Information security
Security is the state of freedom from danger or risk. Information security is maintaining confidentiality and availability simultaneously. Information should be hidden, safe, private, and also ready for immediate use.
Contents
- 1 What do we need to protect?
- 2 From whom?
- 3 Information Security Goals:
- 4 EHR security
- 5 Pros
- 6 Cons
- 7 Flow of information in health care have many points to “leak”
- 8 Direct patient care:
- 9 Support activity:
- 10 “Social” uses:
- 11 Commercial uses:
- 12 The Shields:
- 13 1-Risk assessment
- 14 2-Access Restriction
- 15 Security Policies
- 16 Technologies to secure information:
- 17 Deterrents
- 18 * System management precautions
- 19 Obstacles
- 20 Conclusion
- 21 References
What do we need to protect?
Everything that handles information needs to be protected: Hardware, software, and data, anything that is confidential or non-replaceable, or loss of would cost time and money.
From whom?
- Natural Hazard
- Computer Failure / Media Failure
- Malicious People
- Sometimes, yourself
Information Security Goals:
- Data Integrity
- Data is correct
- No unauthorized modification
- Data Confidentiality
- Only authorized parties can view
- Data Accessibility
- Authorized parties can easily and quickly access
- Often a casualty of information security
EHR security
Pros
EHRs can provide great privacy and security, e.g.,
- Access controls can be more granular
- Authentication mechanisms provide audit trails and non-repudiation
- Disaster recovery plans assure greater availability
- Encryption can provide confidentiality and data integrity
Cons
- Information flows more easily, risk of mishap is greater
- Collection of large volumes of data more feasible and risky
- Sharing of information for treatment, payment, and operations misunderstood
- New methods to attack data are continuously being developed
Flow of information in health care have many points to “leak”
Direct patient care:
- Provider
- Clinic
- Hospital
Support activity:
- Payers
- Quality reviews
- Administration
“Social” uses:
- Insurance eligibility
- Public health
- Medical research
Commercial uses:
- Marketing
- Managed care
- Drug usage
NB: Even de-identified data is not necessarily secure
The Shields:
1-Risk assessment
We should balance :
- risk,
- benefit,
- cost and
- loss of accessibility
2-Access Restriction
- Authentication
- Access Control
- Accounting
Security Policies
We should set documented:
- goals
- procedures
- organization
- responsibilities
Technologies to secure information:
Deterrents
- Alerts
- Audit trails
* System management precautions
-Software management
-Analysis of vulnerability
Obstacles
- Authentication
- Authorization
- Integrity management
- Digital signatures
- Encryption
- Firewalls
- Rights management
Conclusion
- The threats are real and dangerous
- Recovery cost large
- We must shield ourselves in as many ways as possible with a reasonable loss of accessibility
References
Introduction to Biomedical Informatics, William Hersh; 2007
EHRs/NHII: HIPAA Security and EHRs, a Near Perfect Match by: Margret Amatayakul, RHIA, CHPS, FHIMSS Steven S. Lazarus, PhD, FHIMSS
Privacy, information technology, and health care, Thomas C. Rindfleisch;1997.
Submitted by Dahlia Abd-Ellatif