HHS 503 Ch.10.pdf

Full Transcript

Health Information Management Technology: An Applied Approach, Sixth Edition Chapter 10: Data Security ahima.org ahima.org © 2020 AHIMA Security Practice or means by which privacy is preserved and protected ahima.org © 2020 AHIMA Data Security Measures and tools to safeguard data, and the information systems on which they reside, from unauthorized access, use, disclosure, disruption, modification, or destruction (NIST) ahima.org © 2020 AHIMA Elements of a Security Program Data security concepts: Protecting the privacy of data Safeguarding access Ensuring the integrity of data Data should be complete, accurate, consistent, and up-to-date Ensuring the availability of data Can depend on system to perform as expected, without error, and to provide information when and where needed Backup policies and procedures ahima.org © 2020 AHIMA Data Security Threats TEST Threats can be internal (from within an organization) or external (from outside an organization) Potential threats to data security are caused by two main sources: Threats caused by people – #1 Threat Threats caused by environmental and hardware or software factors ahima.org © 2020 AHIMA Threats Caused by People Threats from insiders who make unintentional mistakes Threats from insiders who abuse their access privileges to information Threats from insiders who access information or computer systems for spite or profit Threats from intruders who attempt to access information or steal physical resources Threats from vengeful employees or outsiders who mount attacks on the organization’s information system ahima.org © 2020 AHIMA Social Engineering The manipulation of individuals (or targets) to freely disclose personal information about themselves and/or account credentials to unauthorized individuals (hackers). The hackers pose typically as someone or something that the target is familiar with or knows to gain access to information that would otherwise be private and secure. ahima.org © 2020 AHIMA Social Engineering (continued) Phishing Most common type of social engineering Accomplished through email The hackers will send a target what appears to be a legitimate email correspondence from a legitimate company or organization Target clicks a link within the email ahima.org © 2020 AHIMA Social Engineering (continued) Spear phishing Baiting Tailgating ahima.org © 2020 AHIMA Threats Caused by Environmental and Hardware or Software Factors Natural disasters Utility, hardware, and software failures Electrical outages and power surges Hardware or software malfunction Malicious software applications (malware) ahima.org © 2020 AHIMA Types of Malware Phishing Computer virus Computer worm Trojan horse Spyware Backdoor program Rootkit Ransomware ahima.org © 2020 AHIMA Strategy for Minimizing Security Threats Chief Security Officer (CSO) Advisory or policy-making group (such as an information security committee) Executive-level managers Health information management director or designee Chief information officer (CIO) Information technology system directors Network engineers Representatives from clinical departments ahima.org © 2020 AHIMA Strategy for Minimizing Security Threats HIPAA Security Rule Security incident ahima.org © 2020 AHIMA Components of a Security Program A good security program should include: Employee awareness Risk management program Access safeguards Physical and administrative safeguards Software application safeguards Network safeguards Disaster planning and recovery Data quality control processes ahima.org © 2020 AHIMA Triad of Information Security Confidentiality Integrity Availability ahima.org © 2020 AHIMA Security Program: Employee Awareness Train employees to recognize, respond, and report New employee education Policies and procedures Including mobile devices, emails, faxes, social media Annual signed confidentiality agreements Periodic and ongoing security reminders ahima.org © 2020 AHIMA Security Program: Risk Management Program Risk analysis Identify all security threats Estimate how likely it is that risk may occur (likelihood determination) Eliminate the impact of an untoward event (impact analysis) Determine the value of information assets ahima.org © 2020 AHIMA Security Program: Risk Management Program Incident detection Monitor information systems for abnormalities Incident response plan Watch and warn Repair and report Pursue and prosecute ahima.org © 2020 AHIMA Security Program: Access Safeguards Identify which employees should have access to what data Role-based access (RBAC) User-based access (UBAC) Context-based access control (CBAC) Access controls that restrict access when necessary but allow access to complete job tasks Develop procedures and methods for identification, authentication, and authorization of users ahima.org © 2020 AHIMA Security Program: Access Safeguards —Access Control Mechanisms Identification: establish user IDs and or numbers Authentication: verify the user Password or PIN (something you know) Strong password Smart card or token (something you have) Biometrics (something you are) Retinal, fingerprint, voice prints, and palm print Two-factor authentication (combination of these) Single sign-on Authorization: permission given to an individual CAPTCHA ahima.org © 2020 AHIMA Security Program: Physical Safeguards Physical safeguards: Protection from physical damage (environmental hazard, theft) Secure and structurally sound locations Physical separation and barriers UPS