This document discusses information security and copyright in a healthcare context. It covers fair use principles, securing network information through authentication, authorization and other methods. It also discusses threats like hackers, viruses and insiders and tools to enhance security like firewalls and intrusion detection. The document concludes with questions about fair use of copyrighted material and appropriate use of patient information.
1. Chapter 15
Information Copyright and Fair Use and Network Security
2. Objectives
• Explore information fair use and copyright restrictions.
• Describe processes for securing information in a computer network.
• Identify various methods of user authentication and relate authentication to security of a network.
• Explain methods to anticipate and prevent typical threats to network security.
3. Fair Use of Information and Sharing
• Copyright laws in the world of technology are notoriously misunderstood.
• The same copyright laws that cover physical books, artwork, and other creative material are still applicable in the digital world.
4. Fair Use of Information and Sharing
• Almost all software, music CDs, and movie DVDs come with restrictions on how and when copies may be made.
• Most computer software developers allow for a backup copy of the software without restriction.
• Technology advances have made the sharing of information easy and extremely fast, and thus open to violations of copyright and fair use.
5. Fair Use of Information and Sharing
• Avoid downloading music illegally from the Internet, and do not use information from the Internet without permission to do so or without citing the reference appropriately.
• Health care organizations that allow access to the Internet from a network computer should ensure that users are well aware of and compliant with copyright and fair use principles.
6. Fair Use
• Permits the limited use of original works without the copyright holder’s permission.
• An example would be quoting or citing an author in a scholarly manuscript.
• The user is responsible for developing appropriate citations.
• Citing inappropriately or not at all is plagiarism.
7. Securing Network Information
• Linking computers together and to the outside creates the possibility of a breach of network security and exposes the information to unauthorized use.
• The three main areas of secure network information are confidentiality, availability, and integrity.
8. Confidentiality
• Safeguarding all personal information by ensuring that access is limited to only those who are authorized.
• “Shoulder surfing”, or watching over someone’s shoulder as they are working, is still a major way that confidentiality is compromised.
9. Acceptable Use
• Organizations protect the availability of their networks with an acceptable use policy.
• Defines the types of activities that are acceptable and not acceptable on the corporate computer network.
• Defines the consequences for violations.
10. Information Integrity
• The quality and accuracy of networked information.
• Organizations need clear policies to clarify:
– how data is actually entered,
– who has the authorization to change such data, and
– how to track how and when data are changed and by whom.
11. Authentication of Users
• Authentication of employees is also used by organizations in their security policies.
• Organizations authenticate by:
– something the user knows (password),
– something the user has (ID badge), or
– something the user is (biometrics).
12. More About Authentication
• Policies typically include the enforcement of changing passwords every thirty or sixty days.
• Biometric devices include those that recognize thumb prints, retina patterns, or facial patterns.
• Organizations may use a combination of these types of authentication.
13. Threats to Security
• A 2003 nationwide survey by the Computing Technology Industry Association (CompTIA) found that human error was the most likely cause of problems with security breaches.
• The first line of defense is strictly physical.
• A locked door, an operating system that locks down after five minutes of inactivity, and regular security training programs are extremely effective.
14. Threats to Security
• One way to address this physical security risk is to limit the authorization to write files to a device.
• Organizations are also turning off the CD/DVD burners and USB ports on company desktops.
15. Threats to Security
• The most common threats a corporate network faces from the outside world are hackers, malicious code (spyware, viruses, worms, Trojan horses), and the malicious insider.
• Spyware is normally controlled by limiting functions of the browser used to surf the Internet.
16. Cookies
• A “cookie” is a very small file written to the hard drive of a user surfing the Internet.
• On the negative side, cookies can also follow the user’s travels on the Internet.
• Spying cookies related to marketing typically do not track keystrokes to steal user IDs and passwords.
17. Threats to Security
• Spyware that does steal user IDs and passwords contains malicious code that is normally hidden in a seemingly innocent file download.
• Another huge threat to corporate security is social engineering, or the manipulation of a relationship based on one’s position in an organization.
18. Malicious Insider
• The number one security threat to a corporate network is the malicious insider.
• There is also software available to track and thus monitor employee activity.
• Depending on the number of employees, organizations may also employ a full-time electronic auditor who does nothing but monitor activity logs.
19. Security Tools
• There is a wide range of tools available to an organization to protect the organizational network and information.
• These tools can be either a software solution such as antivirus software or a hardware tool such as a proxy server.
20. Security Tools
• E-mail scanning software and antivirus software should never be turned off, and updates should be run weekly, and ideally daily.
• Software is also available to scan instant messages and to automatically delete spam e-mail.
21. Firewalls
• A firewall can be hardware, software, or a combination of both.
• A firewall can be set up to examine traffic to and from the network.
• Firewalls are basically electronic security guards at the gate of the corporate network.
22. Proxy Servers
• A hardware security tool to help protect the organization against security breaches by:
– preventing users from directly accessing the Internet from corporate computers,
– issuing masks to protect the identity of a corporation’s employees accessing the World Wide Web, and
– tracking which employees are using which masks and directing the traffic appropriately.
23. Intrusion Detection Systems
• Hardware and software to monitor who is using the organizational network and what files that user has accessed.
• Corporations must diligently monitor for unauthorized access to their networks.
• Remember: any use of a secured network leaves a digital footprint that can be easily tracked by electronic auditing software.
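As an added example (not part of the original slides), the following Python sketch performs the kind of activity-log review the electronic auditor on slide 18 and the monitoring on slide 23 describe: each access is checked against a role/action policy, after-hours use is flagged, and one user touching an unusual number of patient records in a day is flagged as bulk access. The log format, role table, working-hours window and threshold are constructed assumptions, not the slides' own.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample activity log (assumed format):
# ISO timestamp, user id, role, action, patient record id
SAMPLE_LOG = """\
2024-03-04T09:12:00 nurse01 nurse VIEW patient-1001
2024-03-04T09:15:00 nurse01 nurse VIEW patient-1002
2024-03-04T10:02:00 coder02 coder VIEW patient-1003
2024-03-04T22:40:00 nurse07 nurse EXPORT patient-1004
2024-03-04T22:41:00 nurse07 nurse EXPORT patient-1005
2024-03-04T22:41:30 nurse07 nurse EXPORT patient-1006
2024-03-04T22:42:00 nurse07 nurse EXPORT patient-1007
"""

# Assumed policy (placeholders, not from the slides): which roles may perform
# which actions, the normal working hours, and the per-day record limit.
ALLOWED_ACTIONS = {"nurse": {"VIEW", "UPDATE"}, "coder": {"VIEW"},
                   "admin": {"VIEW", "UPDATE", "EXPORT"}}
WORK_HOURS = (7, 19)   # 07:00 inclusive to 19:00 exclusive
BULK_THRESHOLD = 3     # more distinct records than this in a day is "bulk"

def parse_log(text):
    """Turn the whitespace-separated log lines into dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, record = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "action": action, "record": record})
    return entries

def review(entries):
    """Return (user, finding, detail) tuples for an auditor to follow up."""
    findings = []
    records_per_user_day = defaultdict(set)
    for e in entries:
        # Least privilege: the action must be permitted for the user's role.
        if e["action"] not in ALLOWED_ACTIONS.get(e["role"], set()):
            findings.append((e["user"], "unauthorized action", e["action"]))
        # Access outside the working-hours window deserves a second look.
        if not WORK_HOURS[0] <= e["ts"].hour < WORK_HOURS[1]:
            findings.append((e["user"], "after-hours access", e["record"]))
        records_per_user_day[(e["user"], e["ts"].date())].add(e["record"])
    # Bulk access: many distinct records by one user on one day.
    for (user, day), records in records_per_user_day.items():
        if len(records) > BULK_THRESHOLD:
            findings.append((user, "bulk access", f"{len(records)} records on {day}"))
    return findings
```

Running `review(parse_log(SAMPLE_LOG))` on the constructed log reports only nurse07, whose exports are unauthorized for the role, after hours, and in bulk.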
24. Offsite Use of Portable Devices
• Offsite use of portable devices such as laptops, PDAs, home computing systems, smart phones, and portable data storage devices can help to streamline the delivery of health care.
• Some agencies have developed a virtual private network (VPN) that the user must log in to in order to reach the network.
• The VPN ensures that all data transmitted via this gateway is encrypted.
25. Offsite Use of Portable Devices
• Only essential data for the job should be contained on the mobile device, and other non-clinical information such as social security numbers should never be carried outside the secure network.
• The agency is ultimately responsible for the integrity of the data contained on these devices, as required by HITECH and HIPAA regulations.
26. Offsite Use of Portable Devices
• If a device is lost or stolen, the agency must have clear procedures in place to help ensure that sensitive data does not get released or used inappropriately.
• The Department of Health and Human Services (2006) identifies potential risks and proposes risk management strategies for accessing, storing, and transmitting EPHI. Visit this website for detailed tabular information (pp. 4-6) on potential risks and risk management strategies: http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf
27. Thought Provoking Questions
1. Jean, a diabetes nurse educator, recently read an article in an online journal that she accessed through her health agency’s database subscription. The article provided a comprehensive checklist for managing diabetes in older adults, which she prints and distributes to her patients in a diabetes education class. Does this constitute fair use, or is this a copyright violation?
28. Thought Provoking Questions
2. Sue is a COPD clinic nurse enrolled in a Master’s education program. She is interested in writing a paper on the factors that are associated with poor compliance with medical regimens and associated re-hospitalization of COPD patients. She downloads patient information from the clinic database to a thumb drive that she later accesses on her home computer. Sue understands rules about privacy of information and believes that, since she is a nurse and needs this information for a graduate school assignment, she is entitled to the information. Is Sue correct in her thinking?