Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (19)
Ähnlich wie Security & Privacy - Lecture E
Ähnlich wie Security & Privacy - Lecture E (20)
Mehr von CMDLearning
Mehr von CMDLearning (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Security & Privacy - Lecture E
- 1. Introduction to Computer Science Security and Privacy Lecture e This material (Comp 4 Unit 7) was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number 90WT0001. This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/.
- 2. Security and Privacy Learning Objectives - 1 • Define cybercrime and cybersecurity (Lecture a) • List common information technology (IT) security and privacy concerns (Lecture a) • List hardware components that are usually attacked by the hackers (Lecture a) • Explain some of the common methods of attack (Lecture b) 2
- 3. Security and Privacy Learning Objectives - 2 • Describe common types of malware (Lecture b) • Explain social engineering methods used by cybercriminals (Lecture b) • Describe methods and tools available for protection against cyberattacks (Lecture c) • Describe practices designed to minimize the risk of successful cyberattack (Lecture d) 3
- 4. Security and Privacy Learning Objectives - 3 • Address specifics of wireless device security (Lecture d) • Explain security and privacy concerns associated with EHRs (Lecture e) • Describe security safeguards used for health care applications (Lecture e) • Provide the basics of ethical behavior online (Lecture e) 4
- 5. Health Care Applications and Security • U.S. Government’s stated goal: – Most Americans to have access to electronic health records (EHRs) by 2014 • Why EHRs? – Improve quality of care – Decrease cost – Ensure privacy and security • Outsourcing introduces risk – Countries with different cultural values and EHR regulations 5
- 6. Health Record Security Concerns • Incorrect health data recorded • Job discrimination • Personal privacy violated • Sharing of data between providers adds risk • Use of Internet always introduces risk 6
- 7. What is an EHR System? • Collection of health data about the business, patients, doctors, nurses • Health data stored as records in database system • Records represent a complete event – Example: o A patient’s personal information o Reason for office visit o Tests ordered and their results 7
- 8. EHRs are… 1 • Used and maintained by health care providers • Covered by Health Insurance Portability and Accountability Act (HIPAA) rules • Centralized database systems used to integrate patient intake, medical care, pharmacy, and billing into one system 8
- 9. EHRs are… 2 • Used to send data over the Internet when departments/entities are not in same physical location • Accessible by individual patient 9
- 10. EHR Security Q & A - 1 • How is data sent over the Internet? – It should be sent in an encrypted, secure manner over the Internet • Is my personal data safe? – Much depends on each organization’s physical record and network security practices – No data is 100% secure against theft or misuse 10
- 11. EHR Security Q & A - 2 • Who can view my health records? – Only those who need to know or view the contents of a health record should be able to view it o Patient must authorize all other access 11
- 12. Federal Rules Emerge • HIPAA enacted in 1996 • HIPAA establishes privacy and security standards established for: – Health care providers – Health insurance companies – Care clearinghouses (organizations that translate claims data in to and out of HIPAA- standard format) 12
- 13. HIPAA and Privacy • Privacy Rule – Requires those covered to provide patients a “Notice of Privacy Practices” when care is first provided – Covers paper and electronic private health information • Security Rule – Covers administrative, physical, and technical data safeguards that secure electronic health record data 13
- 14. What is Privacy? • Most privacy laws revolves around privacy between a person and the government • “The law of privacy regulates the type of information which may be collected and how this information may be used and stored.” Wikipedia, 2016 • Privacy relates to people. 14
- 15. What is Confidentiality? • “Confidentiality is commonly applied to conversations between doctors and patients. Legal protections prevent physicians from revealing certain discussions with patients, even under oath in court. The rule only applies to secrets shared between physician and patient during the course of providing medical care.” Wikipedia. 2016 • Confidentiality relates to data 15
- 16. Steps to Secure EHR - 1 • Authenticate and authorize ALL record access – Only those who “need to know” can view – Only pertinent people can change records – Limit who can print electronic documents – All views and changes recorded for audit trail 16
- 17. Steps to Secure EHR - 2 • Examples: – A clerk can view the dates and charges related to an office visit but nothing about treatment – Nurses and doctors can view medical records only for patients under their direct care • Security outlines the structure to enforce privacy and security 17
- 18. Steps to Secure EHR - 3 • Device security – Apply operating system critical updates immediately – Install current Anti-virus definitions – Restrict physical access to servers – Allow only authenticated device access 18
- 19. Steps to Secure EHR - 4 • Secure electronic communications – Encrypt all EHR communications – Client-server environment – Configure user accounts and groups – Implement network access protection mechanisms 19
- 20. Steps to Secure EHR - 5 • Web environment considerations – Implement HTTPS for all web transactions – Validate all data entered into web forms – Perform regular audits of access and changes • Implement redundant devices – Ensures that devices are available as expected – Load-balance heavily used hardware devices 20
- 21. Steps to Secure EHR - 6 • Prosecute security violations vigorously • Backup EHR data with secure storage 21
