This document discusses health data security in Utah, looking back at its history and forward to future challenges. It notes that privacy, confidentiality, and data security have long been important principles, dating back to the Hippocratic Oath. Over time, computerization and increased access to data have improved functionality but also created new security risks. Recent high-profile data breaches have resulted in millions of dollars in penalties. Moving forward, greater central control over information systems will be needed to comply with regulations, but this may reduce flexibility and innovation. Improving security practices must be an integral part of system development rather than an afterthought. Overall costs for secure IT systems are expected to increase.

1. Looking Back and Forward
Improving Health Data Security
in Utah
Robert Rolfs, MD, MPH
22 May 2013

2. Privacy, Confidentiality, Data Security
Not New!
• Hippocratic Oath (5th century BC)
All that may come to my knowledge in the exercise of my
profession or in daily commerce with men, which ought
not to be spread abroad, I will keep secret and will never
reveal.
• Privacy Act of 1974 – Fair information practices
• Recognition of AIDS - 1981
• HIPAA – Privacy Rule 2001
• Federal Information Security Management Act of 2002
– FISMA designated NIST to develop standards, guidelines,
methods, and practices for information security

3. Health Data Security
Looking Back
Today’s Problems come from Yesterday’s
“Solutions”
Senge – The Fifth Discipline

4. Evolution of Public Health Data
Security
• 1994 – Principles and Practices of Public Health Surveillance
– Ch 11 – “Computerizing PH Surv. Systems”
• 2002 – PH Informatics and Information Systems
– Chapters on legal framework, security, etc.
• 2011 – Data Security and Confidentiality Guidelines
For HIV, Viral Hepatitis, STD, and TB Programs

5. Computerization of Public Health Data
• 1980s – mainframes, stand-alone computers
– Restricted access to mainframes
– Security often achieved by locking in filing cabinets
• 1990s – Wave of integration
– Development of networks, widespread PC’s
– Focus on improving function, access to data, deriving value
– Katz report, IS Vision, Data Stewardship, etc.
• 21st century
– Dramatic increase in access, flexibility, ability of individuals to
develop and implement information systems
– Internet, web-based access, social media, etc.

6. Approaches to Information System
Development and Management
• Central control and management very difficult
– Rapid change, difficulty anticipating needs/future
• Innovation and entrepreneurial approach
• Centralization of IT services at DTS

7. IT Security Today
• Breaches and consequences
– Financial
• Since 2012, OCR penalties
– BCBS Tennessee – 57 unencrypted drives – $1.5 million
– Alaska DHHS – stolen USB from vehicle - $1.7 million
– UDOH – medicaid breach - $?
– Trust
• Legislation, cHIE, CSD
• not confined to responsible party

8. IT Security
Looking Forward
• Greater central control is needed
– There will be cost to flexibility, innovation, etc
• Need to comply with complex and demanding
regulations
• Need to fundamentally improve IT practices so
that security is part of development and not
after thought
• Cost of IT systems will increase

10. Health Data Security
Looking Forward
Today’s Problems come from Yesterday’s
“Solutions”
Senge – The Fifth Discipline