Difference between revisions of "Information security"
Revision as of 22:23, 5 October 2014
Information security means maintaining confidentiality and availability at the same time: information must be kept hidden, safe and private, yet ready for immediate use.
Introduction
Everything that handles information needs to be protected: hardware, software, data, and so on; in particular anything that is confidential or irreplaceable, or whose loss would cost time and money. The most common culprits are natural hazards, computer failure, media failure, malicious people and, sometimes, yourself.
Information Security Goals
- Confidentiality
- Integrity
- Availability
- Non-repudiation
Accomplishing these is a management issue before it is a technical one, as they are essentially business objectives.
Confidentiality is about controlling access to files either in storage or in transit. This requires systems configuration or products (a technical job). But the critical definition of the parameters (who should be able to access what) is a business-related process.
Integrity is a matter of version control - making sure only the right people can change documents. It also requires an audit trail of the changes, and a fallback position in case changes prove detrimental. This meshes with non-repudiation (the change record must include who as well as what and when).
Availability is the Cinderella of information security as it is rarely discussed. But however safe from hackers your information is, it is no use if you can't get at it when you need to. So you need to think about data back-ups, bandwidth and standby facilities, which many people still leave out of their security planning.[1]
Electronic medical record security
Pros
EHRs can provide great privacy and security, e.g.,
- Access controls can be more granular
- Authentication mechanisms provide audit trails and non-repudiation
- Disaster recovery plans assure greater availability
- Encryption can provide confidentiality and data integrity
Cons
- Information flows more easily, so the risk of mishap is greater
- Collecting large volumes of data is more feasible, and riskier
- Sharing of information for treatment, payment, and operations is widely misunderstood
- New methods of attacking data are continuously being developed
The flow of information in health care has many points where it can "leak"
Direct patient care:
- Provider
- Clinic
- Hospital
Support activity:
- Payers
- Quality reviews
- Administration
“Social” uses:
- Insurance eligibility
- Public health
- Medical research
Commercial uses:
- Marketing
- Managed care
- Drug usage
NB: Even de-identified data is not necessarily secure
The Shields:
1-Risk assessment
We should balance:
- risk,
- benefit,
- cost and
- loss of accessibility
2-Access Restriction
- Authentication
- Access Control
- Accounting
Security Policies
We should document:
- goals
- procedures
- organization
- responsibilities
Technologies to secure information:
Deterrents
- Alerts
- Audit trails
System management precautions
- Software management
- Vulnerability analysis
Obstacles
- Authentication
- Authorization
- Integrity management
- Digital signatures
- Encryption
- Firewalls
- Rights management
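The access-restriction triad above (authentication, access control, accounting), the audit trails listed under deterrents, and the integrity and non-repudiation goals from the Information Security Goals section fit together in one small program. The following is an added example written for this page, not code from the wiki article or from any project it cites. The users, passwords, roles, patient identifier and record contents are constructed sample data, the role-to-permission table is an assumption, and the hash-chained log stands in for a real audit system: it detects deletion or alteration of log entries, while non-repudiation proper would additionally require per-user signatures, which the example does not implement.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

PERMISSIONS = {"physician": {"read", "write"}, "researcher": set()}  # constructed assumption
GENESIS = "0" * 64


def _sha256(data):
    """Hash of canonical JSON, so equal content always gives the same digest."""
    return hashlib.sha256(json.dumps(data, sort_keys=True).encode()).hexdigest()


def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuditLog:
    """Append-only audit trail (accounting): who, what, when and outcome, plus the
    hash of the previous entry, so a deleted or altered entry breaks the chain."""
    def __init__(self):
        self.entries = []
    def record(self, who, what, outcome, detail=""):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"who": who, "what": what, "outcome": outcome, "detail": detail,
                 "when": datetime.now(timezone.utc).isoformat(), "prev": prev}
        entry["hash"] = _sha256(entry)
        self.entries.append(entry)
    def verify(self):
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _sha256(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class RecordStore:
    """Toy EHR store: salted PBKDF2 authentication, role-based authorization,
    accounting via the audit log, and versioned records with integrity hashes."""
    def __init__(self, audit):
        self.audit = audit
        self.users = {}    # name -> (role, salt, password hash)
        self.records = {}  # patient id -> list of versions
    def add_user(self, name, role, password):
        salt = secrets.token_bytes(16)
        self.users[name] = (role, salt, _kdf(password, salt))
    def _authenticate(self, name, password):
        role, salt, digest = self.users.get(name, (None, b"", b""))
        if role is None or not hmac.compare_digest(_kdf(password, salt), digest):
            return None
        return role
    def _check(self, name, password, action, patient_id):
        """Authenticate, then authorize; log the outcome either way."""
        role = self._authenticate(name, password)
        if role is None:
            self.audit.record(name, action, "denied", "authentication failed")
            return False
        if action not in PERMISSIONS.get(role, set()):
            self.audit.record(name, action, "denied", f"role {role} may not {action}")
            return False
        self.audit.record(name, action, "allowed", patient_id)
        return True
    def write(self, name, password, patient_id, content):
        if not self._check(name, password, "write", patient_id):
            return False
        versions = self.records.setdefault(patient_id, [])
        version = {"n": len(versions) + 1, "author": name, "content": content}
        version["hash"] = _sha256(version)  # integrity tag for this version
        versions.append(version)
        return True
    def read(self, name, password, patient_id):
        if not self._check(name, password, "read", patient_id):
            return None
        versions = self.records.get(patient_id)
        return versions[-1]["content"] if versions else None
    def verify_record(self, patient_id):
        """Integrity check: every stored version must still match its hash."""
        return all(_sha256({k: v for k, v in ver.items() if k != "hash"}) == ver["hash"]
                   for ver in self.records.get(patient_id, []))


def demo():
    audit = AuditLog()
    store = RecordStore(audit)
    store.add_user("dr_lee", "physician", "correct horse")   # constructed users
    store.add_user("rsrch1", "researcher", "battery staple")
    store.write("dr_lee", "correct horse", "P-001", "BP 120/80")
    store.write("dr_lee", "correct horse", "P-001", "BP 118/78")  # second version
    denied = store.read("rsrch1", "battery staple", "P-001")      # role lacks "read"
    bad_pw = store.read("dr_lee", "wrong password", "P-001")      # authentication fails
    latest = store.read("dr_lee", "correct horse", "P-001")
    intact = store.verify_record("P-001") and audit.verify()
    store.records["P-001"][0]["content"] = "BP 200/120"           # simulated tampering
    del audit.entries[2]                                          # simulated log deletion
    return {"denied": denied, "bad_pw": bad_pw, "latest": latest, "intact": intact,
            "record_ok_after_tamper": store.verify_record("P-001"),
            "log_ok_after_delete": audit.verify(),
            "outcomes": [e["outcome"] for e in audit.entries]}
```

Running `demo()` walks through the shields in order: a researcher is refused access by role, a wrong password is refused before authorization is even considered, both refusals are written to the audit trail, and the two integrity checks flag the altered record version and the removed log entry. The version list with author and hash per version is the "audit trail of changes with a fallback position" that the integrity goal calls for; restoring an earlier version is a matter of reading an older entry whose hash still verifies.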
Conclusion
The threats are real and dangerous, and recovery costs are large. We must shield ourselves in as many ways as possible while accepting only a reasonable loss of accessibility.
References
- Hersh, W. Introduction to Biomedical Informatics; 2007.
- Amatayakul, M. (RHIA, CHPS, FHIMSS) and Lazarus, S. S. (PhD, FHIMSS). EHRs/NHII: HIPAA Security and EHRs, a Near Perfect Match.
- Rindfleisch, T. C. Privacy, information technology, and health care; 1997.
- [1] Barwise, M. Four Goals of Security; 2006; http://www.computerweekly.com/opinion/Four-goals-of-security