Health Care Privacy, Confidentiality, and Security Lecture Insights

The Culture of Health Care Privacy, Confidentiality, and Security Lecture b This material (Comp 2 Unit 9) was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000015. This material was updated in 2016 by Bellevue College under Award Number 90WT0002. This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/.

Privacy, Confidentiality, and Security Learning Objectives Define and discern the differences between privacy, confidentiality, and security (Lecture a). Discuss methods for using information technology to protect privacy and confidentiality (Lecture b). Describe and apply privacy, confidentiality, and security under the tenets of HIPAA Privacy and Security rules (Lectures c and d). Discuss the intersection of a patient s right to privacy with the need to share and exchange patient information (Lecture d). 3

Concerns about Security Comprehensive overview (Herzig, 2010) Guide to Privacy and Security of Electronic Health Information (ONC & OCR, 2015) https://www.youtube.com/watch?v=phrXsdnh E7w Many points of leakage A problem for paper records, too Consequences of poor security Medical identity theft 4

Flow of Information in Health Care: Many Points to Leak 9.2 Chart. Flow of information in health care (Rindfleisch, 1997). 5

Security for Paper Records Is a Significant Problem Difficult to audit trail of paper chart Fax machines, scanners are easily accessible Records frequently copied for many reasons New providers, insurance purposes Records abstracted for variety of purposes Research Quality assurance Insurance fraud Medical Information Bureau (Rothfeder, 1992) 6

Potential Consequences of Poor Security According to Rindfleish (1997) Patients avoid health care Patients lie Providers avoid entering sensitive data Providers devise workarounds California Health Care Foundation (2005) 13% of consumers admit to engaging in privacy- protective behaviors that might put health at risk, such as o Asking doctor to lie about diagnosis o Paying for a test because they did not want to submit a claim o Avoid seeing their regular doctor 7

Medical Identity Theft AHIMA reported in 2008 a growing concern of general identity theft 2015 Medical Identity Fraud Alliance Annual Report Medical info more valuable than financial Costly to the victim Can be complex to solve over a long time HHS report outlines approaches to prevention, detection, and remediation (ONC & OCR, 2015) 8

Tools for Protecting Health Information Brought to wider light by IOM report For the Record (Committee on Maintaining Privacy and Security,1997) Guide to Privacy and Security of Electronic Health Information (ONC & OCR, 2015) NIST Critical Cybersecurity Infrastructure Framework SANS And many more . 9

Threats to Security Insider Accidental disclosure Curiosity Malicious/subornation Outsider Organized crime Hacktivists Cyber thieves 10

Technologies to Secure Information Deterrents Alerts Audit trails System management precautions Software management Analysis of vulnerability Obstacles Authentication Authorization Integrity management Digital signatures Encryption Firewalls Rights management 11

Encryption Necessary but not sufficient to ensure security Is a safe harbor under federal and state laws when data loss occurs Should, however, be used for all communications over public networks, such as the Internet, and with mobile devices Information is scrambled and unscrambled using a key Types: Symmetric and asymmetric Asymmetric, also known as public key encryption, can be used for digital certificates, electronic signatures, and so on 12

Standards for Encryption and Related Functions Advanced Encryption Standard (AES): NIST-designated standard for encryption/decryption (Daemen & Rijmen, 2002) Transport Layer Security (TLS) and predecessor, Secure Sockets Layer (SSL): Cryptographic protocols that provide security for communications over all points on networks (Rescorla, 2001) Internet Protocol Security (IPsec): Protocol for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream Part of IPv6 but also added as standalone on top of IPv4 Secure Hash Algorithm (SHA): Protocols that ensure integrity of transmitted information and documents (NIST, 2002) Security flaws have been identified in SHA-1, so SHA-2 family of protocols has been developed For more: Secure Hash Algorithm https://en.wikipedia.org/wiki/Secure_Hash_Algorithm NIST s Cryptographic Toolkithttp://csrc.nist.gov/groups/ST/toolkit/index.html 13

For the Record Best Practices (Committee on Maintaining Privacy and Security, 1997) Organizational Information & security governance Confidentiality and security policies and committees Education and training programs Sanctions Patient access to audit trails Management dashboards Risk management and compliance Technical Authentication of users Audit trails Physical security and disaster recovery Protection of remote access points and external communications Software discipline Ongoing system vulnerability assessment Infrastructure management 14

Authentication and Passwords Authentication: Process of gaining access to secure computer Usual approach is passwords ( what you know ), but secure systems may add physical entities ( what you have ) Biometric devices: Physical characteristic (e.g., thumbprint) Physical devices: Smart card or some other physical key Ideal password is one you can remember but no one else can guess Typical Internet user interacts with many sites for which he/she must use password single sign-on is commonly used Two-factor authentication 15

Some Challenges with Passwords Common approach to security is password aging (i.e., expiration), which is less effective than other measures (Wagner, Allan, & Heiser, 2005) Session-locking: One or small number of simultaneous logons Login failure lockout: After 3 to 5 attempts Password aging may also induce counterproductive behavior (Allan, 2005) 16

