confidentiality, privacy and security
TRANSCRIPT
![Page 1: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/1.jpg)
Confidentiality, Privacy and Security
![Page 2: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/2.jpg)
Privacy
• The desire of a person to control the disclosure of personal health information
![Page 3: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/3.jpg)
Confidentiality
• The ability of a person to control release of personal health information to a care provider or information custodian under an agreement that limits further release of that information
![Page 4: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/4.jpg)
Security
• Protection of privacy and confidentiality through policies, procedures and safeguards.
![Page 5: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/5.jpg)
Why do they matter?
• Ethically, privacy and confidentiality are considered to be rights (in our culture)
• Information revealed may result in harm to interests of the individual
• The provision of those rights tends to ensure that the information is accurate and complete
• Accurate and complete information from individuals benefits society in limiting spread of diseases to society (i.e. HIV)
![Page 6: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/6.jpg)
Why do they matter?
• The preservation of confidentiality assists research which in turn assists patients
![Page 7: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/7.jpg)
Users of health information
• Patient– Historical information for current and future care– Insurance claims
• MD’s – Patient’s medical needs– Documentation– Interface with other providers– Billing
![Page 8: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/8.jpg)
Users
• Health insurance company– Claims processing– Approve consultation requests
• Laboratory– Process specimens– Results reporting– Billing
![Page 9: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/9.jpg)
Users
• Pharmacy– Fill prescription– Billing
• Hospital– Care provision– Record of services– Billing– Vital statistics– Regulatory agencies
![Page 10: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/10.jpg)
Users
• State bureau– Birth statistics– Epidemiology
• Accrediting organization– Hospital review
• Employer– Request claims data– Review claims for $ reduction– Benefits package adjustments
![Page 11: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/11.jpg)
Users
• Life insurance companies– Process applications– Process claims– Risk assessment
• Medical information bureau– Fraud reduction for life insurance companies
• Managed care company– Process claims– Evaluate MD’s
![Page 12: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/12.jpg)
Users
• Lawyers– Adherence to standard of practice– Malpractice claims
• Researcher– Evaluate research program
![Page 13: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/13.jpg)
Security
• Availability• Accountability• Perimeter definition• Rule-limited access• Comprehensibility and control
![Page 14: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/14.jpg)
Privacy solutions
• Forbid the collection of data that might be misused
• Allow the collection of health information within a structure, but with rules and penalties for violation pertaining to collecting organizations
• Generate policies to which individualinformation handlers must adhere
![Page 15: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/15.jpg)
Security controls
• Management controls– Program management/risk management
• Operational controls– Operated by people
• Technical controls– Operated by the computer system
![Page 16: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/16.jpg)
Management controls
• Establishment of key security policies, i.e. policies pertaining to remote access– Program policy
• Definition, scope, roles and responsibilities of the computer security program
– Issue specific policy• Example: Y2K
– System specific policy• Who can access what functions where
![Page 17: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/17.jpg)
Core security policies
• Confidentiality• Email• System access• Virus protection• Internet/intranet use• Remote access• Software code of
ethics
• Backup and recovery• Security training and
awareness
![Page 18: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/18.jpg)
Biometrics
• The scientific discipline of measuring relevant attributes of living individuals or populations to identify active properties or unique characteristics– Can be used to evaluate changes over time for
medical monitoring or diagnosis– Can be used for security
![Page 19: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/19.jpg)
Approaches to identification
• Token based simple security– House key, security card, transponder
• Knowledge based– SSN, password, PIN
• Two-factor– Card + PIN
Card PIN
ID Authentication
Access+
![Page 20: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/20.jpg)
Approaches to identification
• Authoritative IDAccessT
Authent-icationID Policy F
Audit
![Page 21: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/21.jpg)
Identification
• Certain and unambiguous– Deterministic
• Certain with small probability of error– Probabilistic
• Uncertain and ambiguous• Biometric schemes are probabilistic
