Uploaded byCMDLearning
PPTX, PDF25 views

Security & Privacy - Lecture E

This document provides an overview of the key learning objectives and content covered in Lecture e of an Introduction to Computer Science course on Security and Privacy. The lecture explains security and privacy concerns associated with Electronic Health Records (EHRs), describes security safeguards used for healthcare applications, and provides basics of ethical behavior online. References are also included that were cited in Lecture e.

Embed presentation

Download to read offline
Introduction to Computer Science Security and Privacy Lecture e This material (Comp 4 Unit 7) was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number 90WT0001. This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/.
Security and Privacy Learning Objectives - 1 • Define cybercrime and cybersecurity (Lecture a) • List common information technology (IT) security and privacy concerns (Lecture a) • List hardware components that are usually attacked by the hackers (Lecture a) • Explain some of the common methods of attack (Lecture b) 2
Security and Privacy Learning Objectives - 2 • Describe common types of malware (Lecture b) • Explain social engineering methods used by cybercriminals (Lecture b) • Describe methods and tools available for protection against cyberattacks (Lecture c) • Describe practices designed to minimize the risk of successful cyberattack (Lecture d) 3
Security and Privacy Learning Objectives - 3 • Address specifics of wireless device security (Lecture d) • Explain security and privacy concerns associated with EHRs (Lecture e) • Describe security safeguards used for health care applications (Lecture e) • Provide the basics of ethical behavior online (Lecture e) 4
Health Care Applications and Security • U.S. Government’s stated goal: – Most Americans to have access to electronic health records (EHRs) by 2014 • Why EHRs? – Improve quality of care – Decrease cost – Ensure privacy and security • Outsourcing introduces risk – Countries with different cultural values and EHR regulations 5
Health Record Security Concerns • Incorrect health data recorded • Job discrimination • Personal privacy violated • Sharing of data between providers adds risk • Use of Internet always introduces risk 6
What is an EHR System? • Collection of health data about the business, patients, doctors, nurses • Health data stored as records in database system • Records represent a complete event – Example: o A patient’s personal information o Reason for office visit o Tests ordered and their results 7
EHRs are… 1 • Used and maintained by health care providers • Covered by Health Insurance Portability and Accountability Act (HIPAA) rules • Centralized database systems used to integrate patient intake, medical care, pharmacy, and billing into one system 8
EHRs are… 2 • Used to send data over the Internet when departments/entities are not in same physical location • Accessible by individual patient 9
EHR Security Q & A - 1 • How is data sent over the Internet? – It should be sent in an encrypted, secure manner over the Internet • Is my personal data safe? – Much depends on each organization’s physical record and network security practices – No data is 100% secure against theft or misuse 10
EHR Security Q & A - 2 • Who can view my health records? – Only those who need to know or view the contents of a health record should be able to view it o Patient must authorize all other access 11
Federal Rules Emerge • HIPAA enacted in 1996 • HIPAA establishes privacy and security standards established for: – Health care providers – Health insurance companies – Care clearinghouses (organizations that translate claims data in to and out of HIPAA- standard format) 12
HIPAA and Privacy • Privacy Rule – Requires those covered to provide patients a “Notice of Privacy Practices” when care is first provided – Covers paper and electronic private health information • Security Rule – Covers administrative, physical, and technical data safeguards that secure electronic health record data 13
What is Privacy? • Most privacy laws revolves around privacy between a person and the government • “The law of privacy regulates the type of information which may be collected and how this information may be used and stored.” Wikipedia, 2016 • Privacy relates to people. 14
What is Confidentiality? • “Confidentiality is commonly applied to conversations between doctors and patients. Legal protections prevent physicians from revealing certain discussions with patients, even under oath in court. The rule only applies to secrets shared between physician and patient during the course of providing medical care.” Wikipedia. 2016 • Confidentiality relates to data 15
Steps to Secure EHR - 1 • Authenticate and authorize ALL record access – Only those who “need to know” can view – Only pertinent people can change records – Limit who can print electronic documents – All views and changes recorded for audit trail 16
Steps to Secure EHR - 2 • Examples: – A clerk can view the dates and charges related to an office visit but nothing about treatment – Nurses and doctors can view medical records only for patients under their direct care • Security outlines the structure to enforce privacy and security 17
Steps to Secure EHR - 3 • Device security – Apply operating system critical updates immediately – Install current Anti-virus definitions – Restrict physical access to servers – Allow only authenticated device access 18
Steps to Secure EHR - 4 • Secure electronic communications – Encrypt all EHR communications – Client-server environment – Configure user accounts and groups – Implement network access protection mechanisms 19
Steps to Secure EHR - 5 • Web environment considerations – Implement HTTPS for all web transactions – Validate all data entered into web forms – Perform regular audits of access and changes • Implement redundant devices – Ensures that devices are available as expected – Load-balance heavily used hardware devices 20
Steps to Secure EHR - 6 • Prosecute security violations vigorously • Backup EHR data with secure storage 21
Free Online PHR Systems – PHRs maintained by individuals – Some PHRs not covered by HIPAA rules – Resources o Microsoft HealthVault - www.healthvault.com/ o WebMD Health Manager - http://www.webmd.com/phr 22
Ethical Behavior Online • Mistakes Happens • Need to Know vs. Want to Know • Online Ratings • Data Breaches 23
Security and Privacy Summary – Lecture e • Explained security and privacy concerns associated with Electronic Health Records (EHRs) • Described security safeguards used for health care applications • Provided basics of ethical behavior when online 24
Security and Privacy Summary - 1 • Cybercrime and cybersecurity • Common IT security and privacy concerns • Hardware components usually attacked by the hackers; common methods of attack • Common types of malware • Social engineering methods used by cybercriminals • Methods and tools available for protection against cyberattacks 25
Security and Privacy Summary - 2 • Practices designed to minimize the risk of successful cyberattack • Specifics of wireless device security • Security and privacy concerns associated with EHRs • Security safeguards used for health care applications • Basics of ethical behavior online 26
Security and Privacy References – 1 – Lecture e References Dyer, K. A. (2011, June 2). Ethical Challenges of Medicine and Health on the Internet: A Review. Retrieved from http://www.ncbi.nlm.nih.gov/pmc/articles/PMC1761893/ Greysen, S. (2010, July 15). Online Professionalism and the Mirror of Social Media. Retrieved April 20, 2016, from http://link.springer.com/article/10.1007/s11606-010- 1447-1 Health and Human Services. HHS Announces Project to Help 3.6 Million Consumers Reap Benefits of Electronic Health Records. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://www.hhs.gov/news/press/2007pres/10/pr20071030a.html. Improving Ethics Quality in Health Care. (n.d.). Retrieved April 20, 2016, from http://www.ethics.va.gov/elprimer.pdf Informatics Professor, Meaningful Use: A Highly Useful Construct for Informatics. [Internet]. 2010 May [cited 2011 Nov 07]. Available from: http://informaticsprofessor.blogspot.com/2010/05/meaningful-use-highly-useful- construct.html. Kraus, R. (2004). Ethical and Legal Considerations for Providers of Mental Health Services Online. In Online Counseling, 2nd ed.: A Handbook for Mental Health Professionals. San Diego, CA: Elsevier Academic Press. 27
Security and Privacy References – 2 – Lecture e References Wikipedia. Network security. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://en.wikipedia.org/wiki/Network_security. Wikipedia. Wireless security. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://en.wikipedia.org/wiki/Wireless_security. Wikipedia. Wireless LAN security. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://en.wikipedia.org/wiki/Wireless_LAN_security. Wikipedia. Electronic health record. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://en.wikipedia.org/wiki/Electronic_health_record. Wikipedia. Electronic medical record. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://en.wikipedia.org/wiki/Electronic_medical_record. 28
Introduction Computer Science Security and Privacy Lecture e This material was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number 90WT0001. 29

