Difference between revisions of "Information security"

From Clinfowiki
Line 1: Line 1:
== '''''Introduction:''''' ==
+
==Introduction:==
  
'''Security''':” state of freedom from danger or risk”.
+
==Security==
 +
state of freedom from danger or risk”.
 +
 
 +
==Information Security==
  
'''Information Security:'''
 
 
Maintaining:
 
Maintaining:
  
Confidentiality: Keeping your information:
+
* Confidentiality: Keeping your information:
 +
** Hidden
 +
** Safe
 +
** Private
 +
* Availability: Making sure IT resources are:
 +
** Present
 +
** Ready for immediate use!
 +
* Integrity: Knowing and using information that is sound and unchanged by anyone who is not authorized.
  
1. Hidden
+
==What do we need to protect?==
  
2. Safe
+
* Hardware
 +
* Software
 +
* Data
 +
** Your time
 +
** Your money
 +
** Confidential or non-replaceable information
  
3. Private
+
==From whom?==
  
• Availability: Making sure IT resources are:
+
* Natural Hazard
 +
* Computer Failure / Media Failure
 +
* Malicious People
 +
* Sometimes, yourself
  
1. Present
+
==Information Security Goals:==
  
2. Ready for immediate use!
+
* Data Integrity
 +
* Data is correct
 +
* No unauthorized modification
 +
* Data Confidentiality
 +
* Only authorized parties can view
 +
* Data Accessibility
 +
* Authorized parties can easily and quickly access
 +
* Often a casualty of information security
  
• Integrity: Knowing and using information that is sound and unchanged by anyone who is not authorized.
+
==EHR security==
  
'''What do we need to protect?'''
+
==Pros==
 
+
• Hardware
+
 
+
• Software
+
 
+
• Data
+
 
+
1. Your time
+
2. Your money
+
3. Confidential or non-replaceable information
+
 
+
'''From whom?'''
+
 
+
• Natural Hazard
+
 
+
• Computer Failure / Media Failure
+
 
+
• Malicious People
+
 
+
• Sometimes, yourself
+
 
+
 
+
== '''''Information Security Goals:''''' ==
+
 
+
 
+
• Data Integrity
+
 
+
• Data is correct
+
 
+
• No unauthorized modification
+
 
+
• Data Confidentiality
+
 
+
• Only authorized parties can view
+
 
+
• Data Accessibility
+
 
+
• Authorized parties can easily and quickly access
+
 
+
• Often a casualty of information security
+
 
+
 
+
== '''''EHR security:''''' ==
+
 
+
 
+
'''Pros:'''
+
  
 
EHRs can provide great privacy and security, e.g.,  
 
EHRs can provide great privacy and security, e.g.,  
  
o Access controls can be more granular  
+
* Access controls can be more granular  
 +
* Authentication mechanisms provide audit trails and non-repudiation
 +
* Disaster recovery plans assure greater availability
 +
* Encryption can provide confidentiality and data integrity
  
o Authentication mechanisms provide audit trails and non-repudiation
+
==Cons==
  
o Disaster recovery plans assure greater availability
+
* Information flows more easily, risk of mishap is greater
 +
* Collection of large volumes of data more feasible and risky
 +
* Sharing of information for treatment, payment, and operations misunderstood
 +
* New methods to attack data are continuously being developed
  
o Encryption can provide confidentiality and data integrity
+
== Flow of information in health care have many points to “leak” ==
  
'''Cons:'''
 
  
o Information flows more easily, risk of mishap is greater
+
==Direct patient care:==
  
o Collection of large volumes of data more feasible and risky
+
* Provider
 +
* Clinic
 +
* Hospital
  
o Sharing of information for treatment, payment, and operations misunderstood
+
==Support activity:==
  
o New methods to attack data are continuously being developed
+
* Payers
 +
* Quality reviews
 +
* Administration
  
 +
==“Social” uses:==
  
==  '''''Flow of information in health care have many points to “leak”:''''' ==
+
* Insurance eligibility
 +
* Public health
 +
* Medical research
  
 +
==Commercial uses:==
  
'''Direct patient care:'''
+
* Marketing
 +
* Managed care
 +
* Drug usage
  
• Provider
+
NB: Even [[Identifiable Health Data|de-identified]] data is not necessarily secure
  
• Clinic
 
  
• Hospital
+
==The Shields:==
  
 
+
==1-Risk assessment==
'''Support activity:'''
+
 
+
• Payers
+
 
+
• Quality reviews
+
 
+
• Administration
+
 
+
'''“Social” uses:'''
+
 
+
• Insurance eligibility
+
 
+
• Public health
+
 
+
• Medical research
+
 
+
'''Commercial uses:'''
+
 
+
• Marketing
+
 
+
• Managed care
+
 
+
• Drug usage
+
 
+
NB: Even “de-identified” data is not necessarily secure
+
 
+
 
+
== '''''The Shields:''''' ==
+
 
+
 
+
'''1-Risk assessment'''
+
  
 
We should balance :
 
We should balance :
  
risk,  
+
* risk,  
benefit,
+
* benefit,
cost and  
+
* cost and  
loss of accessibility
+
* loss of accessibility
  
'''2-Access Restriction'''
+
==2-Access Restriction==
  
Authentication
+
* Authentication
Access Control
+
* Access Control
Accounting
+
* Accounting
  
'''3-Security Policies'''
+
== Security Policies==
  
 
We should set documented:
 
We should set documented:
  
goals
+
* goals
procedures
+
* procedures
organization
+
* organization
responsibilities
+
* responsibilities
  
  
== '''''Technologies to secure information:''''' ==
+
==Technologies to secure information:==
  
  
'''• Deterrents'''
+
== Deterrents==
  
Alerts
+
* Alerts
 +
* [[Audit trails]]
  
–Audit trails
+
==* System management precautions==
 
+
'''• System management precautions'''
+
  
 
-Software management
 
-Software management
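Review bot: the new heading `==* System management precautions==` carries a stray `*` list marker inside the heading markup, so the asterisk becomes part of the section title; it should read `==System management precautions==`, in line with `== Deterrents==`. In the same hunk, `'''3-Security Policies'''` becomes `== Security Policies==` and loses its number while `==1-Risk assessment==` and `==2-Access Restriction==` keep theirs. Every section is also promoted to the same `==` level, so Pros and Cons no longer nest under EHR security and the four use categories no longer nest under the leak-points heading; `===` would preserve that hierarchy. Under Information Security Goals the explanatory points (for example "Data is correct") should be `**` items under their goal, as was done for Confidentiality and Availability, and the Security definition has lost its opening quotation mark.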
Line 173: Line 133:
 
-Analysis of vulnerability
 
-Analysis of vulnerability
  
'''• Obstacles'''
+
== Obstacles==
 
+
– Authentication
+
 
+
– Authorization
+
 
+
– Integrity management
+
 
+
– Digital signatures
+
 
+
– Encryption
+
 
+
– Firewalls
+
 
+
– Rights management
+
 
+
 
+
== '''''Conclusion:''''' ==
+
 
+
  
• The threats are real and dangerous
+
* [[Authentication]]
 +
* Authorization
 +
* Integrity management
 +
* Digital signatures
 +
* [[Encryption]]
 +
* Firewalls
 +
* Rights management
  
• Recovery cost large
+
==Conclusion==
  
We must shield ourselves in as many ways as possible with a reasonable loss of accessibility
+
* The threats are real and dangerous
 +
* Recovery cost large
 +
* We must shield ourselves in as many ways as possible with a reasonable loss of accessibility
  
'''References:'''
+
==References==
  
 
Introduction to Biomedical Informatics, William Hersh; 2007
 
Introduction to Biomedical Informatics, William Hersh; 2007
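Review bot: the context line "-Analysis of vulnerability" just above `== Obstacles==` (and "-Software management" before it) keeps its hand-typed hyphen, while the Obstacles entries next to it are converted from "– Authentication" style lines to `*` items. Convert these two lines to `*` items as well so they render as a list under System management precautions instead of as loose paragraphs. Heading spacing is also inconsistent in this hunk (`== Obstacles==` against `==Conclusion==` and `==References==`); pick one form.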

Revision as of 22:45, 13 October 2011

Introduction:

Security

“state of freedom from danger or risk”.

Information Security

Maintaining:

  • Confidentiality: Keeping your information:
    • Hidden
    • Safe
    • Private
  • Availability: Making sure IT resources are:
    • Present
    • Ready for immediate use!
  • Integrity: Knowing and using information that is sound and unchanged by anyone who is not authorized.

What do we need to protect?

  • Hardware
  • Software
  • Data
    • Your time
    • Your money
    • Confidential or non-replaceable information

From whom?

  • Natural Hazard
  • Computer Failure / Media Failure
  • Malicious People
  • Sometimes, yourself

Information Security Goals:

  • Data Integrity
    • Data is correct
    • No unauthorized modification
  • Data Confidentiality
    • Only authorized parties can view
  • Data Accessibility
    • Authorized parties can easily and quickly access
    • Often a casualty of information security

EHR security

Pros

EHRs can provide great privacy and security, e.g.,

  • Access controls can be more granular
  • Authentication mechanisms provide audit trails and non-repudiation
  • Disaster recovery plans assure greater availability
  • Encryption can provide confidentiality and data integrity

Cons

  • Information flows more easily, risk of mishap is greater
  • Collection of large volumes of data more feasible and risky
  • Sharing of information for treatment, payment, and operations misunderstood
  • New methods to attack data are continuously being developed

Flow of information in health care has many points to “leak”

Direct patient care:

  • Provider
  • Clinic
  • Hospital

Support activity:

  • Payers
  • Quality reviews
  • Administration

“Social” uses:

  • Insurance eligibility
  • Public health
  • Medical research

Commercial uses:

  • Marketing
  • Managed care
  • Drug usage

NB: Even de-identified data is not necessarily secure


The Shields:

1-Risk assessment

We should balance:

  • risk,
  • benefit,
  • cost and
  • loss of accessibility

2-Access Restriction

  • Authentication
  • Access Control
  • Accounting

3-Security Policies

We should set documented:

  • goals
  • procedures
  • organization
  • responsibilities


Technologies to secure information:

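Deterrents

  • Alerts
  • Audit trails

System management precautions

  • Software management
  • Analysis of vulnerability

Obstacles

  • Authentication
  • Authorization
  • Integrity management
  • Digital signatures
  • Encryption
  • Firewalls
  • Rights management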

Conclusion

  • The threats are real and dangerous
  • Recovery cost is large
  • We must shield ourselves in as many ways as possible with a reasonable loss of accessibility

References

Introduction to Biomedical Informatics, William Hersh; 2007

EHRs/NHII: HIPAA Security and EHRs, a Near Perfect Match by: Margret Amatayakul, RHIA, CHPS, FHIMSS Steven S. Lazarus, PhD, FHIMSS

Privacy, information technology, and health care, Thomas C. Rindfleisch;1997.

Submitted by Dahlia Abd-Ellatif