Difference between revisions of "Information security"
Dalia.mego (Talk | contribs) |
|||
Line 1: | Line 1: | ||
− | Introduction: | + | '''Introduction:''' |
+ | '''Security''':” state of freedom from danger or risk”. | ||
− | + | '''Information Security:''' | |
− | + | ||
− | Information Security: | + | |
Maintaining: | Maintaining: | ||
• Confidentiality: Keeping your information: | • Confidentiality: Keeping your information: | ||
+ | |||
1. Hidden | 1. Hidden | ||
+ | |||
2. Safe | 2. Safe | ||
+ | |||
3. Private | 3. Private | ||
• Availability: Making sure IT resources are: | • Availability: Making sure IT resources are: | ||
+ | |||
1. Present | 1. Present | ||
+ | |||
2. Ready for immediate use! | 2. Ready for immediate use! | ||
• Integrity: Knowing and using information that is sound and unchanged by anyone who is not authorized. | • Integrity: Knowing and using information that is sound and unchanged by anyone who is not authorized. | ||
− | What do we need to protect? | + | '''What do we need to protect?''' |
• Hardware | • Hardware | ||
+ | |||
• Software | • Software | ||
+ | |||
• Data | • Data | ||
+ | |||
1. Your time | 1. Your time | ||
2. Your money | 2. Your money | ||
3. Confidential or non-replaceable information | 3. Confidential or non-replaceable information | ||
− | From whom? | + | |
+ | '''From whom?''' | ||
• Natural Hazard | • Natural Hazard |
Revision as of 23:13, 26 March 2008
Introduction: Security:” state of freedom from danger or risk”.
Information Security: Maintaining: • Confidentiality: Keeping your information:
1. Hidden
2. Safe
3. Private
• Availability: Making sure IT resources are:
1. Present
2. Ready for immediate use!
• Integrity: Knowing and using information that is sound and unchanged by anyone who is not authorized.
What do we need to protect? • Hardware
• Software
• Data
1. Your time 2. Your money 3. Confidential or non-replaceable information
From whom?
• Natural Hazard • Computer Failure / Media Failure • Malicious People • Sometimes, yourself
Information Security Goals:
• Data Integrity • Data is correct • No unauthorized modification • Data Confidentiality • Only authorized parties can view • Data Accessibility • Authorized parties can easily and quickly access • Often a casualty of information security
EHR security:
Pros: EHRs can provide great privacy and security, e.g., o Access controls can be more granular o Authentication mechanisms provide audit trails and non-repudiation o Disaster recovery plans assure greater availability o Encryption can provide confidentiality and data integrity
Cons: o Information flows more easily, risk of mishap is greater o Collection of large volumes of data more feasible and risky o Sharing of information for treatment, payment, and operations misunderstood o New methods to attack data are continuously being developed
Flow of information in health care have many points to “leak”:
Direct patient care: • Provider • Clinic • Hospital Support activity: • Payers • Quality reviews • Administration “Social” uses: • Insurance eligibility • Public health • Medical research Commercial uses: • Marketing • Managed care • Drug usage
NB: Even “de-identified” data is not necessarily secure
The Shields: 1-Risk assessment We should balance : • risk, • benefit, • cost and • loss of accessibility
2-Access Restriction • Authentication • Access Control • Accounting
3-Security Policies We should set documented: • goals • procedures • organization • responsibilities
Technologies to secure information:
• Deterrents – Alerts – Audit trails
• System management precautions -Software management -Analysis of vulnerability
• Obstacles – Authentication – Authorization – Integrity management – Digital signatures – Encryption – Firewalls – Rights management
Conclusion:
• The threats are real and dangerous • Recovery cost large • We must shield ourselves in as many ways as possible with a reasonable loss of accessibility
References:
Introduction to Biomedical Informatics, William Hersh; 2007
EHRs/NHII: HIPAA Security and EHRs, a Near Perfect Match by: Margret Amatayakul, RHIA, CHPS, FHIMSS Steven S. Lazarus, PhD, FHIMSS
Privacy, information technology, and health care, Thomas C. Rindfleisch;1997.
Submitted by Dahlia Abd-Ellatif