The Culture of Healthcare

Privacy, Confidentiality, and

Security
Lecture b
This material (Comp11_Unit9b) was developed by Oregon Health and Science University, funded by the Department of Health
and Human Services, Office of the National Coordinator for Health Information Technology under Award Number
IU24OC000015.
Privacy, Confidentiality, and Security
Learning Objectives
Define and discern the differences between privacy,
confidentiality, and security (Lecture a)
Discuss the major methods for protecting privacy
and confidentiality, including through the use of
information technology (Lecture b)
Describe and apply privacy, confidentiality, and
security under the tenets of HIPAA Privacy Rule
(Lecture c)
Describe and apply privacy, confidentiality, and
security under the tenets of the HIPAA Security Rule
(Lecture d)
2
Health IT Workforce Curriculum
Version 3.0/Spring 2012
The Culture of Healthcare
Privacy, Confidentiality, and Security
Lecture b
Concerns about Security
Comprehensive overview (Herzig, 2010)
Many points of leakage
A problem for paper too
Consequences of poor security
Medical identity theft
3
Health IT Workforce Curriculum
Version 3.0/Spring 2012
The Culture of Healthcare
Privacy, Confidentiality, and Security
Lecture b
Flow of Information in Healthcare
Many Points to Leak
9.2 Chart. Flow of information in healthcare (Rindfleisch, 1997).
4
Health IT Workforce Curriculum
Version 3.0/Spring 2012
The Culture of Healthcare
Privacy, Confidentiality, and Security
Lecture b
Security for Paper Records is a
Significant Problem
Difficult to audit trail of paper chart
Fax machines are easily accessible
Records frequently copied for many reasons
New providers, insurance purposes
Records abstracted for variety of purposes
Research
Quality assurance
Insurance fraud Health Information Bureau
(Rothfeder, 1992)
5
Health IT Workforce Curriculum
Version 3.0/Spring 2012
The Culture of Healthcare
Privacy, Confidentiality, and Security
Lecture b
Potential Consequences of Poor
Security
Rindfleish, 1997
Patients avoid healthcare
Patients lie
Providers avoid entering sensitive data
Providers devise work-arounds
CHCF, 2005
13% of consumers admit to engaging in privacy-
protective behaviors that might put health at risk,
such as
Asking doctor to lie about diagnosis
Paying for a test because they did not want to submit a claim
Avoid seeing their regular doctor
6
Health IT Workforce Curriculum
Version 3.0/Spring 2012
The Culture of Healthcare
Privacy, Confidentiality, and Security
Lecture b
Medical Identity Theft
A growing concern, emanating from general
identity theft, defined as use of IIHI for obtaining
access to property or services (AHIMA, 2008)
Victims are not only individuals but also health
providers and plans as well as society at large
Value of medical identity information much
higher than just Social Security number
HHS report outlines approaches to prevention,
detection, and remediation (2009)
7
Health IT Workforce Curriculum
Version 3.0/Spring 2012
The Culture of Healthcare
Privacy, Confidentiality, and Security
Lecture b
Tools for Protecting Health
Information
Brought to wider light by IOM report: For the Record
(anonymous,1997)
Commissioned by National Library of Medicine
(NLM); informed Health Insurance Portability &
Accountability (HIPAA) legislation
Looked at then-current practices at six institutions
Recommended immediate and future best practices
Some content dated, but framework not
8
Health IT Workforce Curriculum
Version 3.0/Spring 2012
The Culture of Healthcare
Privacy, Confidentiality, and Security
Lecture b
Threats to Security
Insider
Accidental disclosure
Curiosity
Subornation
Secondary use settings
Outside institution
A lot of press, few examples
9
Health IT Workforce Curriculum
Version 3.0/Spring 2012
The Culture of Healthcare
Privacy, Confidentiality, and Security
Lecture b
Technologies to Secure
Information
Deterrents
Alerts
Audit trails
System management
precautions
Software management
Analysis of vulnerability
Obstacles
Authentication
Authorization
Integrity management
Digital signatures
Encryption
Firewalls
Rights management
10
Health IT Workforce Curriculum
Version 3.0/Spring 2012
The Culture of Healthcare
Privacy, Confidentiality, and Security
Lecture b
Encryption
Necessary but not sufficient to ensure security
Is a safe harbor under federal and state laws when
data loss occurs
Should, however, be used for all communications over
public networks, e.g., the Internet, and with mobile
devices
Information is scrambled and unscrambled using a key
Types: symmetric vs. asymmetric
Asymmetric, aka public key encryption, can be used
for digital certificates, electronic signatures, etc.
11
Health IT Workforce Curriculum
Version 3.0/Spring 2012
The Culture of Healthcare
Privacy, Confidentiality, and Security
Lecture b
Standards for Encryption and Related
Functions
Advanced Encryption Standard (AES) NIST-designated standard
for encryption/decryption (Daemen, 2002)
Transport Layer Security (TLS) and predecessor, Secure Sockets
Layer (SSL) cryptographic protocols that provide security for
communications over all points on networks (Rescorla, 2001)
Internet Protocol Security (IPsec) protocol for securing Internet
Protocol (IP) communications by authenticating and encrypting each
IP packet of a data stream
Part of IPv6 but also added as standalone on top of IPv4
Secure Hash Algorithm (SHA) protocols insure integrity of
transmitted information and documents (NIST, 2002)
Security flaws have been identified in SHA-1 so SHA-2 family of
protocols has been developed
For more: Wikipedia and
http://csrc.nist.gov/groups/ST/toolkit/
12
Health IT Workforce Curriculum
Version 3.0/Spring 2012
The Culture of Healthcare
Privacy, Confidentiality, and Security
Lecture b
For the Record Best Practices
(anonymous,1997)
Organizational
Confidentiality and security
policies and committees
Education and training
programs
Sanctions
Patient access to audit trails
Technical
Authentication of users
Audit trails
Physical security and disaster
recovery
Protection of remote access
points and external
communications
Software discipline
Ongoing system vulnerability
assessment
13
Health IT Workforce Curriculum
Version 3.0/Spring 2012
The Culture of Healthcare
Privacy, Confidentiality, and Security
Lecture b
Authentication and Passwords
Authentication is process of gaining access to secure
computer
Usual approach is passwords (what you know), but secure
systems may add physical entities (what you have), e.g.,
Biometric devices physical characteristic, e.g.,
thumbprint
Physical devices smart card or some other physical key
Ideal password is one you can remember but no one else can
guess
Typical Internet user interacts with many sites for which
he/she must use password
Many clamor for single sign-on, especially in healthcare,
where users authenticate just once (Pabrai, 2008)
14
Health IT Workforce Curriculum
Version 3.0/Spring 2012
The Culture of Healthcare
Privacy, Confidentiality, and Security
Lecture b
Some Challenges with Passwords
Common approach to security is password
aging (i.e., expiration), which is less effective
than other measures (Wagner, 2005)
Session-locking one or small number of
simultaneous logons
Login failure lockout after 3-5 attempts
Password aging may also induce
counterproductive behavior (Allan, 2005)
15
Health IT Workforce Curriculum
Version 3.0/Spring 2012
The Culture of Healthcare
Privacy, Confidentiality, and Security
Lecture b
Health Information Security is
Probably a Trade-off
9.3 Chart. Health information security is a trade-off (CC BY-NC-SA 3.0, 2012).
16
Health IT Workforce Curriculum
Version 3.0/Spring 2012
The Culture of Healthcare
Privacy, Confidentiality, and Security
Lecture b
There is a Need for Ongoing Research
One of the four HITECH Strategic Healthcare IT
Advanced Research Projects (SHARP) projects is
focused on security
Strategic Healthcare IT Advanced Research Projects
on Security (SHARPS) project www.sharps.org
Focused on security issues in three environments
EHR e.g., self-protecting and privacy-aware
systems
HIE and PHRs e.g., improved service models and
access controls
Telemedicine e.g., devices, telecommunications,
etc.
17
Health IT Workforce Curriculum
Version 3.0/Spring 2012
The Culture of Healthcare
Privacy, Confidentiality, and Security
Lecture b
Other Issues to Ponder
Who owns information?
How is informed consent implemented?
When does public good exceed personal
privacy?
e.g., public health, research, law enforcement
What conflicts are there with business interests?
How do we let individuals opt out of systems?
What are the costs? When do we override?
18
Health IT Workforce Curriculum
Version 3.0/Spring 2012
The Culture of Healthcare
Privacy, Confidentiality, and Security
Lecture b
Privacy, Confidentiality, and Security
Summary Lecture b
There are many points for information to leak
out of the system
There are many technologies for protecting
security
Encryption is necessary but not sufficient
Paper-based information has its own security
problems

