ARPANET
later became the Internet
Larry Roberts
developed the ARPANET from its inception; founder of the ARPANET
MULTICS
first operating system that had security integrated into its core functions
physical security
addresses the issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse
information security
the protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing or transmission, via the application of policy, education, training and awareness, and technology
access
a subject or object’s ability to use, manipulate, modify, or affect another subject or object
asset
the organizational resource that is being protected
two types of assets
logical and physical
logical asset
website, software information, data
physical asset
person, computer system, hardware
attack
an intentional or unintentional act that can damage or otherwise compromise information and the systems that support it; can be active or passive, intentional or unintentional, direct or indirect
type of attack
a hacker remotely compromises a server in order to acquire information
exploit
a technique used to compromise a system
subject and objects of an attack
a computer is the subject when it is used to attack another computer
authenticity
the quality or state of being genuine or original, rather than a reproduction or fabrication
information system
the entire set of hardware, software, data, people, procedures, and networks that enables the use of information resources within an organization
systems development life cycle (SDLC)
a methodology for the design and implementation of an information system
waterfall model
each phase begins with the results and information gained from the previous phase, and its own results flow into the next phase
chief information security officer (CISO)
primarily responsible for assessment, management, and implementation of IS in the organization
systems administrators
responsible for administering systems that house information
inpatient
patient stay in healthcare facility more than 24 hours
outpatient/ambulatory care
patients not formally admitted to a healthcare facility
exception of outpatient
patients can be placed on observation status for up to 48 hours
payers
aka third party payers
types of payers
uninsured, self-pay, indigent care
providers
healthcare institution that provides services to patients, or a person who is a healthcare professional (HCP)
types of providers
hospitals, specialized clinics, home healthcare
integrated delivery system
multiple providers (inpatient and outpatient) organize into a coordinated system of clinics and hospitals
stakeholders
those with an interest in a healthcare organization who can impact the healthcare organization
private payers: indemnity insurance
based on fee-for-service
patient gets seen, pays for visit at the point of care, and submits claim to insurance company for reimbursement
fully insured plans
employer buys insurance from an insurance company; the insurance company assumes the financial risk based on what is paid out vs. collected premiums
self-funded plans
employer operates (funds) its own health plan, employer has more risk if more claims need to be paid than expected
managed care: HMO
patient pays a fixed amount, patient can get care from this plan’s providers for free except copay for prescriptions
managed care: PPO
fee-for-service; patient has more choices, higher deductibles, higher coinsurance payments; if the patient chooses this plan's provider → discounted care; if the patient chooses a provider not in this plan → service is not covered as much
managed care: POS
HMOs + PPOs
patient chooses in-network primary care physician (PCP)
patient can choose an out-of-plan provider → care is covered more if the PCP refers the new provider
managed care: HDHP/SO
aka health savings account (HSA)
patient pays low premium and gets catastrophic coverage (major medical)
high deductible for all visits up to catastrophic coverage; patient saves $ before tax in a special account to pay any deductibles
Medicaid
each US state allocates money received from the federal government; provides medical assistance to the nonelderly, low income, and disabled
Medicare
funded & administered by the fed gov
for people 65+ and those younger than 65 but with long-term disabilities; no qualifications related to income
claims processing
involves a third-party payer for healthcare services; pre-approval is required (third-party payer must authorize doctor visit)
medical billing
the process of submitting claims with health insurance companies in order to receive payment for services rendered by a healthcare provider
medical devices
any item that a provider uses to diagnose, prevent, monitor, or treat
local area network (LAN)
the backbone of any information technology architecture; describes the cabling and interconnections; various data is transferred across this
EHR
an individual patient’s medical record in digital format
patient demographics, medical history, progress reports & provider notes, lab test results, procedure and test appointments, radiology images, prescribed and administered medications
personal health record (PHR)
not the same thing as an EHR, helps patients with remembering medical history, allows patient to have timely and accurate information
clinical workflows
