Security and Privacy of Data in Healthcare- the CIA triad and...


Page 1: Security and Privacy of Data in Healthcare- the CIA triad and ...ranger.uta.edu/~zikos/courses/5339-4392_content...• Certificate/License Number • Any vehicle or device serial number

Security and Privacy of Data in Healthcare-the CIA triad and HIPAA Security Rules

CSE 5339-4392

Introduction to Data Issues for Clinical and Administrative Decision Making in Healthcare

Instructor: Dr. Dimitrios Zikos

Week 5-Theory 9

Page 2:

What is Private Health Information

• Name

• Address -- street address, city, county, zip code (more than 3 digits) or other geographic codes

• Dates directly related to patient

• Telephone Number

• Fax Number

• email addresses

• Social Security Number

• Medical Record Number

• Health Plan Beneficiary Number

• Account Number

• Certificate/License Number

• Any vehicle or device serial number

• Web URL, Internet Protocol (IP) Address

• Finger or voice prints

• Photographic images

• Any other unique identifying number, characteristic, or code (whether generally available in the public realm or not)

• Age greater than 89 (because the population aged 90 and over is relatively small)
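The identifier list above is what a de-identification step has to remove or generalize before a record can leave the covered environment. The following is an added example, not code from the lecture: it drops the direct identifiers, keeps only the year of any date, aggregates ages over 89 into "90+", truncates the ZIP code to its first three digits, and scans free-text notes for identifier-shaped strings. It goes slightly beyond the slide by applying the HIPAA Safe Harbor rule that sparsely populated three-digit ZIP areas become "000"; the field names, the `SMALL_ZIP_PREFIXES` set and the sample record are all constructed for the example.

```python
import re
from datetime import date

# Direct identifiers from the slide's list; removed outright.
# Field names are assumptions for this example.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "device_serial", "url", "ip_address", "fingerprint", "voiceprint", "photo",
}

# Safe Harbor: 3-digit ZIP areas with 20,000 people or fewer become "000".
# Constructed placeholder set, not the real list of such prefixes.
SMALL_ZIP_PREFIXES = {"036", "059"}

# Identifier shapes that commonly leak into free-text notes.
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "[IP]"),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits only, or 000 for sparsely populated areas."""
    prefix = str(zip_code)[:3]
    return "000" if prefix in SMALL_ZIP_PREFIXES else prefix


def generalize_age(age: int):
    """Ages over 89 are aggregated into a single 90+ category."""
    return "90+" if age > 89 else age


def redact_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with placeholders."""
    for pattern, label in TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict) -> dict:
    """Return a copy of the record with identifiers removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            out[field] = generalize_zip(value)
        elif isinstance(value, date):
            out[field] = str(value.year)      # dates: keep the year only
        elif field == "age":
            out[field] = generalize_age(value)
        elif isinstance(value, str):
            out[field] = redact_text(value)   # catch identifiers in notes
        else:
            out[field] = value
    return out


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Example Patient",
    "mrn": "MRN-000001",
    "ssn": "123-45-6789",
    "street_address": "1 Example St",
    "city": "Arlington",
    "zip": "76019",
    "birth_date": date(1930, 4, 17),
    "admit_date": date(2013, 9, 3),
    "age": 93,
    "diagnosis": "E11.9",
    "notes": "Family contact at 817-555-0100, ssn 123-45-6789, mail kin@example.org",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

The free-text scan is the part that matters in practice: structured fields are easy to drop, but the "any other unique identifying number" item on the slide usually hides inside clinical notes, so a de-identification step that only handles named columns is incomplete.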

Page 3:

How Information Exchange Has Evolved Over the Past 25 years

New security concerns arise

• Patient care: instant access to current, correct, readable data

• Data transfer to other external treatment facilities

• Prescriptions – written vs. electronic

• Insurance and billing business processes

• Notification of infectious diseases to state and federal authorities

• Telemedicine (DICOM)

Page 4:

Healthcare is a “High Security Environment”

• At high risk of attack or data exposure

• Encompasses computers that are usually limited in their functionality to specific specialized purposes

• They may contain confidential information (e.g. personnel records, medical records, financial information) or perform vital organizational functions (e.g. accounting, payroll processing, web servers, and firewalls)

Healthcare IS a high security environment

Source: Information Technology Security, National Institute of Standards and Technology

Page 5:

Government Regulations

• Privacy Act of 1974

• Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• State-Specific Privacy & Security Laws

• Electronic Signature Act of 2000

Page 6:

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules

http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

Page 7:

HIPAA Security Standards: the Security Rule

• Legislation to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).

• Comprised of three main categories of “standards” pertaining to the administrative, physical, and technical aspects of ePHI (electronic protected health information)

• Applies to the security and integrity of electronically created, stored, transmitted, received, or managed personal health information.

Page 8:

Security Issues in the Real World Healthcare Environment

• Networks not integrated

• Testing labs have disparate systems

• Doctors' PCs largely uncontrolled and unprotected

• Workstations not tied to individuals, often shared among several people

• This environment encourages poor security practices

Page 9:

Medical Record Security

Technology has always incited worry

Rights of privacy:

• Unreasonable intrusion

• Appropriation of name, appearance

• Unreasonable publicity

• Misrepresentation

Page 10:

Major Areas of Concern

• Audit trails

• Printing, data transfers (FAX)

• Authentication of sender and receiver

• Non-repudiation

• Network access

• Training and awareness

Page 11:

Confidentiality-Integrity-Availability

Systems and applications in healthcare should operate effectively and provide appropriate confidentiality, integrity, and availability.

We must protect information

Understand the level of risk of harm resulting from unauthorized access, loss, misuse or modification.

Page 12:

Confidentiality

Confidentiality is commonly applied to conversations between doctors and patients. Legal protections prevent physicians from revealing certain discussions with patients, even under oath in court. This physician-patient privilege only applies to secrets shared between physician and patient during the course of providing medical care.

Confidentiality: “data or information is not made available or disclosed to unauthorized persons or processes.”

Means that information contained in the message is kept private and only the sender and the intended recipient can read it

Page 13:

The rule dates back to at least the Hippocratic Oath, which reads: Whatever, in connection with my professional service, or not in connection with it, I see or hear, in the life of men, which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret.

Page 14:

Availability

“data or information is accessible and usable upon demand by an authorized person.”

Must guard against threats and hazards that may deny access to data or render the data unavailable when needed.

Must provide appropriate backup in the event of a threat, hazard, or natural disaster

Must provide appropriate disaster recovery and business continuity plans for departmental operations involving ePHI.

Page 15:

Integrity

Verification that the information contained in the message is not tampered with, accidentally or deliberately, during transmission

“data or information has not been altered or destroyed in an unauthorized manner.”

• Must protect against improper destruction or alteration of data

• Must provide appropriate backup in the event of a threat, hazard, or natural disaster

Page 16:

Authenticity

Verification that the people with whom we are corresponding actually are who they claim to be

Ensure that the data, transactions, communications or documents (electronic or physical) are genuine.

It is also important for authenticity to validate that both parties involved are who they claim to be.
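The Integrity and Authenticity slides describe two checks a receiver has to make on a message: that it was not altered in transit, and that it came from the party it claims to come from. The example below is added here and is not part of the lecture; it shows the simplest mechanism that gives both at once between two systems sharing a key, a message authentication code (HMAC-SHA256 from the Python standard library). The lab-result payload and the key are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional


def canonical_bytes(payload: dict) -> bytes:
    """Serialise deterministically so sender and receiver hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def protect(key: bytes, payload: dict) -> dict:
    """Sender side: attach an HMAC-SHA256 tag computed with the shared key."""
    body = canonical_bytes(payload)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify(key: bytes, envelope: dict) -> Optional[dict]:
    """Receiver side: recompute the tag and accept the payload only on a match.

    compare_digest runs in constant time, so the comparison itself does not
    leak how many leading bytes of the tag were right.
    """
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None   # altered in transit, or not produced by a holder of the key
    return json.loads(envelope["body"])


# Constructed example: a lab result sent from the lab system to the EHR.
SHARED_KEY = b"example-shared-key-replace-in-production"
LAB_RESULT = {"mrn": "MRN-000001", "test": "potassium", "value": 4.1, "unit": "mmol/L"}


def demo() -> dict:
    """Run the three cases: genuine, tampered in transit, and wrong sender."""
    envelope = protect(SHARED_KEY, LAB_RESULT)
    accepted = verify(SHARED_KEY, envelope)
    # Simulate tampering in transit: the result value is changed, tag left as-is
    tampered = dict(envelope, body=envelope["body"].replace("4.1", "9.1"))
    # Simulate a message from a system that does not hold the shared key
    forged = protect(b"some-other-key", LAB_RESULT)
    return {
        "accepted": accepted == LAB_RESULT,
        "tampered_rejected": verify(SHARED_KEY, tampered) is None,
        "forged_rejected": verify(SHARED_KEY, forged) is None,
    }


if __name__ == "__main__":
    print(demo())
```

One caveat worth connecting to the "Non-repudiation" item on the Major Areas of Concern slide: a shared-key MAC proves that a holder of the key produced the message, but both ends hold the key, so either could have produced it. Non-repudiation requires a digital signature made with a key only the sender holds.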

Page 17:

Administrative access to data (HIPAA)

• Facilities will monitor logon attempts to the network. Inappropriate logon attempts should be reported to the respective departmental level security designee.

• All facilities computer systems are subject to audit.

• Access to the intranet will be monitored.

• Access to ePHI is granted only to authorized individuals.

• Installation of software without prior approval is prohibited.

• Disclosure of ePHI via electronic means is strictly forbidden without authorization.
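The first bullet on this slide, monitoring logon attempts and reporting inappropriate ones to the departmental security designee, is a detection task. The example below is added here and is not part of the lecture: it parses a handful of constructed logon records (the log format, host name, user names and addresses are all made up for the example) and flags any user/source pair that fails to log on five times within ten minutes, noting whether the burst was followed by a success so the designee can tell a guessed password from a mistyped one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format; not from any real system.
LOG_LINES = """\
2014-02-10 08:01:12 ehr-app01 logon failure user=jdoe src=10.0.5.23
2014-02-10 08:01:40 ehr-app01 logon failure user=jdoe src=10.0.5.23
2014-02-10 08:02:05 ehr-app01 logon failure user=jdoe src=10.0.5.23
2014-02-10 08:02:31 ehr-app01 logon failure user=jdoe src=10.0.5.23
2014-02-10 08:03:02 ehr-app01 logon failure user=jdoe src=10.0.5.23
2014-02-10 08:03:29 ehr-app01 logon success user=jdoe src=10.0.5.23
2014-02-10 08:15:10 ehr-app01 logon failure user=asmith src=10.0.7.8
2014-02-10 08:15:44 ehr-app01 logon success user=asmith src=10.0.7.8
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) logon "
    r"(?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
    return event


def flag_inappropriate_logons(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag (user, source) pairs with >= threshold failures inside the window.

    A success ends the streak; if an alert was open for that pair, it is
    marked success_after so the reviewer knows the account was eventually
    entered from the same place the failures came from.
    """
    recent = defaultdict(list)   # (user, src) -> timestamps of recent failures
    active = {}                  # (user, src) -> alert currently being built
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        # Drop failures that have aged out of the window
        fails = [t for t in recent[key] if ev["ts"] - t <= window]
        if ev["result"] == "failure":
            fails.append(ev["ts"])
            if len(fails) == threshold:          # raise once per streak
                alert = {"user": ev["user"], "src": ev["src"],
                         "first_failure": fails[0], "failures": threshold,
                         "success_after": False}
                active[key] = alert
                alerts.append(alert)
            elif len(fails) > threshold:
                active[key]["failures"] = len(fails)
        else:
            if key in active:
                active.pop(key)["success_after"] = True
            fails = []                           # a success ends the streak
        recent[key] = fails
    return alerts


if __name__ == "__main__":
    for alert in flag_inappropriate_logons(LOG_LINES):
        print(alert)
```

The threshold and window are policy choices; what the slide actually requires is that the output of this kind of check reaches a named person, so in practice the returned alerts would be routed to the departmental security designee rather than printed.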

Page 18:

Administrative access to data (HIPAA)

• All computers should be manually locked, locked via a screen saver, or logged off when unattended.

• Computers with old operating systems (pre Windows 2000 era) should:

Utilize a “boot” password

Utilize a screen saver with password

Shut down your computer when you leave for an extended period of time.

• You must access the healthcare facility information utilizing YOUR username and password – NO PASSWORD SHARING.

• Users are personally responsible for access to information utilizing their password and are subject to disciplinary action

Page 19:

Passwords

• User id and password are critical to ePHI security.

• Users should:

NOT keep an unsecured paper record of passwords

NOT post passwords in open view, e.g. on your monitor

NOT share passwords with anyone

NOT include passwords in automated logon processes

NOT use “weak” passwords; instead use a minimum of 8 characters in length.

• Password must contain a component from at least 3 of the 4 following categories:

• Upper case

• Lower case

• Numerals

• Keyboard symbols

• Passwords must be changed every 90 days.

Page 20:

Password strength examples:

“This was the second health informatics class” becomes !twt2hic@ (built from the first letter of each word of the phrase)

lovebasketball! : so-so

dallas : weak

01081980 : very weak
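The two slides above state the password policy (8 characters minimum, 3 of 4 character categories, 90-day rotation) and then rate four example passwords. The following is an added example, not code from the lecture: a checker that reports which policy rules a candidate password violates, a 90-day rotation check, and a helper that builds a password from a phrase the way the slide turns "This was the second health informatics class" into !twt2hic@. The phrase-to-password method (first character of each word, number words replaced by digits, wrapped in two symbols) and the small `COMMON_WORDS` list are assumptions made for the example.

```python
import string
from datetime import date, timedelta

MIN_LENGTH = 8
REQUIRED_CATEGORIES = 3
MAX_AGE = timedelta(days=90)

# Constructed stand-in for a dictionary of words an attacker would try first;
# a real checker uses a large word list and breach corpora instead.
COMMON_WORDS = {"dallas", "password", "welcome", "hospital"}

# Assumed mapping used by the phrase-to-password helper.
NUMBER_WORDS = {"first": "1", "one": "1", "second": "2", "two": "2",
                "third": "3", "three": "3"}


def character_categories(password: str) -> set:
    """Which of the 4 categories (upper, lower, digit, symbol) are present."""
    cats = set()
    for ch in password:
        if ch.isupper():
            cats.add("upper")
        elif ch.islower():
            cats.add("lower")
        elif ch.isdigit():
            cats.add("digit")
        elif ch in string.punctuation:
            cats.add("symbol")
    return cats


def check_password(password: str) -> list:
    """Return the policy rules the password violates (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_categories(password)) < REQUIRED_CATEGORIES:
        problems.append(
            f"uses fewer than {REQUIRED_CATEGORIES} of the 4 character categories")
    if password.lower().strip(string.punctuation) in COMMON_WORDS:
        problems.append("is a dictionary word")
    if password.isdigit():
        problems.append("is all digits (looks like a date or number)")
    return problems


def rotation_due(last_changed: date, today: date) -> bool:
    """True once a password is older than the 90-day limit."""
    return today - last_changed > MAX_AGE


def passphrase_to_password(phrase: str, prefix: str = "!", suffix: str = "@") -> str:
    """Build a password from a memorable phrase (assumed method, see lead-in)."""
    core = "".join(NUMBER_WORDS.get(w.lower(), w[0].lower()) for w in phrase.split())
    return prefix + core + suffix


if __name__ == "__main__":
    for candidate in ("!twt2hic@", "lovebasketball!", "dallas", "01081980"):
        print(candidate, check_password(candidate) or "accepted")
```

Length and category rules catch "dallas" and "01081980", but "lovebasketball!" only fails the category count; that is the limit of composition rules and the reason the later slides argue for a stronger authentication system than passwords alone.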

Page 21:

Usernames and Passwords

• Why do we have usernames and passwords?

Authenticate and Authorize

“two A’s”

Why are usernames and passwords a bad idea?

• Theft, sniffing, shoulder surfing, brute force attacks, concurrent usage

Page 22:

One Time Password Devices

• RSA SecurID

• Addresses many username/password concerns

• Time based

• Event based

• Only good for Authentication
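The slide lists the two flavours of one-time password device, time based and event based, and notes that they address only authentication. The example below is added here and is not the lecture's or RSA's code; it implements the open standards behind such tokens, HOTP (RFC 4226, event based) and TOTP (RFC 6238, time based), using only the Python standard library, together with the server-side checks that make them safe to use: a look-ahead window for event tokens, a small clock-drift tolerance for time tokens, and refusal to accept any code twice. The test secret is the one published in both RFCs, so the codes can be checked against the RFC test vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based code (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code (RFC 6238): HOTP with the counter set to the time-step number."""
    return hotp(secret, unix_time // step, digits)


class EventTokenVerifier:
    """Server side for an event-based token: accept codes for the next `window`
    counters only, and never accept a counter twice (replay protection)."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.window, self.last_counter = secret, window, -1

    def verify(self, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c      # resynchronise and burn this counter
                return True
        return False


class TimeTokenVerifier:
    """Server side for a time-based token: tolerate +/- `skew` steps of clock
    drift, and refuse to accept a code for a time step already used."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret, self.step, self.skew, self.last_step = secret, step, skew, -1

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for s in range(current - self.skew, current + self.skew + 1):
            if s > self.last_step and hmac.compare_digest(hotp(self.secret, s), code):
                self.last_step = s
                return True
        return False


# Shared test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(TEST_SECRET, 0))        # RFC 4226 vector: 755224
    print("TOTP at t=59 :", totp(TEST_SECRET, 59, digits=8))  # RFC 6238 vector: 94287082
```

Note what the verifier does not do: it establishes that the caller holds the token, nothing more. Which records that person may then read or change is the authorization question the slide says OTP devices leave unanswered, and it belongs to the access-control layer.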

Page 23:

Change of Employee Status

Administrative directors are responsible for informing the appropriate IT administrator of changes in an employee’s employment status.

Upon termination of employment all employees network and PC access is terminated.

All ePHI & computer equipment (laptops, PDAs, ...) should be retrieved.

The use of a prior employee’s user-ids and passwords is strictly forbidden. “Generic” user-ids are strictly forbidden

Page 24:

Malicious Software

Pirated software, “viruses,” “worms,” “Trojans,” “spyware,” and file sharing software

• All software installed in hospitals must be approved by the administrative director or department level security officer.

• Installation of personal/downloaded software is prohibited.

• Approved anti-virus software must be installed and kept current on:

All computer systems.

Home equipment utilized to access the facilities network.

• Suspicious software should be brought to the attention of the IT technical support personnel immediately.

• E-mail attachments-take care

Page 25:

Backup and recovery

A system must be in place to ensure recovery from any damage to computer equipment or data within a reasonable time period based on the criticality of function.

Each department must determine and document data criticality, sensitivity, and vulnerabilities.

Each department must devise and document a backup, disaster recovery, and business continuity plan.

Backup data must be stored in an off-site location.

Backup data must be maintained with the same level of security as the original data.

Page 26:

Incident reporting

All known and suspected security violations must be reported to the departmental Administrative Director or their designee.

Security incidents must be fully documented to include time/date, personnel involved, cause, mitigation, and preventive measures.

Page 27:

Physical Damage and theft

• Electronic assets must be protected from physical damage and theft.

• Electronic devices containing ePHI should be secured behind locked doors.

• Special security consideration should be given to portable devices (laptops, smart cell phones, digital cameras, DVDs, USB “drives,”) to protect against damage and theft.

• Private Health Information must never be stored on mobile computing devices or storage media unless the following requirements are met:

Power-on or boot passwords and auto-log off

Encryption of stored data e.g. TrueCrypt®

Page 28:

Physical safeguards also must provide appropriate levels of protection against fire, water, and other environmental hazards such as extreme temperatures and power outages/surges.

Page 29:

Technical safeguards

Technical Safeguards – “the technology and the policy and procedures for its use that protect electronic health information and control access.”

Technological solutions are required to protect ePHI where applicable. Examples include data encryption and secure data transfer over the network.

All wireless networks require security protocols and encryption.

All electronic transmission of ePHI must be encrypted. Encryption must be achieved through software approved by the IT Department Security designee, e.g. TrueCrypt®

Page 30:

Packet Sniffers and Honeypots

• Packet sniffers are programs or hardware that can intercept and log traffic passing over a digital network or part of a network: they can reveal a lot about health networks and HIPAA compliance

• Lure in potential intruders with a Honeypot: a trap to detect or counteract attempts at unauthorized use of information systems. It consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored

Page 31:

Social Engineering

Online discharge summaries available to everyone in hospital. A little information is enough to know more about a person

Criminals use patient info for blackmail

Staff use patient data to get dates or to stalk victims.

Spooky!!

Page 32:

Access to safety sensitive systems caused conflicts

Data protection conflicts with ease of use

Access rights, read, write, append

• Medical and non-medical staff don’t cooperate

• Shared responsibilities complicate audit trail

• Doctors and nurses just want to do their job without technology hassle

Page 33:

Role Based Access Control

• Individual users should not be assigned rights – too difficult to track and change as roles evolve

• Users should belong to groups

• Groups should be granted access rights

• Policy should be established for regular audits and updates of group membership (i.e. yearly)

Page 34:

Role Based Access Control

How much patient data should be available to:

• Treating physicians?

• Consulting physicians?

• Medical students?

• Pharmacy staff?

• Dietary staff?

• Outpatient treatment personnel after patient discharge?

• Employees in multi-facility applications (clinics)

• Vendors (Managed Care reps, technicians)?

• Information technology staff?

• Volunteers?
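The two Role Based Access Control slides give the design rules (rights go to groups, users belong to groups, membership is audited yearly) and the question each group raises, and the earlier Change of Employee Status slide requires that a departing employee's access be removed entirely. The example below is added here and is not code from the lecture: a minimal RBAC model that grants rights per role using the read/write/append distinction from the Access Rights slide, records every access decision for the audit trail, terminates a user in one step, and lists users whose group membership is overdue for review. The roles, resources and user names are constructed for the example.

```python
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=365)   # yearly audit of group membership


class Rbac:
    def __init__(self):
        self.role_rights = {}    # role -> {(resource, action), ...}
        self.user_roles = {}     # user -> set of roles (never per-user rights)
        self.last_review = {}    # user -> date membership was last confirmed
        self.audit_log = []      # (user, resource, action, decision)

    def grant(self, role: str, resource: str, action: str) -> None:
        """Rights are attached to roles only, as the slide recommends."""
        self.role_rights.setdefault(role, set()).add((resource, action))

    def assign(self, user: str, role: str, reviewed_on: date) -> None:
        self.user_roles.setdefault(user, set()).add(role)
        self.last_review[user] = reviewed_on

    def terminate(self, user: str) -> None:
        """Change of employee status: every right disappears with the membership."""
        self.user_roles.pop(user, None)
        self.last_review.pop(user, None)

    def allowed(self, user: str, resource: str, action: str) -> bool:
        """Decide, and record the decision so the audit trail is complete."""
        decision = any((resource, action) in self.role_rights.get(role, set())
                       for role in self.user_roles.get(user, set()))
        self.audit_log.append((user, resource, action, "allow" if decision else "deny"))
        return decision

    def memberships_due_for_review(self, today: date) -> list:
        """Users whose group membership has not been confirmed within a year."""
        return sorted(u for u, d in self.last_review.items()
                      if today - d >= REVIEW_INTERVAL)


def build_example() -> Rbac:
    """Constructed hospital roles; resources, rights and users are assumptions.

    Clinical notes are append-only for everyone: nobody, not even the treating
    physician, is granted "write", which protects the integrity of the record.
    """
    r = Rbac()
    r.grant("treating_physician", "clinical_notes", "read")
    r.grant("treating_physician", "clinical_notes", "append")
    r.grant("treating_physician", "medication_orders", "write")
    r.grant("medical_student", "clinical_notes", "read")
    r.grant("pharmacy", "medication_orders", "read")
    r.grant("dietary", "diet_orders", "read")
    r.grant("it_staff", "audit_log", "read")
    r.assign("dr_example", "treating_physician", date(2013, 1, 15))
    r.assign("student_example", "medical_student", date(2013, 9, 1))
    r.assign("rx_example", "pharmacy", date(2012, 6, 1))
    return r


if __name__ == "__main__":
    rbac = build_example()
    print(rbac.allowed("dr_example", "clinical_notes", "append"))
    print(rbac.memberships_due_for_review(date(2013, 12, 1)))
```

Answering the slide's question for each group then becomes a matter of which `grant` lines exist for that role, and the yearly audit is a query over `last_review` rather than a manual trawl through individual accounts.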

Page 35:

• Card/token systems: people would leave tokens behind

• Card-swipe systems: people would leave systems logged on after they left

• Biometric systems: expensive; user resistance; failure to log off?

• Proximity cards?

Page 36:

What else needs to be taken into consideration

Education is essential

Security awareness must be an ongoing process

Informatics Risk Management Committee with members representing the healthcare environment

Money resources must be assigned to improve security

Passwords make people feel better, but a stronger system for authentication and authorization needs to be adopted

Page 37:

End of Lecture