- 22. Free Online PHR Systems – PHRs maintained by individuals – Some PHRs not covered by HIPAA rules – Resources o Microsoft HealthVault - www.healthvault.com/ o WebMD Health Manager - http://www.webmd.com/phr 22
- 23. Ethical Behavior Online • Mistakes Happens • Need to Know vs. Want to Know • Online Ratings • Data Breaches 23
- 24. Security and Privacy Summary – Lecture e • Explained security and privacy concerns associated with Electronic Health Records (EHRs) • Described security safeguards used for health care applications • Provided basics of ethical behavior when online 24
- 25. Security and Privacy Summary - 1 • Cybercrime and cybersecurity • Common IT security and privacy concerns • Hardware components usually attacked by the hackers; common methods of attack • Common types of malware • Social engineering methods used by cybercriminals • Methods and tools available for protection against cyberattacks 25
- 26. Security and Privacy Summary - 2 • Practices designed to minimize the risk of successful cyberattack • Specifics of wireless device security • Security and privacy concerns associated with EHRs • Security safeguards used for health care applications • Basics of ethical behavior online 26
- 27. Security and Privacy References – 1 – Lecture e References Dyer, K. A. (2011, June 2). Ethical Challenges of Medicine and Health on the Internet: A Review. Retrieved from http://www.ncbi.nlm.nih.gov/pmc/articles/PMC1761893/ Greysen, S. (2010, July 15). Online Professionalism and the Mirror of Social Media. Retrieved April 20, 2016, from http://link.springer.com/article/10.1007/s11606-010- 1447-1 Health and Human Services. HHS Announces Project to Help 3.6 Million Consumers Reap Benefits of Electronic Health Records. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://www.hhs.gov/news/press/2007pres/10/pr20071030a.html. Improving Ethics Quality in Health Care. (n.d.). Retrieved April 20, 2016, from http://www.ethics.va.gov/elprimer.pdf Informatics Professor, Meaningful Use: A Highly Useful Construct for Informatics. [Internet]. 2010 May [cited 2011 Nov 07]. Available from: http://informaticsprofessor.blogspot.com/2010/05/meaningful-use-highly-useful- construct.html. Kraus, R. (2004). Ethical and Legal Considerations for Providers of Mental Health Services Online. In Online Counseling, 2nd ed.: A Handbook for Mental Health Professionals. San Diego, CA: Elsevier Academic Press. 27
- 28. Security and Privacy References – 2 – Lecture e References Wikipedia. Network security. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://en.wikipedia.org/wiki/Network_security. Wikipedia. Wireless security. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://en.wikipedia.org/wiki/Wireless_security. Wikipedia. Wireless LAN security. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://en.wikipedia.org/wiki/Wireless_LAN_security. Wikipedia. Electronic health record. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://en.wikipedia.org/wiki/Electronic_health_record. Wikipedia. Electronic medical record. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://en.wikipedia.org/wiki/Electronic_medical_record. 28
- 29. Introduction Computer Science Security and Privacy Lecture e This material was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number 90WT0001. 29
Hinweis der Redaktion
- Welcome to the Introduction to Computer Science: Security and Privacy. This is Lecture e. The component, Introduction to Computer Science, provides a basic overview of computer architecture; data organization, representation and structure; the structure of programming languages; and networking and data communication. It also includes the basic terminology of computing.
- The objectives for this unit, Security and Privacy, are to: Define cybercrime and cybersecurity List common information technology, or IT, security and privacy concerns List the hardware components that are usually attacked by hackers Explain some of the common methods of attack
- Describe common types of malware Explain social engineering methods used by cybercriminals Describe methods and tools available for protection against cyberattacks Describe practices designed to minimize the risk of successful cyberattack
- Address specifics of wireless device security Explain security and privacy concerns associated with Electronic Health Records, or EHRs Describe security safeguards used for health care applications And, provide the basics of ethical behavior online
- In this lecture, we will trace the history of the use of electronic health records, or EHRs, in America; discuss the risks inherent in putting health-related information into electronic form, and touch on ethical behavior when on the Internet. For a number of years, the U.S. government had a goal that by 2014 most Americans should have access to EHRs. Putting health records into electronic form means a lot of private and confidential information is now accessible through web browsers and wireless devices. If these devices are not secure, personal medical information is at risk. For example, information could be falsely entered or even changed by somebody with malicious intent. So it is very important that organizations understand the application of security in conjunction with health care. The impetus for EHRs came from the American government. The motivation was to improve quality of care, decrease cost, and insure the privacy and security of the data. One security concern is the current trend of outsourcing medical data entry management to countries outside the United States. If hospitals employ medical transcriptionists in other countries, might these countries have different cultural values and EHR regulations? How can data be protected when it is on the other side of the world being used by people who live by different rules, regulations, and cultural norms?
