Design of Health Technologies lecture 22 - PowerPoint PPT Presentation

1 / 20
About This Presentation
Title:

Design of Health Technologies lecture 22

Description:

The Health and Human Services Agency published a proposed 'security rule' in ... A more sanguine perspective is that any mandatory IT upgrade is an opportunity ... – PowerPoint PPT presentation

Number of Views:36
Avg rating:3.0/5.0
Slides: 21
Provided by: csBer
Category:

less

Transcript and Presenter's Notes

Title: Design of Health Technologies lecture 22


1
Design of Health Technologieslecture 22
John Canny11/28/05
2
Healthcare IT Security
  • Security is a critical aspect of Health IT
    performance without secure systems, privacy
    protection is impossible.
  • The Health and Human Services Agency published a
    proposed security rule in August 1998. Final
    rule was adopted Feb. 2003.
  • Its a set of best practices for securing
    information systems. Compliance is mandatory for
    health providers, plans, and clearinghouses.

3
Security Rule Compliance
  • Large organizations were required to comply by
    April 21, 2005.
  • Small organizations must comply by April 21,
    2006.
  • Final rule is available here
  • http//www.cms.hhs.gov/hipaa/hipaa2/regulations/se
    curity/default.asp

4
Security Rule Compliance
  • The security rule creates an additional burden on
    providers to improve their IT infrastructure.
  • On the flip side, the same improvements might
    actually improve service (e.g. enabling
    internet-based secure health information access,
    or secure wireless).
  • A more sanguine perspective is that any mandatory
    IT upgrade is an opportunity for global
    improvement many problems can be fixed at once.

5
Data CIA (Confidentiality, Integrity,
Availability)
  • The security rule is divided into 3 parts
  • Administrative safeguards
  • Physical safeguards
  • Technical safeguards

6
Administrative safeguards
  • These steps are required at the highest level
  • Risk Analysis must be performed
  • Risk Management sufficient for compliance
  • Sanction Policy against employees who dont
    comply
  • Information System Activity Review records
    logs
  • Security Responsibility assign a security
    official

7
Administrative safeguards
  • Some required steps
  • Isolate Health Clearinghouse from rest of
    organization
  • Access Control for protected records
  • Access Establishment and modification
  • Security Reminders updates and messages
  • Protection from Malicious Software
  • Log-in Monitoring all login attempts
  • Password Management

8
Administrative safeguards
  • Standards for availability
  • Data Backup Plan
  • Disaster Recovery Plan
  • Emergency Mode Operation Plan
  • Testing and Revision of contingency plans
  • Applications and Data Criticality Analysis
    Identify the critical components in an emergency

9
Physical Safeguards
  • Here are some
  • Facility Access Control
  • Emergency Facility Access
  • Physical Access to Workstations
  • Media Access Controls
  • Disposal Policies
  • Media Erasure before Re-use

10
Technical Safeguards
  • Here are some
  • Access Controls
  • Unique User IDs
  • Emergency Access Procedures
  • Automatic Logoff (optional)
  • Encryption and Decryption (optional)
  • Audit Controls (optional)

11
Technical Safeguards
  • Some more optional sections
  • Access Records who accessed PHI
  • Personal Identity is the user really who they
    claim to be? Biometrics?
  • Transmission Security Secure communication
    channels

12
Over the Atlantic
  • The European Parliament has been passing security
    and privacy rules as well.
  • On the protection of medical data
    (Recommendation R(97)5) is still a
    recommendation.
  • The most recent is Directive 2002/58 Privacy
    and electronic communications Processing of
    personal data and the protection of privacy in
    electronic communication

13
R(97)5 summary
  • The European recommendation covers a lot of
    ground in the short document. It specifies both
    HIPAA-style privacy rules, as well as
    data-protection procedures.
  • Stronger emphasis on results of genetic testing
  • Patients should have access
  • It should not be illegal in the country
  • The information is not likely to cause harm (?)

14
Gritzalis et al. paper
  • This paper is based mostly on EU directives on
    general electronic privacy, as well as the
    medical security proposal.
  • The paper also includes a sample RA (Risk
    Analysis) for the Beta-Thalassemia unit using
    CRAMM (CCTA Risk Analysis and Management
    Methodology).

15
Risk Analysis
16
Risk Analysis
17
Gritzalis et al. paper
  • Proposals
  • Authentication Smart cards, X.509 certificates,
    CHAP, EAP
  • Communication SSL, application-level security
  • Disclosure from client machines (discourage)
  • Through explicit web form fields
  • Cookies and client-side script engines
  • Anonymization methods various technical
    approaches are listed, not clear any of these are
    intended to be used.

18
Gritzalis et al. paper
  • ASP model Control local code execution. Any code
    to be executed locally must be signed by someone
    (e.g. Microsoft or Verisign).
  • Aside Smart phones typically include additional
    quality control for locally-run code e.g. True
    Brew certification for Qualcomm Brew phones.
  • Other Certification Programs
  • Sony (Playstation)
  • Microsoft (Xbox)
  • Nintendo etc.
  • Microsoft for Windows device drivers

19
Medical service provider responsibilities
  • Inform users about their services, ask for
    consent for required uses of client information.
  • Use standards such as CEN and HL7
  • Use RBAC (Role-Based Access Control)
  • Moderated Mailing Lists (?) w/ usage permissions
  • Do not downgrade functionality to users who
    refuse to provide specific information

20
Discussion Questions
  • Q1 Is Quality Certification a viable method for
    helping to secure medical software? Points of
    comparison phone and driver software just
    mentioned, medical equipment, drugs, How could
    it be implemented?
  • Q2 Implementation of the security rule usually
    requires a significant overhaul of IT
    infrastructure. Discuss the trade-off in building
    secure systems from scratch vs. a generalized
    firewall approach which puts secure screens
    around vulnerable IT.
Write a Comment
User Comments (0)
About PowerShow.com