Difference between revisions of "Information security"
From Clinfowiki
Dalia.mego (Talk | contribs)
Revision as of 22:45, 13 October 2011
Introduction:
Security
“state of freedom from danger or risk”.
Information Security
Maintaining:
- Confidentiality: Keeping your information:
  - Hidden
  - Safe
  - Private
- Availability: Making sure IT resources are:
  - Present
  - Ready for immediate use!
- Integrity: Knowing and using information that is sound and unchanged by anyone who is not authorized.
What do we need to protect?
- Hardware
- Software
- Data
  - Your time
  - Your money
  - Confidential or non-replaceable information
From whom?
- Natural Hazard
- Computer Failure / Media Failure
- Malicious People
- Sometimes, yourself
Information Security Goals:
- Data Integrity
- Data is correct
- No unauthorized modification
- Data Confidentiality
- Only authorized parties can view
- Data Accessibility
- Authorized parties can easily and quickly access
- Often a casualty of information security
EHR security
Pros
EHRs can provide great privacy and security, e.g.,
- Access controls can be more granular
- Authentication mechanisms provide audit trails and non-repudiation
- Disaster recovery plans assure greater availability
- Encryption can provide confidentiality and data integrity
Cons
- Information flows more easily, risk of mishap is greater
- Collection of large volumes of data more feasible and risky
- Sharing of information for treatment, payment, and operations misunderstood
- New methods to attack data are continuously being developed
Flow of information in health care has many points to “leak”
Direct patient care:
- Provider
- Clinic
- Hospital
Support activity:
- Payers
- Quality reviews
- Administration
“Social” uses:
- Insurance eligibility
- Public health
- Medical research
Commercial uses:
- Marketing
- Managed care
- Drug usage
NB: Even de-identified data is not necessarily secure
The Shields:
1-Risk assessment
We should balance:
- risk,
- benefit,
- cost and
- loss of accessibility
2-Access Restriction
- Authentication
- Access Control
- Accounting
Security Policies
We should set documented:
- goals
- procedures
- organization
- responsibilities
Technologies to secure information:
Deterrents
- Alerts
- Audit trails
System management precautions
- Software management
- Analysis of vulnerability
Obstacles
- Authentication
- Authorization
- Integrity management
- Digital signatures
- Encryption
- Firewalls
- Rights management
Conclusion
- The threats are real and dangerous
- Recovery cost is large
- We must shield ourselves in as many ways as possible with a reasonable loss of accessibility
Submitted by Dahlia Abd-Ellatif