- Other issues include concerns about encountering someone else’s information in your health record, making the information in both records incorrect and compromising security. Additionally, individuals might be discriminated against in employment, denied employment, or even denied health coverage based on pre-existing conditions if private medical information is made public. Personal privacy might be violated, such as when friends, family, and others find out about an embarrassing, but non-infectious medical condition. A final concern about the security of health data involves the sharing of data between providers. Any time data travels over the Internet, there is always a risk to data security and privacy.
- An EHR system is a collection of health data about medical practices, patients, doctors, nurses, and all entities involved in the health care process. Health data is stored as a record in a database system. For every visit to a doctor, an entry is recorded in the EHR, and that record is stored in a database. The patient’s name and contact information are one record in the database. The patient’s diagnosis and treatment are other records in the database. Tests ordered and procedures performed are yet another record in the database.
- EHR systems are used and maintained by health care providers and others to store health care data. Health care providers, health care clearinghouses, and health plan providers are subject to federal rules governing security and other rules related to EHRs. The primary federal rule governing EHRs is the Health Insurance Portability and Accountability Act, or HIPAA. Organizations that must adhere to HIPAA rules are called “covered entities.” When data in an EHR is maintained by a covered entity, that data is also subject to HIPAA rules. However, free, online, electronic, personal health records are not a covered entity. This means data entered in free, online, electronic, personal health records is not protected by HIPAA rules. EHRs use centralized database systems to integrate functions such as patient intake, medical care, and pharmacy billing into one large database system.
- Departments and other entities might not be in the same physical location, so patient data must often travel over the Internet. As we touched on earlier, any time the Internet and data are combined, an element of risk is introduced. Why does data have to travel over the Internet at all? One reason―and there are many―is that when a doctor’s office bills an insurance company, some of the patient’s medical information must travel over the Internet. Through the use of EHRs, people can view their own health record, taking ownership of its contents, insuring accuracy, and even providing content by adding comments for their doctors to read.
- Let’s now consider some EHR security question and answers. How is―or how should―data be sent over the Internet? In most cases, data will be sent in an encrypted, secure manner over the Internet. If not, patients should question the security practices being used. Is your personal data safe? The answer to this question depends on each organization’s physical record and network security practices, as governed by their security policy. However, no data is 100 percent secure against theft or misuse, regardless of the applicable security policy. Having a good security policy in place, and then auditing for compliance, can significantly improve success in maintaining data security.
- And finally, who can view your private medical records? According to HIPAA, only those who need to know or view the contents of a health record should be able to do so. Patients must authorize all other access to their record.
- HIPAA was enacted in 1996 by the federal government. HIPAA establishes privacy and security standards, and requires that health care providers, insurance companies, and care clearinghouses - organizations that translate claims data in to and out of HIPAA-standard format - abide by privacy and security standards.
- The HIPAA privacy rule requires covered entities to provide patients with what is known as a “Notice of Privacy Practices” when care is first provided. A patient might receive this notice when visiting a walk-in clinic, for example. The privacy rule covers both paper and electronic private health information. HIPAA also incorporates a security rule that goes farther than the privacy rule in that it covers administrative, physical, and technical data safeguards that must be enacted to secure EHR data. All of these should be outlined in the entity’s security policy.
- Most privacy laws revolve around privacy between a person and the government. According to Wikipedia, “The law of privacy regulates the type of information that can be collected and how this information may be used and stored.” Privacy relates to people. For example, a patient’s visit to a doctor is private information.
- Confidentiality is different from privacy. According to Wikipedia, “Confidentiality is commonly applied to conversations between doctors and patients. Legal protections prevent physicians from revealing certain discussions with patients, even under oath in court. The rule only applies to secrets shared between physician and patient during the course of providing medical care.” We can infer from this that confidentiality relates to data, data shared between the health provider and the patient. Confidentiality, then, in this context, means that the things discussed with a doctor should remain between the patient and the doctor; they are confidential. To put privacy and confidentiality in context, the fact that someone visited a doctor is private; what the patient and doctor discussed is confidential. Privacy and confidentiality are not mutually exclusive and each slightly overlaps the other in scope.
- What steps can be taken to secure an EHR and its records? It is possible to authenticate and authorize all access to electronic health records. Authorization involves permissions. Permissions limit who can view, change, and/or print medical records and electronic documents. Additionally, all views of and changes to medical information should be recorded for audit.
