Part I

This article is divided into three parts, each taking the subject a step further. I will not cover what security is in general, as that is a separate and detailed subject in its own right.

Background

It started back in 1975, when the Privacy Act of 1974 was introduced as a "code of fair information practices that attempts to regulate the collection, maintenance, use, and dissemination of personal information by federal executive branch agencies." It was only partially successful, however: it was vaguely worded and was subject to many interpretations and amendments. Other acts followed, such as the Computer Security Act of 1987 and the EU Data Protection Directive of 1995.

As information moved from paper to digital form and began to be transmitted from one place to another, new threats to patients' privacy and to the processes handling their information emerged. In view of these emerging threats, and of the overarching goal of providing cost-effective healthcare to all citizens, several important federal regulations were enacted, including the Privacy and Security Rules under HIPAA (1996). The goal of HIPAA was to reform the health insurance market and simplify healthcare administrative processes while strengthening the privacy and security of health information. The HIPAA security regulations fall into broad categories of patient privacy and health information security, placing requirements on healthcare providers, health plans, healthcare clearinghouses and insurers, collectively referred to as healthcare organizations or "covered entities." HIPAA took years to go from draft to final rule, with the final Security Rule being published in February 2003.

HIPAA was enacted to reform health insurance practices and, as a step towards a nationwide electronic health records system, to standardize information transactions.

Need for Security 

Information security has never been more important to healthcare than it is today. Technology continues to change at a rapid rate, with consumer devices leading the way. As healthcare moves from traditional brick-and-mortar infrastructure to health information exchanges, home healthcare, accountable-care organizations, and mobile access to information at all times, information security has become a central concern.

Assets can be anything: data, software, source code, physical assets such as infrastructure equipment, and, most importantly, people and their information. We can certainly secure systems, but information security must always balance the protection applied against the value of the asset and the usability of the system. Finding this balance can be a daunting task, so we need to look at the threats to our assets and ask questions like:

  • Do we understand how our systems can be exploited?
  • Do we monitor our systems for attacks?
  • Do we properly authenticate users, and how are their passwords protected?
  • Can others scan our systems from the internet, or from anywhere else?
  • Do we provide a safe environment in which patients are treated?

If we answer even some of these questions, we will no doubt discover a gap between our current state of security and the desired state, and can initiate the right steps to mitigate the risks.

Summary of Breaches by Device Type, September 2009 to December 31, 2012

Device Type                 Incidents   % of Incidents   Patients Affected   % of Patients
Laptop                          123        23.4%            2,240,259            10%
Portable Devices                 73        13.9%            1,540,070             7%
Desktop Computer                 74        14.1%            2,323,094            11%
Hard Drives                       1         0.2%            1,023,209             5%
Paper Records                   124        23.6%              718,622             3%
Network Servers                  59        11.2%            2,480,378            12%
E-mail                           11         2.1%              242,684             1%
Electronic Medical Record         8         1.5%            1,826,057             9%
Backup Tapes/CDs                  7         1.3%            6,291,655            29%
Mailings/Postcards                1         0.2%                3,400             0%
Other                            44         8.4%            2,722,077            13%
Total                           525       100.0%           21,411,505           100%

Source: HHS Breach Statistics Website.
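The table is easy to misread if one looks only at incident counts. As an added example (not part of the original article), the following Python script takes the incident and patient counts transcribed from the HHS table above, recomputes the percentage shares, and ranks device types by patients affected per incident. The device labels and counts are the table's own; the functions and the per-incident ranking are this example's additions.

```python
"""Per-incident impact of the HHS breach figures in the table above.

Added example, not part of the original article: it recomputes the shares in
the table from the raw counts and ranks device types by patients affected per
incident, which is the view that separates frequent-but-small breaches (paper
records, laptops) from rare-but-catastrophic ones (a single hard-drive loss,
backup tapes, EMR systems).
"""

# Incident and patient counts transcribed from the table above (HHS breach
# statistics, September 2009 to December 31, 2012). The percentages in the
# table are recomputed below rather than copied.
BREACHES_BY_DEVICE = {
    "Laptop": (123, 2_240_259),
    "Portable Devices": (73, 1_540_070),
    "Desktop Computer": (74, 2_323_094),
    "Hard Drives": (1, 1_023_209),
    "Paper Records": (124, 718_622),
    "Network Servers": (59, 2_480_378),
    "E-mail": (11, 242_684),
    "Electronic Medical Record": (8, 1_826_057),
    "Backup Tapes/CDs": (7, 6_291_655),
    "Mailings/Postcards": (1, 3_400),
    "Other": (44, 2_722_077),
}


def totals(table):
    """Return (total incidents, total patients affected) across all device types."""
    incidents = sum(n for n, _ in table.values())
    patients = sum(p for _, p in table.values())
    return incidents, patients


def shares(table):
    """Return {device: (% of incidents, % of patients)}, rounded to one decimal."""
    total_inc, total_pat = totals(table)
    return {
        device: (round(100 * n / total_inc, 1), round(100 * p / total_pat, 1))
        for device, (n, p) in table.items()
    }


def rank_by_impact(table):
    """Device types ordered by patients affected per incident, worst first."""
    return sorted(
        ((device, p / n) for device, (n, p) in table.items()),
        key=lambda item: item[1],
        reverse=True,
    )


def rank_by_frequency(table):
    """Device types ordered by number of incidents, most frequent first."""
    return sorted(
        ((device, n) for device, (n, _) in table.items()),
        key=lambda item: item[1],
        reverse=True,
    )


if __name__ == "__main__":
    inc, pat = totals(BREACHES_BY_DEVICE)
    print(f"{inc} incidents, {pat:,} patients affected")
    print("\nMost frequent device types:")
    for device, n in rank_by_frequency(BREACHES_BY_DEVICE)[:3]:
        print(f"  {device:<26} {n:>4} incidents")
    print("\nHighest impact per incident:")
    for device, per in rank_by_impact(BREACHES_BY_DEVICE)[:3]:
        print(f"  {device:<26} {per:>12,.0f} patients per incident")
```

Running it makes the point the raw counts hide: paper records and laptops account for almost half of all incidents but only about 13% of affected patients, while one hard-drive loss and seven backup-tape incidents together account for more than a third of all patients. A risk program that prioritizes controls by incident count alone would steer effort toward the wrong assets; the per-incident impact is what should drive encryption and media-handling controls for backups and storage media.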

Figure 1-1: Reasons for breach (image not reproduced here).

Information Security Defined

If I have to define it, then it is this: protecting information and information systems from unauthorized access, use, disclosure, modification, and destruction. Information security is concerned with three properties, the confidentiality, integrity, and availability of data, regardless of its form, electronic or paper.

  • Confidentiality – the property that electronic health information is not made available or disclosed to unauthorized persons or processes. It is a necessary component of privacy and concerns the protection of data from unauthorized users.
  • Integrity – the property that electronic health information has not been altered or destroyed in an unauthorized manner. This is critical where data is the foundation of clinical decisions; failure can lead to loss of life, financial impact, and poor outcomes.
  • Availability – the property that electronic health information is accessible and usable on demand by an authorized person.

Regulations (USA)

Information security has become one of the most important components of running a healthcare organization. Operating a public or private sector healthcare facility in the United States comes with mandatory data security measures. These measures are intended to protect a wide range of information and data from accidental loss, misuse, or intentional breach. Some of them are:

  • Health Insurance Portability and Accountability Act (HIPAA) – HIPAA was the first national health privacy law to set standards for how healthcare providers, health plans, clearinghouses and insurers collect and share health-related information. It grants individuals the right of access to their own health records. There is much more to it, which can be covered in later sessions.
  • Federal Information Security Management Act (FISMA) – legislation that sets information security expectations for all federal agencies and for the entities acting on their behalf. It provides the security framework within which an agency is expected to safeguard the government operations, information, and assets it creates, stores, or accesses.
  • Health Information Technology for Economic and Clinical Health Act (HITECH) – organizations and agencies found gaps in HIPAA, and many of its provisions proved ineffective in practice; it had, for instance, no breach notification requirement and weak enforcement. HITECH (2009) was designed in response to these open concerns, adding breach notification obligations and stronger penalties. In the compliance arena the pair is often referred to as HIPAA-HITECH.

There are many other standards and frameworks on the security side, such as ISO 27000 and PCI DSS (the Payment Card Industry Data Security Standard), which apply in healthcare but started out as private-sector standards.

I will stop here and take this discussion further in the next part by digging into healthcare threats, changing trends, and changing security policies. Healthcare is moving from a closed, tightly knit environment to a slowly opening, shared culture in which patient information flows seamlessly across organizational boundaries.

(Continue Reading Part II)