Security, Privacy and Confidentiality

Doctors and Public Health are the guardians of public trust, and the primary users of confidential health information. So, it is our job to ensure confidentiality is maintained, if we want continued use of the data, and continued public trust.

The aim here is not to create security experts, but to create familiarity with the topic, and to offer a reference for the future.
Privacy
“The right of individuals to hold information about themselves in secret, free from the knowledge of others.” Individuals choose what is revealed about themselves.

Confidentiality
“The assurance that information about identifiable persons, the release of which would constitute an invasion of privacy for any individual, will not be disclosed without consent except as allowed by law.” Private information shall not be disclosed.

Security
“The mechanisms by which confidentiality policies are implemented in computer systems, including provisions for: access control, authentication, and availability.” The ways in which private information is kept confidential.
US Culture Around Confidentiality and Privacy

Values and Cultural Norms
- Canada: “Peace, Order, and Good Government”
- US: “Liberty and Justice for All”: Individuality, Privacy, Minimal Government Role

Risks
- Private Health Insurance: Stratified by risk factors; Priced to include risk; Government back-up system for poor
- Mostly funded through employers: A sick employee can be very expensive, especially to a small company; Companies can’t discriminate (ADA)
Fair Information Practices

1. Relevance
All information collected should be necessary and relevant to public health or required by law.
- individuals entitled to privacy
- benefits of information should outweigh privacy concerns
- collection not overly burdensome, intrusive, or coercive

2. Integrity
The integrity of information should be protected.
- prevent loss, interception, misuse
- maintain accurate, complete, timely data
- no unauthorized alteration or destruction

3. Written Purpose
All information collected should be consistent with written public health purposes and/or required by law.
- databases must have written purpose(s)
- usage restricted to stated purpose(s)
- linkage of databases considered a new database

4. Need-to-Know Access
All confidential information should be accessible only on a need-to-know basis, both internally and externally.
- confidentiality agreements for all personnel
- access terminated when duties change
- no re-disclosure
- external release for research requires IRB approval

5. Correction
Individuals should have access to information about themselves and the ability to correct this information to the extent allowed by law.
- maintain public list of all databases: name of database; description of information included; information sources (non-confidential)
- disputed data must be marked

6. Consent
Information must be collected with the consent of the individual except as required by law.
- informed consent: purpose of information collection; data protections in place; consequences of withholding information
- no consent if waived by law
Policies and Procedures

Fair Information Practices: Relevance; Integrity; Written Purpose; Need-to-Know Access; Correction; Consent

Data Release Restrictions
- Review requests for data for compliance with confidentiality policies
- De-identify data (?)
- Consider denominator (?)

Personnel Agreements
All personnel to sign confidentiality agreements periodically:
- Definition of confidential information
- Need-to-know access only
- No re-disclosure
- If questions, ask supervisor
- Breach will result in disciplinary action
- Confidentiality must be maintained indefinitely

Special provisions for database/system administrators:
- Information used only as needed for administration of computer system
- Access granted to others only in accordance with established policies and procedures
- Disciplinary action for violations may be termination on first offense
Legislation
- 1974 Privacy Act protected data: Medicare and Federal Child Insurance beneficiaries
- HIPAA: Privacy; Consent

Health Insurance Portability & Accountability Act (HIPAA)
US Federal Law, August 21, 1996
Authorizes the Department of Health & Human Services to regulate 4 aspects of health information: Standards for administrative transactions and code sets; National Identifiers; Privacy; Security

Goal for Privacy Compliance
Restrict the use and disclosure of PHI to only those who need to know, and then only the minimum information necessary, OR avoid the restriction by de-identifying the PHI.
Privacy -- General Rule 1
A covered entity may not use or disclose Protected Health Information (PHI) except:
- with individual consent, for treatment, payment or healthcare operations, or other purposes
- without consent or authorization for governmental and other specified purposes

Protected Health Information
Protected health information (PHI) is information relating to:
- an individual’s health status or condition
- furnishing health care services to an individual
- paying or administering health care benefits to an individual
and that identifies an individual, or where there is reasonable basis to believe the information can be used to identify an individual.

De-Identification
- The privacy rule does not apply to health information that has been de-identified.
- A qualified person must determine that the risk of re-identification is minimal, OR
- One may assert that PHI has been de-identified if a specified list of identifiers is removed.
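As an added illustration (not part of the original slides), the following Python applies a Safe Harbor style de-identification to a constructed patient record: direct identifiers are dropped, the ZIP code is truncated to three digits, dates are reduced to the year, and ages over 89 are bucketed. The field names and the sample record are assumptions of this example; the specified identifier list in the rule is longer than the handful shown here.

```python
from datetime import date

# Direct identifiers removed outright. These field names are an assumption of
# this example; the categories follow the Safe Harbor list (names, contact
# details, record and account numbers, device and network identifiers).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "ip_address",
}

def generalize_zip(zip_code: str) -> str:
    """Keep only the first three digits of a ZIP code (the Safe Harbor rule
    additionally requires 000 for sparsely populated areas; that population
    check is omitted here)."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    return digits[:3] + "00" if len(digits) >= 3 else "000"

def generalize_age(birth: date, today: date) -> str:
    """Age in whole years; ages over 89 collapse into a single 90+ bucket."""
    age = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        age -= 1
    return "90+" if age > 89 else str(age)

def deidentify(record: dict, today: date) -> dict:
    """Return a copy of record with identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                        # drop direct identifiers
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key == "birth_date":
            out["age"] = generalize_age(value, today)   # birth date -> age
        elif isinstance(value, date):
            out[key] = str(value.year)      # other dates: keep year only
        else:
            out[key] = value                # clinical content is kept
    return out

# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Example", "mrn": "000123", "phone": "206-555-0100",
    "zip": "98195", "birth_date": date(1930, 5, 2),
    "admit_date": date(2024, 3, 14), "diagnosis": "pertussis",
}
TODAY = date(2024, 6, 1)
if __name__ == "__main__":
    print(deidentify(SAMPLE, TODAY))
```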
Protected Health Information
- The standards apply to the information rather than the record system in which the information is kept
- Includes information in any form -- electronic, paper, and oral

Essential Responsibilities
Privacy -- Controls for use/disclosure of PHI
- Notify patients of information practices
- Provide patient access to records
- Obtain consent or authorization
- Restrict and log use or disclosure: minimum necessary information; entity privacy policy & practices; patient restrictions; business associate contracts; other applicable statutes
- Provide management oversight and response to minimize threats and ameliorate breaches
Privacy -- General Rule 2
A covered entity may not use or disclose Protected Health Information (PHI) except:
- with individual consent for treatment, payment or healthcare operations, or other purposes
- without consent or authorization for governmental and other specified purposes

Consent for Treatment
Treatment includes:
- providing,
- coordinating, or
- making a referral for health care

Consent for Payment
Payment includes:
- Health plan activities to determine payment responsibilities and to make payments
- Provider activities to obtain reimbursement

Consent for Health Care Operations
- Peer review, education, accreditation, certification, licensing, and credentialing
- Quality assessments and improvement activities

More Operations…
- Population based activities for: improving health, reducing costs, developing protocols, case mgmt & care coordination, provider/patient outreach for treatment alternatives & available
- Business planning and development activities: cost mgt & planning analysis, formulary development & administration, developing payment methods and coverage benefit programs
- Auditing & compliance activities, fundraising, marketing
- Resolution of internal grievances, including disputes about provider quality of care from patients
- Customer service, including statistical analyses for policy holders, or plan sponsors, as long as the PHI itself is not disclosed without authorization

Consent Requirements
- Required at outset of care or enrollment
- Is a general consent and must be written in plain language
- Informs the patient of: the privacy practices; the patient’s right to request additional restrictions; the patient’s right to revoke consent for future actions
- Must be signed and dated
Privacy -- General Rule 3
A covered entity may not use or disclose Protected Health Information (PHI) except:
- with individual consent for treatment, payment or healthcare operations
- with individual authorization for other purposes
- without consent or authorization for governmental and other specified purposes

Public Health
One is permitted to disclose PHI:
- To a public health authority that is authorized by law to collect or receive the information for purposes:
  - prevent or control disease
  - reporting of disease, injury, vital stats
  - public health surveillance, investigations or interventions, or to a foreign agency cooperating with a public health authority
  - child abuse or neglect, and to other authority authorized to receive such information
- To an FDA official:
  - report adverse events relating to food or dietary suppl.
  - product defects or problems
  - biological deviations
  - to track products
  - to enable product recalls, repairs & replacements
  - to conduct post marketing surveillance for FDA compliance
- To a person who may be at risk of contracting or spreading a communicable disease, provided the CE or PHA is authorized by law to make such contact
- To an employer about a healthcare workforce member under certain restrictions:
  - for purposes of recording work-related illness, injuries or workplace surveillance
  - if employer is required by law to record such information
  - if CE notifies the individual of the employer disclosure
Research
IRB:
- Must follow the Common Rule and normal review procedures -- CFR
Privacy Board:
- Normal Review: must review at a regular meeting with a quorum, with at least one unaffiliated member present
- Expedited Review: may be used when research involves only minimal privacy risk to individuals; review must be performed by Board Chair or designees

Other Provisions
- Minimum necessary disclosure
- Patient Rights/Notice

Patient Rights
Describe rights to:
- Have notice of CE privacy practices
- Restrict disclosure
- Inspect and copy records
- Request correction or amendment
- Receive an accounting of authorized disclosures
- Request alternative communication methods
- Submit a complaint about privacy practices

Required Notice
Notice: “HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY”
- Describe, using examples, uses and disclosures involved with treatment, payment, health care operations
- Describe other uses and disclosures with sufficient detail to put patient on notice of what may be disclosed
- Provided to patient in a number of ways:
  - Posted in facility and copies available for patients
  - Posted on website
  - Mailed or emailed at first appointment for service
Privacy Enforcement
HHS Office for Civil Rights (OCR): Discretionary enforcement based on
- Harm done
- Willingness to achieve compliance
- Delay enforcement to permit compliance where violation is due to reasonable cause

Data at risk when:
- On any computer
  - On your desktop computer
  - On a server
- Traveling between them:
  - Web
  - Email
  - File Transfer
  - Authentication
  - Content Encryption
Introduction to Networking

What is a network?
A collection of computers. But… how do they communicate?

Types of Networks
- Batch: “once a day” connections, intermittent; e.g., UUCP
- Private: Leased lines, dedicated wires
- The Internet: TCP/IP, public interconnection of many networks

Simple Network
- Can use “internet protocols”
- Does not need to be interconnected
- So, not “using the Internet”, but… using “an Internet connection”
- Synonymous with “TCP/IP”

ISO/OSI (7 layer) Model
International Organization for Standardization, Open Systems Interconnection Model. Example stack, from top to bottom:
- Internet Explorer (application)
- TCP
- IP
- Ethernet
- Copper wires

TCP/IP
TCP (Transmission Control Protocol):
- Higher level
- Handles connections between machines
- Opens channel, groups data into packets, makes sure they arrive, etc.
IP (Internet Protocol):
- Lower level
- Routing between networks
- Packet transmission details
IP Addresses: Domain Name Service
www.washington.edu => some IP address

Present - IPv4
- 4-number addressing: 128.95.10.1
- Shortage of addresses (4.3 billion)
- Complex routing tables
- NAT destroys routing information

New – IPv6
- 3.4 x 10^38 addresses (256(?) per m² of earth surface)
- Allows end to end connection with complete routing information
TCP/UDP
IP: Internet Protocol
- Low level
TCP: Transmission Control Protocol
- Makes sure data arrives
- Proper order of data maintained
- Web pages, file transfers, email, etc.
UDP: User Datagram Protocol
- Simple, fast
- No guaranteed order, or even delivery
- Video, audio, etc.

Ports
- For each connection, TCP or UDP
- Numbered 1-64K
- Many assigned to specific protocols:
  - 80 – Web (http)
  - 443 – Secure Web (https)
  - 21 – FTP file transfer, 23 – Telnet, 22 – SSH
  - 110 – POP3 email, 25 – SMTP email sending
TCP/IP Network Security
Two Major Categories:
- Traffic regulation: methods which regulate what packets may transit the network
- Transit security: methods used to secure data as it transits a network

Traffic Regulation
- Routers: Network address translation; Port Filtering
- Firewalls: Application Proxy; Host based Firewalls

Routers
Network Address Translation
- Several computers share a single IP
- “Hides” the specific computer’s address
Port Forwarding
- Ports may be routed to specific machines
Port Filtering
- May block incoming and outgoing

Firewalls
Application Proxy
- Knows about the protocol for a specific service
- Inspects data to ensure it “fits” the pattern
- Delivers data if service is allowed
Packet Inspection Firewalls
- State: Incoming packet must match outgoing request
- Session: Network activity permitted until connection ended
- May record any or all activity
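As an added example (not from the original slides), this Python simulation shows the state and session rules above: an inbound packet passes only if it matches a request an inside host sent out, or arrives on a port that static port filtering has opened; every decision is logged, and a finished session is forgotten so a late reply is dropped. The inside prefix, the documentation-range addresses and the packets are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFilter:
    def __init__(self, inside_prefix: str, allowed_inbound_ports: set[int]):
        self.inside_prefix = inside_prefix            # e.g. "10.0.0." (constructed)
        self.allowed_inbound = allowed_inbound_ports  # static port filtering
        self.sessions: set[tuple] = set()             # outbound requests seen
        self.log: list[str] = []                      # "may record any or all activity"

    def _is_inside(self, addr: str) -> bool:
        return addr.startswith(self.inside_prefix)

    def handle(self, pkt: Packet) -> bool:
        """Return True if the packet may pass; append a log line either way."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            self.sessions.add(key)          # outbound: remember the request
            verdict = True
        elif not self._is_inside(pkt.src):
            # Inbound: a reply has the request's addresses and ports swapped.
            reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            verdict = reply_of in self.sessions or pkt.dport in self.allowed_inbound
        else:
            verdict = True                  # inside-to-inside is not filtered
        action = "ALLOW" if verdict else "DROP"
        self.log.append(f"{action} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return verdict

    def end_session(self, pkt: Packet) -> None:
        # Session rule: once the connection has ended, forget the request.
        self.sessions.discard((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

def demo() -> list[bool]:
    fw = StatefulFilter("10.0.0.", allowed_inbound_ports={443})
    req = Packet("tcp", "10.0.0.5", 51000, "203.0.113.7", 80)      # inside host browses out
    reply = Packet("tcp", "203.0.113.7", 80, "10.0.0.5", 51000)    # matching reply
    probe = Packet("tcp", "198.51.100.9", 4444, "10.0.0.5", 23)    # unsolicited telnet
    web = Packet("tcp", "198.51.100.9", 4444, "10.0.0.2", 443)     # published HTTPS port
    results = [fw.handle(p) for p in (req, reply, probe, web)]
    fw.end_session(req)
    results.append(fw.handle(reply))   # same reply after the session ended
    return results
```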
Host-based Firewalls
- Security by the end user
- Typically just port filtering and logging?
- Function on Host Computer
- ZoneAlarm – Free - http://www.zonelabs.com
- McAfee Firewall
- Symantec/Norton
- BlackICE Defender
Transit Security
Secure data as it travels the network
- Virtual Private Networks (VPN): An encrypted “tunnel”; Low level (IP)
- Packet Level Encryption: Transport level (TCP)

Virtual Private Networks
- Connects two networks over a public channel
- Typically encrypted
- Can “tunnel” or “encapsulate” TCP/IP, or PPP, SLIP (dialup)
- Support many protocols
- Makes the networks appear to be in the same place (similar IP addresses).

VPN Encryption Methods
- PPTP: Point to Point Tunneling Protocol; Microsoft Implementation; Less reliable password encryption
- L2TP: Layer 2 Tunneling Protocol; Better transmission speed; Combined with IPSec – IP level security
- SSH: Packet level encryption that also tunnels PPP

Packet Level Encryption
- Encrypted authentication
- Encrypted application level protocols: telnet, http, pop, ftp, etc.
- Programs must be changed (but minimally)
- Presents authenticated, encrypted application protocol to programs

VPN Benefits/Costs vs. Packet Level
+ Easy access to all network services
+ No change to applications
- Increased hardware costs
- Increased network load
- Once hacker is in, they have all local network access, not restricted by application
Network Security
Data traveling between computers:
- Email
- Web Access & Login
- File transfer
- Authentication
- Content Encryption
Computer Security
On any computer:
- Physical Security
- Data Security
- Desktop Computers
- Servers

General Security Issues
Physical Security
- Who has access to the Desktops and Servers?
- Don’t put the Server in a vacant office! (put it behind a locked door!)
Data Security
- Can the data be changed?
- Do you know who changed it and when (audit trail)?
- Is there any chance it can be deleted forever?
Security on a Desktop Computer
- Cookies
- Viruses, Worms: Email (macro); File; Boot; Network
- Trojan Horses, Trap Doors
- Bots, Spyware

Cookies
- Files placed on your disk by a web page
- Can only be read by the site that put them there
- Expire after some period of time
- Used to maintain session information or information on user between sessions
- Have a bad reputation, poorly understood
- Should be pretty harmless
- But, bug in IE 4,5 (not 5.5) lets other web pages read them! Patch available from MS

Viruses
- Worms
- Trojan Horses
- Macro Viruses
- File Viruses
- Boot Viruses
- Network Viruses
- Bots, Spyware
Security on a Server
- CERT
- Security Pearls
- 4 Risks to Patient Data
This project is a joint effort of the University of Washington School of Public Health and Community Medicine.