Presentation is loading. Please wait.

Presentation is loading. Please wait.

Unit 6a System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University,

Published bySybil Carson Modified over 8 years ago

Similar presentations

Presentation on theme: "Unit 6a System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University,"— Presentation transcript:

1 Unit 6a System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000024.

2 What We’ll Cover Regulatory requirements –HIPAA privacy and security rules Best practices Identify and assess protection measures –Access control –Firewalls –Intrusion detection –Encryption –Importance of user training Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring 2011 2

3 Security and Privacy Federal, state, and local laws govern access to and control of health record information, particularly: –Who can have access –What should be done to protect the data –How long the records should be kept –Whom to notify and what to do if a breach is discovered Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring 2011 3

4 Security and Privacy: HIPAA HIPAA = Health Insurance Portability and Accountability Act of 1996 –Protected health information (ePHI) includes any health information that: Explicitly identifies an individual Could reasonably be expected to allow individual identification. –Excludes PHI in education records covered by Family Educational Rights and Privacy Act (FERPA), employment records. Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring 2011 4

5 Security and Privacy: HIPAA (cont’d) 18 identifiers recognized as providing identifiable links to individuals. –Name, address, ZIP code –Dates (birth dates, discharge dates, etc.) –Contact info, including email, web URLs –Social Security Number or record numbers –Account numbers of any sort –License number, license plates, ID numbers –Device identifiers, IP addresses –Full face photos, finger prints, recognizable markings Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring 2011 5

6 Security and Privacy (cont’d) State and local laws vary. Federal law tends to supersede state and local laws. Where overlap occurs, always choose the tightest constraint. Our lecture will focus on federal regulatory obligations. Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring 2011 6

7 What is HIPAA Privacy? Federal law governing privacy of patients' medical records and other health information maintained by covered entities including: –Health plans, including Veterans Health Administration, Medicare, and Medicaid –Most doctors & hospitals –Healthcare clearinghouses Gives patients access to records and significant control over use and disclosure. Compliance required since April 2003. Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring 2011 7

8 HIPAA Privacy Rule Privacy and security complaints –All investigated by Office of Civil Rights (OCR) of Dept. of Health and Human Services (HHS), as of 2009. –54,562 complaints received (as of August 2010), of which 11,632 required corrective actions. –Steep fines for validated complaints. –Entities needing the most corrective actions: Private health care practices General hospitals Pharmacies Outpatient facilities Group health plans Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring 2011 8

9 HIPAA Privacy Rule (cont’d) Violations investigated most often: 1.Impermissible uses and disclosures of protected health information (ePHI) 2.Lack of safeguards of ePHI 3.Lack of patient access to their ePHI 4.Uses or disclosures of more than the minimum necessary ePHI 5.Complaints to the covered entity Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring 2011 9

10 HIPAA Security Rule Established standards for securing electronic protected health information (ePHI) created, received, maintained, or transmitted. –Delineated as “required” or “addressable”. –Designed to be flexible, scalable. By 2005, entities required to: –Ensure confidentiality, integrity, availability. –Identify and protect against reasonably anticipated threats to the security or integrity of the information. –Protect against reasonably anticipated, impermissible uses or disclosures. –Ensure compliance by workforce. Works in tandem with Privacy Rule. Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring 2011 10

11 What is Required by HIPAA Security Rule? Categories: 1.Administrative safeguards 2.Physical safeguards 3.Technical safeguards 4.Organizational requirements Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring 2011 11

12 Common Security Breaches According to the TCP/IP Core Networking Guide from Microsoft: Inside jobs, social engineering Brute force Eavesdropping, sniffing, snooping Data modification Identity spoofing Password-based attacks Denial of service attacks Man in the middle attacks Application layer attacks Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring 2011 12

13 Administrative Safeguards Address process of security management in your organization. Risk analysis –Evaluating likelihood and impact of potential risks to ePHI –Implementing appropriate security measures to address identified risks –Documenting security measures chosen, with rationale –Maintaining continuous, reasonable, appropriate protections Ongoing process, with regular reviews Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring 2011 13

