Presentation is loading. Please wait.

Presentation is loading. Please wait.

Health IT Workforce Curriculum Version 1.0/Fall 2010

Similar presentations


Presentation on theme: "Health IT Workforce Curriculum Version 1.0/Fall 2010"— Presentation transcript:

1 Component 4: Introduction to Information and Computer Science Unit 8c: Security

2 Health IT Workforce Curriculum Version 1.0/Fall 2010
Unit Objectives List and describe common security concerns Describe safeguards against common security concerns, including firewalls, encryption, virus protection software and patterns, programming for security, etc. Describe security concerns for wireless networks and how to address them List security concerns/regulations for health care applications Describe security safeguards used for health care applications Component 4/Unit 8c Health IT Workforce Curriculum Version 1.0/Fall 2010

3 Security and Wireless Networking
Wireless networks unsecure by their very nature. Home networks. Hot spots. Campus environments. Wireless networks everywhere in medical environment. Doctors & nurses move from room-to-room constantly. Hot spots include airports, coffee shops, hotels, and even city-wide wireless access. Component 4/Unit 8c Health IT Workforce Curriculum Version 1.0/Fall 2010

4 Wireless Device Security
Wireless Access Points (WAPs) must be configured for security: Change default password. Select unique SSID. Do not broadcast SSID. Require WPA2 authentication. Restrict access to known devices. Can program MAC addresses into WAP memory. WAPs are shipped with default passwords. Anyone can look up your WAPs default password on the Internet. The SSID is the service set identifier for the wireless network. It is the name for the network. If you do not broadcast your WAP’s SSID, it is harder, but not impossible, for others to find your wireless network. WEP (wireless equivalency protection) is an older technology that should not be used. WPA2 (wireless protected access, version 2) is a much better choice. All NICs have their own address, known as a MAC (media access control) address. Modern WAPs allow administrators to allow only recorded MAC addresses to authenticate their identify on the WAP. Component 4/Unit 8c Health IT Workforce Curriculum Version 1.0/Fall 2010

5 Wireless Device Security (cont’d)
Install digital certificates on sensitive devices. Only devices with known/valid certificates can communicate on network. Requires use of special servers. Not usually for small offices. Security with certificates is also a complex topic! Indeed, all security topics are complex. Certificates are used in wired and wireless environments. Every time you open a browser and perform online banking, your browser checks your bank’s certificate to ensure it is valid. In Windows Vista and Windows 7, the browser address bar turns green when the certificate is valid. If the address bar turns red, the certificate is invalid. You should not visit financial sites with an invalid certificate. The image shows a partial browser address bar with a valid bank certificate. Click the gold lock to view the bank’s certificate. Component 4/Unit 8c Health IT Workforce Curriculum Version 1.0/Fall 2010

6 Wireless Device Security (cont’d)
Smartphones All portable devices connecting to network need AV protection. Do not use a portable device for sensitive transactions unless it is AV protected. Do not open or attachments from unsolicited sources. Known sources might be virus infected, meaning that they did not send the /attachment. No exceptions. Component 4/Unit 8c Health IT Workforce Curriculum Version 1.0/Fall 2010

7 Health Care Applications and Security
U. S. Government’s stated goal: Most American’s to have access to electronic health records by 2014. Why EHRs? Mainly to... Improve quality of care. Decrease cost. Ensure privacy and security. Outsourcing introduces risk Medical transcriptionists in countries with different cultural values & EHR regulations. HHS, “HHS Announces Project to Help 3.6 Million Consumers Reap Benefits of Electronic Health Records”. Online: Informatics Professor, “Meaningful Use: A Highly Useful Construct for Informatics”. Online: Component 4/Unit 8c Health IT Workforce Curriculum Version 1.0/Fall 2010

8 Concerned About Security of Health Data?
Incorrect health data recorded. Someone else’s information in your record. Job discrimination. Denied employment or health coverage based on pre-existing condition. Personal privacy violated. Friends & family find out about embarrassing but non-infectious condition. Sharing of data between providers adds risk. Use of Internet always introduces risk. Component 4/Unit 8c Health IT Workforce Curriculum Version 1.0/Fall 2010

9 Health IT Workforce Curriculum Version 1.0/Fall 2010
What is an EHR System? Collection of health data about the business, patients, doctors, nurses, etc. Health data stored as records in database system. Records represent a complete event. What is stored in a database as one record? A patient’s personal information An office visit to your doctor. A blood test. An x-ray. Etc. An EHR is an electronic health record system. It represents a wide collection of data which includes electronic medical records. An EMR is an electronic medical record. Basically, an EMR is not an EHR because an EHR is made up of many EMRs. An EHR then provides the ability to accumulate EMR and other data to improve quality of care, reduce cost, etc. Component 4/Unit 8c Health IT Workforce Curriculum Version 1.0/Fall 2010