More Related Content

PPTX
HIPAA Audit Implementation
byValency Networks
 
PPTX
HIPPA Security Presentation
byRebecca Norman
 
PPT
Group presentation hippa ppt
byMari Mina
 
PPTX
ELECTRONIC HEALTH RECORD SYSTEMS:
byMirasolmanginyog
 
PPTX
Week 7 issues and challenges
byRoy Dahildahil
 
PPT
Electronic Records
byThomasSchuler
 
PPT
Legal and Ethical Considerations in Nursing Informatics
byKimarie Brown
 
PDF
Hipaa and social media using new
byOnlineAudio Training
 
HIPAA Audit Implementation
byValency Networks
 
HIPPA Security Presentation
byRebecca Norman
 
Group presentation hippa ppt
byMari Mina
 
ELECTRONIC HEALTH RECORD SYSTEMS:
byMirasolmanginyog
 
Week 7 issues and challenges
byRoy Dahildahil
 
Electronic Records
byThomasSchuler
 
Legal and Ethical Considerations in Nursing Informatics
byKimarie Brown
 
Hipaa and social media using new
byOnlineAudio Training
 

What's hot

PPTX
Health Database and Regulations in Taiwan (APrIGF2018)
byYingChu Chen
 
PPT
HIPAA Compliance
byManny Oliverez
 
PPT
Hipaa
bybelziebub
 
PPTX
Information technology in health care management
bymohamedmoosa2
 
PDF
Personal Health Record over Encrypted Data Using Cloud Service
byYogeshIJTSRD
 
PDF
Health Information Technology Workforce Development Program Presentation
byBDPA Charlotte - Information Technology Thought Leaders
 
PPTX
Safety of protected health information (phi)
byJosette Pribilla
 
PPT
HIPAA week1
bywbryant1
 
PPTX
Medical applications using io t
byKPR INSTITUE OF ENGINEERING AND TECHNOLOGY
 
PPTX
Health insurance portability and act(hipaa)2
by9535814851
 
PPT
What is hipaa
bydigitalpractice
 
PPTX
connected Medical devices IoT Cybersecurity reference architecture Telemedicine
byAlessandro Sappia
 
PDF
Telemedicine software platform for hospitals & healthcare providers an ul...
byAndrewSebastian17
 
PDF
IRJET- MedBlock System for Securing Medical Records
byIRJET Journal
 
PPTX
Medical device security_anirudh
byanirudh duggal
 
PPSX
8.2 Demonstration Health - IT benifits - Bagmishika Puhan ( Session 8)
byApollo Hospitals Group and ATNF
 
PDF
IRJET-A Survey on provide security to wireless medical sensor data
byIRJET Journal
 
