EVALUATION OF HIPAA SECURITY REQUIREMENTS ON ENCRYPTION FOR RADIOLOGY THROUGHPUT RATES Spencer B. Gay, M.D., Andrew M. Snyder, M.S., Alfred C. Weaver,


EVALUATION OF HIPAA SECURITY REQUIREMENTS ON ENCRYPTION FOR RADIOLOGY THROUGHPUT RATES

Spencer B. Gay, M.D., Andrew M. Snyder, M.S., Alfred C. Weaver, Ph.D., Matthew J. Bassignani, M.D., Samuel J. Dwyer, III, Ph.D.
University of Virginia Health System, Charlottesville, VA

As expected, DES was fastest because it has the shortest key and is therefore the least secure. Predictably, the RSA public key algorithm was slowest because it was never meant to be used with large files such as images. The significance of Table 7 is that it reveals for the first time (in a .NET environment) what computational price is being paid for the superior protection of the new AES-256 encryption algorithm. AES is many orders of magnitude more secure than the other techniques, and we have shown that its use entails acceptable computational costs. Applying the data flow model as shown in Figure 1, we were able to predict the radiology department’s expected throughput when images were and were not encrypted and decrypted upon storage and transmission (Table 8).

BACKGROUND

Almost a decade after the passage of the Health Insurance Portability and Accountability Act of 1996 [1], HIPAA will require compliance with its Security Standards (Section 164, 68 Fed. Reg. 8333) by April 20, 2005, for all entities covered by these rules (except small health plans, which have an additional year). The Security Standards guard electronic Protected Health Information (PHI), which includes any health care or health payment information that identifies or could be used to identify the individual to whom it pertains and that is stored or transmitted using electronic media.

The structure of the security rule is based upon three standards:
1. Administrative safeguards (section )
2. Physical safeguards (section )
3. Technical safeguards (section )

and two administrative standards:
1. Organizational requirements (section )
2. Policies and procedures and documentation requirements (section ).
The HIPAA security matrix (Appendix A, 45 CFR Part 164, Subpart C, Security Standards for the Protection of Electronic Protected Health Information, published Feb. 20, 2003, 68 Fed. Reg. 8334) identifies the standards, the sections, and the implementation specifications which are either required (R) or addressable (A). Under the technical safeguard section, encryption and decryption (section (a)(1)) and transmission security (section (e)(1)) are both marked as “addressable.”

A number of security protection schemes which proclaim HIPAA compliance are currently in use. Passwords and biometric devices provide limited authentication; firewalls are often employed for intra-hospital security; digital signatures are used to prove message integrity. Modern data encryption and decryption algorithms are powerful techniques for data security, but their impact on throughput is not yet known. This study provides an estimate of the performance impact of data encryption/decryption when applied to PACS throughput.

EVALUATION METHODS

The metric selected for this study is “throughput.” To determine the “addressable” implementation specifications of encryption on access control and transmission security, we conducted testbed experiments to evaluate the effect of several popular methods on radiology workflow. The methods we evaluated are shown in Table 1.

Table 1 ENCRYPTION METHODS SELECTED FOR EVALUATION

Method                                Comments
Data Encryption Standard (DES)        Twenty years of use
Triple DES (3-DES)                    Successor to DES
Advanced Encryption Standard (AES)    Newest technique approved by the National Institute of Standards and Technology (NIST)
Rivest, Shamir, and Adleman (RSA)     The most popular public key cryptosystem

Table 3 shows the resources utilized in a typical patient encounter.
RADIOLOGY DEPARTMENT WORKFLOW MODEL

The use of a radiology workflow model details how the department operates and how data flows throughout the department (Figure 1). Models are valuable performance prediction tools, because modification of an operational PACS would disrupt the daily work of the department. The selected workflow model is a resource allocation table for estimating throughput and identifying bottlenecks.

The resource allocation table (Table 2) is constructed with columns labeled for each of the particular resources (HIS, RIS, Networks, PACS Archive, etc.). The successive rows of the table represent the successive steps of a job or process. The right-most column of a row identifies the average time needed for the step. The matrix entries are Boolean, with a one signifying that the resource is used in the step and a zero signifying that it is not. The “bottleneck” of a job is identified by inspecting each column in the table and determining the average limitation of the resource throughput for each resource (the reciprocal of the sum of the execution times of the resources involved).

Table 2 RESOURCE ALLOCATION TABLE

STEP   R1  R2  R3  R4  R5  R6  R7  R8  R9  R10  R11  R12   Time
A                                                          T1
B                                                          T2
C                                                          T3
D                                                          T4
E                                                          T5
F                                                          T6
G                                                          T7
H                                                          T8
I                                                          T9
J                                                          T10
K                                                          T11
L                                                          T12
M                                                          T13
       B1  B2  B3  B4  B5  B6  B7  B8  B9  B10  B11  B12

Table 3 RESOURCES TO BE MODELED

R1 = Hospital registration system
R2 = HIS (hospital information system)
R3 = RIS (radiology information system)
R4 = Examination schedule system
R5 = HL7 communications for text data
R6 = DICOM communications for image data
R7 = Image modality unit
R8 = DICOM gateway
R9 = Relational database
R10 = PACS archive
R11 = Workstation
R12 = Reporting system

Table 4 STEPS IN WORKFLOW MODEL

A. Patient registration by hospital registration system
B. Notify HIS of patient and data using HL7
C. Schedule exam and notify RIS
D. Patient data to RIS and to PACS archive
E. DICOM worklist to image modality
F. Conduct patient exam
G. Patient image data to gateway using DICOM
H. Relational data to gateway (required prior images)
I. DICOM image data from gateway to PACS archive
J. DICOM image data to workstation from PACS archive
K. Patient report generated in reporting system
L. Patient report sent to RIS from reporting system
M. Patient report sent from RIS to HIS

Table 5 ESTIMATED TIMES FOR COMPLETION OF THE STEPS PER JOB

T1 = 15 min (900 sec) – Patient registration by hospital registration system
T2 = 5 sec – Notify HIS of patient and data using HL7
T3 = 30 sec – Schedule exam and notify RIS
T4 = 10 sec – Patient data to RIS and to PACS archive
T5 = 10 sec – DICOM worklist to image modality
T6 = 20 min (1200 sec) – Conduct patient exam
T7 = 3 min (180 sec) – Patient image data to gateway via DICOM
T8 = 3 min (180 sec) – Relational database image data to gateway (prior exam)
T9 = 3 min (180 sec) – Image data from gateway to PACS archiving
T10 = 2 min (120 sec) – Image data to workstation
T11 = 2 min (120 sec) – Patient report generated in reporting system
T12 = 30 sec – Patient report to RIS from reporting system
T13 = 30 sec – Patient report sent from RIS to HIS

Table 6 RESOURCE BOTTLENECKS

B1 = 1/(T1 + T2)
B2 = 1/(T2 + T4 + T13)
B3 = 1/(T3 + T4 + T5 + T12 + T13)
B4 = 1/(T3)
B5 = 1/(T2 + T3 + T4 + T12 + T13)
B6 = 1/(T5 + T7 + T8 + T9 + T10)
B7 = 1/(T5 + T6 + T7)
B8 = 1/(T7 + T8 + T9)
B9 = 1/(T8)
B10 = 1/(T4 + T9 + T10)
B11 = 1/(T10)
B12 = 1/(T11 + T12)

Table 7 THROUGHPUT OF ENCRYPTION AND DECRYPTION ON 3 GHz PENTIUM 4

Encryption       MB/s   Percent of Fastest Algorithm    Decryption       MB/s   Percent of Fastest Algorithm
DES 56-bit              %                               DES 56-bit              %
3-DES 112-bit           %                               AES 128-bit             %
AES 128-bit             %                               3-DES 112-bit           %
3-DES 168-bit           %                               3-DES 168-bit           %
AES 192-bit             %                               AES 192-bit             %
AES 256-bit             %                               AES 256-bit             %
RSA 512-bit             %                               RSA 512-bit             %
RSA 1024-bit            %                               RSA 1024-bit            %

Table 8 AVERAGE TIMES FOR EACH STEP IN THE SYSTEM

Time   Average time without Encryption   Average time with Encryption   Short Description
T1     900 seconds                                                      Patient registration
T2     5 seconds                                                        Notify HIS of patient
T3     30 seconds                                                       Schedule exam
T4     10 seconds                        11 seconds                     Patient data to RIS and PACS
T5     10 seconds                                                       Worklist to image modality
T6     1200 seconds                                                     Conduct patient exam
T7     180 seconds                       240 seconds                    Patient image data to gateway
T8     180 seconds                       240 seconds                    Relational DB images to gateway
T9     180 seconds                       240 seconds                    Image data from gateway to PACS
T10    120 seconds                       180 seconds                    Image data to workstation
T11    120 seconds                                                      Patient report generation
T12    30 seconds                                                       Patient report to RIS
T13    30 seconds                                                       Patient report from RIS to HIS

CONCLUSION

Our study shows that when using the Department of Radiology dataflow model (Figure 1), a resource allocation table (Table 2) analysis, and using symmetric key encryption on all patient data and images, throughput would be reduced 5-7%. Knowing that the impact of encryption is small, a department could embrace it without fearing disastrous consequences. Alternatively, if encryption were applied only to the patient data and not to the images, then the impact of encryption would be negligible.
Either way, we have demonstrated that symmetric key encryption, especially the new AES algorithm with 256-bit keys, is a highly secure technique that achieves HIPAA’s goals with minimal disturbance to the radiology department’s throughput.

TESTING THE PERFORMANCE OF THE ENCRYPTION ALGORITHMS

Each encryption technique shown in Table 1 was tested using four file sizes. The first file size was one byte, the smallest possible file, and thus the one that will provide a lower bound on the overhead associated with invoking each algorithm. The second file was 1 MB, which represents a single, compressed, 2000x1500x16 screen image. The third file size was 3 MB, which represents an uncompressed 4000x3000x16 image. The fourth file was a 500-image MRI set, each image being 256x256x16, yielding a total file size of 68 MB.

Each file size was processed using DES with its 56-bit key, 3-DES using 128- and 192-bit keys, AES using 128-, 192-, and 256-bit keys, and RSA with key sizes of 512 and 1024 bits. Each experiment performed 100 encryptions and decryptions on a given file size using a particular technique and key size, and then averaged the results. The throughput of each algorithm was calculated from the resulting data logs. Figure 2 shows the results for the three symmetric key algorithms while Table 7 shows the results for all experiments, sorted by throughput.

Figure 2

The encryption step is included in T4 (patient data to RIS and PACS archive) and the decryption step is included in T10 (image data to workstation). Table 5 shows the expected average times for completion of each step of the job. These mean values were measured from an operational PACS. Thirteen steps in a typical information flow are shown in Table 4. The bottleneck(s) can also be obtained from the resource allocation table, and that calculation is shown in Table 6.
The smallest value of Bi identifies the bottleneck because resource i is operating at full capacity and therefore step i is the rate-limiting procedure.

THE COMPUTING ENVIRONMENT

Our experiments were performed using the Microsoft .NET framework and our test scenarios were developed in C# using Visual Studio .NET. By using a web services approach, we ensured that we are moving along a language-neutral, platform-independent path. The testbed consisted of a network of 3 GHz Pentium 4 computers with 1 GB RAM each, connected via 100 Mbps Ethernet.

Figure 1 MODEL FOR DATA FLOW ABOUT DEPARTMENT

REFERENCES:

1. Public Law , “Health Insurance Portability and Accountability Act of 1996.”
2. “Standards for Electronic Transactions.” Federal Registry, Volume 65, Number 160, August 17, 2000,
3. Stallings W. “Cryptography and Network Security.” Prentice Hall,
4. King CM, Dalton CE, Osmanoglu TE. “Security Architecture.” Osborne/McGraw-Hill, New York,
5. Wagner N. “The Laws of Cryptography: The RSA Cryptosystem.”
6. Andriole KP, Arvin DE, Yin L, Gould RG, Arenson RL. “PACS database and enrichment of the folder manager concept.” J Digital Imaging 2000; 13:
7. Stuck BW, Arthurs E. “A Computer and Communication Network Performance Analysis Primer.” Prentice-Hall Inc., Englewood Cliffs, NJ,
8. Gay SB, Sobel AH, Young LQ, Dwyer SJ III. “Processes involved in reading imaging studies: workflow analysis and implications for workstation development.” J Digital Imaging 2002; 15(3):
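
The resource allocation analysis from the workflow model section, applied to the step times of Tables 5 and 8 with the per-resource sums of Table 6, as an added Python example (not the authors' code, which was written in C#). It assumes that a blank "with encryption" entry in Table 8 means the step time is unchanged, and the function names are illustrative; the figure it prints applies only the Table 6 formulas and is not the authors' full analysis behind the 5-7% estimate.

```python
# Added example: numbers transcribed from the poster's Tables 3, 5, 6 and 8.
# Table 5: average seconds per step (T1..T13) without encryption.
BASE = {1: 900, 2: 5, 3: 30, 4: 10, 5: 10, 6: 1200, 7: 180,
        8: 180, 9: 180, 10: 120, 11: 120, 12: 30, 13: 30}
# Table 8: step times with encryption. Assumption: a step with no entry in
# the "with encryption" column keeps its Table 5 time.
ENCRYPTED = {**BASE, 4: 11, 7: 240, 8: 240, 9: 240, 10: 180}

# Table 6: the steps (T indices) that occupy each resource R1..R12.
USES = {
    1: (1, 2), 2: (2, 4, 13), 3: (3, 4, 5, 12, 13), 4: (3,),
    5: (2, 3, 4, 12, 13), 6: (5, 7, 8, 9, 10), 7: (5, 6, 7),
    8: (7, 8, 9), 9: (8,), 10: (4, 9, 10), 11: (10,), 12: (11, 12),
}
# Table 3: resource names, used only for the printed report.
RESOURCE = {
    1: "Hospital registration system", 2: "HIS", 3: "RIS",
    4: "Examination schedule system", 5: "HL7 communications",
    6: "DICOM communications", 7: "Image modality unit",
    8: "DICOM gateway", 9: "Relational database", 10: "PACS archive",
    11: "Workstation", 12: "Reporting system",
}


def allocation_matrix():
    """Boolean step-by-resource matrix implied by Table 6.

    Rows are steps A..M (T1..T13), columns are R1..R12. This is derived
    from the Table 6 sums, not copied from the poster's Table 2.
    """
    return [[int(s in USES[r]) for r in sorted(USES)] for s in sorted(BASE)]


def busy_seconds(times):
    """Seconds each resource is occupied per job (denominator of B_i)."""
    return {r: sum(times[s] for s in steps) for r, steps in USES.items()}


def bottleneck(times):
    """Return (resource index, jobs per hour) for the smallest B_i."""
    busy = busy_seconds(times)
    r = max(busy, key=busy.get)
    return r, 3600.0 / busy[r]


def throughput_reduction(before, after):
    """Fractional drop in the bottleneck limit between two sets of times."""
    return 1.0 - bottleneck(after)[1] / bottleneck(before)[1]


if __name__ == "__main__":
    for label, times in (("without encryption", BASE), ("with encryption", ENCRYPTED)):
        busy = busy_seconds(times)
        print(label)
        for r in sorted(busy):
            print(f"  R{r:<2} {RESOURCE[r]:<30} {busy[r]:>5} s  B = {1 / busy[r]:.6f} jobs/s")
        r, per_hour = bottleneck(times)
        print(f"  bottleneck: R{r} {RESOURCE[r]}, {per_hour:.2f} jobs/hour")
    print(f"change at bottleneck: {throughput_reduction(BASE, ENCRYPTED):.1%}")
```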