Information security

From Clinfowiki
Revision as of 22:23, 5 October 2014 by Epotts2 (Talk | contribs)

Jump to: navigation, search

Information security is maintaining confidentiality and availability simultaneously. Information should be hidden, safe, private, and also ready for immediate use.

Introduction

Everything that handles information needs to be protected: Hardware, software, and data, etc. Anything that is confidential or non-replaceable, or loss of would cost time and money. The most common culprits are natural hazards, computer failure, media failure, malicious people, and sometimes, yourself.

Information Security Goals

Confidentiality

Integrity

Availability

Non-repudiation. (Accomplishing these is a management issue before it's a technical one, as they are essentially business objectives.)


Confidentiality is about controlling access to files either in storage or in transit. This requires systems configuration or products (a technical job). But the critical definition of the parameters (who should be able to access what) is a business-related process.

Integrity is a matter of version control - making sure only the right people can change documents. It also requires an audit trail of the changes, and a fallback position in case changes prove detrimental. This meshes with non-repudiation (the change record must include who as well as what and when).

Availability is the Cinderella of information security as it is rarely discussed. But however safe from hackers your information is, it is no use if you can't get at it when you need to. So you need to think about data back-ups, bandwidth and standby facilities, which many people still leave out of their security planning.[1]

Electronic medical record security

Pros

EHRs can provide great privacy and security, e.g.,

  • Access controls can be more granular
  • Authentication mechanisms provide audit trails and non-repudiation
  • Disaster recovery plans assure greater availability
  • Encryption can provide confidentiality and data integrity

Cons

  • Information flows more easily, risk of mishap is greater
  • Collection of large volumes of data more feasible and risky
  • Sharing of information for treatment, payment, and operations misunderstood
  • New methods to attack data are continuously being developed

Flow of information in health care have many points to “leak”

Direct patient care:

  • Provider
  • Clinic
  • Hospital

Support activity:

  • Payers
  • Quality reviews
  • Administration

“Social” uses:

  • Insurance eligibility
  • Public health
  • Medical research

Commercial uses:

  • Marketing
  • Managed care
  • Drug usage

NB: Even de-identified data is not necessarily secure


The Shields:

1-Risk assessment

We should balance :

  • risk,
  • benefit,
  • cost and
  • loss of accessibility

2-Access Restriction

  • Authentication
  • Access Control
  • Accounting

Security Policies

We should set documented:

  • goals
  • procedures
  • organization
  • responsibilities

Technologies to secure information:

Deterrents

System management precautions

-Software management

-Analysis of vulnerability

Obstacles

Conclusion

The threats are real and dangerous and recovery costs are large. We must shield ourselves in as many ways as possible with a reasonable loss of accessibility

References

  1. Introduction to Biomedical Informatics, William Hersh; 2007
  2. EHRs/NHII: HIPAA Security and EHRs, a Near Perfect Match by: Margret Amatayakul, RHIA, CHPS, FHIMSS Steven S. Lazarus, PhD, FHIMSS
  3. Privacy, information technology, and health care, Thomas C. Rindfleisch;1997.
  4. Four Goals of Security, Mike Barwise; 2006; http://www.computerweekly.com/opinion/Four-goals-of-security
  1. Barwise, M. Four Goals of Security. http://www.computerweekly.com/opinion/Four-goals-of-security
Retrieved from "http://www.clinfowiki.org/wiki/index.php?title=Information_security&oldid=17946"