Hipaa sECURITY - PowerPoint PPT Presentation

About This Presentation
Title:

Hipaa sECURITY

Description:

How not to get lost in the Big Ocean of Portable Electronic Health Records: Riding the Wave of Digital Health Information Gary Beatty President – PowerPoint PPT presentation

Number of Views:157
Avg rating:3.0/5.0
Slides: 31
Provided by: GaryB109
Learn more at: https://hipaacow.org
Category:

less

Transcript and Presenter's Notes

Title: Hipaa sECURITY


1
Hipaa sECURITY
  • How not to get lost in the Big Ocean of Portable
    Electronic Health Records Riding the Wave of
    Digital Health Information

Gary Beatty President EC Integrity,
Inc Vice-Chair ASC X12
Spring Conference April 4, 2008
2
Influencing the move to eHealthcare
  • Need to reduce the cost of health care
  • Increase quality of health care
  • Consumer driven health care
  • Online health records
  • Payer support for community health records
  • Transparency in health care
  • Pay for performance programs
  • Governmental

3
Terminology
EMR
HR
EHR
PHR
CCR
Acronyms
Hybrids
PHI
4
Terminology
  • Health Records (AHIMA)
  • The legal business record for a healthcare
    organization.
  • Individually identifiable information
  • Any medium
  • Collected, processed, stored, displayed

5
Terminology
  • Health Records contain
  • Diagnosis
  • Medications
  • Procedures
  • Problems
  • Clinical Notes
  • Diagnostic Results
  • Images
  • Graphs
  • Other items deemed necessary

6
Terminology
  • Health Records
  • Support continuity of care
  • Planning patient care
  • Provides planning information
  • Resource allocation
  • Trend analysis
  • Forecasting
  • Workload management
  • Justification for billing information

7
Terminology
  • Electronic Medical Record (EMR) (HIMSS)
  • An application environment composed of
  • Clinical Data Repository (CDR)
  • Clinical Decision Support (CDS)
  • Controlled medical terminology
  • Order entry
  • Computerized provider order entry
  • Pharmacy
  • Clinical document applications
  • Enterprise support
  • Inpatient and Outpatient
  • Use to document, monitor and manage delivery of
    health care
  • Electronic Medical Record (EMR) (HIMSS)
  • The EMR is the legal record
  • Owned by the Care Delivery Organization (CDO)

8
Terminology
  • Electronic Health Record (EHR) (HIMSS)
  • Longitutal electronic medical record across
    encounters in any care delivery setting.
  • Resource for clinicians
  • Secure
  • Real-time
  • Point-of-care
  • Patient centric information source
  • Aids collection of data for other uses
  • Billing
  • Quality management
  • Outcomes reporting
  • Resource planning
  • Public health disease surveillance
  • Reporting

9
Terminology
  • Electronic Health Record (EHR) (HIMSS)
  • Includes
  • Patient demographics
  • Progress notes
  • Problems
  • Medications
  • Vital signs
  • Past medical history
  • Immunizations
  • Laboratory data
  • Radiology reports

10
Terminology
  • Electronic Health Record (EHR) (HIMSS)
  • Automates / streamlines clinicians workflow
  • Complete record of clinical encounter
  • Supports other care-related activities
  • Evidence-based decision support
  • Quality management
  • Outcome reporting

11
Terminology
  • Personal Health Record (PHR)
  • Created by the individual
  • Summarizes health and medical history
  • Gathered from many sources
  • Format of PHR
  • Paper
  • Personal computer
  • Internet based
  • Portable storage

12
Terminology
  • Continuity of Care Record (CCR)
  • Patient Health Summary Standard
  • ASTM / MMS / HIMSS / AAFP / AAP co-development
  • Core health care components
  • Sent from one provider to another
  • Includes
  • Patient demographics
  • Insurance information
  • Diagnosis and problem
  • Medications
  • Allergies
  • Care plan

13
Terminology
  • Hybrid Health Record
  • Both
  • Paper health records
  • Electronic health records

14
Terminology
  • Protected Health Information (PHI)
  • Any health care information linked to a person
  • Health Status
  • Provision of Health Care
  • Payment of Health Care
  • Includes
  • Names
  • Geographic subdivision smaller than a state
  • Dates related to an individual
  • Phone Numbers
  • Fax Numbers
  • Email Addresses
  • SSN
  • Medical Record Numbers
  • Beneficiary Numbers
  • Account Numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers
  • license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers
  • Finger
  • voice prints
  • Full face photographic images and any comparable
    images
  • Any other unique identifying number,
    characteristic, or code

15
Security Concerns
  • Privacy
  • Can anyone else read it?
  • Authentication
  • How do I know who sent it?
  • Data Integrity
  • Did it arrive exactly as sent?
  • Non-repudiation of receipt
  • Can the receiver deny receipt?
  • How do I know it got there?
  • How do I track these activities?

