Information security
Information security is maintaining confidentiality and availability simultaneously. Information should be hidden, safe, private, and also ready for immediate use.
Contents
- 1 Introduction
- 2 Information Security Goals
- 3 Electronic medical record security
- 4 Flow of information in health care have many points to “leak”
- 5 Direct patient care:
- 6 Support activity:
- 7 “Social” uses:
- 8 Commercial uses:
- 9 The Shields:
- 10 1-Risk assessment
- 11 2-Access Restriction
- 12 Security Policies
- 13 Technologies to secure information:
- 14 Deterrents
- 15 System management precautions
- 16 Obstacles
- 17 Conclusion
- 18 References
Introduction
Everything that handles information needs to be protected: Hardware, software, and data, etc. Anything that is confidential or non-replaceable, or loss of would cost time and money. The most common culprits are natural hazards, computer failure, media failure, malicious people, and sometimes, yourself.
Information Security Goals
- Data Integrity
- Data is correct
- No unauthorized modification
- Data Confidentiality
- Only authorized parties can view
- Data Accessibility
- Authorized parties can easily and quickly access
- Often a casualty of information security
Electronic medical record security
Pros
EHRs can provide great privacy and security, e.g.,
- Access controls can be more granular
- Authentication mechanisms provide audit trails and non-repudiation
- Disaster recovery plans assure greater availability
- Encryption can provide confidentiality and data integrity
Cons
- Information flows more easily, risk of mishap is greater
- Collection of large volumes of data more feasible and risky
- Sharing of information for treatment, payment, and operations misunderstood
- New methods to attack data are continuously being developed
Flow of information in health care have many points to “leak”
Direct patient care:
- Provider
- Clinic
- Hospital
Support activity:
- Payers
- Quality reviews
- Administration
“Social” uses:
- Insurance eligibility
- Public health
- Medical research
Commercial uses:
- Marketing
- Managed care
- Drug usage
NB: Even de-identified data is not necessarily secure
The Shields:
1-Risk assessment
We should balance :
- risk,
- benefit,
- cost and
- loss of accessibility
2-Access Restriction
- Authentication
- Access Control
- Accounting
Security Policies
We should set documented:
- goals
- procedures
- organization
- responsibilities
Technologies to secure information:
Deterrents
- Alerts
- Audit trails
System management precautions
-Software management
-Analysis of vulnerability
Obstacles
- Authentication
- Authorization
- Integrity management
- Digital signatures
- Encryption
- Firewalls
- Rights management
Conclusion
The threats are real and dangerous and recovery costs are large. We must shield ourselves in as many ways as possible with a reasonable loss of accessibility
References
- Introduction to Biomedical Informatics, William Hersh; 2007
- EHRs/NHII: HIPAA Security and EHRs, a Near Perfect Match by: Margret Amatayakul, RHIA, CHPS, FHIMSS Steven S. Lazarus, PhD, FHIMSS
- Privacy, information technology, and health care, Thomas C. Rindfleisch;1997.