PDF
Cybersécurité des dispositifs médicaux
byMarket iT
 
Health Database and Regulations in Taiwan (APrIGF2018)
byYingChu Chen
 
HIPAA Compliance
byManny Oliverez
 
Hipaa
bybelziebub
 
Information technology in health care management
bymohamedmoosa2
 
Personal Health Record over Encrypted Data Using Cloud Service
byYogeshIJTSRD
 
Health Information Technology Workforce Development Program Presentation
byBDPA Charlotte - Information Technology Thought Leaders
 
Safety of protected health information (phi)
byJosette Pribilla
 
HIPAA week1
bywbryant1
 
Medical applications using io t
byKPR INSTITUE OF ENGINEERING AND TECHNOLOGY
 
Health insurance portability and act(hipaa)2
by9535814851
 
What is hipaa
bydigitalpractice
 
connected Medical devices IoT Cybersecurity reference architecture Telemedicine
byAlessandro Sappia
 
Telemedicine software platform for hospitals & healthcare providers an ul...
byAndrewSebastian17
 
IRJET- MedBlock System for Securing Medical Records
byIRJET Journal
 
Medical device security_anirudh
byanirudh duggal
 
8.2 Demonstration Health - IT benifits - Bagmishika Puhan ( Session 8)
byApollo Hospitals Group and ATNF
 
IRJET-A Survey on provide security to wireless medical sensor data
byIRJET Journal
 
Cybersécurité des dispositifs médicaux
byMarket iT
 

Similar to Security & Privacy - Lecture E

PPTX
HIPAA Privacy and Security
byParsons Behle & Latimer
 
PPTX
Standards and Best Practices for Confidentiality of Electronic Health Records
byremoved_62798267384a091db5c693ad7f1cc5ac
 
PPTX
Patient Privacy Provisions of the HITECH Act Implications for Patients and Sm...
byXiaoming Zeng
 
PPTX
Healthcare and Cyber security
byBrian Matteson, CISSP CISA
 
PPTX
Privacy, Confidentiality, and Security_lecture 1_slides
byZakCooper1
 
PPTX
telemedicineppt.pptx
byRiyaMathur18
 
PDF
HIPAA Compliant Cloud Computing, An Overview
byClearDATACloud
 
PPTX
Electronic health records
byJocelyn Garcia
 
DOCX
Nationwide Privacy and Security Framework for Electronic Exchange of.docx
bystirlingvwriters
 
PPTX
Comp8 unit6a lecture_slides
byCMDLMS
 
DOCX
Virtual Mentor American Medical Association Journal of Ethi.docx
bysheronlewthwaite
 
PDF
HIPAA Guidelines a QuickStudy Laminated Reference Guide First Edition, New Ed...
byfeuzehayaad
 
PPTX
Privacy, Confidentiality, and Security Lecture 3_slides
byZakCooper1
 
PPTX
Privacy, Confidentiality, and Security Lecture 4_slides
byZakCooper1
 
PDF
2022-02-17-1300-emr-in-healthcare-tlpwhite.pdf
byMOHAMMED YASER HUSSAIN
 
PDF
Bleaking_8_Gonnella_Privacy and Security of Patient Healthcare Information Us...
byPaul Bleaking
 
PPTX
Regulating Healthcare - Lecture D
byCMDLearning
 
PPTX
EHR PPT Chapter 3.pptx
byanjalatchi
 
PPT
Baker HIMSS Staffers Final
bybakerdb
 
PDF
DVHIMSS Ensuring Privacy and Security of HIEs in PA
byWilliam Buddy Gillespie ITIL Certified
 
HIPAA Privacy and Security
byParsons Behle & Latimer
 
Standards and Best Practices for Confidentiality of Electronic Health Records
byremoved_62798267384a091db5c693ad7f1cc5ac
 
Patient Privacy Provisions of the HITECH Act Implications for Patients and Sm...
byXiaoming Zeng
 
Healthcare and Cyber security
byBrian Matteson, CISSP CISA
 
Privacy, Confidentiality, and Security_lecture 1_slides
byZakCooper1
 
telemedicineppt.pptx
byRiyaMathur18
 
HIPAA Compliant Cloud Computing, An Overview
byClearDATACloud
 
Electronic health records
byJocelyn Garcia
 
Nationwide Privacy and Security Framework for Electronic Exchange of.docx
bystirlingvwriters
 
Comp8 unit6a lecture_slides
byCMDLMS
 
Virtual Mentor American Medical Association Journal of Ethi.docx
bysheronlewthwaite
 
HIPAA Guidelines a QuickStudy Laminated Reference Guide First Edition, New Ed...
byfeuzehayaad
 
Privacy, Confidentiality, and Security Lecture 3_slides
byZakCooper1
 
Privacy, Confidentiality, and Security Lecture 4_slides
byZakCooper1
 
2022-02-17-1300-emr-in-healthcare-tlpwhite.pdf
byMOHAMMED YASER HUSSAIN
 
Bleaking_8_Gonnella_Privacy and Security of Patient Healthcare Information Us...
byPaul Bleaking
 
Regulating Healthcare - Lecture D
byCMDLearning
 
EHR PPT Chapter 3.pptx
byanjalatchi
 
Baker HIMSS Staffers Final
bybakerdb
 
DVHIMSS Ensuring Privacy and Security of HIEs in PA
byWilliam Buddy Gillespie ITIL Certified
 