14 Administrative Safeguards (cont’d) –Designated security official Responsible for developing and implementing security policies and procedures. Knowledge of good HIPAA practices Familiarity with established IT security standards Ability to interface well with all levels of management and staff Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring 2011 14

15 Administrative Safeguards (cont’d) –Policies & procedures for authorizing access to ePHI only when appropriate for one’s role (role-based access). Who gets access to ePHI data? What level of access is needed? Who is the agent authorizing the access? Is this authorization adequately documented? Is the access periodically reviewed? Is there a process for rescinding access when no longer needed? Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring 2011 15

16 Administrative Safeguards (cont’d) –Processes for appropriate authorization and supervision of workforce members who work with ePHI. –Well-documented training of all workforce members in security policies and procedures Appropriate sanctions against violators. Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring 2011 16

17 Physical Safeguards: Access Limit physical access to facilities, while ensuring that authorized access is allowed. –Server rooms where ePHI is stored –Work areas where ePHI is accessed –Back-up media storage potentially containing ePHI Inventory hardware and software. –Know where inventory is kept. –Know value of hardware, software, equipment. Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring 2011 17

18 Physical Safeguards: Access (cont’d) Policies and procedures for proper use of & access to workstations & electronic media, including transfer, removal, disposal, re-use. –Lock down publicly-accessible systems potentially containing ePHI. –Strong passwords (8-14 characters with variety of letters, symbols, numbers) changed regularly. –At least 256-bit encryption, especially for wireless, backups, & offsite data. –Media destroyed after being thoroughly wiped. Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring 2011 18

19 Technical Safeguards: Access Control Access controls, audit controls, integrity, person, user/entity authentication, transmission security Most effective: layered approach. –Multiple technologies employed concurrently. Adequate access controls include: –AD (Active Directory), LDAP (Lightweight Directory Access Protocol) –Vendor-specific controls usually part of EHR Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring 2011 19

20 Technical Safeguards: Firewall Inspects incoming network traffic; permits or denies access based on criteria. Hardware- or software-driven. Blocks ports through which intruders can gain access (e.g., port 80, which regulates web traffic). Most commonly placed on network perimeter (network-based) or network device (host- based). EHR will require certain ports to remain open. Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring 2011 20

21 Firewalls Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring 2011 21 Blocked Allowed NETWORK FIREWALL COMPUTER FIREWALL

22 Summary Protected health information (ePHI) –Strictly regulated by HIPAA and other government guidelines prohibiting unwanted, unauthorized access. –Should be protected using layered approach, including numerous, administrative, physical, and technical safeguards. Firewalls as first-level technical safeguard. Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring 2011 22

23 Reference Summary of the HIPAA Security Rule, US Department of Health & Human Services –http://www.hhs.gov/ocr/privacy/hipaa/understanding/s rsummary.htmlhttp://www.hhs.gov/ocr/privacy/hipaa/understanding/s rsummary.html “Common Types of Network Attacks” Microsoft Windows TCP/IP Core Networking Guide. Distributed Systems Guide, Windows 2000 Server –http://technet.microsoft.com/en- us/library/cc959354.aspxhttp://technet.microsoft.com/en- us/library/cc959354.aspx Strong Password Definition, Requirements, and Guidelines –http://ebenefitswebsites.com/home/sub1/faq/http://ebenefitswebsites.com/home/sub1/faq/ Component 8/Unit 8aHealth IT Workforce Curriculum Version 2.0 Spring 2011 23

Download ppt "Unit 6a System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University,"

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.
Hipaa privacy and Security

Hipaa privacy and Security
Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
HIPAA Health Insurance Portability and Accountability Act.

HIPAA Health Insurance Portability and Accountability Act.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.

Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
 The Health Insurance Portability and Accountability Act of 1996.  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.

 The Health Insurance Portability and Accountability Act of  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.
Health Insurance Portability & Accountability Act “HIPAA” To every patient, every time, we will provide the care that we would want for our own loved ones.

Health Insurance Portability & Accountability Act “HIPAA” To every patient, every time, we will provide the care that we would want for our own loved ones.

Similar presentations

Ads by Google