![Page 22: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/22.jpg)
Probabilistic
• False acceptance rate (type I error)– Percentage of unauthorized attempts that will be
accepted– Also relevant for medical studies
• False rejection rate (type II error)– Percentage of authorized attempts that will be rejected– Also relevant for medical studies
• Equal error rate– Intersection of the lowest FAR and FRR
![Page 23: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/23.jpg)
Biometric ID
• Acquire the biometric ID– How do you ensure that you got the right guy
• Localize the attribute– Eliminate noise– Develop a template (reduced data set)
• Check for duplicates
![Page 24: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/24.jpg)
Biometric applications
• Identification– Search the database to find out who the
unknown is– Check entire file
• Authentication– Verify that the person is who he says he is– Check his file and match
![Page 25: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/25.jpg)
Biometric identifiers
• Should be universal attribute• Consistent – shouldn’t change over time• Unique• Permanent• Inimitable (voice can be separated from the
individual)• Collectible – easy to gather the attribute• Tamper resistant• (Cheaply) comparable - template
![Page 26: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/26.jpg)
Biometric technologies
• Fingerprint– Automated fingerprint ID systems (law
enforcement)– Fingerprint recognition – derives template form
features for ID– Validating temp and /or pulse– Optical vs. solid state (capacitance)– Low FAR and FRR
![Page 27: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/27.jpg)
Fingerprint
![Page 28: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/28.jpg)
Hand geometry
• Dimensions of fingers and location of joints unique
• Low FAR FRR
![Page 29: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/29.jpg)
Retinal scan
• Very reliable• More expensive than hand or fingerprint• Extremely low FAR FRR
![Page 30: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/30.jpg)
Retinal scan
![Page 31: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/31.jpg)
Voice recognition
• Automatic speaker verification (ASV) vs. automatic speaker identification (ASI)– ASV = authentication in a two-factor scheme– ASI = who is speaker– Feature extraction and matching– Problems with disease/aging etc.
![Page 32: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/32.jpg)
Iris scanning
• Less invasive than retinal scanning• Technically challenging balancing optics,
ambient light etc.• Can be verified (live subject) by iris
response to light
![Page 33: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/33.jpg)
Face recognition/thermography
• Facial architecture and heat signature• Relatively high FAR/FRR• Useful in two factor scenarios
![Page 34: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/34.jpg)
Hand vein
• Infrared scanning of the architecture of the hand vessels
![Page 35: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/35.jpg)
Signature
• Architecture of the signature• Dynamics of the signature (pressure and
velocity)
![Page 36: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/36.jpg)
![Page 37: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/37.jpg)
Biometric identification issues
• Privacy, anonymity• Legal issues not defined
![Page 38: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/38.jpg)
Security: availability
• Ensures that accurate, up-to-date information is available when needed at appropriate places
![Page 39: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/39.jpg)
Security: accountability
• Ensures that users are responsible for their access to and use of information based on a documented need and right to know
![Page 40: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/40.jpg)
Security: perimeter definition
• Allows the system to control the boundaries of trusted access to an information system both physically and logically
![Page 41: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/41.jpg)
Security: rule-limited access
• Enables access for personnel to only that information essential to the performance of their jobs and limits the real or perceived temptation to access information beyond a legitimate need
![Page 42: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/42.jpg)
Security: comprehensibility and control
• Ensures that record owners, data stewards and patients can understand and have effective control over appropriate aspects of information confidentiality and access
![Page 43: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/43.jpg)
Availability
• Backups with local and off-site copies of the data
• Secure housing and power sources for CPU even during disasters (when system availability may be crucial)
• Virus protection
![Page 44: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/44.jpg)
Accountability
• Audit trails and warnings• User
– Authentication – unique ID process– Authorization – to perform set of actions, i.e.
access only their own patients
![Page 45: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/45.jpg)
Perimeter definition
• System knows users and how they are using the system– Define the boundaries of the system (i.e. within
the firewall) Princeton-Penn-HUP– How do you permit/monitor off-site access– Modems?