16
Modes of Communication
  • Internet / Intranet
  • Wired
  • Wireless
  • Wifi (802.11a, b, g, i, n)
  • Bluetooth (Personal Area Network - PAN)
  • VoiP
  • Dial-up
  • Mobile Devices
  • Smart Phones
  • Mobile Standards (GSM, GPRS, etc.)
  • PDA
  • Tablet PCs
  • Physical Media
  • Magnetic, optical, flash (thumb drives), others

17
Wireless Security
  • RC4 (ARC4 /ARCFOUR) Stream Cypher (easily
    broken)
  • Secure Sockets Layer (SSL)
  • WEP Wire Equivalent Privacy
  • WPA WiFi Protected Access
  • WPA2 (based upon 802.11i)
  • Data Encryption Standards (DES)
  • Advanced Encryption Standards (AES)
  • Government strength encryption

18
Internet Security
  • Firewall machines
  • IP address selection
  • ID Passwords
  • Security techniques
  • Encryption
  • Digital Signatures
  • Data Integrity Verification
  • Non-repudiation
  • Trading Partner Agreements (TPA)

19
Symmetric Key(Private)
CYPHERTEXT
ENCRYPT
DECRYPT
PLAINTEXT DOCUMENT
PLAINTEXT DOCUMENT
PROVIDER
PAYER
PRIVATE KEY
20
Symmetric Key(Private)
  • n (n-1) / 2 keys to manage
  • 100 users would require 4950 keys
  • Key size 128 bits
  • Generally considered fast

Gary
Alice
Julie
Karen
Frank
Erin
Dale
Mary
21
Asymmetric Keys (Public/Private)PKI
CYPHERTEXT
ENCRYPT
DECRYPT
PLAINTEXT DOCUMENT
PLAINTEXT DOCUMENT
PROVIDER
PAYER
PAYERS PUBLIC KEY
PAYERS PRIVATE KEY
22
Asymmetric Keys (Public/Private)
  • n key pairs needed for n partners
  • key size (128, 768, 1024, 2048 bits)
  • Generally considered slower
  • What happens if you lose your key?

Gary
Alice
Julie
Public Key Directory
Karen
Frank
Gary Mary E Alice Dale F Frank
Karen G Erin Julie H
Erin
Dale
Mary
23
AuthenticationDigitized vs. Digital Signature
  • A digitized signature is a scanned image
  • A digital signature is a numeric value that is
    created by performing a cryptographic
    transformation of the hash of the data using the
    signers private key.

Ö m25_ __ò_5wA___enruƒ\ƒ½PÑ7qGß__
Ae_7?ââ-áH-90Y åú'Ælt_8óXpìÉ_V1ª
Gary A. Beatty ltgaryb_at_eci.comgt
24
Data Integrity
  • Part of the digital signature process
  • A secure one way hashing algorithm used to create
    a hash of the data

Provider B
PROVIDER A
Encoded
Cypher
Cypher
Encoded
EHR
EHR
PROVIDER A PRIVATE KEY
PROVIDER A PUBLIC KEY
Provider B PRIVATE KEY
Provider B PUBLIC KEY
25
Applicability Statement StandardsEDIINT
Workgroup of IETF
  • AS1 Applicability Statement 1
  • Email exchange of electronic transactions
  • S/MIME Secure Multi-Purpose Internet Mail
    Extensions
  • Uses SMTP (Simple Mail Transfer Protocol)
  • Satisfies Security Requirements
  • Encryption
  • Authentication
  • Integrity
  • Non-repudiation
  • Whats needed
  • Email capability
  • Electronic Transaction
  • Digital Certificate

26
Applicability Statement StandardsEDIINT
Workgroup of IETF
  • AS2 Applicability Statement 2
  • HTTP exchange of electronic transactions
  • S/MIME Secure Multi-Purpose Internet Mail
    Extensions
  • Uses HTTPS
  • Hypertext Transfer Protocol over Secure Socket
    Layer
  • Allows for REAL TIME delivery
  • Satisfies Security Requirements
  • Encryption
  • Authentication
  • Integrity
  • Non-repudiation
  • Whats needed
  • Web Server (static IP address)
  • Electronic Transaction
  • Digital Certificate

27
Applicability Statement StandardsEDIINT
Workgroup of IETF
  • AS3 Applicability Statement 3
  • FTP exchange of electronic transactions
  • S/MIME Secure Multi-Purpose Internet Mail
    Extensions
  • Uses FTP File Transfer Protocol
  • Allows for REAL TIME delivery
  • Satisfies Security Requirements
  • Encryption
  • Authentication
  • Integrity
  • Non-repudiation
  • Whats needed
  • FTP Server
  • Electronic Transaction
  • Digital Certificate

28
Digital Certificates
  • Electronic Credit Card
  • Establishes Credentials for electronic
    transactions
  • Issues by Credential Authority
  • Name
  • Serial Number
  • Expiration Dates
  • Certificate Holders Public Key
  • Digital Certificate of Certification Authority
  • Verified by Registration Authority
  • X.509 Standards
  • Registry of Digital Certificates
  • Access with HIPAA Identifiers

29
Security Weak Links
  • We can secure transmission of data!
  • Weakest link usually when data is
  • AT REST!
  • Paper
  • On the screen
  • Waste baskets
  • Physical Security
  • Building access
  • Data Center access
  • Electronic Security
  • Screen Savers
  • Auto Logoff

30
Thank you
Gary Beatty President EC Integrity,
Inc Vice-Chair ASC X12
Spring Conference April 4, 2008
Write a Comment
User Comments (0)
About PowerShow.com