Difference between revisions of "Information security"
Dalia.mego (Talk | contribs) |
Line 1: | Line 1: | ||
− | '''Introduction:''' | + | '''''Introduction:''''' |
+ | |||
'''Security''':” state of freedom from danger or risk”. | '''Security''':” state of freedom from danger or risk”. | ||
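Review bot: The new `'''''Introduction:'''''` line styles the title as bold-italic inline text instead of marking it as a section heading. MediaWiki only builds the table of contents and section anchors from heading markup, so `== Introduction ==` would be the better form here, and the same applies to the other titles this revision restyles.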
Line 38: | Line 39: | ||
• Sometimes, yourself | • Sometimes, yourself | ||
− | Information Security Goals: | + | '''''Information Security Goals:''''' |
• Data Integrity | • Data Integrity | ||
+ | |||
• Data is correct | • Data is correct | ||
+ | |||
• No unauthorized modification | • No unauthorized modification | ||
+ | |||
• Data Confidentiality | • Data Confidentiality | ||
+ | |||
• Only authorized parties can view | • Only authorized parties can view | ||
+ | |||
• Data Accessibility | • Data Accessibility | ||
+ | |||
• Authorized parties can easily and quickly access | • Authorized parties can easily and quickly access | ||
+ | |||
• Often a casualty of information security | • Often a casualty of information security | ||
− | EHR security: | + | '''''EHR security:''''' |
+ | |||
+ | '''Pros:''' | ||
− | |||
EHRs can provide great privacy and security, e.g., | EHRs can provide great privacy and security, e.g., | ||
+ | |||
o Access controls can be more granular | o Access controls can be more granular | ||
+ | |||
o Authentication mechanisms provide audit trails and non-repudiation | o Authentication mechanisms provide audit trails and non-repudiation | ||
+ | |||
o Disaster recovery plans assure greater availability | o Disaster recovery plans assure greater availability | ||
+ | |||
o Encryption can provide confidentiality and data integrity | o Encryption can provide confidentiality and data integrity | ||
− | Cons: | + | '''Cons:''' |
+ | |||
o Information flows more easily, risk of mishap is greater | o Information flows more easily, risk of mishap is greater | ||
+ | |||
o Collection of large volumes of data more feasible and risky | o Collection of large volumes of data more feasible and risky | ||
+ | |||
o Sharing of information for treatment, payment, and operations misunderstood | o Sharing of information for treatment, payment, and operations misunderstood | ||
+ | |||
o New methods to attack data are continuously being developed | o New methods to attack data are continuously being developed | ||
− | Flow of information in health care have many points to “leak”: | + | '''''Flow of information in health care have many points to “leak”:''''' |
− | Direct patient care: | + | '''Direct patient care:''' |
• Provider | • Provider | ||
• Clinic | • Clinic | ||
• Hospital | • Hospital | ||
− | Support activity: | + | |
+ | '''Support activity:''' | ||
• Payers | • Payers | ||
• Quality reviews | • Quality reviews | ||
• Administration | • Administration | ||
− | “Social” uses: | + | |
+ | '''“Social” uses:''' | ||
• Insurance eligibility | • Insurance eligibility | ||
• Public health | • Public health | ||
• Medical research | • Medical research | ||
− | Commercial uses: | + | |
+ | '''Commercial uses:''' | ||
• Marketing | • Marketing | ||
• Managed care | • Managed care | ||
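Review bot: The added blank lines under "Information Security Goals" leave the sub-points ("• Data is correct", "• No unauthorized modification") at the same "•" level as the goals they belong to, so a reader cannot tell which line is a goal and which is its explanation. Wiki list markup (`*` for each goal, `**` for its sub-points) would restore the hierarchy without the spacer lines. The restyled heading "Flow of information in health care have many points to “leak”" also keeps the agreement error; "has" is the correct verb.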
Line 85: | Line 105: | ||
NB: Even “de-identified” data is not necessarily secure | NB: Even “de-identified” data is not necessarily secure | ||
− | The Shields: | + | '''''The Shields:''''' |
− | 1-Risk assessment | + | |
+ | '''1-Risk assessment''' | ||
We should balance : | We should balance : | ||
• risk, | • risk, | ||
Line 93: | Line 114: | ||
• loss of accessibility | • loss of accessibility | ||
− | 2-Access Restriction | + | '''2-Access Restriction''' |
• Authentication | • Authentication | ||
• Access Control | • Access Control | ||
• Accounting | • Accounting | ||
− | 3-Security Policies | + | '''3-Security Policies''' |
We should set documented: | We should set documented: | ||
• goals | • goals | ||
Line 105: | Line 126: | ||
• responsibilities | • responsibilities | ||
− | Technologies to secure information: | + | '''''Technologies to secure information:''''' |
− | • Deterrents | + | '''• Deterrents''' |
– Alerts | – Alerts | ||
– Audit trails | – Audit trails | ||
− | • System management precautions | + | '''• System management precautions''' |
-Software management | -Software management | ||
-Analysis of vulnerability | -Analysis of vulnerability | ||
− | • Obstacles | + | '''• Obstacles''' |
– Authentication | – Authentication | ||
– Authorization | – Authorization | ||
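Review bot: In the "Technologies to secure information" list the bold markup now wraps the bullet character itself (`'''• Deterrents'''`), and the child items under "System management precautions" still use "-Software management" with a hyphen and no space, while the sibling groups use "– Alerts". Keep the bullet outside the bold span and use one child marker throughout, ideally wiki list syntax.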
Line 124: | Line 145: | ||
– Rights management | – Rights management | ||
− | Conclusion: | + | '''''Conclusion:''''' |
• The threats are real and dangerous | • The threats are real and dangerous | ||
+ | |||
• Recovery cost large | • Recovery cost large | ||
+ | |||
• We must shield ourselves in as many ways as possible with a reasonable loss of accessibility | • We must shield ourselves in as many ways as possible with a reasonable loss of accessibility | ||
− | References: | + | '''References:''' |
Introduction to Biomedical Informatics, William Hersh; 2007 | Introduction to Biomedical Informatics, William Hersh; 2007 |
Revision as of 23:20, 26 March 2008
Introduction:
Security: “state of freedom from danger or risk”.
Information Security: Maintaining:
• Confidentiality: Keeping your information:
1. Hidden
2. Safe
3. Private
• Availability: Making sure IT resources are:
1. Present
2. Ready for immediate use!
• Integrity: Knowing and using information that is sound and unchanged by anyone who is not authorized.
What do we need to protect?
• Hardware
• Software
• Data
1. Your time
2. Your money
3. Confidential or non-replaceable information
From whom?
• Natural Hazard
• Computer Failure / Media Failure
• Malicious People
• Sometimes, yourself
Information Security Goals:
• Data Integrity
  – Data is correct
  – No unauthorized modification
• Data Confidentiality
  – Only authorized parties can view
• Data Accessibility
  – Authorized parties can easily and quickly access
  – Often a casualty of information security
EHR security:
Pros:
EHRs can provide great privacy and security, e.g.,
o Access controls can be more granular
o Authentication mechanisms provide audit trails and non-repudiation
o Disaster recovery plans assure greater availability
o Encryption can provide confidentiality and data integrity
Cons:
o Information flows more easily, risk of mishap is greater
o Collection of large volumes of data more feasible and risky
o Sharing of information for treatment, payment, and operations misunderstood
o New methods to attack data are continuously being developed
Flow of information in health care has many points to “leak”:
Direct patient care:
• Provider
• Clinic
• Hospital
Support activity:
• Payers
• Quality reviews
• Administration
“Social” uses:
• Insurance eligibility
• Public health
• Medical research
Commercial uses:
• Marketing
• Managed care
• Drug usage
NB: Even “de-identified” data is not necessarily secure
The Shields:
1-Risk assessment
We should balance:
• risk,
• benefit,
• cost and
• loss of accessibility
2-Access Restriction
• Authentication
• Access Control
• Accounting
3-Security Policies
We should set documented:
• goals
• procedures
• organization
• responsibilities
Technologies to secure information:
• Deterrents
  – Alerts
  – Audit trails
• System management precautions
  – Software management
  – Analysis of vulnerability
• Obstacles
  – Authentication
  – Authorization
  – Integrity management
  – Digital signatures
  – Encryption
  – Firewalls
  – Rights management
Conclusion:
• The threats are real and dangerous
• Recovery costs are large
• We must shield ourselves in as many ways as possible with a reasonable loss of accessibility
Submitted by Dahlia Abd-Ellatif