More from CMDLearning

PPT
What is Health Informatics - Lecture B
byCMDLearning
 
PPTX
Evolution of and Trends in Health Care - Lecture D
byCMDLearning
 
PPTX
Evolution of and Trends in Health Care - Lecture C
byCMDLearning
 
PPTX
Evolution of and Trends in Health Care - Lecture B
byCMDLearning
 
PPTX
Evolution of and Trends in Health Care - Lecture A
byCMDLearning
 
PPTX
Public Healthcare (Part 2) Lecture C
byCMDLearning
 
PPTX
Public Healthcare (Part 2) Lecture B
byCMDLearning
 
PPTX
Public Healthcare (Part 2) Lecture A
byCMDLearning
 
PPTX
Public Health (Part 1) Lecture C
byCMDLearning
 
PPTX
Public Health (Part 1) Lecture B
byCMDLearning
 
PPTX
Public Health (Part 1) Lecture A
byCMDLearning
 
PPTX
Regulating Healthcare - Lecture E
byCMDLearning
 
PPTX
Regulating Healthcare - Lecture C
byCMDLearning
 
PPTX
Regulating Healthcare - Lecture A
byCMDLearning
 
PPTX
Regulating Healthcare - Lecture B
byCMDLearning
 
PPTX
Financing Healthcare (Part 2) Lecture C
byCMDLearning
 
PPTX
Financing Healthcare (Part 2) Lecture B
byCMDLearning
 
PPTX
Financing Healthcare (Part 2) Lecture A
byCMDLearning
 
PPTX
Financing Healthcare (Part 2) Lecture D
byCMDLearning
 
PPTX
Financing Healthcare (Part 1) Lecture D
byCMDLearning
 
What is Health Informatics - Lecture B
byCMDLearning
 
Evolution of and Trends in Health Care - Lecture D
byCMDLearning
 
Evolution of and Trends in Health Care - Lecture C
byCMDLearning
 
Evolution of and Trends in Health Care - Lecture B
byCMDLearning
 
Evolution of and Trends in Health Care - Lecture A
byCMDLearning
 
Public Healthcare (Part 2) Lecture C
byCMDLearning
 
Public Healthcare (Part 2) Lecture B
byCMDLearning
 
Public Healthcare (Part 2) Lecture A
byCMDLearning
 
Public Health (Part 1) Lecture C
byCMDLearning
 
Public Health (Part 1) Lecture B
byCMDLearning
 
Public Health (Part 1) Lecture A
byCMDLearning
 
Regulating Healthcare - Lecture E
byCMDLearning
 
Regulating Healthcare - Lecture C
byCMDLearning
 
Regulating Healthcare - Lecture A
byCMDLearning
 
Regulating Healthcare - Lecture B
byCMDLearning
 
Financing Healthcare (Part 2) Lecture C
byCMDLearning
 
Financing Healthcare (Part 2) Lecture B
byCMDLearning
 
Financing Healthcare (Part 2) Lecture A
byCMDLearning
 
Financing Healthcare (Part 2) Lecture D
byCMDLearning
 
Financing Healthcare (Part 1) Lecture D
byCMDLearning
 

Recently uploaded

PDF
UNIT CONCEPT OF ISOLATION (2).pdf and control of micro organism
byrobinam733
 
PPTX
Disability Service Providers Padstow Helping You Live Independently and Confi...
bycircleofhopesndis
 
PPTX
Hospital-Administrative-Statistics- advanced II
byEphy .
 
PDF
Tran Quoc Bao led Top Voices in Vietnam Healthcare - The Leaders Rewriting a ...
byIgnite Capital A.G
 
PPTX
DeLorme Techniques.he DeLorme exercise regime or DeLorme method or progressiv...
byDrTabassumAzmi1
 
PPTX
Vitamin A deficiency, Vitamin A deficiency.pptx
byMeghna Verma
 
PDF
Unit 1 cosmetic-science INTRODUCTION CLASSIFICATION
byPravara Rural Education Societies Institute of Pharmacy, Loni
 
PPTX
Hatha Yoga Teacher Training Course Overview.pptx
byKaruna Yoga Vidya Peetham
 
PPTX
FRACTURE HEALING.pptxooo.pptx orthopaedics
by282rksv9zt
 
PPT
NON-EPITHELIAL tumors-Benign LIPOMA, GIANT CELL GRANULOMA
byssuser3eb2ec
 
PPTX
iv fluid therapy with special emphasis in renal disease
bykrishiprasad71
 
PDF
NABH Entry Level Certification – Complete Implementation & Assessment Manual.pdf
byDr Jitu Lal Meena
 
PDF
The Role of Mid Day Meal Schemes in Reducing Classroom Hunger
byAkshaya Patra Foundation USA
 
PDF
Big Push for Dholera in Gujarat Budget 2026 Semiconductor, MSME & Infra Get M...
byShivgan Infratech
 
PDF
eClaim Solution | Your Trusted Partner in Medical Billing
byeClaim Solution
 
PPTX
Find Your Focus:The Tolerance Window Guide
byUtkarsh Srivastava
 
PPTX
Beginner's Yoga Teacher Training Course.pptx
byKaruna Yoga Vidya Peetham
 
PDF
Chest XRay Normal vs Abnormal A Complete Visual Guide By Durjay Laha Radio...
byDurjay Laha
 
PPTX
Menopause and Role of Physiotherapy in Women’s Health
byrutujagawande144
 
PDF
What is Medical Coding & Its Role in Revenue Cycle Management
byeClaim Solution
 
UNIT CONCEPT OF ISOLATION (2).pdf and control of micro organism
byrobinam733
 
Disability Service Providers Padstow Helping You Live Independently and Confi...
bycircleofhopesndis
 
Hospital-Administrative-Statistics- advanced II
byEphy .
 