Health Information Security Is Probably a Trade-off 9.3 Chart. Health information security is a trade-off (CC BY-NC-SA 3.0, 2012). 17

A Need for Ongoing Research One of the four HITECH Strategic Healthcare IT Advanced Research Projects (SHARP) projects was focused on security: www.sharps.org Resources provided by ONC on many aspects of privacy and security Security risk assessments, mobile devices, to name a few NIST Many other initiatives 18

Other Issues to Ponder Who owns information? How is informed consent implemented? When does public good exceed personal privacy? e.g., public health, research, law enforcement What conflicts are there with business interests? How do we let individuals opt out of systems? What are the costs? When do we override? 19

Privacy, Confidentiality, and Security Summary Lecture b There are many points where information can leak out of the system Many technologies are available for protecting security Encryption is necessary but not sufficient Paper-based information has its own security problems 20

Privacy, Confidentiality, and Security References Lecture b References Allan, A. (2005). Password aging can burden an already-weak authentication method. Stamford, CT: Gartner. American Health Information Management Association. (2003). Flow of patient health information inside and outside the healthcare industry. Retrieved from http://library.ahima.org/PdfView?oid=22958 Bowe, Robin. (2013). Identity crisis: Organizations are implementing medical identity theft teams to combat rising incidents. Journal of AHIMA, 84(1), 38 42. California Health Care Foundation (CHCF). (2005). National consumer health privacy survey 2005. Oakland: CHCF. Retrieved from http://www.chcf.org/topics/view.cfm?itemID=115694 Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure. (1997). For the record: Protecting electronic health information. Washington, DC: National Academies Press. Retrieved from http://www.nap.edu/catalog/5595/for-the-record- protecting-electronic-health-information Daemen, J., & Rijmen, V. (2002). The design of Rijndael: AES The advanced encryption standard. Berlin, Germany: Springer-Verlag. Herzig, T. (Ed.). (2010). Information security in healthcare Managing risk. Chicago, IL: Healthcare Information Management Systems Society. Joint NEMA/COCIR/JIRA Security and Privacy Committee (SPC). (2004). Break glass procedure: Granting emergency access to critical ePHI systems. Retrieved from http://hipaa.yale.edu/ security/break-glass-procedure-granting-emergency-access-critical-ephi-systems 21

Privacy, Confidentiality, and Security References Lecture b Continued McNabb, J., & Rhodes, H. B. (2014). Combating the privacy crime that can KILL. Journal of AHIMA, 85(4), 26 29. National Academies Press (1997). For the record protecting electronic health information. Retrieved from https://www.nap.edu/read/5595/chapter/2#4 National Institute for Standards and Technology (NIST). (2015). Secure hash standard. Gaithersburg, MD: National Institute for Standards and Technology. Retrieved from http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf National Institute of Standards and Technology (NIST). (2014). Cryptographic toolkit. Retrieved from http://csrc.nist.gov/groups/ST/toolkit National Institute of Standards and Technology (NIST). (2014). Framework for improving critical infrastructure cybersecurity. Retrieved from http://www.nist.gov/cyberframework/upload/ cybersecurity-framework-021214.pdf Office of the National Coordinator for Health Information Technology (ONC) & Office for Civil Rights (OCR). (2015). Guide to privacy and security of electronic health information. Retrieved from https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf Pabrai, A. (2008, January 23). The single sign-on solution. H&HN s Most Wired Magazine. Ponemon Institute. (2015). Fifth annual benchmark study on privacy and security of healthcare data. Retrieved from https://www2.idexpertscorp.com/fifth-annual-ponemon-study-on-privacy-security- incidents-of-healthcare-data 22

Privacy, Confidentiality, and Security References Lecture b Continued 2 Rescorla, E. (2001). SSL and TLS: Designing and building secure systems. Boston: Addison Wesley. Rindfleisch, T. (1997). Privacy, information technology, and healthcare. Communications of the ACM, 40(8), 93 100. Rothfeder, J. (1992). Privacy for sale: How computerization has made everyone s private life an open secret. New York: Simon & Schuster. The SANS Institute. (2016). About (SANS). Retrieved from https://www.sans.org/about Wagner, R., Allan, A., & Heiser, J. (2005). Eight security practices offer more value than password aging. Stamford, CT: Gartner. Wikipedia. (2016). Secure hash algorithm. Retrieved from https://en.wikipedia.org/wiki/Secure_Hash_Algorithm Charts, Tables, Figures 9.2 Chart. Flow of information in health care (Rindfleisch, 1997). 9.3 Chart. Health information security is a trade-off (CC BY-NC-SA 3.0, 2012). 23

The Culture of Health Care Privacy, Confidentiality, and Security Lecture b This material was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000015. This material was updated in 2016 by Bellevue College under Award Number 90WT0002. 24