10 EHRs Used by Health Care Providers
EHRs are maintained by health care providers. EHRs are covered by HIPAA rules. EHRs utilize centralized database systems to integrate patient intake, medical care, pharmacy, billing, etc. into one system. Departments/entities may not be in same physical location, so patient data must travel over the Internet. People can view their own health record, taking ownership of its contents, ensuring accuracy, etc. Patient data must travel over the Internet, such as when a doctor's office bills an insurance company. HIPAA is the Health Insurance Portability and Accountability Act of 1996 (including subsequent amendments). Component 4/Unit 8c Health IT Workforce Curriculum Version 1.0/Fall 2010

11 Health IT Workforce Curriculum Version 1.0/Fall 2010
EHR Security Q & A How is my data sent over the Internet? It should be sent in an encrypted, secure manner over the Internet. Is my data safe? Much depends on each organization’s physical record and network security practices. No data is 100% secure against theft or misuse. Who can view my health records? Only those who need to know or view the contents of your health record should be able to view it. You must authorize all other access. In some cases, courts can force a health care provider to disclose health record information. Component 4/Unit 8c Health IT Workforce Curriculum Version 1.0/Fall 2010

12 Health IT Workforce Curriculum Version 1.0/Fall 2010
Federal Regulations HIPAA (Health Insurance Portability and Accountability Act) was enacted in 1996 by the federal government. HIPAA requires that health care providers, insurance companies, and employers abide by privacy and security standards. Wikipedia, Online: Information about HIPAA. Retrieved: July 6, 2010. Component 4/Unit 8c Health IT Workforce Curriculum Version 1.0/Fall 2010

13 Health IT Workforce Curriculum Version 1.0/Fall 2010
HIPAA and Privacy Privacy Rule HIPAA requires those covered by the act to provide patients a “Notice of Privacy Practices” when care is first provided. The Privacy Rule covers paper and electronic private health information. Security Rule Goes further than the Privacy Rule in that it covers administrative, physical, and technical data safeguards that must be enacted to secure electronic health record data. Governs who views data, how data is transported electronically, security measures, etc. Component 4/Unit 8c Health IT Workforce Curriculum Version 1.0/Fall 2010

14 Health IT Workforce Curriculum Version 1.0/Fall 2010
What is Privacy? Most privacy law revolves around privacy between a person and the government. According to Wikipedia, “The law of privacy regulates the type of information which may be collected and how this information may be used and stored.” i.e., privacy relates to people. Wikipedia, Online: Information about privacy law. Retrieved: July 6, 2010. Privacy, in this context, means that the fact that I visited my doctor is nobody’s business. This is a private matter. Component 4/Unit 8c Health IT Workforce Curriculum Version 1.0/Fall 2010

15 What is Confidentiality?
Not the same as privacy. According to Wikipedia, “Confidentiality is commonly applied to conversations between doctors and patients. Legal protections prevent physicians from revealing certain discussions with patients, even under oath in court. The rule only applies to secrets shared between physician and patient during the course of providing medical care.” i.e., confidentiality relates to data. Wikipedia, Online: Confidentiality. Retrieved: July 6, 2010. Confidentiality, in this context, means that the things discussed with my doctor is between me and my doctor. One could say that the fact that you visited your doctor is private and what you and your doctor discuss is confidential! Note that privacy and confidentiality are not mutually exclusive. Component 4/Unit 8c Health IT Workforce Curriculum Version 1.0/Fall 2010

16 Steps to Secure EHR & Records
Authenticate & authorize all record access Only those with ‘need to know’ can view. Only pertinent people can change records. Limit who can print electronic documents. All views and changes recorded for audit trail. Examples: A clerk can view the dates and charges related to an office visit but nothing about treatment. Nurses and doctors can view medical records for patients under their care and no one else. Component 4/Unit 8c Health IT Workforce Curriculum Version 1.0/Fall 2010

17 Steps to Secure EHR & Records (cont’d)
Device security Apply OS critical updates immediately. AV definitions always current. Restrict physical access to servers. Allow only authenticated device access. Secure electronic communications Encrypt all EHR communications. Client-server environment. Configure user accounts and groups. Implement network access protection mechanisms. Component 4/Unit 8c Health IT Workforce Curriculum Version 1.0/Fall 2010

18 Steps to Secure EHR & Records (cont’d)
Web environment considerations Implement HTTPS for all Web transactions. Validate all data entered into Web forms. Perform regular audits of access and changes Implement redundant devices Ensures that devices are available as expected. Load balance heavily used hardware devices. Prosecute security violations vigorously Backup EHR data with secure storage Component 4/Unit 8c Health IT Workforce Curriculum Version 1.0/Fall 2010


Download ppt "Health IT Workforce Curriculum Version 1.0/Fall 2010"

Similar presentations


Ads by Google