- As an example of permissions, a clerk would be able to view the dates and charges related to an office visit, but would not be able to view anything that details the treatment received or the information discussed between patient and doctor. Nurses and doctors can view medical records only for patients under their direct care, but should not view medical records for patients not under their care. An important point is that security outlines the structure through which privacy and confidentiality can be enforced. Putting in place security mechanisms such as requiring usernames and passwords; badges to open doors; and keys to open file cabinets, increases the probability of data privacy and confidentiality.
- Device security is important in securing EHR and records. Critical updates to computer operating systems should be applied immediately Antivirus definitions should always be current Physical access to servers that house medical data should be restricted And finally, access to devices must be authenticated
- Encryption can also help secure electronic communications. All communication between an EHR system and a destination device should be encrypted. A client-server environment allows maintenance of a domain environment with a server that manages all devices and all objects. User accounts should be configured in groups, and permissions must be provided to the groups. Finally, organizations should implement network access protection mechanisms. For example, if a device attempts to connect to a network, the system should first examine the device to verify that it has had critical updates applied to its operating system. The system should then require that the device attempting to connect to the network has antivirus protection software installed and verify that its firewall is enabled.
- EHR transmission over the Internet should require that either Hypertext Transfer Protocol Secure, or HTTPS, or secure web browsing be implemented for all web transactions. In other words, all communication over the Internet should be encrypted. Additionally, all data entered into web forms should have to be validated before that data is stored in a database. And, regular audits of data access and changes in medical records should be occurring. Implementing redundant devices within the data environment helps ensure that devices are available as expected. Having redundant devices allows system administrators to load-balance heavily used hardware devices. For example, rather than using only one server to store database records, an administrator can create a five-server cluster. Then, whichever server is the least busy can respond to requests for database records.
- Administrators should prosecute security violations vigorously. If a hacker attacks a network, administrators should immediately report that activity to the authorities. Even internal violations should be pursued and offenders prosecuted. This would discourage others from taking the same actions. Finally, EHR data must be backed up and stored securely.
- Many of the concerns related to medical privacy exist because there are a number of EHR options available for use. If an individual uses a personal health record, or PHR system, this usually means that the individual maintains the record. Notice that PHRs differ from EHR systems. PHRs are maintained by individuals and are usually not covered by HIPAA rules because individuals manage their own health record, not the company that is providing an individual with the ability to have the health record. There are links on this slide for Microsoft Health Vault and WebMD’s Health Manager—two examples of available PHRs. Typically, these PHRs are free, allowing an individual to enter all of his or her medical information and share it with a doctor or medical personnel.
- This is a good time to discuss ethical behavior online, some of which we’ve already touched on. The very nature of the Internet is openness and accessibility. But when it comes to health care data, we all want our data to be accurate and secure. We all know mistakes happen. Computer data can only be accurate if it was entered correctly in the first place. Occasionally medical codes may get transposed when being entered into an EHR, dosages can get mis-transcribed, or medical notes can be placed in the wrong patient’s chart. These types of mistakes, though undesirable, are understandable. However, ethics become a question when someone’s intent is in conflict with known rules and regulations. For example, it should be obvious that just because you could have access to someone’s medical records doesn’t mean you should go ahead and access them. But all you have to do is a simple Internet search on “celebrity HIPAA violations” to see that even medical professionals, who are trained in the importance of abiding by HIPAA, sometimes exercise poor judgment. Websites, such as healthgrades.com allow users to post ratings about doctors, dentists, and hospitals. But who validates those ratings? How can a website ensure that what is posted is accurate? Could a medical professional be offering incentives for positive reviews? Should the website publishing the ratings be responsible for verifying the ratings it publishes? If so, how would this be done without violating a patient’s privacy? If a server holding EHRs gets hacked and your personal health data gets shared on the Internet, what share of the responsibility should be assigned to your health care professional? To their IT department? To the service that was contracted to keep those records secure? Entire courses are taught on the subject of ethical behavior when online. For now, as technology continues to be increasingly intertwined with health care, health care professionals must continue to question, debate, and examine ethics and ethical behavior in the context of the Internet. Resources are included in the References section of this presentation for those interested in learning more about ethical behavior online and health care.
- This concludes lecture e of Security and Privacy. In summary, this lecture: Explained security and privacy concerns associated with Electronic Health Records Described security safeguards used for health care applications And, provided some thoughts on ethical behavior and the Internet
- This also concludes the unit on Security and Privacy. In summary, this unit addressed the following topics: Cybercrime and cybersecurity Common IT security and privacy concerns Hardware components usually attacked by hackers and the common methods of attack Common types of malware Social engineering methods used by cybercriminals Methods and tools available for protection against cyberattacks
- Practices designed to minimize the risk of successful cyberattack Specifics of wireless device security Security and privacy concerns associated with EHRs Security safeguards used for health care applications And, the basics of ethical behavior online
- References slide. No audio.
- References slide. No audio.
- No audio.