describes processes and actions used to deliver care; describes how data moves through an information system, by whom, to whom, when, and how often
coding
the transformation of clinical workflow from any type of description in narrative or words into numerical data sets/codes that are used for documenting disease description, injuries, symptoms
Health Level 7 (HL7)
a protocol developed to enable different information systems to exchange data using a standard
HL7 function
allows different healthcare organizations to send clinical information that wouldn't normally be available because their systems weren't compatible
DICOM
promotes interoperability of medical imaging equipment by specifying protocols required for transferring digital images across a network
information life-cycle
create, retain, maintain, use, dispose
creation
information must be available, reliable, and concise from the source
retention
policies are required to establish the length of time records are useful, after which outdated records are discarded
maintenance
records must be stored and protected with availability to providers
use
information is to be used in a manner consistent with the reasons it was collected
disposal
data is destroyed; the stage most vulnerable to data breach
overwriting
covering up old data with new data
degaussing
erasing the magnetic field of storage media
physical destruction
paper or digital shredding or incineration
defining a legal medical record
no such standard exists, an individual’s organization is required to define the contents for itself
integrating healthcare enterprise
focuses on how organizations implement EHR standards; does NOT develop new/additional standards but supports the use of existing standards
administering third parties: data sharing agreement
describes access and expectation for a third party to use patient info for a healthcare organization; includes the time that the data sharing will happen, what the third party can access, how the data will be used and disposed of
main goal: to protect the healthcare organization
identifiable info
name, ID number, SSN, IP address, phone number, vehicle registration number, car title number, DOB, race, religion, weight
who owns health information?
no one, not even patients
legal rights of patients
to access their health info, to learn about disclosures of their health information (how it’s used and disclosed)
tort law
civil acts done to a patient
invasion of privacy is included here
malpractice
negligence by a healthcare provider; does not involve information security
joint commission regulators
accredits healthcare organizations on standards of practice
some areas of reimbursement are linked to being accredited by this
policies
clear, simple statements of how an organization conducts business and healthcare operations
aka directives, regulations, plans
policy elements
supplemented, dated, visible, supported by management, consistent
supplemented/dated
generally not re-issued
supplemented with improvements or additional parameters → a new version
visible (policy)
have to be available to the organization
supported by management (policy)
violations of policies have consequences, supported via overt action, can’t be ignored
consistent (policy)
shouldn't conflict with laws/directives, shouldn't make employees violate laws
procedures
how a policy will be put into action
called Standard Operating Procedures (SOPs)
release of information
use & disclosure, minimum necessary rules, patient rights, organizational controls and safeguards, right to revoke or opt out
use and disclosure
how info is shared, who it’s shared with, and when patient consent is needed
minimum necessary rules
efforts to disclose only what is needed
patient rights
inform patients about their rights concerning their information and how it's released to other entities
organizational controls and safeguards
security of PHI during business and clinical workflow interruptions
right to revoke or opt out
allow patient to change their mind about who can access their information
notice of privacy practices
the healthcare organization is legally obligated to protect patient information
user agreement
acknowledge understanding and willingness to comply with training, policy, or other regulatory requirements
user agreement includes
access to PHI intended only for authorized users and legitimate purposes
users allow the system to monitor their use
users must protect and not share access credentials
training must be done before accessing the system
incident reporting policy
specifies and addresses actions to be taken when data loss has happened
sanction policy
disciplines employees who violate procedures for handling PHI
governance: configuration control board
helps organizations implement and manage information technology like LAN and software
information asset
a body of information (data) managed by a single entity so it can be protected and utilized effectively and efficiently, e.g. PHI
data incident response team (governance frameworks)
prepares for and deals with incidents; should assess before data loss occurs
institutional review board (governance)
formal committee that approves, monitors, and reviews biomedical and behavioral research involving humans
main goal: to protect human subjects from physical & psychological harm