Tran Quoc Bao led Top Voices in Vietnam Healthcare - The Leaders Rewriting a ...
byIgnite Capital A.G
 
DeLorme Techniques.he DeLorme exercise regime or DeLorme method or progressiv...
byDrTabassumAzmi1
 
Vitamin A deficiency, Vitamin A deficiency.pptx
byMeghna Verma
 
Unit 1 cosmetic-science INTRODUCTION CLASSIFICATION
byPravara Rural Education Societies Institute of Pharmacy, Loni
 
Hatha Yoga Teacher Training Course Overview.pptx
byKaruna Yoga Vidya Peetham
 
FRACTURE HEALING.pptxooo.pptx orthopaedics
by282rksv9zt
 
NON-EPITHELIAL tumors-Benign LIPOMA, GIANT CELL GRANULOMA
byssuser3eb2ec
 
iv fluid therapy with special emphasis in renal disease
bykrishiprasad71
 
NABH Entry Level Certification – Complete Implementation & Assessment Manual.pdf
byDr Jitu Lal Meena
 
The Role of Mid Day Meal Schemes in Reducing Classroom Hunger
byAkshaya Patra Foundation USA
 
Big Push for Dholera in Gujarat Budget 2026 Semiconductor, MSME & Infra Get M...
byShivgan Infratech
 
eClaim Solution | Your Trusted Partner in Medical Billing
byeClaim Solution
 
Find Your Focus:The Tolerance Window Guide
byUtkarsh Srivastava
 
Beginner's Yoga Teacher Training Course.pptx
byKaruna Yoga Vidya Peetham
 
Chest XRay Normal vs Abnormal A Complete Visual Guide By Durjay Laha Radio...
byDurjay Laha
 
