TOPIC: CHAPTER 10: TRUSTWORTHY SYSTEMS FOR SAFE AND PRIVATE HEALTHCARE
TRUSTWORTHY SYSTEMS FOR SAFE AND PRIVATE HEALTHCARE

HITECH - Health Information Technology for Economic and Clinical Health, as part of the American Recovery and Reinvestment Act (USC, 2009)
- Assigned the Office of National Coordinator (ONC) responsibility for developing a nationwide infrastructure that would facilitate the use and exchange of electronic health information, including policy, standards, implementation specifications, and certification criteria
- Resulted in the most significant amendments to the Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy Rules since the rules became law

HITECH Act Priorities
- Technologies that protect the privacy of health information and promote security in a qualified electronic health record (EHR)
- A nationwide HIT infrastructure that allows for the electronic use and accurate exchange of health information.
- Technologies that as a part of a qualified EHR allow for an accounting of disclosures made by a covered entity
- Technologies that allow individually identifiable health information to be rendered unusable, unreadable, or indecipherable to unauthorized individuals

“Information is the lifeblood of modern medicine. Health information technology is destined to be its circulatory system. Without that system, neither individual physicians nor healthcare institutions can perform at their best or deliver the highest-quality care”

TRUST
- Caregivers will keep the health information confidential and will disclose and use it only to the extent necessary
- Caregivers and technology will “do no harm” (Beneficence)
- Technology and information are readily available
- Information in the patient’s EHR is accurate and complete

NURSES...
- “promote, advocate for, and strive to protect the health, safety, and rights of the patient”
- “holds in confidence personal information” and “ensures that use of technology…[is] compatible with the safety, dignity, and rights of people”

HEALTH INFORMATION TECHNOLOGY OPPORTUNITIES
However, HIT also offers significant benefits like faster lab results, remote monitoring, and personalized treatment plans.

CHALLENGES
Electronic information exchange introduces new risks (accidental breaches, malicious attacks).

TRUSTWORTHY HEALTH INFORMATION TECHNOLOGY
Legal and ethical frameworks, along with consumer expectations, define requirements for trustworthy HIT.
Requirements:
- Availability of data and applications.
- Protection of privacy and confidentiality.
- Data integrity and security.
- User-friendly and responsive systems.
- Safe operation of health-critical functions.

PRIVACY
Deals with individual rights around the collection, use, and sharing of their personal health information. Principles like openness, transparency, fairness, and choice are crucial for privacy.

SECURITY
Focuses more on protecting the confidentiality, integrity, and availability of health data and systems through mechanisms like access controls, auditing, encryption etc.

EIGHT PRIVACY PRINCIPLES
Core privacy principles for health IT were first defined in 1973 and later updated to address modern e-health risks like widespread data sharing through health information exchanges.
- Individual access
- Correction
- Openness and transparency
- Individual choice
- Collection and use
- Data quality and integrity
- Safeguards
- Accountability

SECURITY MECHANISM AND ASSURANCE METHODS
ADVANTAGE
confidentiality and authenticity of information, the integrity of data, and the availability of information and services, as well as to provide an accurate record of activities and accesses to information
DISADVANTAGE
critical to protecting personal privacy, they are also essential in protecting patient safety and care quality—and in engendering trust in electronic systems and information

Examples Illustrating the Importance of Security in HIT
- Corruption of Laboratory Results
- Overwriting EHR Data
- Fraudulent Electronic Messages
- Safety Risks in Clinical Decision-Support Systems

NCM 110: NURSING INFORMATICS CORPORAL, MARIEL S. I BSN 2A – 2nd Semester

TRUSTWORTHINESS
This critical attribute encompasses both security and privacy. Trustworthy systems inspire confidence and reliability for healthcare professionals. Building trustworthiness requires upfront design and ongoing maintenance. Retrofitting existing systems for trustworthiness can be difficult and costly.

When Things Go Wrong
- CareGroup Network Infrastructure Failure (2003)
- Microsoft Azure Cloud Outage (2013)
- Identity Theft and Personal Privacy
- Genomic Data Breach
- Malware Threats and Medical Devices
- HIPAA Breaches and Reporting (2009-2014)

HIT TRUST FRAMEWORK
Layer 1: Risk Management
Layer 2: Information Assurance Policy
Layer 3: Physical Safeguards
Layer 4: Operational Safeguards
Layer 5: Architectural Safeguards
Layer 6: Security Technology Safeguards
Layer 7: Usability Features

Layer 1: Risk Management
Identifies potential threats and weaknesses that could compromise patient information. This groundwork is crucial for all the other layers. Risk management considers various factors including patient safety, privacy, information security, reputation, and financial stability.

Layer 2: Information Assurance Policy
Creates policies based on risk assessments to guide how staff handles information securely. It covers operational aspects, information technology use, and individual behavior. These policies comply with relevant laws (HIPAA) and professional ethics.
POLICY COMPONENTS
- Defines rules for protecting patient privacy and confidential information.
- Ensures transparency in how individuals' health data is used and shared.
- Establishes protocols to safeguard people (patients, staff, visitors) from physical harm caused by data breaches or service disruptions.

Layer 3: Physical Safeguards
Physical safeguards are critical for ensuring the availability, trustworthiness, and usability of electronic health information (ePHI) at the point of care. Implements physical measures to protect information assets as outlined in the policies. These safeguards address hardware, software, facilities, and personnel involved in handling health data.
HIPAA Security Rule
- facility-access controls
- workstation-use policies and procedures
- workstation-security measures
- device and media controls

Layer 4: Operational Safeguards
This layer outlines processes and procedures for handling health information securely throughout its lifecycle. It ensures adherence to the information assurance policy established in Layer 2.
KEY SAFEGUARD

Layer 5: Architectural Safeguards
Architectural safeguards refer to technical design principles and system components that collectively establish a secure and resilient foundation for health IT systems. Architectural safeguards apply whether systems are centralized onsite, distributed, or utilize cloud components and virtualization. This layer focuses on designing the technical infrastructure with security in mind from the ground up. By incorporating these architectural principles, the foundation for robust security safeguards is established.
KEY PRINCIPLES
1. Scalability - ability to handle growing data and users
2. Reliability - consistency and uptime through redundancy
3. Safety - fail-safe behaviors if components fail
4. Interoperability - systems' ability to exchange data
5. Availability - services and data accessible when needed
6. Simplicity - straightforward designs for security and recovery
7. Isolation - separating processes and apps to limit infection spread

Layer 6: Security Technology Safeguards
Security technology safeguards are software/hardware components that perform specific security functions like access control, encryption, intrusion detection etc. This layer focuses on the technical tools and mechanisms used to implement the security policies and procedures outlined in previous layers. These safeguards work together to create a robust security infrastructure for protecting ePHI.
KEY SAFEGUARD
1. Authentication - verifying identity of users and systems
2. Access Control - allowing only authorized access to resources
3. Audit logs - recording security-relevant system activity
4. Data integrity - detecting unauthorized data modifications
5. Non-repudiation - proving authenticity of data source
6. Encryption - encoding data during storage and transmission
7. Anti-malware - preventing, detecting and removing viruses/spyware
8. Transmission security - protecting data exchanged over networks

Layer 7: Usability Features
Usability features make security protections and technologies easier and more convenient for end users. Single sign-on allows a user to authenticate once to access multiple authorized applications and systems within an organization. Federated identity enables authenticated access across multiple organizations without reauthenticating. Both single sign-on and identity federation work by passing the user's verified identity and attributes to other systems through encrypted security assertions.
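
The assertion passing described above, as an added example that is not part of the original notes: an identity provider issues an assertion carrying the user's identity and attributes, and the receiving application checks its integrity, audience and lifetime before trusting it. It uses an HMAC with a constructed shared key in place of the signed and encrypted SAML or OpenID Connect assertions real deployments use; every name and value in it is an assumption.

```python
import base64, hashlib, hmac, json

# Constructed demo key shared by the identity provider (IdP) and the relying
# application. Assumption: real federation uses asymmetric signatures.
IDP_KEY = b"constructed-demo-key"

def b64e(data):
    return base64.urlsafe_b64encode(data).decode()

def issue_assertion(subject, attributes, audience, now, ttl=300):
    """IdP side: bind identity, attributes, audience and lifetime, then sign."""
    claims = {"sub": subject, "attrs": attributes, "aud": audience,
              "iat": now, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    return b64e(body) + "." + b64e(tag)

def verify_assertion(token, expected_audience, now):
    """Relying-party side: return the claims only if every check passes."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError as exc:  # wrong part count or bad base64
        raise ValueError("malformed assertion") from exc
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims["aud"] != expected_audience:  # assertion minted for another system
        raise ValueError("wrong audience")
    if not claims["iat"] <= now < claims["exp"]:  # replay outside the lifetime
        raise ValueError("expired or not yet valid")
    return claims

if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed timestamp
    token = issue_assertion("nurse.jdoe", {"role": "RN"}, "ehr.example", NOW)
    print(verify_assertion(token, "ehr.example", NOW + 60))
```

The audience and lifetime checks are what keep an assertion issued for one application from being replayed against another or reused after the session should have ended.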