Patient Confidentiality and Information Security Lecture Notes PDF

Summary

This presentation covers patient confidentiality practices and information security, highlighting the importance of protecting health information. The lecture notes explore the key aspects of a secure system and the ethical dimensions of handling health data.

Full Transcript

Patient confidentiality and information
security
 Objectives
At the end of this lecture students will be able to:
 Describe the actions required of organizations for protecting personal
health information.
 Identify activities of nurses to protect personal health information.
 Assess processes for securing electronic information in a computer
network.

 Identify various methods of user authentication and relate authentication to
security of a network.

 Explain methods to anticipate and prevent typical threats to network

security.
 Introduction
As more health information is recorded and

exchanged electronically to coordinate care,

monitor quality, measure outcomes, and report

public health threats, the risks to personal

privacy and patient safety would be heightened.


 Introduction
The American Nurses Association’s

(ANA’s) Code of Ethics for Nurses with

Interpretive Statements includes a

commitment to “promote, advocate for,

and strive to protect the health, safety,

and rights of the patient”
 Introduction
 The registered nurse is well indoctrinated on clinical
practice that respects personal privacy and that
protects confidential information and life-critical
information services

 Caregivers must trust that the technology and
information they need will be available when they are
needed at the point of care.

 They must trust that the information in a patient’s
EHR is accurate and complete and that it has not been
accidentally or intentionally corrupted, modified, or
destroyed
Introduction
Consumers must trust that their

caregivers will keep their most private
health information confidential and will
disclose and use it only to the extent
necessary and in ways that are legal,
ethical, and authorized consistent with
individuals’ personal expectations and
 The International Council of Nurses (ICN) Code of

Ethics for Nurses affirms that the nurse “holds in

confidence personal information” and “ensures that

use of technology…[is] compatible with the safety,

dignity, and rights of people
 Fulfilling these ethical obligations is the

individual responsibility of each nurse, who

must trust that the information technology

she relies upon will help and not harm

patients and will protect their private

information.
 Recording, storing, using, and exchanging

information electronically do indeed

introduce new risks.

As anyone who has used e-mail, very little

effort is required to instantaneously send

information to millions of people throughout
 We also know that “spyware,” “viruses,” and

“Trojan horses” skulk around the Internet and

insert themselves into our laptops, tablets,

and smartphones, eager to capture our

passwords, identities, and credit card

numbers
 These are the attributes of
trustworthy HIT
“Health information technology”

 As HIT assumes a greater role in the provision of care and in
healthcare decision-making, the nurse increasingly must
trust HIT to provide timely access to accurate and complete
health information and support for decision-making, while
assuring that individual privacy is continuously protected

 Private and confidential information will be protected

 Data will not be modified or destroyed other than as
authorized
 These are the attributes of
trustworthy HIT
“Health information technology”

 Legal and ethical obligations, as well as consumer
expectations, drive requirements for assurance that data
and applications will be available when they are needed;

 systems will be responsive and usable

 systems designed to perform health-critical functions will
do so safely
 Security and Privacy
1
Many people think of “security” and
“privacy” as synonymous.

2 These concepts are indeed related in that
security mechanisms can help protect personal
privacy by assuring that confidential personal
information is accessible only by authorized
individuals and entities
Privacy - the right of
individuals to be left alone
Definitions
and to be protected against
physical or psychological Security – the means to
invasion or the misuse of control access and protect
their property. It includes information from accidental
freedom from intrusion or or intentional disclosure to
invasion into one’s private unauthorized persons and
affairs, the right to maintain from alteration, destruction
control over certain or loss.
personal information, and
the freedom to act without System security – the result of
outside interference. all safeguards including hardware,
personnel policies, information
Confidentiality – the status accorded to practice policies, disaster
data or information indicating that it is preparedness, and oversight of
sensitive for some reason and therefore it these components. Security
needs to be protected against theft, protects both the system and the
disclosure or improper use, or both, and information contained within from
must be disseminated only to authorized authorized access from without
individuals or organizations with a need to and misuse from within.
know.
 1. Do not discuss patient information in public places
(hallways, elevators, cafeterias).