Menopause and Role of Physiotherapy in Women’s Health
byrutujagawande144
 
What is Medical Coding & Its Role in Revenue Cycle Management
byeClaim Solution
 

Security & Privacy - Lecture E

  • 1.
    Introduction to ComputerScience Security and Privacy Lecture e This material (Comp 4 Unit 7) was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number 90WT0001. This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/.
  • 2.
    Security and Privacy LearningObjectives - 1 • Define cybercrime and cybersecurity (Lecture a) • List common information technology (IT) security and privacy concerns (Lecture a) • List hardware components that are usually attacked by the hackers (Lecture a) • Explain some of the common methods of attack (Lecture b) 2
  • 3.
    Security and Privacy LearningObjectives - 2 • Describe common types of malware (Lecture b) • Explain social engineering methods used by cybercriminals (Lecture b) • Describe methods and tools available for protection against cyberattacks (Lecture c) • Describe practices designed to minimize the risk of successful cyberattack (Lecture d) 3
  • 4.
    Security and Privacy LearningObjectives - 3 • Address specifics of wireless device security (Lecture d) • Explain security and privacy concerns associated with EHRs (Lecture e) • Describe security safeguards used for health care applications (Lecture e) • Provide the basics of ethical behavior online (Lecture e) 4
  • 5.
    Health Care Applications andSecurity • U.S. Government’s stated goal: – Most Americans to have access to electronic health records (EHRs) by 2014 • Why EHRs? – Improve quality of care – Decrease cost – Ensure privacy and security • Outsourcing introduces risk – Countries with different cultural values and EHR regulations 5
  • 6.
    Health Record SecurityConcerns • Incorrect health data recorded • Job discrimination • Personal privacy violated • Sharing of data between providers adds risk • Use of Internet always introduces risk 6
  • 7.
    What is anEHR System? • Collection of health data about the business, patients, doctors, nurses • Health data stored as records in database system • Records represent a complete event – Example: o A patient’s personal information o Reason for office visit o Tests ordered and their results 7
  • 8.
    EHRs are… 1 •Used and maintained by health care providers • Covered by Health Insurance Portability and Accountability Act (HIPAA) rules • Centralized database systems used to integrate patient intake, medical care, pharmacy, and billing into one system 8
  • 9.
    EHRs are… 2 •Used to send data over the Internet when departments/entities are not in same physical location • Accessible by individual patient 9
  • 10.
    EHR Security Q& A - 1 • How is data sent over the Internet? – It should be sent in an encrypted, secure manner over the Internet • Is my personal data safe? – Much depends on each organization’s physical record and network security practices – No data is 100% secure against theft or misuse 10
  • 11.
    EHR Security Q& A - 2 • Who can view my health records? – Only those who need to know or view the contents of a health record should be able to view it o Patient must authorize all other access 11
  • 12.
    Federal Rules Emerge •HIPAA enacted in 1996 • HIPAA establishes privacy and security standards established for: – Health care providers – Health insurance companies – Care clearinghouses (organizations that translate claims data in to and out of HIPAA- standard format) 12
  • 13.
    HIPAA and Privacy •Privacy Rule – Requires those covered to provide patients a “Notice of Privacy Practices” when care is first provided – Covers paper and electronic private health information • Security Rule – Covers administrative, physical, and technical data safeguards that secure electronic health record data 13
  • 14.
    What is Privacy? •Most privacy laws revolves around privacy between a person and the government • “The law of privacy regulates the type of information which may be collected and how this information may be used and stored.” Wikipedia, 2016 • Privacy relates to people. 14
  • 15.
    What is Confidentiality? •“Confidentiality is commonly applied to conversations between doctors and patients. Legal protections prevent physicians from revealing certain discussions with patients, even under oath in court. The rule only applies to secrets shared between physician and patient during the course of providing medical care.” Wikipedia. 2016 • Confidentiality relates to data 15
  • 16.
    Steps to SecureEHR - 1 • Authenticate and authorize ALL record access – Only those who “need to know” can view – Only pertinent people can change records – Limit who can print electronic documents – All views and changes recorded for audit trail 16
  • 17.
    Steps to SecureEHR - 2 • Examples: – A clerk can view the dates and charges related to an office visit but nothing about treatment – Nurses and doctors can view medical records only for patients under their direct care • Security outlines the structure to enforce privacy and security 17
  • 18.
    Steps to SecureEHR - 3 • Device security – Apply operating system critical updates immediately – Install current Anti-virus definitions – Restrict physical access to servers – Allow only authenticated device access 18
  • 19.
    Steps to SecureEHR - 4 • Secure electronic communications – Encrypt all EHR communications – Client-server environment – Configure user accounts and groups – Implement network access protection mechanisms 19
  • 20.
    Steps to SecureEHR - 5 • Web environment considerations – Implement HTTPS for all web transactions – Validate all data entered into web forms – Perform regular audits of access and changes • Implement redundant devices – Ensures that devices are available as expected – Load-balance heavily used hardware devices 20
  • 21.
    Steps to SecureEHR - 6 • Prosecute security violations vigorously • Backup EHR data with secure storage 21
  • 22.
    Free Online PHRSystems – PHRs maintained by individuals – Some PHRs not covered by HIPAA rules – Resources o Microsoft HealthVault - www.healthvault.com/ o WebMD Health Manager - http://www.webmd.com/phr 22
  • 23.
    Ethical Behavior Online •Mistakes Happens • Need to Know vs. Want to Know • Online Ratings • Data Breaches 23
  • 24.
    Security and Privacy Summary– Lecture e • Explained security and privacy concerns associated with Electronic Health Records (EHRs) • Described security safeguards used for health care applications • Provided basics of ethical behavior when online 24
  • 25.
    Security and Privacy Summary- 1 • Cybercrime and cybersecurity • Common IT security and privacy concerns • Hardware components usually attacked by the hackers; common methods of attack • Common types of malware • Social engineering methods used by cybercriminals • Methods and tools available for protection against cyberattacks 25
  • 26.
    Security and Privacy Summary- 2 • Practices designed to minimize the risk of successful cyberattack • Specifics of wireless device security • Security and privacy concerns associated with EHRs • Security safeguards used for health care applications • Basics of ethical behavior online 26
  • 27.
    Security and Privacy References– 1 – Lecture e References Dyer, K. A. (2011, June 2). Ethical Challenges of Medicine and Health on the Internet: A Review. Retrieved from http://www.ncbi.nlm.nih.gov/pmc/articles/PMC1761893/ Greysen, S. (2010, July 15). Online Professionalism and the Mirror of Social Media. Retrieved April 20, 2016, from http://link.springer.com/article/10.1007/s11606-010- 1447-1 Health and Human Services. HHS Announces Project to Help 3.6 Million Consumers Reap Benefits of Electronic Health Records. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://www.hhs.gov/news/press/2007pres/10/pr20071030a.html. Improving Ethics Quality in Health Care. (n.d.). Retrieved April 20, 2016, from http://www.ethics.va.gov/elprimer.pdf Informatics Professor, Meaningful Use: A Highly Useful Construct for Informatics. [Internet]. 2010 May [cited 2011 Nov 07]. Available from: http://informaticsprofessor.blogspot.com/2010/05/meaningful-use-highly-useful- construct.html. Kraus, R. (2004). Ethical and Legal Considerations for Providers of Mental Health Services Online. In Online Counseling, 2nd ed.: A Handbook for Mental Health Professionals. San Diego, CA: Elsevier Academic Press. 27
  • 28.
    Security and Privacy References– 2 – Lecture e References Wikipedia. Network security. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://en.wikipedia.org/wiki/Network_security. Wikipedia. Wireless security. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://en.wikipedia.org/wiki/Wireless_security. Wikipedia. Wireless LAN security. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://en.wikipedia.org/wiki/Wireless_LAN_security. Wikipedia. Electronic health record. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://en.wikipedia.org/wiki/Electronic_health_record. Wikipedia. Electronic medical record. [Internet]. 2010 [cited 2011 Nov 07]. Available from: http://en.wikipedia.org/wiki/Electronic_medical_record. 28
  • 29.
    Introduction Computer Science Securityand Privacy Lecture e This material was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number 90WT0001. 29