19
Health IT Workforce Curriculum
Version 3.0/Spring 2012
The Culture of Healthcare
Privacy, Confidentiality, and Security
Lecture b
Privacy, Confidentiality, and Security
References Lecture b
References
Allan, A. (2005). Password Aging Can Burden an Already-Weak Authentication Method. Stamford, CT: Gartner.
Anonymous. (1997). For the Record: Protecting Electronic Health Information. Washington, DC: National
Academies Press.
Anonymous. (2002). Secure Hash Signature Standard. Gaithersburg, MD: National Institute for Standards and
Technology. Retrieved Jan 2012 from http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf
Anonymous. (2008b). Mitigating medical identity theft. Journal of AHIMA, 79(7), 63-69. Retrieved Jan 2012 from
http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_039058.hcsp?dDocName=bok1_039058
Daemen, J., & Rijmen, V. (2002). The Design of Rijndael: AES - The Advanced Encryption Standard. Berlin,
Germany: Springer-Verlag.
Herzig, T. (Ed.). (2010). Information Security in Healthcare - Managing Risk. Chicago, IL: Healthcare Information
Management Systems Society.
Pabrai, A. (2008, January 23, 2008). The Single Sign-On Solution. H&HN's Most Wired Magazine. Retrieved Jan
2012 from
http://www.hhnmostwired.com/hhnmostwired_app/jsp/articledisplay.jsp?dcrpath=HHNMOSTWIRED/Article/data/F
all2007/080123MW_Online_Pabrai&domain=HHNMOSTWIRED
Rindfleisch, T. (1997). Privacy, information technology, and healthcare. Communications of the ACM, 40(8), 93-
100.
Rothfeder, J. (1992). Privacy for Sale: How Computerization Has Made Everyone's Private Life An Open Secret.
New York: Simon & Schuster.
Wagner, R., Allan, A., & Heiser, J. (2005). Eight Security Practices Offer More Value Than Password Aging.
Stamford, CT: Gartner.

20
Health IT Workforce Curriculum
Version 3.0/Spring 2012
The Culture of Healthcare
Privacy, Confidentiality, and Security
Lecture b
Privacy, Confidentiality, and Security
References Lecture b
Charts, Tables, Figures
9.2 Chart. Flow of information in healthcare (Rindfleisch, 1997).
9.3 Chart. Health information security is a trade-off (CC BY-NC-SA 3.0, 2012).

21
Health IT Workforce Curriculum
Version 3.0/Spring 2012
The Culture of Healthcare
Privacy, Confidentiality, and Security
Lecture b