Title: HIPAA Security
1 HIPAA Security
- How not to get lost in the Big Ocean of Portable Electronic Health Records: Riding the Wave of Digital Health Information
Gary Beatty, President, EC Integrity, Inc.; Vice-Chair, ASC X12
Spring Conference, April 4, 2008
2 Influencing the move to eHealthcare
- Need to reduce the cost of health care
- Increase quality of health care
- Consumer driven health care
- Online health records
- Payer support for community health records
- Transparency in health care
- Pay for performance programs
- Governmental
3 Terminology
EMR
HR
EHR
PHR
CCR
Acronyms
Hybrids
PHI
4 Terminology
- Health Records (AHIMA)
- The legal business record for a healthcare organization.
- Individually identifiable information
- Any medium
- Collected, processed, stored, displayed
5 Terminology
- Health Records contain
- Diagnosis
- Medications
- Procedures
- Problems
- Clinical Notes
- Diagnostic Results
- Images
- Graphs
- Other items deemed necessary
6 Terminology
- Health Records
- Support continuity of care
- Planning patient care
- Provides planning information
- Resource allocation
- Trend analysis
- Forecasting
- Workload management
- Justification for billing information
7 Terminology
- Electronic Medical Record (EMR) (HIMSS)
- An application environment composed of
- Clinical Data Repository (CDR)
- Clinical Decision Support (CDS)
- Controlled medical terminology
- Order entry
- Computerized provider order entry
- Pharmacy
- Clinical document applications
- Enterprise support
- Inpatient and Outpatient
- Used to document, monitor and manage delivery of health care
- Electronic Medical Record (EMR) (HIMSS)
- The EMR is the legal record
- Owned by the Care Delivery Organization (CDO)
8 Terminology
- Electronic Health Record (EHR) (HIMSS)
- Longitudinal electronic medical record across encounters in any care delivery setting.
- Resource for clinicians
- Secure
- Real-time
- Point-of-care
- Patient centric information source
- Aids collection of data for other uses
- Billing
- Quality management
- Outcomes reporting
- Resource planning
- Public health disease surveillance
- Reporting
9 Terminology
- Electronic Health Record (EHR) (HIMSS)
- Includes
- Patient demographics
- Progress notes
- Problems
- Medications
- Vital signs
- Past medical history
- Immunizations
- Laboratory data
- Radiology reports
10 Terminology
- Electronic Health Record (EHR) (HIMSS)
- Automates / streamlines clinician's workflow
- Complete record of clinical encounter
- Supports other care-related activities
- Evidence-based decision support
- Quality management
- Outcome reporting
11 Terminology
- Personal Health Record (PHR)
- Created by the individual
- Summarizes health and medical history
- Gathered from many sources
- Format of PHR
- Paper
- Personal computer
- Internet based
- Portable storage
12 Terminology
- Continuity of Care Record (CCR)
- Patient Health Summary Standard
- ASTM / MMS / HIMSS / AAFP / AAP co-development
- Core health care components
- Sent from one provider to another
- Includes
- Patient demographics
- Insurance information
- Diagnosis and problem
- Medications
- Allergies
- Care plan
13 Terminology
- Hybrid Health Record
- Both
- Paper health records
- Electronic health records
14 Terminology
- Protected Health Information (PHI)
- Any health care information linked to a person
- Health Status
- Provision of Health Care
- Payment of Health Care
- Includes
- Names
- Geographic subdivision smaller than a state
- Dates related to an individual
- Phone Numbers
- Fax Numbers
- Email Addresses
- SSN
- Medical Record Numbers
- Beneficiary Numbers
- Account Numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers
- Finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
15 Security Concerns
- Privacy
- Can anyone else read it?
- Authentication
- How do I know who sent it?
- Data Integrity
- Did it arrive exactly as sent?
- Non-repudiation of receipt
- Can the receiver deny receipt?
- How do I know it got there?
- How do I track these activities?
16 Modes of Communication
- Internet / Intranet
- Wired
- Wireless
- WiFi (802.11a, b, g, i, n)
- Bluetooth (Personal Area Network - PAN)
- VoIP
- Dial-up
- Mobile Devices
- Smart Phones
- Mobile Standards (GSM, GPRS, etc.)
- PDA
- Tablet PCs
- Physical Media
- Magnetic, optical, flash (thumb drives), others
17 Wireless Security
- RC4 (ARC4 / ARCFOUR) Stream Cypher (easily broken)
- Secure Sockets Layer (SSL)
- WEP Wired Equivalent Privacy
- WPA WiFi Protected Access
- WPA2 (based upon 802.11i)
- Data Encryption Standards (DES)
- Advanced Encryption Standards (AES)
- Government strength encryption
18 Internet Security
- Firewall machines
- IP address selection
- ID Passwords
- Security techniques
- Encryption
- Digital Signatures
- Data Integrity Verification
- Non-repudiation
- Trading Partner Agreements (TPA)
19 Symmetric Key (Private)
(Diagram: PROVIDER, PLAINTEXT DOCUMENT, ENCRYPT, CYPHERTEXT, DECRYPT, PLAINTEXT DOCUMENT, PAYER; a single PRIVATE KEY is used for both ENCRYPT and DECRYPT)
20 Symmetric Key (Private)
- n (n-1) / 2 keys to manage
- 100 users would require 4950 keys
- Key size 128 bits
- Generally considered fast
(Diagram: users Gary, Alice, Julie, Karen, Frank, Erin, Dale and Mary)
21 Asymmetric Keys (Public/Private) PKI
(Diagram: PROVIDER, PLAINTEXT DOCUMENT, ENCRYPT, CYPHERTEXT, DECRYPT, PLAINTEXT DOCUMENT, PAYER; ENCRYPT uses the PAYER'S PUBLIC KEY and DECRYPT uses the PAYER'S PRIVATE KEY)
22 Asymmetric Keys (Public/Private)
- n key pairs needed for n partners
- key size (128, 768, 1024, 2048 bits)
- Generally considered slower
- What happens if you lose your key?
(Diagram: users Gary, Alice, Julie, Karen, Frank, Erin, Dale and Mary around a central Public Key Directory that lists them)
23 Authentication: Digitized vs. Digital Signature
- A digitized signature is a scanned image
- A digital signature is a numeric value that is
created by performing a cryptographic
transformation of the hash of the data using the
signer's private key.
Gary A. Beatty <garyb_at_eci.com>
24 Data Integrity
- Part of the digital signature process
- A secure one way hashing algorithm used to create
a hash of the data
(Diagram: an EHR passing between PROVIDER A and Provider B through Encoded and Cypher stages on each side, with labels PROVIDER A PRIVATE KEY, PROVIDER A PUBLIC KEY, Provider B PRIVATE KEY and Provider B PUBLIC KEY)
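The hash-then-sign process from slides 23 and 24, as an added example that is not part of the original presentation: the signer hashes the record and transforms the hash with a private key, and the receiver checks it with the public key. The key (built from known Mersenne primes so the code needs only the standard library), the unpadded textbook RSA transform and the sample record are assumptions made for illustration; real deployments use a padded signature scheme and properly generated keys.

```python
import hashlib

# Constructed toy key pair for Provider A: two Mersenne primes, chosen only
# so the example runs offline with the standard library. Not a real key.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent

def digest(data: bytes) -> int:
    """Secure one-way hash of the data (SHA-256) as an integer below N."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, d: int = D, n: int = N) -> int:
    """Signer: transform the hash of the data with the private key."""
    return pow(digest(data), d, n)

def verify(data: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Receiver: reverse the transform with the signer's public key and
    compare the result with a freshly computed hash of what arrived."""
    return pow(signature, e, n) == digest(data)

# Constructed sample record sent from Provider A to Provider B.
RECORD = b"PATIENT=TEST^SAMPLE|DX=J45.909|RX=albuterol 90mcg"

def demo() -> dict:
    sig = sign(RECORD)
    # Data integrity: a one-character change in transit breaks verification.
    tampered = RECORD.replace(b"90mcg", b"900mcg")
    # Authentication: a different (constructed) public key does not verify.
    other_n = (2**89 - 1) * (2**607 - 1)
    return {
        "valid": verify(RECORD, sig),
        "tampered": verify(tampered, sig),
        "wrong_key": verify(RECORD, sig, n=other_n),
    }

if __name__ == "__main__":
    print(demo())
```
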
25 Applicability Statement Standards: EDIINT Workgroup of IETF
- AS1 Applicability Statement 1
- Email exchange of electronic transactions
- S/MIME Secure Multi-Purpose Internet Mail Extensions
- Uses SMTP (Simple Mail Transfer Protocol)
- Satisfies Security Requirements
- Encryption
- Authentication
- Integrity
- Non-repudiation
- What's needed
- Email capability
- Electronic Transaction
- Digital Certificate
26 Applicability Statement Standards: EDIINT Workgroup of IETF
- AS2 Applicability Statement 2
- HTTP exchange of electronic transactions
- S/MIME Secure Multi-Purpose Internet Mail Extensions
- Uses HTTPS
- Hypertext Transfer Protocol over Secure Socket Layer
- Allows for REAL TIME delivery
- Satisfies Security Requirements
- Encryption
- Authentication
- Integrity
- Non-repudiation
- What's needed
- Web Server (static IP address)
- Electronic Transaction
- Digital Certificate
27 Applicability Statement Standards: EDIINT Workgroup of IETF
- AS3 Applicability Statement 3
- FTP exchange of electronic transactions
- S/MIME Secure Multi-Purpose Internet Mail Extensions
- Uses FTP File Transfer Protocol
- Allows for REAL TIME delivery
- Satisfies Security Requirements
- Encryption
- Authentication
- Integrity
- Non-repudiation
- What's needed
- FTP Server
- Electronic Transaction
- Digital Certificate
28 Digital Certificates
- Electronic Credit Card
- Establishes Credentials for electronic transactions
- Issued by Credential Authority
- Name
- Serial Number
- Expiration Dates
- Certificate Holder's Public Key
- Digital Certificate of Certification Authority
- Verified by Registration Authority
- X.509 Standards
- Registry of Digital Certificates
- Access with HIPAA Identifiers
29 Security Weak Links
- We can secure transmission of data!
- Weakest link usually when data is
- AT REST!
- Paper
- On the screen
- Waste baskets
- Physical Security
- Building access
- Data Center access
- Electronic Security
- Screen Savers
- Auto Logoff
30 Thank you