Editor's Notes

  • #2 Welcome to the Introduction to Computer Science: Security and Privacy. This is Lecture e. The component, Introduction to Computer Science, provides a basic overview of computer architecture; data organization, representation and structure; the structure of programming languages; and networking and data communication. It also includes the basic terminology of computing.
  • #3  The objectives for this unit, Security and Privacy, are to: Define cybercrime and cybersecurity List common information technology, or IT, security and privacy concerns List the hardware components that are usually attacked by hackers Explain some of the common methods of attack
  • #4 Describe common types of malware Explain social engineering methods used by cybercriminals Describe methods and tools available for protection against cyberattacks Describe practices designed to minimize the risk of successful cyberattack
  • #5 Address specifics of wireless device security Explain security and privacy concerns associated with Electronic Health Records, or EHRs Describe security safeguards used for health care applications And, provide the basics of ethical behavior online
  • #6 In this lecture, we will trace the history of the use of electronic health records, or EHRs, in America; discuss the risks inherent in putting health-related information into electronic form, and touch on ethical behavior when on the Internet. For a number of years, the U.S. government had a goal that by 2014 most Americans should have access to EHRs. Putting health records into electronic form means a lot of private and confidential information is now accessible through web browsers and wireless devices. If these devices are not secure, personal medical information is at risk. For example, information could be falsely entered or even changed by somebody with malicious intent. So it is very important that organizations understand the application of security in conjunction with health care. The impetus for EHRs came from the American government. The motivation was to improve quality of care, decrease cost, and insure the privacy and security of the data. One security concern is the current trend of outsourcing medical data entry management to countries outside the United States. If hospitals employ medical transcriptionists in other countries, might these countries have different cultural values and EHR regulations? How can data be protected when it is on the other side of the world being used by people who live by different rules, regulations, and cultural norms?
  • #7 Other issues include concerns about encountering someone else’s information in your health record, making the information in both records incorrect and compromising security. Additionally, individuals might be discriminated against in employment, denied employment, or even denied health coverage based on pre-existing conditions if private medical information is made public. Personal privacy might be violated, such as when friends, family, and others find out about an embarrassing, but non-infectious medical condition. A final concern about the security of health data involves the sharing of data between providers. Any time data travels over the Internet, there is always a risk to data security and privacy.
  • #8 An EHR system is a collection of health data about medical practices, patients, doctors, nurses, and all entities involved in the health care process. Health data is stored as a record in a database system. For every visit to a doctor, an entry is recorded in the EHR, and that record is stored in a database. The patient’s name and contact information are one record in the database. The patient’s diagnosis and treatment are other records in the database. Tests ordered and procedures performed are yet another record in the database.
  • #9 EHR systems are used and maintained by health care providers and others to store health care data. Health care providers, health care clearinghouses, and health plan providers are subject to federal rules governing security and other rules related to EHRs. The primary federal rule governing EHRs is the Health Insurance Portability and Accountability Act, or HIPAA. Organizations that must adhere to HIPAA rules are called “covered entities.” When data in an EHR is maintained by a covered entity, that data is also subject to HIPAA rules. However, free, online, electronic, personal health records are not a covered entity. This means data entered in free, online, electronic, personal health records is not protected by HIPAA rules. EHRs use centralized database systems to integrate functions such as patient intake, medical care, and pharmacy billing into one large database system.
  • #10 Departments and other entities might not be in the same physical location, so patient data must often travel over the Internet. As we touched on earlier, any time the Internet and data are combined, an element of risk is introduced. Why does data have to travel over the Internet at all? One reason―and there are many―is that when a doctor’s office bills an insurance company, some of the patient’s medical information must travel over the Internet. Through the use of EHRs, people can view their own health record, taking ownership of its contents, insuring accuracy, and even providing content by adding comments for their doctors to read.
  • #11 Let’s now consider some EHR security question and answers. How is―or how should―data be sent over the Internet? In most cases, data will be sent in an encrypted, secure manner over the Internet. If not, patients should question the security practices being used. Is your personal data safe? The answer to this question depends on each organization’s physical record and network security practices, as governed by their security policy. However, no data is 100 percent secure against theft or misuse, regardless of the applicable security policy. Having a good security policy in place, and then auditing for compliance, can significantly improve success in maintaining data security.
  • #12 And finally, who can view your private medical records? According to HIPAA, only those who need to know or view the contents of a health record should be able to do so. Patients must authorize all other access to their record.
  • #13 HIPAA was enacted in 1996 by the federal government. HIPAA establishes privacy and security standards, and requires that health care providers, insurance companies, and care clearinghouses - organizations that translate claims data in to and out of HIPAA-standard format - abide by privacy and security standards.
  • #14 The HIPAA privacy rule requires covered entities to provide patients with what is known as a “Notice of Privacy Practices” when care is first provided. A patient might receive this notice when visiting a walk-in clinic, for example. The privacy rule covers both paper and electronic private health information. HIPAA also incorporates a security rule that goes farther than the privacy rule in that it covers administrative, physical, and technical data safeguards that must be enacted to secure EHR data. All of these should be outlined in the entity’s security policy.
  • #15 Most privacy laws revolve around privacy between a person and the government. According to Wikipedia, “The law of privacy regulates the type of information that can be collected and how this information may be used and stored.” Privacy relates to people. For example, a patient’s visit to a doctor is private information.