• Tools– Cryptographic authentication
![Page 46: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/46.jpg)
Perimeter definition
• Public key-private key– Encryption
• Privacy and confidentiality– Digital signatures
• Prescription signature– Content validation
• Message hasn’t been messed with– Nonrepudiation
• “I didn’t say that”
![Page 47: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/47.jpg)
Role limited access
• Spheres of access– Patient list: patients one has a role in the care of– Content specific: billing clerk/billing info– Relevant data: researcher on heart disease
shouldn’t be able to learn about HIV status
![Page 48: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/48.jpg)
Taxonomy of organizational threats
• Motive– Health records have economic value to insurers,
employers, journalists, enemy states etc.– Curiosity about the health status of friends,
romantic interests, coworkers or celebrities– Clandestine observation of employees (GE)– Desire to gain advantage in contentious
situations (divorce)
![Page 49: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/49.jpg)
Resources
• Attackers may range from– Individuals– Small group (e.g. law firm)– Large group (e.g. insurer, employer)– Intelligence agency– Organized crime
![Page 50: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/50.jpg)
Initial access
• Site access• System authorization• Data authorization
Site
Data
System
Billing clerk
Worker
MD, RNComputer vendor
![Page 51: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/51.jpg)
Technical capability
• Aspiring attacker (limited skills)– Research target– Masquerade as an employee– Guess password– Dumpster diving– Become temporary employee
![Page 52: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/52.jpg)
Technical capability
• Script runner– Acquire software from web-sites for automated
attacks• Accomplished attacker
– Able to use scripted or unscripted (ad-hoc) attacks
![Page 53: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/53.jpg)
Levels of threat
• Threat 1– Insiders who make “innocent” mistakes and
cause accidental disclosure– Elevator discussion, info left on screen, chart
left in hallway etc.• Threat 2
– Insiders who abuse their privileges
![Page 54: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/54.jpg)
Threat
• Threat 3– Insiders who access information
inappropriately for spite or profit– London Times reported that anyone’s electronic
record could be obtained for $300• Threat 4
– Unauthorized physical intruder– Fake labcoat
![Page 55: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/55.jpg)
Threats
• Threat 5– Vengeful employees or outsiders bent on
destruction or degradation, e.g. deletion, system damage, DOS attacks
– Latent problem
![Page 56: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/56.jpg)
Countering threats
• Deterrence– Create sanctions– Depends on identification of bad actors
• Imposition of obstacles– Firewalls– Access controls– Costs, decreased efficiency, impediments to
appropriate access
![Page 57: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/57.jpg)
Countermeasures
Authentication, access and cryptoTechnical breakinNNY5
Physical security and access control
Unauthorized physical intrusionYNY4
Authentication and auditing
Unauthorized for spite of moneyN/ANY3
Authentication and auditing
Improper use of access privilegesN/AYY2
Org and technical measuresMistakeYYY1
CounterThreatSiteDataSystemType
![Page 58: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/58.jpg)
Counter threat 1
• Behavioral code• Screen savers, automated logout• ? Patient pseudonyms
![Page 59: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/59.jpg)
Counter threat 2
• Deterrence• Sanctions• Audit• Encryption (user must obtain access keys)
![Page 60: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/60.jpg)
Counter threat 3
• Audit trails• Sanctions appropriate to crime
![Page 61: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/61.jpg)
Counter threat 4
• Deterrence• Strong technical measures (surveillance
tapes)• Strong identification and authentication
measures
![Page 62: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/62.jpg)
Counter threat 5
• Obstacles• Firewalls
![Page 63: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/63.jpg)
Issues with countermeasures
• Internet interface• Legal and national jurisdiction• Best balance is relatively free internal
environment with strong boundaries– Requires strong ID/auth
![Page 64: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/64.jpg)
Recommendations
• Individual user ID and authentication– Automated logout – Password discipline
• Access controls– Role limited– Role definitions
• Cardiologist vs. MD
• Audit trails
![Page 65: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/65.jpg)
Recommendations
• Physical security and disaster recovery– Location of terminals– Handling of paper printouts
• Remote access points– VPN’s– Encrypted passwords– Dial-ins
![Page 66: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/66.jpg)
Recommendations
• External communications– Encrypt all patient related data over publicly
available networks• Software discipline
– Virus checking programs• System assessment
– Run scripted attacks against one’s own system
![Page 67: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/67.jpg)
Recommendations
• Develop security and confidentiality policies– Publish– Committees– ISO’s– Sanctions
• Patient access to audit logs– Who saw my record and why
![Page 68: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/68.jpg)
Future recommendations
• Strong authentication– Token based authentication (two factor)
• Enterprise wide authentication– One-time login to authorized systems
• Access validation– Masking
• Expanded audit trails• Electronic signatures
![Page 69: Confidentiality, Privacy and Security](https://reader031.vdocuments.net/reader031/viewer/2022012915/61c4f507428dd305261e84f9/html5/thumbnails/69.jpg)
Universal patient identifier
• Methodology should have an explicit framework specifying linkages that violate patient privacy
• Facilitate the identification of parties that make improper linkages
• Unidirectional – should facilitate helpful linkages of health records but prevents identification of patient from health records or the identifier