The Health IT Workforce Curriculum was developed for U.S. community colleges to enhance workforce training programmes in health information technology. The curriculum consists of 20 courses of 3 credits each. Each course includes instructor manuals, learning objectives, syllabi, video lectures with accompanying transcripts and slides, exercises, and assessments. The materials were authored by Columbia University, Duke University, Johns Hopkins University, Oregon Health & Science University, and University of Alabama at Birmingham. The project was funded by the U.S. Office of the National Coordinator for Health Information Technology. All of the course materials are available under a Creative Commons Attribution Noncommercial ShareAlike (CC BY NC SA) License. The course description, learning objectives, author information, and other details may be found at http://archive.org/details/HealthITWorkforce-Comp02Unit09. The full collection may be browsed at http://knowledge.amia.org/onc-ntdc or at http://www.merlot.org/merlot/viewPortfolio.htm?id=842513.
Security Lecture b

This material (Comp11_Unit9b) was developed by Oregon Health and Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000015.

Privacy, Confidentiality, and Security Learning Objectives
- Define and discern the differences between privacy, confidentiality, and security (Lecture a)
- Discuss the major methods for protecting privacy and confidentiality, including through the use of information technology (Lecture b)
- Describe and apply privacy, confidentiality, and security under the tenets of HIPAA Privacy Rule (Lecture c)
- Describe and apply privacy, confidentiality, and security under the tenets of the HIPAA Security Rule (Lecture d)

Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture b

Concerns about Security
- Comprehensive overview (Herzig, 2010)
- Many points of leakage
- A problem for paper too
- Consequences of poor security
- Medical identity theft

Flow of Information in Healthcare: Many Points to Leak
9.2 Chart. Flow of information in healthcare (Rindfleisch, 1997).

Security for Paper Records is a Significant Problem
- Difficult to audit trail of paper chart
- Fax machines are easily accessible
- Records frequently copied for many reasons
  - New providers, insurance purposes
- Records abstracted for variety of purposes
  - Research
  - Quality assurance
  - Insurance fraud: Health Information Bureau (Rothfeder, 1992)

Potential Consequences of Poor Security
- Rindfleisch, 1997
  - Patients avoid healthcare
  - Patients lie
  - Providers avoid entering sensitive data
  - Providers devise work-arounds
- CHCF, 2005
  - 13% of consumers admit to engaging in privacy-protective behaviors that might put health at risk, such as
    - Asking doctor to lie about diagnosis
    - Paying for a test because they did not want to submit a claim
    - Avoiding seeing their regular doctor

Medical Identity Theft
- A growing concern, emanating from general identity theft, defined as use of IIHI for obtaining access to property or services (AHIMA, 2008)
- Victims are not only individuals but also health providers and plans as well as society at large
- Value of medical identity information much higher than just Social Security number
- HHS report outlines approaches to prevention, detection, and remediation (2009)

Tools for Protecting Health Information
- Brought to wider light by IOM report: For the Record (anonymous, 1997)
  - Commissioned by National Library of Medicine (NLM); informed Health Insurance Portability & Accountability (HIPAA) legislation
  - Looked at then-current practices at six institutions
  - Recommended immediate and future best practices
  - Some content dated, but framework not

Threats to Security
- Insider
  - Accidental disclosure
  - Curiosity
  - Subornation
- Secondary use settings
- Outside institution
  - A lot of press, few examples

Technologies to Secure Information
- Deterrents
  - Alerts
  - Audit trails
- System management precautions
  - Software management
  - Analysis of vulnerability
- Obstacles
  - Authentication
  - Authorization
  - Integrity management
  - Digital signatures
  - Encryption
  - Firewalls
  - Rights management

Encryption
- Necessary but not sufficient to ensure security
- Is a safe harbor under federal and state laws when data loss occurs
- Should, however, be used for all communications over public networks, e.g., the Internet, and with mobile devices
- Information is scrambled and unscrambled using a key
- Types: symmetric vs. asymmetric
  - Asymmetric, aka public key encryption, can be used for digital certificates, electronic signatures, etc.

Standards for Encryption and Related Functions
- Advanced Encryption Standard (AES): NIST-designated standard for encryption/decryption (Daemen, 2002)
- Transport Layer Security (TLS) and predecessor, Secure Sockets Layer (SSL): cryptographic protocols that provide security for communications over all points on networks (Rescorla, 2001)
- Internet Protocol Security (IPsec): protocol for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream
  - Part of IPv6 but also added as standalone on top of IPv4
- Secure Hash Algorithm (SHA): protocols ensure integrity of transmitted information and documents (NIST, 2002)
  - Security flaws have been identified in SHA-1 so SHA-2 family of protocols has been developed
- For more: Wikipedia and http://csrc.nist.gov/groups/ST/toolkit/

For the Record Best Practices (anonymous, 1997)
- Organizational
  - Confidentiality and security policies and committees
  - Education and training programs
  - Sanctions
  - Patient access to audit trails
- Technical
  - Authentication of users
  - Audit trails
  - Physical security and disaster recovery
  - Protection of remote access points and external communications
  - Software discipline
  - Ongoing system vulnerability assessment

Authentication and Passwords
- Authentication is process of gaining access to secure computer
- Usual approach is passwords (what you know), but secure systems may add physical entities (what you have), e.g.,
  - Biometric devices: physical characteristic, e.g., thumbprint
  - Physical devices: smart card or some other physical key
- Ideal password is one you can remember but no one else can guess
- Typical Internet user interacts with many sites for which he/she must use password
- Many clamor for single sign-on, especially in healthcare, where users authenticate just once (Pabrai, 2008)

Some Challenges with Passwords
- Common approach to security is password aging (i.e., expiration), which is less effective than other measures (Wagner, 2005)
  - Session-locking: one or small number of simultaneous logons
  - Login failure lockout: after 3-5 attempts
- Password aging may also induce counterproductive behavior (Allan, 2005)

Health Information Security is Probably a Trade-off
9.3 Chart. Health information security is a trade-off (CC BY-NC-SA 3.0, 2012).

There is a Need for Ongoing Research
- One of the four HITECH Strategic Healthcare IT Advanced Research Projects (SHARP) projects is focused on security
  - Strategic Healthcare IT Advanced Research Projects on Security (SHARPS) project: www.sharps.org
- Focused on security issues in three environments
  - EHR: e.g., self-protecting and privacy-aware systems
  - HIE and PHRs: e.g., improved service models and access controls
  - Telemedicine: e.g., devices, telecommunications, etc.

Other Issues to Ponder
- Who owns information?
- How is informed consent implemented?
- When does public good exceed personal privacy?
  - e.g., public health, research, law enforcement
- What conflicts are there with business interests?
- How do we let individuals opt out of systems?
  - What are the costs?
  - When do we override?

Privacy, Confidentiality, and Security Summary Lecture b
- There are many points for information to leak out of the system
- There are many technologies for protecting security
  - Encryption is necessary but not sufficient
- Paper-based information has its own security problems
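
The login failure lockout and session-locking measures listed under Some Challenges with Passwords, combined with an audit trail, shown here as an added example that is not part of the original lecture material. The names `LoginGuard` and `make_verifier`, the 15-minute lockout and the in-memory account store are assumptions of this example.

```python
import hashlib, hmac, os, time
from collections import defaultdict

MAX_FAILURES = 3        # slide: lock out after 3-5 failed attempts
MAX_SESSIONS = 1        # slide: one or a small number of simultaneous logons
LOCKOUT_SECONDS = 900   # assumption: the slide gives no lockout duration

def make_verifier(users):
    """Constructed sample store: {user: password} kept as salted PBKDF2 digests."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        store[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000))
    def verify(user, password):
        salt, digest = store.get(user, (b"\0" * 16, b""))  # unknown user never matches
        guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(guess, digest)           # constant-time comparison
    return verify

class LoginGuard:
    """Hypothetical in-memory guard: lockout, session cap and audit trail."""
    def __init__(self, verify, clock=time.monotonic):
        self.verify, self.clock = verify, clock
        self.failures, self.locked_until = defaultdict(int), {}
        self.sessions = defaultdict(set)
        self.audit = []  # audit trail of (time, user, event); every decision is recorded
    def _log(self, user, event):
        self.audit.append((self.clock(), user, event))
        return event
    def login(self, user, password, session_id):
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            return self._log(user, "denied_locked")  # even a correct password must wait
        if not self.verify(user, password):
            self.failures[user] += 1
            if self.failures[user] < MAX_FAILURES:
                return self._log(user, "bad_password")
            self.failures[user] = 0
            self.locked_until[user] = now + LOCKOUT_SECONDS
            return self._log(user, "locked_out")
        self.failures[user] = 0
        if len(self.sessions[user]) >= MAX_SESSIONS:
            return self._log(user, "denied_session_limit")
        self.sessions[user].add(session_id)
        return self._log(user, "login_ok")
    def logout(self, user, session_id):
        self.sessions[user].discard(session_id)
        return self._log(user, "logout")
```

Passing a fake `clock` lets the lockout window be exercised without waiting; the `audit` list is what a reviewer would scan for repeated `locked_out` events on one account.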

Privacy, Confidentiality, and Security References Lecture b

References

Allan, A. (2005). Password Aging Can Burden an Already-Weak Authentication Method. Stamford, CT: Gartner.

Anonymous. (1997). For the Record: Protecting Electronic Health Information. Washington, DC: National Academies Press.

Anonymous. (2002). Secure Hash Signature Standard. Gaithersburg, MD: National Institute for Standards and Technology. Retrieved Jan 2012 from http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf

Anonymous. (2008b). Mitigating medical identity theft. Journal of AHIMA, 79(7), 63-69. Retrieved Jan 2012 from http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_039058.hcsp?dDocName=bok1_039058

Daemen, J., & Rijmen, V. (2002). The Design of Rijndael: AES - The Advanced Encryption Standard. Berlin, Germany: Springer-Verlag.

Herzig, T. (Ed.). (2010). Information Security in Healthcare - Managing Risk. Chicago, IL: Healthcare Information Management Systems Society.

Pabrai, A. (2008, January 23). The Single Sign-On Solution. H&HN's Most Wired Magazine. Retrieved Jan 2012 from http://www.hhnmostwired.com/hhnmostwired_app/jsp/articledisplay.jsp?dcrpath=HHNMOSTWIRED/Article/data/Fall2007/080123MW_Online_Pabrai&domain=HHNMOSTWIRED

Rindfleisch, T. (1997). Privacy, information technology, and healthcare. Communications of the ACM, 40(8), 93-100.

Rothfeder, J. (1992). Privacy for Sale: How Computerization Has Made Everyone's Private Life An Open Secret. New York: Simon & Schuster.

Wagner, R., Allan, A., & Heiser, J. (2005). Eight Security Practices Offer More Value Than Password Aging. Stamford, CT: Gartner.

Charts, Tables, Figures

9.2 Chart. Flow of information in healthcare (Rindfleisch, 1997).

9.3 Chart. Health information security is a trade-off (CC BY-NC-SA 3.0, 2012).