  • #16 Confidentiality is different from privacy. According to Wikipedia, “Confidentiality is commonly applied to conversations between doctors and patients. Legal protections prevent physicians from revealing certain discussions with patients, even under oath in court. The rule only applies to secrets shared between physician and patient during the course of providing medical care.” We can infer from this that confidentiality relates to data, data shared between the health provider and the patient. Confidentiality, then, in this context, means that the things discussed with a doctor should remain between the patient and the doctor; they are confidential. To put privacy and confidentiality in context, the fact that someone visited a doctor is private; what the patient and doctor discussed is confidential. Privacy and confidentiality are not mutually exclusive and each slightly overlaps the other in scope.
  • #17 What steps can be taken to secure an EHR and its records? It is possible to authenticate and authorize all access to electronic health records. Authorization involves permissions. Permissions limit who can view, change, and/or print medical records and electronic documents. Additionally, all views of and changes to medical information should be recorded for audit.
  • #18 As an example of permissions, a clerk would be able to view the dates and charges related to an office visit, but would not be able to view anything that details the treatment received or the information discussed between patient and doctor. Nurses and doctors can view medical records only for patients under their direct care, but should not view medical records for patients not under their care. An important point is that security outlines the structure through which privacy and confidentiality can be enforced. Putting in place security mechanisms such as requiring usernames and passwords; badges to open doors; and keys to open file cabinets, increases the probability of data privacy and confidentiality.
  • #19 Device security is important in securing EHR and records. Critical updates to computer operating systems should be applied immediately Antivirus definitions should always be current Physical access to servers that house medical data should be restricted And finally, access to devices must be authenticated
  • #20 Encryption can also help secure electronic communications. All communication between an EHR system and a destination device should be encrypted. A client-server environment allows maintenance of a domain environment with a server that manages all devices and all objects. User accounts should be configured in groups, and permissions must be provided to the groups. Finally, organizations should implement network access protection mechanisms. For example, if a device attempts to connect to a network, the system should first examine the device to verify that it has had critical updates applied to its operating system. The system should then require that the device attempting to connect to the network has antivirus protection software installed and verify that its firewall is enabled.
  • #21 EHR transmission over the Internet should require that either Hypertext Transfer Protocol Secure, or HTTPS, or secure web browsing be implemented for all web transactions. In other words, all communication over the Internet should be encrypted. Additionally, all data entered into web forms should have to be validated before that data is stored in a database. And, regular audits of data access and changes in medical records should be occurring. Implementing redundant devices within the data environment helps ensure that devices are available as expected. Having redundant devices allows system administrators to load-balance heavily used hardware devices. For example, rather than using only one server to store database records, an administrator can create a five-server cluster. Then, whichever server is the least busy can respond to requests for database records.
  • #22 Administrators should prosecute security violations vigorously. If a hacker attacks a network, administrators should immediately report that activity to the authorities. Even internal violations should be pursued and offenders prosecuted. This would discourage others from taking the same actions. Finally, EHR data must be backed up and stored securely.
  • #23 Many of the concerns related to medical privacy exist because there are a number of EHR options available for use. If an individual uses a personal health record, or PHR system, this usually means that the individual maintains the record. Notice that PHRs differ from EHR systems. PHRs are maintained by individuals and are usually not covered by HIPAA rules because individuals manage their own health record, not the company that is providing an individual with the ability to have the health record. There are links on this slide for Microsoft Health Vault and WebMD’s Health Manager—two examples of available PHRs. Typically, these PHRs are free, allowing an individual to enter all of his or her medical information and share it with a doctor or medical personnel.
  • #24 This is a good time to discuss ethical behavior online, some of which we’ve already touched on. The very nature of the Internet is openness and accessibility. But when it comes to health care data, we all want our data to be accurate and secure. We all know mistakes happen. Computer data can only be accurate if it was entered correctly in the first place. Occasionally medical codes may get transposed when being entered into an EHR, dosages can get mis-transcribed, or medical notes can be placed in the wrong patient’s chart. These types of mistakes, though undesirable, are understandable. However, ethics become a question when someone’s intent is in conflict with known rules and regulations. For example, it should be obvious that just because you could have access to someone’s medical records doesn’t mean you should go ahead and access them. But all you have to do is a simple Internet search on “celebrity HIPAA violations” to see that even medical professionals, who are trained in the importance of abiding by HIPAA, sometimes exercise poor judgment. Websites, such as healthgrades.com allow users to post ratings about doctors, dentists, and hospitals. But who validates those ratings? How can a website ensure that what is posted is accurate? Could a medical professional be offering incentives for positive reviews? Should the website publishing the ratings be responsible for verifying the ratings it publishes? If so, how would this be done without violating a patient’s privacy? If a server holding EHRs gets hacked and your personal health data gets shared on the Internet, what share of the responsibility should be assigned to your health care professional? To their IT department? To the service that was contracted to keep those records secure? Entire courses are taught on the subject of ethical behavior when online. For now, as technology continues to be increasingly intertwined with health care, health care professionals must continue to question, debate, and examine ethics and ethical behavior in the context of the Internet. Resources are included in the References section of this presentation for those interested in learning more about ethical behavior online and health care.
  • #25 This concludes lecture e of Security and Privacy. In summary, this lecture: Explained security and privacy concerns associated with Electronic Health Records Described security safeguards used for health care applications And, provided some thoughts on ethical behavior and the Internet
  • #26 This also concludes the unit on Security and Privacy. In summary, this unit addressed the following topics: Cybercrime and cybersecurity Common IT security and privacy concerns Hardware components usually attacked by hackers and the common methods of attack Common types of malware Social engineering methods used by cybercriminals Methods and tools available for protection against cyberattacks
  • #27 Practices designed to minimize the risk of successful cyberattack Specifics of wireless device security Security and privacy concerns associated with EHRs Security safeguards used for health care applications And, the basics of ethical behavior online
  • #28 References slide. No audio.
  • #29 References slide. No audio.
  • #30 No audio.