This document summarizes key events and policies related to the meaningful use of electronic health records (EHRs) in the United States. It discusses landmark reports that highlighted issues with patient safety and quality of care. Major legislation like HIPAA, ARRA, and the HITECH Act provided funding and incentives to promote EHR adoption. The Office of the National Coordinator for Health IT established criteria for meaningful use in three stages to gradually increase EHR functionality and use. Regulations specify objectives and standards that providers must meet to receive incentive payments through Medicare and Medicaid.
The document discusses the application of information and communications technology (ICT) for clinical care improvement. It outlines how healthcare is error-prone due to human fallibility, and how health information technology (IT) such as computerized provider order entry (CPOE) and clinical decision support systems can help reduce errors. The document also explains why access to complete and accurate patient information through electronic health records improves care delivery and coordination across different healthcare providers and settings.
The Road toward a Smart Hospital (Presented at Roi Et Hospital) (2 Feb 2016) Nawanan Theera-Ampornpunt
The document discusses guidelines for managing Roi Et Hospital towards becoming a "Smart Hospital". It introduces Dr. Nawanan Theera-Ampornpunt, who received his medical degree in 2002 and PhD in Health Informatics from the University of Minnesota in 2014. His interests include using health IT to improve quality of care, IT management, security and privacy. The document then outlines the topics to be covered, including the road to digitizing healthcare, what constitutes a "smart hospital", and how to move towards becoming a smarter hospital.
Ethics, Security and Privacy Management of Hospital Data Part 2 (January 24, ... Nawanan Theera-Ampornpunt
Presented at the Hospital IT Quality Development to level 4, 5, 6 Workshop, Thai Medical Informatics Association, Bangkok, Thailand on January 24, 2020
Presented at the BDMS Golden Jubilee Scientific Conference 2022 "BDMS Beyond 50 years: Looking towards the centennial," Bangkok Dusit Medical Services Public Company Limited (BDMS), Bangkok, Thailand on October 19, 2022
Telemedicine provides healthcare at a distance using telecommunications technology. It has grown from focusing on increasing access to now emphasizing convenience and cost reduction. Store-and-forward and home-based telemedicine have evidence for treating chronic diseases, while office/hospital telemedicine is effective for verbal interactions in specialties like neurology and psychiatry. Current trends include expanding telemedicine to more chronic conditions and migrating services from clinical settings to homes and mobile devices. However, reimbursement remains limited and fragmented while quality of remote care compared to in-person visits requires more evidence. Proper guidelines, standards, training and balancing innovation with risk-based regulation can maximize telemedicine's benefits while minimizing harms.
This document discusses digital health transformation and the role of health information technology. It begins by exploring concepts like artificial intelligence, blockchain, cloud computing and big data. It then examines the potential for "smart" machines in healthcare while acknowledging the complexities of digitizing such a system. The document emphasizes that clinical judgment is still necessary given variations in patients. It outlines components of healthcare systems and forms of health IT both within and beyond hospitals. Finally, it discusses using health IT to support clinical decision making and reduce errors.
Presented at The Thai Medical Informatics Association Annual Conference and The National Conference on Medical Informatics (TMI-NCMedInfo) 2021, Bangkok, Thailand on November 26, 2021
The document discusses the field of health informatics and provides definitions and examples. It defines health informatics as the application of information science to healthcare and biomedical research. It describes the relationships between health informatics and other fields like computer science, engineering, and the medical sciences. The document also discusses different areas of health informatics like clinical informatics, public health informatics, and consumer health informatics. It provides examples of common health information technologies used in healthcare settings like electronic health records, computerized physician order entry, and picture archiving systems.
This document provides an introduction to research ethics and ethics for health informaticians. It begins with definitions of ethics, morals, and norms. It then discusses the role of law, professional codes of conduct, and ethics in establishing standards of acceptable behavior. Key topics in research ethics are introduced through discussions of historic cases like the Nazi human experiments, Beecher's research ethics violations, and the Tuskegee Syphilis Study. The document outlines the Belmont Report's three ethical principles of respect for persons, beneficence, and justice. Ethical issues in health informatics like alerts fatigue from clinical decision support systems and unintended consequences of health IT are also discussed.
Consumer Health Informatics, Mobile Health, and Social Media for Health: Part... Nawanan Theera-Ampornpunt
Presented at the Master of Science and Doctor of Philosophy Programs in Data Science for Healthcare and Clinical Informatics, Department of Clinical Epidemiology and Biostatistics, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on November 10, 2021
6. Simplified Attack Scenarios
(Diagram: Alice, Server, Bob; attacker Eve/Mallory)
- Physical access to client computer
- Electronic access (password)
- Tricking user into doing something (malware, phishing & social engineering)
7. Simplified Attack Scenarios
- Intercepting (eavesdropping or "sniffing") data in transit
- Modifying data ("Man-in-the-middle" attacks)
- "Replay" attacks
8. Simplified Attack Scenarios
- Unauthorized access to servers through
  - Physical means
  - User accounts & privileges
- Attacks through software vulnerabilities
- Attacks using protocol weaknesses
- DoS / DDoS attacks
10. Safeguarding Against Attacks
(Diagram: Alice, Server, Bob; attacker Eve/Mallory)
Administrative Security
- Security & privacy policy
- Governance of security risk management & response
- Uniform enforcement of policy & monitoring
- Disaster recovery planning (DRP) & business continuity planning/management (BCP/BCM)
- Legal obligations, requirements & disclaimers
11. Safeguarding Against Attacks
Physical Security
- Protecting physical access to clients & servers
- Locks & chains, locked rooms, security cameras
- Mobile device security
- Secure storage & secure disposition of storage devices
12. Safeguarding Against Attacks
User Security
- User account management
- Strong password policy (length, complexity, expiry, no meaning)
- Principle of Least Privilege
- "Clear desk, clear screen" policy
- Audit trails
- Education, awareness building & policy enforcement
- Alerts & education about phishing & social engineering
13. Safeguarding Against Attacks
System Security
- Antivirus, antispyware, personal firewall, intrusion detection/prevention system (IDS/IPS), log files, monitoring
- Updates, patches, fixes of operating system vulnerabilities & application vulnerabilities
- Redundancy (avoid "Single Point of Failure")
- Honeypots
14. Safeguarding Against Attacks
Software Security
- Software (clients & servers) that is secure by design
- Software testing against failures, bugs, invalid inputs, performance issues & attacks
- Updates to patch vulnerabilities
15. Safeguarding Against Attacks
Network Security
- Access control (physical & electronic) to network devices
- Use of secure network protocols if possible
- Data encryption during transit if possible
- Bandwidth monitoring & control
16. Safeguarding Against Attacks
Database Security
- Access control to databases & storage devices
- Encryption of data stored in databases if necessary
- Secure destruction of data after use
- Access control to queries/reports
- Security features of database management systems (DBMS)
19. Physical Security: Common Pitfalls from Site Visits
- Data center easily accessible to outsiders; no secure access control system
- Facilities not adequate
  - No backup power supply
  - No fire alarm, or the fire alarm is not connected to anyone who monitors it
  - A/C readiness & no temperature sensors
  - Risks from water drips/electrical faults/temperature/dust, etc.
- Condition of the data center
  - Tidiness of cabling
  - Cleanliness
- Work processes
  - Define an emergency plan, keep a copy at the data center, communicate & rehearse the plan
- Servers located outside the data center
- Data centers of subsystems such as PACS or LIS lack essential facilities
20. User Security: Common Pitfalls from Site Visits
- Users know the security policy and procedures
- User accounts are issued per individual
- An appropriate password policy is defined
- Users know the password policy and follow it
- Data access rights are differentiated according to need
- User behavior during use, e.g., logging out, not using someone else's account
- Passwords are not written down anywhere (Clear Desk, Clear Screen)
- Admin accounts & passwords are kept secure
- Users' security behavior when working on a PC or via mobile devices
- Users and IT are aware of major risks such as viruses and ransomware
- Education & Enforcement
21. System Security & Network Security: Common Pitfalls from Site Visits
- Operating systems are patched as appropriate
- Appropriate network security devices are in place, e.g., a firewall
- Internet access is limited or LANs are segmented as appropriate
- Antivirus software is up to date and properly licensed
- System redundancy, e.g., a DR site
- Data backup system
- Critical systems used over the Internet, such as remote EMR or remote PACS, should consider encryption, e.g., using SSL or VPN
25. Need for Strong Password Policy
So, two informaticians walk into a bar... The bouncer says, "What's the password." One says, "Password?" The bouncer lets them in.
Credits: @RossMartin & AMIA (2012)
28. User Security
- Access control: selective restriction of access to the system
- Role-based access control: access control based on the person's role (rather than identity)
- Audit trails: logs/records that provide evidence of the sequence of activities
29. User Security
- Identification: identifying who you are; usually done by user IDs or some other unique codes
- Authentication: confirming that you truly are who you identify as; usually done by keys, PINs, passwords or biometrics
- Authorization: specifying/verifying how much access you have; determined by the system owner's policy & system configuration ("Principle of Least Privilege")
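The three steps on slide 29 (identification, authentication, authorization) together with the role-based access control and audit trail of slide 28, worked through as one small Python model. This is an added example and not code from the presentation; the user names, roles, permission names, and the choice of PBKDF2 from Python's hashlib for storing password hashes are assumptions made here for illustration.

```python
"""Identification, authentication, role-based authorization and an audit trail.

Added example for slides 28-29; not code from the presentation. The users,
roles and permission names below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from datetime import datetime, timezone

# Role-based access control: permissions attach to the role, not to the person.
ROLE_PERMISSIONS = {
    "physician": {"read_chart", "write_order"},
    "nurse": {"read_chart", "record_vitals"},
    "billing": {"read_demographics"},
}

_DUMMY_SALT = b"\x00" * 16


def _hash_password(password: str, salt: bytes) -> bytes:
    # Only a salted, slow hash is stored; the password itself never is.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class AccessControl:
    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes, str]] = {}  # id -> (salt, hash, role)
        self._sessions: dict[str, str] = {}                     # token -> user id
        self.audit_trail: list[dict] = []                        # append-only event list

    def _log(self, user_id: str, action: str, outcome: str, detail: str = "") -> None:
        # Audit trail: who did what, when, and with what result.
        self.audit_trail.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user_id, "action": action, "outcome": outcome, "detail": detail,
        })

    def add_user(self, user_id: str, password: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role!r}")
        salt = os.urandom(16)
        self._users[user_id] = (salt, _hash_password(password, salt), role)

    def authenticate(self, user_id: str, password: str):
        """Identification (user_id) + authentication (password). Returns a session token or None."""
        record = self._users.get(user_id)
        if record is None:
            # Hash anyway so an unknown ID takes as long as a wrong password.
            _hash_password(password, _DUMMY_SALT)
            self._log(user_id, "login", "denied", "unknown user")
            return None
        salt, stored_hash, _role = record
        if not hmac.compare_digest(_hash_password(password, salt), stored_hash):
            self._log(user_id, "login", "denied", "bad password")
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user_id
        self._log(user_id, "login", "granted")
        return token

    def authorize(self, token: str, action: str) -> bool:
        """Authorization: may the authenticated user's role perform `action`?"""
        user_id = self._sessions.get(token)
        if user_id is None:
            self._log("<no session>", action, "denied", "invalid token")
            return False
        role = self._users[user_id][2]
        allowed = action in ROLE_PERMISSIONS[role]  # least privilege: only what the role needs
        self._log(user_id, action, "granted" if allowed else "denied", f"role={role}")
        return allowed


def demo():
    """Constructed walk-through; returns the outcomes and the audit trail for inspection."""
    ac = AccessControl()
    ac.add_user("alice", "correct horse battery staple", "physician")
    ac.add_user("bob", "Nurse-Shift-2024!", "nurse")
    alice = ac.authenticate("alice", "correct horse battery staple")
    bob = ac.authenticate("bob", "Nurse-Shift-2024!")
    outcomes = {
        "alice_write_order": ac.authorize(alice, "write_order"),  # physician role may
        "bob_write_order": ac.authorize(bob, "write_order"),      # nurse role may not
        "bob_record_vitals": ac.authorize(bob, "record_vitals"),
        "wrong_password": ac.authenticate("alice", "wrong") is None,
        "unknown_user": ac.authenticate("mallory", "x") is None,
        "bogus_token": ac.authorize("not-a-token", "read_chart"),
    }
    return outcomes, ac.audit_trail


if __name__ == "__main__":
    results, trail = demo()
    print(results)
    for event in trail:
        print(event)
```

Every decision, granted or denied, lands in the audit trail, which is what makes the trail usable as evidence of the sequence of activities rather than only of successes.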
30. Recommended Password Policy
- Length: 8 characters or more (to slow down brute-force attacks)
- Complexity (to slow down brute-force attacks): consists of 3 of 4 categories of characters
  - Uppercase letters
  - Lowercase letters
  - Numbers
  - Symbols (except symbols that have special uses in the system or that can be used to attack the system, e.g., SQL injection)
- No meaning (to prevent "dictionary attacks")
- Not simple patterns (12345678, 11111111) (to slow down brute-force attacks & prevent dictionary attacks)
- Not easy to guess (birthday, family names, etc.) (to prevent unknown & known persons from guessing)
Personal opinion. No legal responsibility assumed.
31. Recommended Password Policy
- Expiration (so that a brute-force attack cannot complete within the password's lifetime): 6-8 months, decreasing over time as computers get faster
  - But be careful! Too short a duration will force users to write passwords down
- Secure password storage in the database or system (encrypted, or store only password hashes)
- Secure password confirmation
- Secure "forgot password" policy
- A different password for each account; create variations to help remember them. If that is not possible, use different sets of accounts for differing security needs (e.g., bank accounts vs. social media sites)
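A checker that applies the rules from slides 30 and 31 (minimum length, 3 of 4 character categories, no dictionary words, no simple patterns, nothing guessable from personal information, and expiry). This is an added example, not code from the presentation; the small wordlist, the 180-day maximum age (the lower end of the slide's 6-8 months) and the sample passwords are constructed here for illustration.

```python
"""Checks a candidate password against the policy on slides 30-31.

Added example, not code from the presentation. The wordlist, the 180-day
maximum age and the sample passwords are constructed for illustration.
"""
from __future__ import annotations

import re
from datetime import date, timedelta

MIN_LENGTH = 8                 # slide 30: 8 characters or more
MIN_CATEGORIES = 3             # slide 30: 3 of 4 character categories
MAX_AGE = timedelta(days=180)  # slide 31: 6-8 months; 180 days is an assumed lower end

# Tiny constructed wordlist standing in for a real dictionary-attack list.
DICTIONARY = {"password", "welcome", "hospital", "qwerty", "letmein", "admin", "doctor"}


def character_categories(pw: str) -> int:
    """How many of the four categories (upper, lower, digit, symbol) appear."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def is_simple_pattern(pw: str) -> bool:
    """Repeated single character (11111111) or a straight run (12345678, abcdefgh, 87654321)."""
    if len(set(pw)) == 1:
        return True
    codes = [ord(c) for c in pw]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps in ({1}, {-1})


def is_dictionary_word(pw: str) -> bool:
    """The whole password, or its letters with digits/symbols stripped (Password1!), is a word."""
    lowered = pw.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)
    return lowered in DICTIONARY or letters_only in DICTIONARY


def contains_personal_info(pw: str, personal_info) -> bool:
    """Birthday, family names, etc. (supplied by the caller) found inside the password."""
    lowered = pw.lower()
    return any(item and item.lower() in lowered for item in personal_info)


def check_password(pw: str, personal_info=(), last_changed: date | None = None,
                   today: date | None = None) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if character_categories(pw) < MIN_CATEGORIES:
        problems.append("fewer than 3 character categories")
    if is_dictionary_word(pw):
        problems.append("dictionary word")
    if is_simple_pattern(pw):
        problems.append("simple pattern")
    if contains_personal_info(pw, personal_info):
        problems.append("contains personal information")
    if last_changed is not None:
        today = today or date.today()
        if today - last_changed > MAX_AGE:
            problems.append("older than maximum age")
    return problems


def demo() -> dict:
    """Constructed sample passwords; returns each one's list of violations."""
    return {
        "strong": check_password("Xk7#pQ2v"),
        "dictionary": check_password("Password1!"),
        "sequence": check_password("12345678"),
        "repeated": check_password("aaaaaaaa"),
        "personal": check_password("Somchai1985!", personal_info=("Somchai", "1985")),
        "expired": check_password("Xk7#pQ2v", last_changed=date(2024, 1, 1), today=date(2024, 9, 1)),
        "fresh": check_password("Xk7#pQ2v", last_changed=date(2024, 1, 1), today=date(2024, 6, 1)),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {problems or 'OK'}")
```

The slide's suggestion to exclude symbols that might be abused for SQL injection is deliberately not implemented: once only a password hash is stored (slide 31) and database queries are parameterized, the raw password never reaches a query, so narrowing the character set would only shrink the search space an attacker has to cover.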
40. Security Standards under the "Secure Method" (วิธีการแบบปลอดภัย)
Divided into 11 domains:
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Regulatory compliance