2/Unit 8-2 Health IT Workforce Curriculum Version 2.0/Fall 2011 4

5 Encryption Necessary but not sufficient to ensure security Should, however, be used for all communications over public networks, e.g., the Internet Information is scrambled and unscrambled using a key Types: symmetric vs. asymmetric –Asymmetric, aka public key encryption, can be used for digital certificates, electronic signatures, etc. Component 2/Unit 8-2 Health IT Workforce Curriculum Version 2.0/Fall 2011 5

6 Standards for encryption and related functions Advanced Encryption Standard (AES) – NIST-designated standard for encryption/decryption (Daemen, 2002) Transport Layer Security (TLS) and predecessor, Secure Sockets Layer (SSL) – cryptographic protocols that provide security for communications over all points on networks (Rescorla, 2001) Internet Protocol Security (IPsec) – protocol for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream –Part of IPv6 but also added as standalone on top of IPv4 Secure Hash Algorithm (SHA) protocols insure integrity of transmitted information and documents (NIST, 2002) –Security flaws have been identified in SHA-1 so SHA-2 family of protocols has been developed For more: Wikipedia and –http://csrc.nist.gov/groups/ST/toolkit/ Component 2/Unit 8-2 Health IT Workforce Curriculum Version 2.0/Fall 2011 6

7 For the Record best practices Organizational –Confidentiality and security policies and committees –Education and training programs –Sanctions –Patient access to audit trails Technical –Authentication of users –Audit trails –Physical security and disaster recovery –Protection of remote access points and external communications –Software discipline –Ongoing system vulnerability assessment Component 2/Unit 8-2 Health IT Workforce Curriculum Version 2.0/Fall 2011 7

8 Authentication and passwords Authentication is process of gaining access to secure computer Usual approach is passwords (“what you know”), but secure systems may add physical entities (“what you have”), e.g., –Biometric devices – physical characteristic, e.g., thumbprint –Physical devices – smart card or some other physical “key” Ideal password is one you can remember but no one else can guess Typical Internet user interacts with many sites for which he/she must use password –Many clamor for “single sign-on,” especially in healthcare, where users authenticate just once (Pabrai, 2008) Component 2/Unit 8-2 Health IT Workforce Curriculum Version 2.0/Fall 2011 8

9 Some challenges with passwords Common approach to security is password “aging” (i.e., expiration), which is less effective than other measures (Wagner, 2005) –Session-locking – one or small number of simultaneous logons –Login failure lockout – after 3-5 attempts Password aging may also induce counterproductive behavior (Allan, 2005) Component 2/Unit 8-2 Health IT Workforce Curriculum Version 2.0/Fall 2011 9

10 Health information security is probably a trade-off Component 2/Unit 8-2 Health IT Workforce Curriculum Version 2.0/Fall 2011 10 No security - Web pages Total security - CIA, NSA Where is the happy medium for healthcare?

11 Other issues about privacy and confidentiality to ponder… Who owns information? How is informed consent implemented? When does public good exceed personal privacy? –e.g., public health, research, law enforcement What conflicts are there with business interests? How do we let individuals “opt out” of systems? –What are the costs? When do we override? Component 2/Unit 8-2 Health IT Workforce Curriculum Version 2.0/Fall 2011 11

Download ppt "Privacy, Confidentiality, and Security Unit 8: Professional Values and Medical Ethics Lecture 2 This material was developed by Oregon Health & Science."

Similar presentations

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419.

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Security Controls – What Works

Security Controls – What Works
Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Risks, Controls and Security Measures

Risks, Controls and Security Measures
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Chapter 19 Security.

Chapter 19 Security.
Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.

Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.
WILLIAM HERSH, MD OREGON HEALTH & SCIENCE UNIVERSITY Privacy, Confidentiality, and Security: Basic Concepts Content licensed under Creative Commons Attribution-Share.

WILLIAM HERSH, MD OREGON HEALTH & SCIENCE UNIVERSITY Privacy, Confidentiality, and Security: Basic Concepts Content licensed under Creative Commons Attribution-Share.
Web services security I

Web services security I
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.

Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.
E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.

E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.
RIVERA SÁNCHEZ-1 CSE 5810 User Authentication in Mobile Healthcare Applications Yaira K. Rivera Sánchez Computer Science & Engineering Department University.

RIVERA SÁNCHEZ-1 CSE 5810 User Authentication in Mobile Healthcare Applications Yaira K. Rivera Sánchez Computer Science & Engineering Department University.
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.

Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.
Securing Information Systems

Securing Information Systems
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Similar presentations

Ads by Google