Difference between revisions of "Security"

From Clinfowiki

Revision as of 22:19, 27 April 2015

Security: physical and environmental security in CIS

Introduction

A clinical information system (CIS) contains important information. Many threats can violate the security of clinical data and personal information, and one of the main roles of a CIS organization is to protect its data and information from those threats. This article identifies some of the main threats to that security and presents some advice on protecting the data from attack.

Any successful organization faces difficulties and obstacles that hinder its progress. The aim of this article is to identify some of these obstacles and some proposed methods of protection against such threats.

A threat is any agent that can have undesirable effects on CIS security, such as system failure or harm.

In this article we discuss some factors that should be considered to protect CISs, and the organization itself, from environmental threats. We also concentrate on illustrating the concept of physical and environmental security, the benefits of implementing physical security controls, and the importance of applying protection measures in any health organization that deals with computer systems.

Physical and Environmental Security

We can define physical and environmental security as the security measures taken in an organization to protect computer systems and employees from intended or unintended threats. These measures should be considered in order to:

  1. Protect the physical facility, including the building, computers and network components, from threats such as fire, roof leaks and unauthorized access.
  2. Protect against natural threats such as earthquakes and flooding, and against man-made threats such as burglary, interception of messages, electromagnetic interference and damage from a nearby facility, such as a chemical spill.
  3. Conserve the supporting facilities such as heating and air conditioning, electric power and telecommunications.

Importance & Benefits

Security measures aid in protecting a health organization against many threats. They protect CISs from:

  • Disconnection from other computer services.
  • Physical damage, such as destruction of hardware and network components.
  • Data destruction.
  • Unauthorized disclosure of information.
  • Security hacking.
  • Loss of control over system integrity: if an intruder gains physical access to the central processing unit (CPU), logical access controls can be bypassed, giving access to clinical and personal data.
  • Physical theft: hardware could be stolen.


Some examples of physical and environmental security controls:

  • Physical access controls,
  • Fire safety,
  • Supporting utilities,
  • Plumbing leaks,
  • Interception of data, and
  • Mobile and portable systems.


References

  1. Parmar, S. K., Cst., N. Cowichan Duncan RCMP Det., 060 Canada Ave., Duncan, BC. "Information Resource Guide: Computer, Internet and Network Systems Security", 2000.
  2. http://www.hamptonu.edu/events/ia_symposium/presentations_09/DanielRyan.pdf


Submitted by (Adham Emam)

Security of Electronic Health Information

Both The Health Information Technology for Economic and Clinical Health (HITECH) Act and the American Recovery and Reinvestment Act of 2009 serve to promote and encourage the use and exchange of electronic health information in the delivery of healthcare. With the encouragement of the Federal Government, health information will be transformed from paper records into electronic medical data.

The use of electronic data transmission via the Internet and through wireless radio transmission (Wi-Fi, Bluetooth, etc.) represents another segment of health information within the healthcare environment that must be protected against vulnerabilities. Recent health information breaches include cyber attacks on private health insurers such as Premera and Anthem. These attacks affected millions of healthcare patients as well as providers. The data stolen included treatment history, patient demographic information and patient financial information.

To guard against threats to electronic medical information, several security measures should be taken:

  • Encrypt all electronic information and data for both senders and receivers
  • Encrypt all information stored on devices that access health information
  • Use multiple layers of user authentication in different settings
    * A single authentication factor such as a password may suffice for on-site data access
    * Dual or multiple authentication factors should be used for off-site data access
  • Partition access to information and grant it to users only on a need-to-know basis
  • Maintain firewalls and continuously monitor network access and intrusions
  • Train employees on the consequences of non-adherence to security practices
  • Configure mobile devices to be remotely wiped if lost or stolen
  • Configure mobile device geo-tracking to locate lost or stolen devices
  • Keep software up to date
  • Stay up to date on firmware for operational devices and hardware
    * Install certified and/or approved patches in a timely manner
    * Encourage vendor support of security protocols and updates
  • Do not download or use mobile applications or other non-approved software
  • Establish and strictly adhere to internal security protocols
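Two of the measures above, authentication strength that depends on the setting (one factor may suffice on-site, two or more off-site) and need-to-know partitioning of data, can be expressed as a single access-policy check. The following is an added example written for this page, not code from the wiki or from any EHR product; the network ranges, roles, data categories and factor thresholds are constructed for illustration.

```python
"""Added example (not from the Clinfowiki page): an access-policy evaluator
that encodes two listed measures, setting-dependent authentication strength
and need-to-know partitioning. All roles, categories, networks and
thresholds below are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed: address ranges treated as on-site. Anything else is off-site.
ONSITE_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("192.168.50.0/24")]

# Minimum number of distinct authentication factors required per setting.
REQUIRED_FACTORS = {"onsite": 1, "offsite": 2}

# Need-to-know partitioning: which data categories each role may read.
# Constructed; a real deployment derives this from job function.
ROLE_CLEARANCE = {
    "physician": {"demographics", "treatment_history"},
    "billing": {"demographics", "financial"},
    "front_desk": {"demographics"},
}


@dataclass
class AccessRequest:
    role: str
    source_ip: str
    factors: set = field(default_factory=set)  # e.g. {"password", "totp"}
    category: str = ""


def setting_for(ip: str) -> str:
    """Classify the request origin as on-site or off-site."""
    addr = ip_address(ip)
    return "onsite" if any(addr in net for net in ONSITE_NETWORKS) else "offsite"


def authorize(req: AccessRequest) -> tuple:
    """Return (allowed, reason). Every denial names the control that fired,
    which is what the audit log needs."""
    setting = setting_for(req.source_ip)
    needed = REQUIRED_FACTORS[setting]
    if len(req.factors) < needed:
        return False, (f"{setting} access requires {needed} authentication "
                       f"factor(s), got {len(req.factors)}")
    # Unknown roles have no clearance at all (deny by default).
    cleared = ROLE_CLEARANCE.get(req.role, set())
    if req.category not in cleared:
        return False, f"role {req.role!r} has no need-to-know for {req.category!r}"
    return True, f"{setting} access by {req.role} to {req.category} permitted"


if __name__ == "__main__":
    samples = [
        AccessRequest("physician", "10.20.3.4", {"password"}, "treatment_history"),
        AccessRequest("physician", "203.0.113.9", {"password"}, "treatment_history"),
        AccessRequest("physician", "203.0.113.9", {"password", "totp"}, "treatment_history"),
        AccessRequest("front_desk", "10.20.3.4", {"password"}, "financial"),
    ]
    for r in samples:
        print(authorize(r))
```

The factor check runs before the need-to-know check so that an off-site request with a single password is refused regardless of role; the order also means an audit trail distinguishes "insufficiently authenticated" from "not cleared for this data", which matters when reviewing a suspected breach.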


Vulnerabilities of Wireless/Mobile Devices

Access to and security of mobile devices are more complex than for traditional isolated workstations. Traditional workstations like the office computer may have a variety of physical safeguards such as physical barriers (door and window locks), access restrictions (isolated to certain areas of a building) and monitoring (the use of security cameras and monitoring of environmental factors like temperature or moisture in a given area). Not all of these safeguards may be readily available to ensure the integrity of mobile devices.

Mobile devices must be safeguarded at all times; they are vulnerable at the grocery store, the gym, the home and even the office. Moreover, a mobile device can be accessed by an unauthorized user and then restored to its original state to give the illusion that its integrity is intact. Mobile devices can also be misplaced, lost or physically damaged enough to render them useless. These mishaps, however, can be superficial: healthcare information and data can still be accessed on a device that is found or only superficially damaged. It is important to remember that sensitive data can exist on a device whether or not the screen lights up.

In addition to the vulnerabilities presented by the devices themselves, mobile device software is also vulnerable to exploitation. Mobile devices often store data locally or communicate with "apps." This demands increased network protection and use of encryption and firewalls, as data is often transmitted to offsite storage facilities such as the "cloud", or exchanged with software and "apps" via the Internet or a wireless network. The high production rate of mobile software and technology ensures constant updates and fixes to software issues on mobile devices. These updates can be downloaded directly from the Internet or delivered through the applications themselves. Therefore, mobile device system and software updates should be verified and applied immediately to ensure the integrity of mobile devices. Out-of-date software can affect the efficacy of these devices in a healthcare setting.
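The paragraph above says updates should be verified before they are applied. The following added example, written for this page and not taken from the wiki or any vendor's update client, shows the three checks a device-side verifier would make: that the update manifest is authentic, that the downloaded package matches the digest in that manifest, and that the update is not a downgrade. It is stdlib-only, so manifest authenticity is approximated with an HMAC under a key assumed to be pre-provisioned on the device (a hypothetical `DEVICE_KEY`); a production system would use a vendor signature instead. The package bytes and manifest are constructed inline.

```python
"""Added example (not from the Clinfowiki page): verifying a software update
before applying it. DEVICE_KEY, the package bytes and the manifest are
constructed for illustration; real deployments use vendor signatures."""
import hashlib
import hmac
import json

# Assumed pre-provisioned device key (constructed, illustration only).
DEVICE_KEY = b"constructed-demo-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_version(v: str) -> tuple:
    """'2.1.0' -> (2, 1, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def manifest_mac(manifest: dict) -> str:
    """Authenticate the manifest over a canonical JSON encoding so that
    key order or whitespace differences cannot change the result."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(DEVICE_KEY, canonical, hashlib.sha256).hexdigest()


def verify_update(installed_version: str, manifest: dict, mac: str, package: bytes) -> tuple:
    """Return (ok, reason). Order matters: an unauthenticated manifest is
    rejected before any of its contents (digest, version) are trusted."""
    if not hmac.compare_digest(manifest_mac(manifest), mac):
        return False, "manifest authentication failed"
    if not hmac.compare_digest(sha256_hex(package), manifest["sha256"]):
        return False, "package digest does not match manifest"
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        return False, f"refusing downgrade or replay: {manifest['version']} <= {installed_version}"
    return True, f"update {manifest['version']} verified"


# Constructed sample: a tiny "package" and the manifest that describes it.
GOOD_PACKAGE = b"ehr-mobile-app 2.1.0 binary contents (constructed sample)"
GOOD_MANIFEST = {"name": "ehr-mobile", "version": "2.1.0", "sha256": sha256_hex(GOOD_PACKAGE)}
GOOD_MAC = manifest_mac(GOOD_MANIFEST)


if __name__ == "__main__":
    print(verify_update("2.0.3", GOOD_MANIFEST, GOOD_MAC, GOOD_PACKAGE))
    print(verify_update("2.0.3", GOOD_MANIFEST, GOOD_MAC, GOOD_PACKAGE + b"tampered"))
    print(verify_update("2.1.0", GOOD_MANIFEST, GOOD_MAC, GOOD_PACKAGE))
```

The downgrade check is the one most often omitted: without it, an old, authentically signed package with a known defect can be replayed onto a device that has already moved past it.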

References

  1. Taitsman, Julie K., Christi Macrina Grimm, and Shantanu Agrawal. "Protecting Patient Privacy and Data Security." New England Journal of Medicine. New England Journal of Medicine, 14 Mar. 2013. Web. 24 Apr. 2015. <http://www.nejm.org/doi/full/10.1056/NEJMp1215258>.
  2. Levinson, Daniel. "Audit of information technology security included in health information technology standards." Office of Inspector General, Office of Audit Services. May 2011 (https://oig.hhs.gov/oas/reports/other/180930160.pdf). Web. 24 Apr. 2015.
  3. Bajwa, Mohammad. “mHealth Security.” Pakistan Journal of Medical Sciences 30.4 (2014): 904–907. Print.


Submitted by (Kenneth Dunham)