2. Keep user names and password secure. Do not share a user
name or password; do not use another person’s password.

3. Log off when leaving a computer; do not leave a computer
Confidentiality open for another person to access.

Practices for 4. Attend educational sessions on updates to confidentiality
policies.

Nurses 5. Do not take or use pictures of patients without permission.

6. Never share patient information with those without a need to
know. Only provide information to caregivers involved in care of
the patient or to administrative personnel authorized to receive
such
information.

7. Do not allow observations of care by others not involved in
the care of the patient (such as a student) without the patient’s
permission.

8. Never post information or pictures of a patient on social
media, even if the name of the patient is not used
 Dispose of records containing patient
information according to policy, such as
shredding.

10. Avoid unnecessary printing of protected
health information (PHI).

Confidentiality 11. Never transfer PHI to an outside entity
unless authorized to do so. Transfer
Practices for according to policy.
Nurses
12. Never access records without
authorization. This includes your own record
or records of family
members.

13. Follow security requirements for
accessing PHI remotely.

14. Report any breaches of privacy
immediately.
 Healthcare privacy
principles
There is a Nationwide Privacy and Security

Framework for Electronic Exchange of
Individually Identifiable Health Information
that identified eight principles intended to
guide the actions of all people and entities
that participate in networked, electronic
exchange of individually identifiable health
information.
These principles, essentially articulate
:the “rights” of individuals to
Openness

Transparency

 Fairness

Choice in the collection and use of their

health information
The Nationwide Privacy and
Security Framework
1. Individual access Individuals should be provided
with simple and timely means to access and
obtain their individually identifiable health
information in a readable form and format.
2. Correction Individuals should be provided a
timely means to dispute the accuracy or integrity
of their individually identifiable health
information.
3. Openness and transparency Policies,
procedures, and technologies that directly affect
individuals and their individually identifiable
health information should be open and
transparent.
the Nationwide Privacy and
Security Framework
4. Individual choice Individuals should be provided a
reasonable opportunity and capability to make informed
decisions about the collection, use, and disclosure of their
individually identifiable health information.

5. Collection and use Individually identifiable health information
should be collected, used, and/or disclosed only to the extent
necessary to accomplish a specified purpose(s) and never to
discriminate inappropriately.

6. Data quality and integrity People and entities should take
reasonable steps to ensure that individually identifiable health
information is complete, accurate, and up-to-date to the extent
necessary for intended purposes and that it has not been
altered or destroyed in an unauthorized manner.
The Nationwide Privacy and
Security Framework
7. Safeguards Individually identifiable health
information should be protected with
reasonable administrative, technical, and
physical safeguards to ensure its
confidentiality, integrity, and availability and
to prevent unauthorized or inappropriate
access, use, or disclosure.
8. Accountability These principles should be
implemented through appropriate monitoring
and other means, and methods should be in
place to report non adherence and breaches.
Fair Use of Information and Sharing

11 2 3 4

Avoid
The same downloading Health care
Copyright laws copyright laws illegally from the organizations
in the world of that cover Internet and do should ensure
technology are physical books, not use that users are
artwork, and information from well aware of
notoriously other creative the Internet and compliant
misunderstood material are still without with copyright. applicable in the permission to do and fair use
digital world. so or citing principles.
the reference
appropriately
Securing Network
Information
The linking of computers together and to the

outside creates the possibility of a breach of

network security, and exposes the information

to unauthorized use.
Securing Network
Information
“Shoulder surfing” or watching over

someone’s back as they are working, is still a

major way that confidentiality is

compromised.

Another way organizations protect the

availability of their networks is to institute an
Securing Network
Information
Employees need to have confidence that the

information they are reading is in fact true.

