INTERNATIONAL INFORMATICS COURSE - APEC


Security, Privacy and Confidentiality

 

Table of Contents:

  • Privacy & Confidentiality

  • Security

* Privacy & Confidentiality

Doctors and public health practitioners are the guardians of public trust and the primary users of confidential health information. So it is our job to ensure confidentiality is maintained if we want continued use of the data and continued public trust.

The aim of this section is:

  • not to create security experts, but

  • to create familiarity with the topic, and

  • to offer a reference for the future

Privacy [Slide1]

“The right of individuals to hold information about themselves in secret, free from the knowledge of others.” Individuals choose what is revealed about themselves.

Confidentiality [Slide2]

“The assurance that information about identifiable persons, the release of which would constitute an invasion of privacy for any individual, will not be disclosed without consent except as allowed by law.” Private information shall not be disclosed.

Security [Slide3]

“The mechanisms by which confidentiality policies are implemented in computer systems, including provisions for: access control, authentication, and availability.”  The ways in which private information is kept confidential.

US Culture Around Confidentiality and Privacy

Values

Cultural Norms [Slide4]

  • Canada:  “Peace, Order, and Good Government”

  • US: “Liberty and Justice for All”: Individuality, Privacy, Minimal Government Role

Risks

  • Private Health Insurance: Stratified by risk factors; Priced to include risk; Government back-up system for the poor

  • Mostly funded through employers: A sick employee can be very expensive, especially to a small company; Companies can’t discriminate (ADA)

Fair Information Practices [Slide5]

1. Relevance

All information collected should be necessary and relevant to public health or required by law.

  • individuals entitled to privacy

  • benefits of information should outweigh privacy concerns

  • collection not overly burdensome, intrusive, or coercive

2. Integrity

The integrity of information should be protected.

  • prevent loss, interception, misuse

  • maintain accurate, complete, timely data

  • no unauthorized alteration or destruction

3. Written Purpose

All information collected should be consistent with written public health purposes and/or required by law.

  • databases must have written purpose(s)

  • usage restricted to stated purpose(s)

  • linkage of databases considered a new database

4. Need-to-Know Access

All confidential information should be accessible only on a need-to-know basis, both internally and externally.

  • confidentiality agreements for all personnel

  • access terminated when duties change

  • no re-disclosure

  • external release for research requires IRB approval

5. Correction

Individuals should have access to information about themselves and the ability to correct this information to the extent allowed by law.

  • maintain public list of all databases

  • name of database

  • description of information included

  • information sources (non-confidential): disputed data must be marked

6. Consent

Information must be collected with the consent of the individual except as required by law.

  • informed consent: purpose of information collection; data protections in place; consequences of withholding information

  • no consent if waived by law

Policies and Procedures

Fair Information Practices

  • Relevance

  • Integrity

  • Written Purpose

  • Need-to-Know Access

  • Correction

  • Consent

Data Release Restrictions

  • Review requests for data for compliance with confidentiality policies

  • De-identify data (?)

  • Consider denominator (?)

Personnel Agreements[Slide6]

All personnel to sign confidentiality agreements periodically

  • Definition of confidential information

  • Need-to-know access only

  • No re-disclosure

  • If questions, ask supervisor

  • Breach will result in disciplinary action

  • Confidentiality must be maintained indefinitely

Special provisions for database/system administrators

  • Information used only as needed for administration of computer system

  • Access granted to others only in accordance with established policies and procedures

  • Disciplinary action for violations may be termination on first offense

Legislation

  • 1974 Privacy Act protected data: Medicare and Federal Child Insurance beneficiaries

  • HIPAA: Privacy; Consent

Health Insurance Portability & Accountability Act (HIPAA) [Slide7]

  • US Federal Law August 21, 1996

  • Authorizes the Department of Health & Human Services to regulate 4 aspects of health information: Standards for administrative transactions and code sets; National Identifiers; Privacy; Security

Goal for Privacy Compliance

Restrict the use and disclosure of PHI to only those who need to know and then only the minimum information necessary OR Avoid the restriction by de-identifying the PHI

Privacy -- General Rule 1 [Slide8]

A covered entity may not use or disclose Protected Health Information (PHI) except:

  • with individual consent, for treatment, payment or healthcare operations, or other purposes,

  • without consent or authorization for governmental and other specified purposes

Protected Health Information

Protected health information (PHI) is information that relates to:

  • an individual’s health status or condition

  • furnishing health care services to an individual

  • paying or administering health care benefits to an individual

and that identifies an individual, or where there is a reasonable basis to believe the information can be used to identify an individual.

De-Identification [Slide9]

  • Privacy rule does not apply to health information that has been de-identified

  • Qualified person must determine that the risk of re-identification is minimal, or

  • One may assert that PHI has been de-identified if a specified list of identifiers is removed
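The second route above, removing a specified list of identifiers, is HIPAA's Safe Harbor method. The following is an added illustration, not code from the lecture: it applies the Safe Harbor treatment to a constructed patient record (drop direct identifiers, keep only the first three ZIP digits, keep only the year of dates, collapse ages over 89 into "90+") and then scans the remaining free text for identifiers that the structured pass missed. The field names, the sparse-ZIP prefix set and the regex patterns are this example's own assumptions.

```python
import re
from datetime import date

# Fields that the Safe Harbor method removes outright. The field names are this
# example's own assumed record schema, not names taken from the regulation.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric_id", "photo",
}

# Three-digit ZIP prefixes whose population is too small to keep must become
# "000". This set is a constructed stand-in, not the real Census-derived list.
SPARSE_ZIP3_PREFIXES = {"036", "059", "102", "203"}

# Patterns used to catch identifiers left behind in free text (constructed).
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}

def generalize_zip(zip_code: str) -> str:
    """Keep only the first three digits, or '000' for sparsely populated prefixes."""
    zip3 = zip_code[:3]
    return "000" if zip3 in SPARSE_ZIP3_PREFIXES else zip3

def age_on(birth: date, as_of: date) -> int:
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))

def safe_harbor_deidentify(record: dict, as_of: date) -> dict:
    """Return a copy of `record` with Safe Harbor identifiers removed or generalized.

    Dates directly related to the individual keep only their year; ages over 89
    collapse into a single '90+' category and the birth year is dropped as well,
    since the year alone would reveal such an age.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                      # dropped outright
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "birth_date":
            age = age_on(value, as_of)
            if age >= 90:
                out["age"] = "90+"
            else:
                out["age"] = str(age)
                out["birth_year"] = str(value.year)
        elif isinstance(value, date):     # admission, discharge, death dates, ...
            out[field.replace("_date", "_year")] = str(value.year)
        else:
            out[field] = value
    return out

def scan_residual_identifiers(record: dict) -> list:
    """Names of string fields that still look like they carry an identifier.

    Removing structured fields is not enough: free-text notes often repeat a
    phone number or e-mail address, and a record is not de-identified while such
    text remains. A hit here means the field needs manual scrubbing.
    """
    hits = []
    for field, value in record.items():
        if isinstance(value, str) and any(p.search(value) for p in RESIDUAL_PATTERNS.values()):
            hits.append(field)
    return hits

# Constructed sample records; no real patient data.
AS_OF = date(2002, 3, 4)
SAMPLE_RECORDS = [
    {
        "name": "Jane Example",
        "medical_record_number": "MRN-0001",
        "email": "jane@example.org",
        "zip": "98105",
        "birth_date": date(1930, 6, 15),
        "admission_date": date(2002, 3, 4),
        "state": "WA",
        "diagnosis_code": "J18.9",
        "notes": "Patient reports cough. Callback 206-555-0199.",
    },
    {
        "name": "Old Example",
        "zip": "03601",
        "birth_date": date(1910, 1, 1),
        "diagnosis_code": "I10",
        "notes": "No residual identifiers here.",
    },
]

def deidentify_samples() -> list:
    return [safe_harbor_deidentify(r, AS_OF) for r in SAMPLE_RECORDS]

if __name__ == "__main__":
    for cleaned in deidentify_samples():
        print(cleaned, "residual:", scan_residual_identifiers(cleaned))
```

The residual scan is the practitioner's check: the first sample record comes out of the structured pass clean, yet its notes field still carries a callback number, so the record must not be released as "de-identified" until that text is scrubbed.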

Protected Health Information

  • The standards apply to the information rather than the record system in which the information is kept

  • Includes information in any form -- electronic, paper, and oral

Essential Responsibilities

Privacy -- Controls for use/disclosure of PHI

  • Notify patients of information practices

  • Provide patient access to records

  • Obtain consent or authorization

  • Restrict and Log use or disclosure: minimum necessary information

  • entity privacy policy & practices; patient restrictions; business associate contracts; other applicable statutes

  • Provide management oversight and response to minimize threats and ameliorate breaches
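The need-to-know principle (section 4 of the Fair Information Practices above) and the "restrict and log use or disclosure: minimum necessary" responsibility just listed fit together in one mechanism: every request for PHI is checked against the requester's current duties and every attempt, granted or denied, is logged. The following is an added example and not code from the lecture; the roles, the field sets per role and the sample record are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed example policy: the fields each role may see, i.e. the "minimum
# necessary" for that role's duties. Nothing here is the lecture's own list.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "epidemiologist": {"diagnosis_code", "onset_date", "county"},
    "billing": {"account_number", "procedure_codes"},
    "sysadmin": set(),   # keeps the system running; needs no clinical content
}

@dataclass
class Worker:
    user_id: str
    role: str
    agreement_signed: bool = False   # periodic confidentiality agreement on file

@dataclass
class AuditEntry:
    user_id: str
    record_id: str
    purpose: str
    fields: List[str]
    outcome: str                      # "granted" or "denied: <reason>"

class PhiStore:
    """Holds PHI and releases only the fields a requester needs, logging every attempt."""

    def __init__(self, records: Dict[str, dict]):
        self._records = records
        self.audit: List[AuditEntry] = []

    def _log(self, worker: Worker, record_id: str, purpose: str, fields: Set[str], outcome: str) -> None:
        self.audit.append(AuditEntry(worker.user_id, record_id, purpose, sorted(fields), outcome))

    def access(self, worker: Worker, record_id: str, purpose: str, fields: Set[str]) -> Optional[dict]:
        """Return the requested fields, or None (with the reason logged) when denied."""
        allowed = ROLE_FIELDS.get(worker.role)
        if allowed is None:
            reason = "denied: access terminated"          # no current duties on file
        elif not worker.agreement_signed:
            reason = "denied: no confidentiality agreement"
        elif not fields <= allowed:
            reason = "denied: exceeds need-to-know (" + ", ".join(sorted(fields - allowed)) + ")"
        elif record_id not in self._records:
            reason = "denied: no such record"
        else:
            reason = None
        if reason is not None:
            self._log(worker, record_id, purpose, fields, reason)
            return None
        self._log(worker, record_id, purpose, fields, "granted")
        rec = self._records[record_id]
        return {f: rec[f] for f in fields if f in rec}

def change_duties(worker: Worker, new_role: Optional[str]) -> None:
    """Access follows duties: a new role means a new field set, and leaving
    (new_role=None) terminates access entirely."""
    worker.role = new_role if new_role is not None else "none"

# Constructed sample data, not real patient records.
RECORDS = {
    "r1": {"name": "Jane Example", "diagnosis_code": "A01.0", "onset_date": "2002-02-20",
           "county": "King", "account_number": "ACC-42", "procedure_codes": ["99213"]},
}

def access_scenario() -> List[str]:
    """Walk one worker through a change of duties; return the audit outcomes in order."""
    store = PhiStore(RECORDS)
    epi = Worker("epi01", "epidemiologist", agreement_signed=True)
    store.access(epi, "r1", "outbreak investigation", {"diagnosis_code", "county"})   # granted
    store.access(epi, "r1", "outbreak investigation", {"diagnosis_code", "name"})     # over-broad
    change_duties(epi, "billing")
    store.access(epi, "r1", "outbreak investigation", {"diagnosis_code"})             # old need gone
    change_duties(epi, None)
    store.access(epi, "r1", "curiosity", {"account_number"})                          # terminated
    return [e.outcome for e in store.audit]

if __name__ == "__main__":
    for outcome in access_scenario():
        print(outcome)
```

Denied attempts are logged with the same detail as granted ones; an accounting of disclosures and a review of who tried to exceed their need-to-know both come from the same trail.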

Privacy -- General Rule 2 [Slide10]

A covered entity may not use or disclose Protected Health Information (PHI) except:

  • with individual consent for treatment, payment or healthcare operations, or other purposes,

  • without consent or authorization for governmental and other specified purposes

Consent for Treatment

Treatment includes:

  • providing

  • coordinating

  • or making a referral for health care

Consent for Payment

Payment includes:

  • Health plan activities to determine payment responsibilities and to make payments

  • Provider activities to obtain reimbursement

Consent for Health Care Operations

  • Peer review, education, accreditation, certification, licensing, and credentialing

  • Quality assessments and improvement activities

More Operations…

  • Population-based activities for: improving health, reducing costs, developing protocols, case management and care coordination, provider/patient outreach for treatment alternatives & available

  • Business planning and development activities:
      • cost management and planning analysis
      • formulary development and administration
      • developing payment methods and coverage benefit programs
      • auditing and compliance activities
      • fundraising, marketing
      • resolution of internal grievances, including disputes from patients about provider quality of care
      • customer service, including statistical analyses for policy holders or plan sponsors, as long as the PHI itself is not disclosed without authorization

Consent Requirements

  • Required at outset of care or enrollment

  • Is a general consent and must be written in plain language

  • Informs the patient of: the privacy practices; the patient’s right to request additional restrictions; the patient’s right to revoke consent for future actions

  • Must be signed and dated

  • Must be retained for 6 years

Privacy -- General Rule 3 [Slide11]

A covered entity may not use or disclose Protected Health Information (PHI) except:[Slide12]

  • with individual consent  for treatment, payment or healthcare operations

  • with individual authorization for other purposes

  • without consent or authorization for governmental and other specified purposes

Public Health [Slide13]

A covered entity is permitted to disclose PHI:

To a public health authority that is authorized by law to collect or receive the information, for the purposes of:

  • prevent or control disease

  • reporting of disease, injury, vital stats

  • public health surveillance, investigations or interventions, or

  • to a foreign agency cooperating with a public health authority

  • child abuse or neglect and to other authority authorized to receive such information

To an FDA official

  • report adverse events relating to food or dietary suppl.

  • Product defects or problems

  • biological deviations

  • to track products

  • to enable product recalls, repairs & replacements

  • to conduct post marketing surveillance for FDA compliance

To a person who may be at risk of contracting or spreading a communicable disease, provided the covered entity (CE) or public health authority (PHA) is authorized by law to make such contact

To an employer about a healthcare workforce member under certain restrictions: 

  • for purposes of recording work-related illness, injuries or workplace surveillance

  • if employer is required by law to record such information

  • if CE notifies the individual of the employer disclosure

Research [Slide14]

IRB: Must follow the Common Rule and normal review procedures -- CFR

Privacy Board:

  • Normal Review: must review at a regular meeting with a quorum with at least one Unaffiliated member present

  • Expedited Review: may be used when research involves only minimal privacy risk to individuals; review must be performed by Board Chair or designees

Other Provisions

  • Minimum necessary disclosure

  • Patient Rights/Notice

  • Enforcement

Patient Rights

Describe Rights to:

  • Have notice of CE privacy practices

  • Restrict disclosure

  • Inspect and copy records

  • Request correction or amendment

  • Receive an accounting of authorized disclosures

  • Request alternative communication methods

  • Submit a complaint about privacy practices

Required Notice

Notice:  “HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.  PLEASE REVIEW IT CAREFULLY”

  • Describe, using examples, the uses and disclosures involved with treatment, payment, and health care operations

  • Describe other uses and disclosures with sufficient detail to put patient on notice of what may be disclosed

  • Provided to patient in a number of ways

  • Posted in facility and copies available for patients

  • Posted on website

  • Mailed or emailed at first appointment for service

Privacy Enforcement [Slide15]

HHS Office for Civil Rights (OCR): discretionary enforcement based on

  • Harm done

  • Willingness to achieve compliance

  • Delay enforcement to permit compliance where violation is due to reasonable cause

* Security

Data are at risk when:

  • On any computer
      • On your desktop computer
      • On a server

  • Traveling between them:
      • Web
      • Email
      • File Transfer

  • Authentication

  • Content Encryption

Introduction to Networking

What is a network?

A collection of computers. But how do they communicate?

Types of Networks

  • Batch: “once a day” connections, intermittent; Eg., UUCP

  • Private: Leased lines, dedicated wires

  • the Internet: TCP/IP, Public interconnection of many networks

Simple Network

  • Can use “internet protocols”

  • Does not need to be interconnected

  • So, not “using the Internet”, but…

  • Using “an Internet connection”

  • Synonymous with “TCP/IP”

ISO/OSI (7 layer) Model

  • International Standards Organization

  • Open Systems Interconnect Model

  • Example layers, top to bottom:
      • Internet Explorer (application)
      • TCP
      • IP
      • Ethernet
      • Copper wires (physical)

TCP/IP

TCP (Transmission Control Protocol):

  • Higher level

  • Handles connections between machines

  • Opens a channel, groups data into packets, makes sure they arrive, etc.

IP (Internet Protocol):

  • Lower level

  • Routing between networks

  • Packet transmission details

IP Addresses and the Domain Name Service

Present - IPv4

Four-number (dotted) addressing:

  • e.g., 128.95.10.1

  • Shortage of addresses (4.3 billion)

  • Complex routing tables

  • NAT destroys routing information

New – IPv6

  • 3.4 × 10^38 addresses

  • (256(?) per m² of earth surface)

  • Allows end-to-end connection with complete routing information

TCP/UDP

IP:

  • Internet Protocol

  • Low level

TCP:

  • Transmission Control Protocol

  • Makes sure data arrive

  • Proper order of data maintained

  • Web pages, file transfers, email, etc.

UDP:

  • User Datagram Protocol

  • Simple, fast

  • No guaranteed order, or even delivery

  • Video, audio, etc.

Ports

  • For each connection, TCP or UDP

  • Numbered 1–64K

  • Many assigned to specific protocols:
      • 80 – Web (http)
      • 443 – Secure Web (https)
      • 21 – FTP file transfer, 23 – Telnet, 22 – SSH
      • 110 – POP3 email, 25 – SMTP email sending

TCP/IP Network Security

Two Major Categories:

  • Traffic regulation: methods which regulate what packets may transit the network

  • Transit security: methods used to secure data as it transits a network

Traffic Regulation

  • Routers
      • Network address translation
      • Port filtering

  • Firewalls
      • Application proxy

  • Host-based firewalls

Routers

  • Network Address Translation
      • Several computers share a single IP
      • “Hides” the specific computer’s address

  • Port Forwarding
      • Ports may be routed to specific machines

  • Port Filtering
      • May block incoming and outgoing

Firewalls

  • Application Proxy
      • Knows about the protocol for a specific service
      • Inspects data to ensure it “fits” the pattern
      • Delivers data if the service is allowed

  • Packet Inspection Firewalls
      • State: incoming packet must match an outgoing request
      • Session: network activity permitted until the connection is ended
      • May record any or all activity
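The "state" and "session" rules of a packet inspection firewall, together with plain port filtering, can be shown in a few dozen lines. The simulator below is an added example, not code from the lecture or from any firewall product: it records each outbound connection, lets an inbound packet through only if it answers a recorded connection or targets a deliberately published port, and forgets the session once the connection ends. The addresses, ports and traffic sample are constructed; real TCP tracking (both FIN directions, sequence numbers, timeouts) is simplified to one FIN.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the public network) or "out" (from the protected side)
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    fin: bool = False   # TCP connection teardown (simplified to a single flag)

Flow = Tuple[str, str, int, str, int]   # proto, inside ip, inside port, outside ip, outside port

class StatefulFilter:
    """Port filtering plus connection state: inbound packets pass only when they
    answer a request that went out earlier, or target a deliberately published port."""

    def __init__(self, published_ports: Set[int], allowed_outbound_ports: Set[int]):
        self.published_ports = published_ports
        self.allowed_outbound_ports = allowed_outbound_ports
        self.sessions: Set[Flow] = set()
        self.log: List[str] = []

    def _decide(self, pkt: Packet) -> Tuple[bool, str]:
        if pkt.direction == "out":
            if pkt.dst_port not in self.allowed_outbound_ports:
                return False, "outbound port filtered"
            # Remember the request so the reply can be matched against it.
            self.sessions.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True, "outbound, session recorded"
        flow = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if flow in self.sessions:
            if pkt.fin:
                self.sessions.discard(flow)       # connection ended, permission ends with it
            return True, "reply to recorded session"
        if pkt.dst_port in self.published_ports:
            return True, "published service"
        return False, "unsolicited inbound"

    def handle(self, pkt: Packet) -> bool:
        allowed, why = self._decide(pkt)
        self.log.append(f"{'ALLOW' if allowed else 'DENY '} {pkt.direction:3} {pkt.proto} "
                        f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} ({why})")
        return allowed

# Constructed traffic sample: a workstation browses and gets its reply; outside
# hosts then probe telnet, reach the published web server, and finally try to
# reuse the browsing session after it has been closed.
SAMPLE_TRAFFIC = [
    Packet("out", "tcp", "10.0.0.5", 51000, "203.0.113.10", 80),
    Packet("in",  "tcp", "203.0.113.10", 80, "10.0.0.5", 51000),
    Packet("in",  "tcp", "198.51.100.7", 40000, "10.0.0.5", 23),
    Packet("in",  "tcp", "198.51.100.7", 40001, "10.0.0.8", 443),
    Packet("in",  "tcp", "203.0.113.10", 80, "10.0.0.5", 51000, fin=True),
    Packet("in",  "tcp", "203.0.113.10", 80, "10.0.0.5", 51000),
    Packet("out", "tcp", "10.0.0.5", 51001, "203.0.113.10", 23),
]

def run_sample() -> List[bool]:
    fw = StatefulFilter(published_ports={443}, allowed_outbound_ports={80, 443, 22})
    decisions = [fw.handle(p) for p in SAMPLE_TRAFFIC]
    return decisions

if __name__ == "__main__":
    fw = StatefulFilter(published_ports={443}, allowed_outbound_ports={80, 443, 22})
    for p in SAMPLE_TRAFFIC:
        fw.handle(p)
    print("\n".join(fw.log))
```

The log is the "may record any or all activity" part: each decision carries the reason, which is what an analyst needs when reviewing why a connection was or was not let through.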

Host-based Firewalls [Slide16]

  • Security by the end user

  • Typically just port filtering and logging?

  • Function on the host computer

  • Examples:
      • ZoneAlarm – Free - http://www.zonelabs.com
      • McAfee Firewall
      • Symantec/Norton
      • BlackICE Defender

Transit Security

  • Secure data as it travels the network

  • Virtual Private Networks (VPN)
      • An encrypted “tunnel”
      • Low level (IP)

  • Packet Level Encryption
      • Transport level (TCP)

Virtual Private Networks

  • Connects two networks

  • Over a public channel

  • Typically encrypted

  • Can “tunnel” or “encapsulate” TCP/IP
      • Or PPP, SLIP (dialup)
      • Supports many protocols

  • Makes the networks appear to be in the same place (similar IP addresses).

VPN Encryption Methods

  • PPTP (Point to Point Tunneling Protocol)
      • Microsoft implementation
      • Less reliable password encryption

  • L2TP (Layer 2 Tunneling Protocol)
      • Better transmission speed
      • Combined with IPSec – IP level security

  • SSH
      • Packet level encryption that also tunnels PPP

Packet Level Encryption

  • Encrypted authentication

  • Encrypted application level protocols
      • telnet, http, pop, ftp, etc.

  • Programs must be changed (but minimally)

  • Presents an authenticated, encrypted application protocol to programs

VPN Benefits/Costs vs. Packet Level

+ Easy access to all network services

+ No change to applications

- Increased hardware costs

- Increased network load

- Once a hacker is in, they have full local network access, not restricted by application

Network Security

Computer Security

  • On any computer
      • Physical Security
      • Data Security

  • Desktop Computers

  • Servers

General Security Issues

  • Physical Security
      • Who has access to the desktops and servers?
      • Don’t put the server in a vacant office!
      • (put it behind a locked door!)

  • Data security
      • Can the data be changed?
      • Do you know who changed it and when (audit trail)?
      • Is there any chance it can be deleted forever?

Security on a Desktop Computer

  • Cookies

  • Viruses, Worms
      • Email (macro)
      • File
      • Boot
      • Network

  • Trojan Horses, Trap Doors

  • Bots, Spyware

Cookies

  • Files placed on your disk by a web page

  • Can only be read by the site that put them there

  • Expire after some period of time

  • Used to maintain session information or information on user between sessions

  • Have a bad reputation, poorly understood

  • Should be pretty harmless

  • But a bug in IE 4 and 5 (not 5.5) lets other web pages read them!

  • Patch available from MS: http://www.microsoft.com/technet/security/bulletin/ms00-033.asp
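"Can only be read by the site that put them there" and "expire after some period of time" are rules the browser's cookie store enforces, and the IE bug above is a failure of exactly that enforcement. The jar below is an added example, not code from the lecture or any browser: it implements host-only versus domain cookies, refuses a cookie that a site tries to set for someone else's domain, and drops expired cookies. Host names and times are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Cookie:
    name: str
    value: str
    domain: str                 # host that set it, or the parent domain it asked for
    host_only: bool             # no Domain attribute given: exact host match only
    path: str
    expires_at: Optional[int]   # seconds since epoch; None = session cookie

def domain_matches(host: str, cookie_domain: str) -> bool:
    """True when host is cookie_domain itself or a subdomain of it."""
    return host == cookie_domain or host.endswith("." + cookie_domain)

class CookieJar:
    """Minimal jar applying the scoping rules that keep one site's cookies from another."""

    def __init__(self):
        self.cookies: List[Cookie] = []

    def set_cookie(self, request_host: str, name: str, value: str, now: int,
                   domain: Optional[str] = None, path: str = "/",
                   max_age: Optional[int] = None) -> bool:
        """Store a cookie sent by request_host; refuse one aimed at an unrelated domain."""
        if domain is not None:
            domain = domain.lstrip(".").lower()
            if not domain_matches(request_host, domain):
                return False    # a site may not plant cookies for someone else's domain
        scope = domain or request_host
        # Replace an existing cookie with the same name and scope.
        self.cookies = [c for c in self.cookies
                        if not (c.name == name and c.domain == scope and c.path == path)]
        self.cookies.append(Cookie(name, value, scope, domain is None, path,
                                   None if max_age is None else now + max_age))
        return True

    def cookies_for(self, host: str, path: str, now: int) -> Dict[str, str]:
        """Cookies a page at host/path is allowed to see at time now."""
        self.cookies = [c for c in self.cookies if c.expires_at is None or c.expires_at > now]
        visible = {}
        for c in self.cookies:
            in_domain = host == c.domain if c.host_only else domain_matches(host, c.domain)
            if in_domain and path.startswith(c.path):
                visible[c.name] = c.value
        return visible

def cookie_scenario() -> dict:
    """Constructed walk-through: a clinic portal sets cookies, then other hosts ask for them."""
    jar = CookieJar()
    t0 = 1_000_000
    jar.set_cookie("portal.clinic.example", "session", "abc123", now=t0, max_age=600)
    jar.set_cookie("portal.clinic.example", "pref", "large-font", now=t0, domain="clinic.example")
    planted = jar.set_cookie("portal.clinic.example", "track", "x", now=t0, domain="other.example")
    return {
        "same_site": jar.cookies_for("portal.clinic.example", "/records", t0 + 10),
        "sibling_host": jar.cookies_for("billing.clinic.example", "/", t0 + 10),
        "other_site": jar.cookies_for("ads.other.example", "/", t0 + 10),
        "after_expiry": jar.cookies_for("portal.clinic.example", "/", t0 + 700),
        "planted_for_other_domain": planted,
    }

if __name__ == "__main__":
    for label, result in cookie_scenario().items():
        print(label, result)
```

The session cookie, set without a Domain attribute, stays with the exact host that set it, while the preference cookie scoped to the parent domain is visible to sibling hosts; neither is visible to an unrelated site, and the session cookie disappears once its lifetime passes.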

Viruses

  • Program that makes copies of itself by “infecting” (changing) software in another program

  • Used loosely to include Worms and Trojan Horses

  • A subtype of “Malicious Logic” or “Malware”

Worms

  • A program that spreads copies of itself through a network.

  • Does not need to change another program to make copies of itself, though it needs somehow to trick the host into running it.

Trojan Horses

  • Free programs or email attachments (remember .vbs) which create “back doors” to allow anyone to control your system

  • Listen on obscure TCP/IP ports

  • Detected by virus checking programs when executable code downloaded

  • Detected by ZoneAlarm when data sent outwards, or traffic seen on odd port
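The two host-side signals just named, data being sent outwards by an unexpected program and traffic on an odd port, can be checked against a baseline of what the machine is supposed to be doing. The script below is an added example, not code from the lecture or from ZoneAlarm: it parses a constructed, netstat-like connection table and reports listeners that are not in the expected set and outbound connections made by programs not expected to talk to the network. The table layout, baseline, program names and addresses are all made up for the illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed connection table in a netstat-like layout; not output of any real tool.
SAMPLE_TABLE = """\
proto local_address foreign_address state program
tcp   0.0.0.0:80    0.0.0.0:*      LISTEN      httpd
udp   0.0.0.0:53    0.0.0.0:*      -           named
tcp   0.0.0.0:40123 0.0.0.0:*      LISTEN      svchost32.exe
tcp   10.0.0.5:51000 203.0.113.10:80 ESTABLISHED iexplore.exe
tcp   10.0.0.5:51002 198.51.100.7:6667 ESTABLISHED svchost32.exe
"""

# Assumed baseline for this host: the listeners that should exist and the
# programs expected to make outbound connections. The program names are made up.
EXPECTED_LISTENERS: Dict[Tuple[str, int], str] = {("tcp", 80): "httpd", ("udp", 53): "named"}
OUTBOUND_PROGRAMS: Set[str] = {"iexplore.exe", "outlook.exe"}

LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(\S+)\s+(\S+)$")

def parse_table(text: str) -> List[dict]:
    """Turn the table into one dict per connection; '*' ports become None."""
    rows = []
    for line in text.splitlines()[1:]:       # skip the header row
        m = LINE_RE.match(line.strip())
        if not m:
            continue                          # tolerate lines in another layout
        proto, lip, lport, fip, fport, state, prog = m.groups()
        rows.append({"proto": proto,
                     "local_ip": lip, "local_port": None if lport == "*" else int(lport),
                     "foreign_ip": fip, "foreign_port": None if fport == "*" else int(fport),
                     "state": state, "program": prog})
    return rows

def find_anomalies(rows: List[dict]) -> List[str]:
    """Compare each row with the baseline and describe anything that does not fit."""
    findings = []
    for r in rows:
        key = (r["proto"], r["local_port"])
        # UDP has no LISTEN state; a bound socket with no peer is a listener.
        is_listener = r["state"] == "LISTEN" or (r["proto"] == "udp" and r["foreign_port"] is None)
        if is_listener:
            expected = EXPECTED_LISTENERS.get(key)
            if expected is None:
                findings.append(f"unexpected listener {r['proto']}/{r['local_port']} by {r['program']}")
            elif expected != r["program"]:
                findings.append(f"listener {r['proto']}/{r['local_port']} owned by {r['program']}, "
                                f"expected {expected}")
        elif r["program"] not in OUTBOUND_PROGRAMS:
            findings.append(f"outbound {r['proto']} to {r['foreign_ip']}:{r['foreign_port']} "
                            f"by {r['program']}")
    return findings

def audit_sample() -> List[str]:
    return find_anomalies(parse_table(SAMPLE_TABLE))

if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

A listener that is not in the baseline is the "traffic seen on odd port" case; an outbound connection by a program that has no business on the network is the "data sent outwards" case. Both depend on keeping the baseline current, which is the maintenance cost of any host-based control.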

Macro Viruses

  • Email attachments, other Office Programs

  • Outlook (for instance) runs when attachment opened.

  • Virus creates email, attaches itself, and mails to address list

  • Eg., Melissa

  • Don’t open attachments from people you don’t know!

  • http://www.tutorialfind.com/send.asp?af=6&id=1547

File Viruses

  • Infect executable (program) files.

  • Execute when those programs are run

Boot Viruses

  • Saved in the system part of the disk:
      • Master Boot Record
      • Disk Boot Sector

Network Viruses

  • Use Network Features (eg., MS Networking) to spread

  • Many viruses are combinations

  • Many are polymorphic

  • Some have minimal effect, some are very destructive.

Bots, Spyware

Security on a Server

  • Intrusion

  • Page defacement

  • Denial of Service

  • Information Theft
      • Login/password
      • Credit card information
      • Software source code

CERT

Security Pearls 

  • Back up key files

  • Use encryption on sensitive data

  • Use good passwords

  • Minimal services

  • Run everything with minimal permissions

  • Network security requires expertise on staff

4 Risks to Patient Data

  • Confidentiality: must keep the data from being exposed

  • Integrity: audit log to ensure data are not changed

  • Safety: systems to ensure data are not lost

  • Availability: data must be available to improve health care
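The integrity risk above ("audit log to ensure data not changed") and the earlier data-security questions ("can the data be changed? do you know who changed it and when?") are both answered by an audit trail that is itself protected against silent editing. The following is an added example, not code from the lecture: each entry records who changed which field of which record, and carries a SHA-256 digest over the previous entry's digest plus its own content, so altering or deleting any past entry is detected by a walk over the chain. The sample edits are constructed.

```python
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64   # digest "before" the first entry

class AuditTrail:
    """Append-only log of changes to a record; each entry commits to the previous
    entry's hash, so editing or deleting any past entry breaks the chain."""

    def __init__(self):
        self.entries: List[dict] = []

    @staticmethod
    def _digest(prev_hash: str, body: dict) -> str:
        # Canonical JSON so the same content always hashes the same way.
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

    def append(self, who: str, when: str, record_id: str, field: str, before, after) -> dict:
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"who": who, "when": when, "record_id": record_id,
                "field": field, "before": before, "after": after}
        entry = dict(body, prev_hash=prev_hash, hash=self._digest(prev_hash, body))
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) when intact, else (False, index of the first bad entry)."""
        prev_hash = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
            if entry["prev_hash"] != prev_hash or entry["hash"] != self._digest(prev_hash, body):
                return False, i
            prev_hash = entry["hash"]
        return True, None

def build_sample_trail() -> AuditTrail:
    """Constructed sample edits to one record; no real patient data."""
    t = AuditTrail()
    t.append("nurse01", "2002-03-04T09:15", "r1", "allergies", None, "penicillin")
    t.append("md07", "2002-03-04T10:02", "r1", "diagnosis_code", None, "J18.9")
    t.append("md07", "2002-03-05T08:30", "r1", "diagnosis_code", "J18.9", "J15.9")
    return t

def tampered_trail() -> Tuple[bool, Optional[int]]:
    """Silently rewrite the second entry's value and report what verify() sees."""
    t = build_sample_trail()
    t.entries[1]["after"] = "Z00.0"
    return t.verify()

if __name__ == "__main__":
    print("intact:", build_sample_trail().verify())
    print("after tampering:", tampered_trail())
```

The chain only proves that the log has not been altered since it was written; keeping the head hash somewhere the database administrator cannot change (a separate system, or a periodically printed copy) is what stops the whole log from being rewritten consistently, which is the point of the special provisions for system administrators earlier in the lecture.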


This project is a joint effort of the University of Washington School of Public Health and Community Medicine
and the United States Centers for Disease Control. It is an approved APEC project.  


© 2002, The University of Washington