Back-up and recovery Automatic logout ahima.org © 2020 AHIMA Security Program: Administrative Safeguards Administrative safeguards: Policies and procedures that address management of computer resources Information Technology Asset Disposition (ITAD) ahima.org © 2020 AHIMA Security Program: Software Application Safeguards Application safeguard Application control Authentication Edit checks Audit trails ahima.org © 2020 AHIMA Security Program: Network Safeguards Firewalls Cryptographic technologies Encryption (private key or public key) Digital signatures Digital certificates Web security protocols Intrusion detection systems ahima.org © 2020 AHIMA Security Program: Disaster Planning and Recovery Disaster planning Contingency plan: set of procedures to follow when responding to emergencies Based on information gathered during risk assessment and analysis ahima.org © 2020 AHIMA Identify minimum allowable time for system disruption Identify alternatives for system continuation Evaluate cost and feasibility of each alternative Develop procedures required to active the plan Security Program: Disaster Planning and Recovery Disaster recovery Disaster recovery plan addresses resources, actions, tasks, and data necessary to restore critical services as soon as possible and to manage business recovery processes Business continuity plan How to continue operations during computer system shutdown Emergency mode of operations Processes and controls to follow until operations are fully restored ahima.org © 2020 AHIMA Security Program: Data Quality Control Processes Availability: data are easily obtainable Consistency: data do not change Definition: clear meaning for every data element ahima.org © 2020 AHIMA HIPAA Security Provisions Health Insurance Portability and Accountability Act of 1996 Security compliance responsibility of Office for Civil Rights (OCR) HITECH improves enforcement of privacy and security rules ahima.org © 2020 AHIMA HIPAA Security Provisions: General Rules Security program must document confidentiality, integrity and availability of all ePHI Protect ePHI against reasonably anticipated threats or hazards to its security or integrity Protect ePHI against reasonable or anticipated uses or disclosures not permitted under the HIPAA Privacy Rule Ensure workforce compliance with HIPAA Security Rule ahima.org © 2020 AHIMA HIPAA Security Provisions: General Rules Security Rule is: Flexible—security measures may be adopted that are appropriate and reasonable for the organization Scalable—accommodates organizations of any size Technology neutral—specific technologies are not prescribed ahima.org © 2020 AHIMA HIPAA Security Provisions: General Rules Security Rule applies to: Covered entities Business associates Hybrid entities Other related entities ahima.org © 2020 AHIMA HIPAA Security Provisions: General Rules Implementation specifications: Required Addressable (not optional)—covered entity must conduct risk assessment and evaluate whether the specification is appropriate as written If not, must document why not Must implement equivalent alternative method if reasonable and appropriate ahima.org © 2020 AHIMA HIPAA Security Provisions: 5 Categories Provisions 1. 2. 3. 4. 5. ahima.org © 2020 AHIMA Administrative safeguards Physical safeguards Technical safeguards Organizational requirements and policies Policies and documentation requirements HIPAA Security Rule: Administrative Safeguards Security management process Assigned security responsibility Workforce security Information access management Security awareness and training Security incident procedures Contingency plan Evaluation Business associate contracts ahima.org © 2020 AHIMA HIPAA Security Rule: Physical Safeguards Facility access controls Workstation use Workstation security Device and media controls ahima.org © 2020 AHIMA HIPAA Security Rule: Technical Safeguards Access control Audit controls Integrity Person or entity authentication Transmission security ahima.org © 2020 AHIMA HIPAA Security Rule: Organizational Requirements Business associate or other contracts Group health plan requirements ahima.org © 2020 AHIMA HIPAA Security Rule: Policies and Procedures and Documentation Requirements Policies and procedures Retention Documentation Retention ahima.org © 2020 AHIMA American Recovery and Reinvestment Act and HITECH Changes Business associates must comply with most of the same rules as covered entities (increase in potential BA liability) Breach notification requirements for breaches of unsecured ePHI ePHI that has not been made unusable, unreadable, or indecipherable to unauthorized persons Encryption secures ePHI Affects data at rest, in motion, in use, and disposed ahima.org © 2020 AHIMA Forensics Security committee or designated individuals must review Access logs at specified intervals Audit trails based on trigger events Failed logins ahima.org © 2020 AHIMA Trigger Events Monitoring can be based on events or situations as follows Last name of employee matches that or accessed record VIP records Records of those involved in high-profile events Records with little or no activity for 120 days Other employees’ records Records of minors Access of those treated for sensitive diagnoses Records of those for which the viewing employee did not treat Spousal records Records of terminated employees Portions of records not consistent with viewing employees’ job role ahima.org © 2020 AHIMA HIM Roles CSO Audits Risk assessments Other ahima.org © 2020 AHIMA