Lecture10_Privacy, Confidentiality, and Security (1).pdf

Full Transcript

Health Informatics:
Challenges and Issues
(Privacy, Confidentiality, and Security)

Dr. Anas Al-Domi
Dr. Laila Akhu-Zaheya

https://youtu.be/9n7tpyZjcDA
 Electronic health records (EHR) provides HCP with
continuous access to patient information, knowledge
resources, and decision support.
Personal health records (PHR) provides patients with
continuous access to their own information,
knowledge resources, and care providers.
 Some Benefits of Fully Integrated EHR
To Clinician To Patient To Researcher
Availability of information Knowledge of who has Time savings in obtaining
when and where it is needed access to their data data

Decision support Individualized treatment Large databanks yielding
anywhere the computer- more valid and precise
Organization of information based patient record is research
specific to the discipline so available
that it can be easily located
Ability to check the
Ease of order entry accuracy of their record

Elimination of multiple One location for all
entries of the same data healthcare data

Evidence-based healthcare
 Health Care Should Be...
Safe
Effective
Patient-centered
Timely
Efficient
Equitable
IOM, Crossing the Quality Chasm, 2001
 Concerns About Healthcare Data
1. Protection of Healthcare Data
A- Privacy

b- Confidentiality

c- Security
 Definitions
Privacy—the right and desire of a person to
restrict the use and disclosure of personal health
information
Security—the collection of policies, procedures,
and safeguards that help maintain the
confidentiality, integrity, and availability of
personal health information
Confidentiality—the controlled release of
personal health data to a care provider under an
agreement that limits the extent and conditions
under which this information may be used or
further released
 Privacy
Patient hesitant to share their health history
when they know that it will be entered into a
record for anyone with access to read
Protecting patient privacy is an important
professional responsibility
Patient privacy not considered when
interviewing a patient (i.e., Placement of
computers)
 Confidentiality
Anyone with a white coat and a name badge could pick
up a record and read it

When records are computerized, if one gains entrance to
the system, it is easy to access many records

The first line of protection is to defend against
unauthorized access or entrance to the system. This is
achieved with a login process that authenticates that the
person using the system is permitted access.
 Confidentiality
The most secure method of authentication is
biometrics, or the use of physiological
characteristics such as fingerprints, iris scan, or a
voice print
The second secure method is the use of a card
accompanied by a password
The lest secure system is the use of ID and
password
 Confidentiality
Unfortunately, most systems today rely on a user
ID and a password for authentication.
 Users exchange passwords?
 passwords are left written down by the computer
 common words are used (first initial and last name)
 Password should not be shared and should be difficult to guess (e.g.
“Sec9uR7ity”)
 Policies on how often to change passwords (changing frequently vs. not
changing frequently)
 Close access to users as they leave their positions

Confidentiality of computerized records start with
the users (protect their account)
 Confidentiality
Automatic log-out (time interval is too short vs.
too long)
How healthcare data are transmitted? What
policies does the third party agency have for
protecting data? Method of encryption is
necessary in this case. Encryption involves
translating the data into a code that requires a
password by the recipient to decrypt it.
 Confidentiality
Most breaches of confidentiality come from
inside.
Written polices regarding the confidentiality of
information (e.g. policy on termination of employment
in case of invasion of confidentiality)
Training on this topic is important
Sign a confidentiality agreement
 Security
Data security have three aspects:
1) Ensuring the accuracy of the data
2) Protection data from unauthorized eyes inside
and outside the agency
3) Internal and external damage of data
 Security
Three approaches to protecting data
usage integrity are suggested:
1. Hardware approach
2. Software approach
3. Organizational or operations approach
 Hardware security
Hardware security features include hardware
identification, isolation features, and access
control.
Specific protection could include physical
barriers such as special doors, locks on
individual machines, and control over the use
of communication links to the system.
 Software security
Authentication refers to the methods by
which a system verifies the identity of a user
Commercial programs exist to aid this process.
Auditing system may be used to record and
review a user’s interaction with the system.
Audit records can then be used to identify
unauthorized attempts at access and patterns
of access (abuse of information access).
 Organizational or operations
security
Secure processing during data input, processing,
storage, and output.
which individuals or categories of workers should have
access to what information in a hospital information
system?
Portable computers and bedside terminals are liable to
theft and may allow the patient or visitors unauthorized
access to the system
Code of ethics
 Organizational or operations security
Computer viruses are a major threat to the
security and integrity of data storage.
Another threat is the ability of users to copy data
files onto personal computers to work at home.
development and dissemination of policies,
procedures, and practices related to PCS of
patient information
 Common security measures
Network compartments, e.g., intranet &
firewall
Encrypted communication
Audit system
Password-protected authentication
Security key, e.g., MToken
Electronic name card
 System Availability
A system must be available in the right place at
the right time.
Overloading may slow down a system’s response,
and other serious problems
All computer users live in fear of their system
becoming unusable because of failure of the
machine or its power supply
backup of patient data on a regular basis to
ensure that no information is lost if a system
problem occurs
 Legislation and Standards
enacted policies to control and regulate the
creation and use of large databases
establishment of standards and codes of ethics
within the data processing and medical record
management communities
Example: HIPAA (Health Insurance Portability &
Accountability Act)
 HIPAA
Health Insurance Portability & Accountability Act
Components:
1) Security Rule:
– Defines a uniform level of protection for electronic
data pertaining to an individual patient
– Involves policies, procedures, and safeguards to
ensures the confidentiality, integrity, and availability
of PHI
– Protects against any reasonably anticipated threats or
hazards to the security of PH
 HIPPA
2) Privacy Rule
Creates standards to protect individuals’ medical
records and other personal health information by
setting boundaries on the use and disclosure of
PHI
Provides a uniform and simplified minimum
standard for the privacy of individually identifiable
health information
Gives patients more control over their health
information
Provides patients with recourse in the event of
HIPAA violations.
 HIPPA / Violation penalties
Fines up to $250,000 or imprisonment up to
10 years or both for knowing misuse of
individually identifiable health information
 Nursing Responsibilities
nurses must be vigilant in protecting patient privacy and
confidentiality.
Authentication roles
When entering data, we need to ensure that the
information is accurate.
When developing policies regarding privacy,
confidentiality, and a system’s security, the patient must
be the prime concern
 Nursing Responsibilities
Informing the public when implementing a new
hospital information system is important
When using information for research, a consent
is absolutely essential
The system must be reviewed at regular
intervals, and audits must be performed
follow “code of ethics”
Education of all personnel in the area of patient
privacy and confidentiality is imperative.
Other Challenges for using EHR during
patient visits
Loss of eye contact with patients
Computers being too slow
Inability to type quickly enough
Feeling that using the computer in front of the
patient is rude
Preferring to write long prose notes
Computers “timing out”
 Summary
Collection of personal data should be limited.
Data should be relevant to the proposed usage, accurate,
and complete
Data should not be disclosed, made available, or used for
purposes other than those specified without the consent
of the subject or unless authorized by law.
Personal data should be protected by reasonable security
safeguards against such risks as loss or unauthorized
access, destruction, use, or disclosure of data.
 Summary
A general policy of openness should exist about
developments, practices, and policies with
respect to personal data.

A data controller should be accountable for
patient information
 Thank you!
Questions and Discussion