Security in Health Informatics






A major worry that patients have about having their medical information stored electronically is the security of that information. Patients are not the only ones concerned: professionals practicing Health Informatics know that if security is inadequate, outsiders could obtain this information and do whatever they pleased with it. Those professionals would then have to worry about potential lawsuits from patients who were assured that their information was confidential and secure.

The HHS Health Informatics Initiative has identified this topic as being very important and put it as one of the main topics in their overview:
(1) Strengthening Health Information Confidentiality and Security.
Improving health information systems depends on adequate confidentiality and security protections, an area to which HHS has always been committed. However, as technology provides vastly increased capabilities and benefits, new issues arise concerning how to protect the confidentiality and security of that information. HHS is increasingly looked to for national leadership in these areas. Accordingly, the Initiative provides support for leadership activities as well as research and development, evaluation and dissemination of cross-cutting approaches, techniques and tools for protecting the confidentiality and security of health information across HHS, and in partnership with industry and the research and public health communities. Examples include the development of standards and tools for disclosure avoidance, and research on methods of encryption, de-identification, and other privacy enhancing technologies.

These security breaches do not always come in the form of someone remotely hacking a computer, as many might think. The security of these systems can also be breached by someone physically stealing the hardware on which the information is stored. In January of this year this exact thing happened to the Department of Veterans Affairs, which has since learned firsthand how expensive it can be to lose patients' health information.
(2)
It looks like a recent data breach suffered by the Department of Veterans Affairs could be very pricey. Officials continue to deal with the recent loss of a hard drive, which disappeared from a VA medical center in Birmingham, AL in January of this year. The disk contained confidential data on any U.S. doctor who billed Medicaid or Medicare through 2004, as well as more than 500,000 VA patients. To date, the hard drive has not been found, despite a $25,000 reward for information on its whereabouts. According to VA officials, security weaknesses at the heart of the VA's VistA health information system played a role in the breach. While the VA is working to update VistA security, the process could take until 2015. In the meantime, the agency has gotten hammered by members of Congress over this incident, as well as a lapse last year which exposed 26.5 million records. That breach cost the agency $160.5 million just for credit counseling and related services for affected patients.

One approach to securing this information is to restrict more tightly who has access to it. Security would be much easier to monitor if every person with access to this confidential information has been taught to keep it secure, and if security methods are put in place and enforced. These ideas are laid out in the Waterloo Institute for Health Informatics Research privacy policy as one of its concepts for improving the security of health information:
(3) Institute and develop procedures to safeguard the security of visitors' personal information, governing access to, use of and disclosure of personal information.
Health Informatics will ensure that visitor information is securely stored and that such data is available only to Health Informatics staff who have a legitimate need and authorization to access the data. Further, staff who have access to visitor data will be informed of Health Informatics's policies as they relate to the use of the data. At the same time, similar approaches to privacy will be expected of external parties who have access to visitor data.

It is obvious to everyone that no security method will ever be impenetrable to outsiders. The best theory seems to be to reduce the availability of the information so that it is very difficult for anyone to see except for those who are supposed to see it. As health informatics grows as a field, the security of the information will become even more important. Practices that are currently updating their records from paper to electronic need to keep in mind that information security still needs to be one of their top priorities.

Security Updates
The update process is triggered by the release of a patch from a product vendor that removes a newly discovered vulnerability. All vendors, users, and healthcare facilities need to be aware of any vulnerabilities or threats that exist. It is the vendor's responsibility to monitor what risks could affect the proper operation of their product. Users should also monitor patch releases, since many of the risks apply across their IT infrastructure. Due to the number of patch releases and the low percentage that impact safety, it is impractical for vendors to notify users at the release stage.

Choosing the Best Solution

In For the Record: Protecting Electronic Health Information (1996), the National Research Council Computer Science and Telecommunications Board encourages all healthcare organizations to implement technical measures for managing data security of the following types:
1. Strong authentication. Organizations should adopt authentication systems incorporating single-session or encrypted authentication protocols and token-based authentication systems. These systems should take into account physical security as well as logical security. Logical solutions consist of passwords, whereas physical solutions would include smart cards or proximity cards.
2. Enterprise-wide authentication. Enterprise-wide authentication solutions consist of a system-wide solution that allows users to become authenticated. Rather than requiring numerous different options on each machine, it is best to use an option, like Server administration, to implement the security.
3. Access validation. Users' access should be limited at the beginning. As they gain more responsibility, you can increase the amount of permissions that they have.
4. Expanded audit trails. All HIT organizations should be able to maintain logs of all internal accesses to clinical information. This allows data changes to be tracked and supports security audits.
5. Electronic authentication of records. Healthcare organizations should adopt an electronic signature system; this allows the organization to keep a record of who made changes to the files and what changes were made.
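
The audit-trail and electronic-authentication measures above can be combined in one log, shown here as an added Python example that is not part of the original page or of the National Research Council report. Every access or change is signed by the acting user and linked to the previous entry, so an edited or deleted entry is detectable. The user names, keys, record ID and function names are constructed for illustration, and HMAC is an assumed stand-in for a real electronic signature scheme.

```python
import hashlib
import hmac
import json

# Constructed per-user keys. Assumption: HMAC stands in for the electronic
# signature; a real system would use asymmetric keys held on a token or card.
USER_KEYS = {"dr_lee": b"constructed-key-1", "nurse_kim": b"constructed-key-2"}
GENESIS = "0" * 64  # link value used by the first entry


def _sign(entry):
    """HMAC over every field of the entry except the signature itself."""
    fields = {k: entry.get(k) for k in ("user", "action", "record_id", "detail", "prev")}
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(USER_KEYS[entry["user"]], body, hashlib.sha256).hexdigest()


def append_entry(log, user, action, record_id, detail=""):
    """Record one access or change, linked to the previous entry and signed."""
    prev = log[-1]["sig"] if log else GENESIS
    entry = {"user": user, "action": action, "record_id": record_id,
             "detail": detail, "prev": prev}
    entry["sig"] = _sign(entry)
    log.append(entry)
    return entry


def first_invalid(log):
    """Index of the first altered, unsigned or unlinked entry; None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("user") not in USER_KEYS or entry.get("prev") != prev:
            return i
        if not hmac.compare_digest(_sign(entry), entry.get("sig", "")):
            return i
        prev = entry["sig"]
    return None


def build_sample_log():
    """Constructed sample: two reads and one update of one patient record."""
    log = []
    append_entry(log, "nurse_kim", "read", "patient-0001")
    append_entry(log, "dr_lee", "update", "patient-0001", "allergy: none -> penicillin")
    append_entry(log, "nurse_kim", "read", "patient-0001")
    return log
```

Running first_invalid over the stored log during a security audit returns None when the trail is intact, or the position of the first entry whose content, signer or link to its predecessor no longer verifies.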

What Happens if Data is Compromised?
Once the patch is announced, it is necessary to understand the potential risk posed by the vulnerability addressed by the patch. Vendors will need to evaluate the security vulnerability to see what impact it will have, or has had, on the current system. To determine the risk, the Common Vulnerabilities and Exposures classification system will be used as shared vocabulary and for assessing the severity of a vulnerability.
The actual threat may vary for each healthcare system depending on how the software is used. Many factors can reduce or even eliminate the potential security consequences of a vulnerability. For vulnerabilities that affect a component that is disabled or not installed in the system, or vulnerabilities that otherwise pose minimal risk to the system, the product vendor may decide not to release the patch. However, in most cases it is better to protect yourself from the potential of impact, rather than to face the consequences of becoming a victim.


Security Practices
Initiated/owned by:
1. Physician: Covered by HIPAA
2. Plan: Covered by HIPAA
3. Patient: Not covered by HIPAA
4. Employer: Not covered by HIPAA

RHIOs must maintain the privacy and security of protected health information (PHI) and must do so in a manner that complies with the Health Insurance Portability and Accountability Act (HIPAA) privacy and security standards. This is true despite the fact that these standards will not apply directly to most RHIOs, because most RHIOs will not be covered entities. However, covered entities that participate in a RHIO by either providing data to the RHIO or obtaining data from the RHIO must comply with the privacy and security rules and will want to ensure compliance by the RHIO. Accordingly, RHIOs must build information privacy and security into both their technology and business processes.




Citations/References:
(1) http://aspe.hhs.gov/datacncl/informatics.htm
(2) http://www.fiercehealthit.com/story/va-could-spend-20m-on-data-breach-response/2007-06-18
(3) http://learningspace.uwaterloo.ca/hi/privacypolicy.php
(4) http://www.himss.org/content/files/Patching_OffTheShelfSoftware_Used_in_MedIS_October_2004.pdf
(5) http://www.himss.org/ASP/topics_FocusDynamic.asp?faid=212
(6) http://www.himss.org/ASP/topics_FocusDynamic.asp?faid=225
(7) http://www.himss.org/ASP/topics_FocusDynamic.asp?faid=226
