Information security

From Clinfowiki
Revision as of 19:20, 26 March 2008 by Shapiromr (Talk | contribs)


Introduction:

Security: “state of freedom from danger or risk”.

Information Security: Maintaining:

• Confidentiality: Keeping your information:
  1. Hidden
  2. Safe
  3. Private

• Availability: Making sure IT resources are:
  1. Present
  2. Ready for immediate use!

• Integrity: Knowing and using information that is sound and unchanged by anyone who is not authorized.

What do we need to protect?

• Hardware
• Software
• Data

1. Your time
2. Your money
3. Confidential or non-replaceable information

From whom?

• Natural Hazard
• Computer Failure / Media Failure
• Malicious People
• Sometimes, yourself

Information Security Goals:

• Data Integrity
  – Data is correct
  – No unauthorized modification
• Data Confidentiality
  – Only authorized parties can view
• Data Accessibility
  – Authorized parties can easily and quickly access
  – Often a casualty of information security

EHR security:

Pros: EHRs can provide great privacy and security, e.g.,

o Access controls can be more granular
o Authentication mechanisms provide audit trails and non-repudiation
o Disaster recovery plans assure greater availability
o Encryption can provide confidentiality and data integrity

Cons:

o Information flows more easily, risk of mishap is greater
o Collection of large volumes of data more feasible and risky
o Sharing of information for treatment, payment, and operations misunderstood
o New methods to attack data are continuously being developed

The flow of information in health care has many points at which it can “leak”:

Direct patient care:
• Provider
• Clinic
• Hospital

Support activity:
• Payers
• Quality reviews
• Administration

“Social” uses:
• Insurance eligibility
• Public health
• Medical research

Commercial uses:
• Marketing
• Managed care
• Drug usage

NB: Even “de-identified” data is not necessarily secure

The Shields:

1. Risk assessment
We should balance:
• risk,
• benefit,
• cost and
• loss of accessibility

2. Access Restriction
• Authentication
• Access Control
• Accounting

3. Security Policies
We should set documented:
• goals
• procedures
• organization
• responsibilities

Technologies to secure information:

• Deterrents
  – Alerts
  – Audit trails

• System management precautions
  – Software management
  – Analysis of vulnerability

• Obstacles
  – Authentication
  – Authorization
  – Integrity management
  – Digital signatures
  – Encryption
  – Firewalls
  – Rights management

Conclusion:

• The threats are real and dangerous
• The cost of recovery is large
• We must shield ourselves in as many ways as possible with a reasonable loss of accessibility


Submitted by Dahlia Abd-Ellatif