Difference between revisions of "Information security"
Dalia.mego (Talk | contribs) |
Dalia.mego (Talk | contribs) |
||
Line 1: | Line 1: | ||
− | |||
== '''''Introduction:''''' == | == '''''Introduction:''''' == | ||
Line 23: | Line 22: | ||
'''What do we need to protect?''' | '''What do we need to protect?''' | ||
+ | |||
• Hardware | • Hardware | ||
Line 40: | Line 40: | ||
• Sometimes, yourself | • Sometimes, yourself | ||
− | '''''Information Security Goals:''''' | + | |
+ | == '''''Information Security Goals:''''' == | ||
+ | |||
• Data Integrity | • Data Integrity | ||
Line 58: | Line 60: | ||
• Often a casualty of information security | • Often a casualty of information security | ||
− | '''''EHR security:''''' | + | |
+ | == '''''EHR security:''''' == | ||
+ | |||
'''Pros:''' | '''Pros:''' | ||
Line 82: | Line 86: | ||
o New methods to attack data are continuously being developed | o New methods to attack data are continuously being developed | ||
− | '''''Flow of information in health care have many points to “leak”:''''' | + | |
+ | == '''''Flow of information in health care have many points to “leak”:''''' == | ||
+ | |||
'''Direct patient care:''' | '''Direct patient care:''' | ||
+ | |||
• Provider | • Provider | ||
+ | |||
• Clinic | • Clinic | ||
+ | |||
• Hospital | • Hospital | ||
− | '''Support activity:''' | + | |
+ | '''Support activity:''' | ||
+ | |||
• Payers | • Payers | ||
+ | |||
• Quality reviews | • Quality reviews | ||
+ | |||
• Administration | • Administration | ||
'''“Social” uses:''' | '''“Social” uses:''' | ||
+ | |||
• Insurance eligibility | • Insurance eligibility | ||
+ | |||
• Public health | • Public health | ||
+ | |||
• Medical research | • Medical research | ||
'''Commercial uses:''' | '''Commercial uses:''' | ||
+ | |||
• Marketing | • Marketing | ||
+ | |||
• Managed care | • Managed care | ||
+ | |||
• Drug usage | • Drug usage | ||
NB: Even “de-identified” data is not necessarily secure | NB: Even “de-identified” data is not necessarily secure | ||
− | '''''The Shields:''''' | + | |
+ | == '''''The Shields:''''' == | ||
+ | |||
'''1-Risk assessment''' | '''1-Risk assessment''' | ||
+ | |||
We should balance : | We should balance : | ||
+ | |||
• risk, | • risk, | ||
• benefit, | • benefit, | ||
Line 116: | Line 139: | ||
'''2-Access Restriction''' | '''2-Access Restriction''' | ||
+ | |||
• Authentication | • Authentication | ||
• Access Control | • Access Control | ||
Line 121: | Line 145: | ||
'''3-Security Policies''' | '''3-Security Policies''' | ||
+ | |||
We should set documented: | We should set documented: | ||
+ | |||
• goals | • goals | ||
• procedures | • procedures | ||
Line 127: | Line 153: | ||
• responsibilities | • responsibilities | ||
− | '''''Technologies to secure information:''''' | + | |
+ | == '''''Technologies to secure information:''''' == | ||
+ | |||
'''• Deterrents''' | '''• Deterrents''' | ||
+ | |||
– Alerts | – Alerts | ||
− | + | ||
+ | –Audit trails | ||
'''• System management precautions''' | '''• System management precautions''' | ||
+ | |||
-Software management | -Software management | ||
+ | |||
-Analysis of vulnerability | -Analysis of vulnerability | ||
'''• Obstacles''' | '''• Obstacles''' | ||
+ | |||
– Authentication | – Authentication | ||
+ | |||
– Authorization | – Authorization | ||
+ | |||
– Integrity management | – Integrity management | ||
+ | |||
– Digital signatures | – Digital signatures | ||
+ | |||
– Encryption | – Encryption | ||
+ | |||
– Firewalls | – Firewalls | ||
+ | |||
– Rights management | – Rights management | ||
− | '''''Conclusion:''''' | + | |
+ | == '''''Conclusion:''''' == | ||
+ | |||
• The threats are real and dangerous | • The threats are real and dangerous |
Revision as of 23:29, 26 March 2008
Contents
Introduction:
Security:” state of freedom from danger or risk”.
Information Security: Maintaining: • Confidentiality: Keeping your information:
1. Hidden
2. Safe
3. Private
• Availability: Making sure IT resources are:
1. Present
2. Ready for immediate use!
• Integrity: Knowing and using information that is sound and unchanged by anyone who is not authorized.
What do we need to protect?
• Hardware
• Software
• Data
1. Your time 2. Your money 3. Confidential or non-replaceable information
From whom?
• Natural Hazard • Computer Failure / Media Failure • Malicious People • Sometimes, yourself
Information Security Goals:
• Data Integrity
• Data is correct
• No unauthorized modification
• Data Confidentiality
• Only authorized parties can view
• Data Accessibility
• Authorized parties can easily and quickly access
• Often a casualty of information security
EHR security:
Pros:
EHRs can provide great privacy and security, e.g.,
o Access controls can be more granular
o Authentication mechanisms provide audit trails and non-repudiation
o Disaster recovery plans assure greater availability
o Encryption can provide confidentiality and data integrity
Cons:
o Information flows more easily, risk of mishap is greater
o Collection of large volumes of data more feasible and risky
o Sharing of information for treatment, payment, and operations misunderstood
o New methods to attack data are continuously being developed
Flow of information in health care have many points to “leak”:
Direct patient care:
• Provider
• Clinic
• Hospital
Support activity:
• Payers
• Quality reviews
• Administration
“Social” uses:
• Insurance eligibility
• Public health
• Medical research
Commercial uses:
• Marketing
• Managed care
• Drug usage
NB: Even “de-identified” data is not necessarily secure
The Shields:
1-Risk assessment
We should balance :
• risk, • benefit, • cost and • loss of accessibility
2-Access Restriction
• Authentication • Access Control • Accounting
3-Security Policies
We should set documented:
• goals • procedures • organization • responsibilities
Technologies to secure information:
• Deterrents
– Alerts
–Audit trails
• System management precautions
-Software management
-Analysis of vulnerability
• Obstacles
– Authentication
– Authorization
– Integrity management
– Digital signatures
– Encryption
– Firewalls
– Rights management
Conclusion:
• The threats are real and dangerous
• Recovery cost large
• We must shield ourselves in as many ways as possible with a reasonable loss of accessibility
References:
Introduction to Biomedical Informatics, William Hersh; 2007
EHRs/NHII: HIPAA Security and EHRs, a Near Perfect Match by: Margret Amatayakul, RHIA, CHPS, FHIMSS Steven S. Lazarus, PhD, FHIMSS
Privacy, information technology, and health care, Thomas C. Rindfleisch;1997.
Submitted by Dahlia Abd-Ellatif