Organizations need clear policies to clarify

how data is inputted, who has the
authorization to change such data and to
track how and when data are in fact changed.
Authentication of Users

Authentication - Processes to serve to
identify (authenticate) or prove who is.accessing the system

Authentication of employees is also used
by organizations in their security.policies

Policies typically include the
enforcement of changing passwords.every thirty or sixty days

The authentication is something the.user has such as an ID card
Key Features of a Secure System and
”Network: “Authentication
 Means of verifying the correct identity and/or group
membership of individual or other entities
 Methods for authentication:
 Username.

 Known only by the user (e.g., password).

 Held only by the user (e.g., digital signature, secure

ID).
 Attributable only to the user (e.g., finger print, retinal

scan).
Examples of
Authentication
 Key Features of a Secure System and
Network: Authorization and Access Control

Access control lists for predefined users

 Reading

 Writing

 Modifications

 Deletion of data

 Deletion of programs
Authentication of Users
Devices are available that recognize thumb

prints, retina patterns or facial patterns.

Depending on the level of security needed,

organizations will commonly use a
combination of these types of authentication.
Threats to Security
One way to address this physical security risk

is to limit the authorization to ‘write’ files to a
device.

Organizations are also ‘turning’ off the

CD/DVD burners and USB ports on company
desktops.
Threats to Security
The most common threats a corporate

network faces from the outside world are
hackers, malicious code (spyware, viruses,
worms, Trojan horses)

Spyware is normally controlled by limiting

functions of the browser used to surf the
Internet.
Threats to Security
Spyware that does steal user IDs and passwords
contains malicious code that is normally hidden
in a seemingly innocent file download.

Another huge threat to corporate security is
social engineering, or the manipulation of a
relationship based on one’s position in an
organization.
Threats to Security
There is also software available to track and

thus monitor employee activity.

Depending on the number of employees,

organizations may also employ a full-time
electronic auditor who does nothing but
monitor activity logs.
Security Tools
There are a wide range of tools available to
an organization to protect the organizational
network and information.
These tools can be either a software solution
such as antivirus software or a hardware tool
such as a proxy server.
Proxy server - Hardware security tool to help
protect the organization against security
breaches.
Security Tools
E-mail scanning software and antivirus

software should never be turned off and
updates should be run weekly, and ideally,
daily.

Software is also available to scan instant

messages and to automatically delete spam e-
mail.
Security Tools
Firewalls are another common tool used by

organizations to protect their corporate
networks when they are attached to the
Internet.

Firewalls are basically electronic security

guards at the gate of the corporate network.
 Offsite Use of Portable
Devices
1. If a device is lost or stolen, the agency must have clear procedures in
place to help ensure that sensitive data does not get released or
misused.

2. The VPN ensures that all data transmitted 05
via this gateway is
encrypted.

3. Some agencies have developed a virtual private network (VPN) to
which users must log in to reach the network.

4. Off-site uses of portable devices such as laptops, PDAs, home
computing systems, smartphones, and portable data storage devices
can help streamline health care delivery.
 International Privacy and
Confidentiality Standards

Limit the use and release of personal health information
01

Give patients new rights to access their medical records and to
know who else has accessed them
02

Restrict most disclosure of health information to the
minimum needed for the intended purpose
03

EstablishI hope
new requirements for access to records by
and I believe that this Template will your Time, Money and Reputation. Get a modern
researchers andPresentation
PowerPoint othersthat is beautifully designed.
04
04
 Key Features of a Secure System
and Network: Accountability
Ensures that the actions of any entity can be
traced during the movement of data from its
source to its recipient.
Audit trails
Identification of the user
Data source
Whose information
Date and time
Nature of the activity
Reference
Mcgonigle D, Mastrian K, Nursing informatics and
the foundation of knowledge, (2018) fourth edition
Chapter 12 (pages 563-593)
Any
?questions