Professional Documents
Culture Documents
Principles of Ethics
Respect for Persons
Beneficence
Justice
Privacy, Security, and Confidentiality
• Definitions
• Concerns
o Privacy
o Security
• Tools for protecting health information
• Health Insurance Portability and Accountability Act (HIPAA)
o Privacy rule
o Security rule
o Enhancements in Health Information Technology for Economic and
Clinical Health Act legislation
o Implications
Definitions
• Privacy
o The right to be left alone
• Confidentiality
o Sharing or disseminating data only to those with a “need to know”
• Security
o Mechanisms to ensure the safety of data and systems in which the
data reside
Concerns about Privacy
Digital Health and Privacy, Security, and Confidentiality
(Figure: three overlapping circles labeled Privacy, Confidentiality, and Security)
Personal Privacy versus the Common Good
Patient Information Disclosures
• Healthcare cybersecurity attacks over the past five years have increased 125 percent as the
industry has become an easy target; PHI is 50 times more valuable than financial information
on the black market (Kutscher, 2016).
• In Portland, Oregon, thieves broke into a car with back-up disks and tapes containing records of
365,000 patients (Rojas-Burke, 2006).
• Several episodes in Virginia, including a stolen laptop holding data on more than 1 million veterans;
the laptop was recovered with no apparent access to the data (Lee & Goldfarb, 2006).
• A hack of Indianapolis-based payer Anthem’s information technology (IT) systems exposed the
personal data of approximately 80 million customers (Perma, 2015).
• Improper disclosure of research participants’ PHI resulted in a $3.9 million HIPAA settlement
(U.S. Department of Health and Human Services [HHS], 2016b).
• A hospital paid hackers $17,000 to unlock electronic health records frozen in a “ransomware”
attack (Conn, 2016).
• In 2015 the top 10 data breaches accounted for just more than 111 million records; the top 6 breaches
each affected at least 1 million individuals (Munro, 2015).
Breaches Adversely Impact Organizations
Challenges from Proliferation of Technologies
and Applications
• USB (“thumb”) drives can launch programs automatically when plugged into a USB port,
and can be modified to extract data from the computer (Wright & Sittig, 2007a, 2007b).
• Personal health records and other systems may lack encryption and can be easily
compromised.
• Ten percent of hard drives sold by a second-hand retailer in Canada
had remnants of PHI (El Emam, Neri, & Jonker, 2007).
• Peer-to-peer file sharing—0.5 percent of all U.S. IP addresses have
PHI (El Emam et al., 2010).
• Digital photocopiers store all copies made (Keteyian, 2010); scanners
may also store copies.
Restrict physical access where possible and always encrypt!
Healthcare Organizations Are Not
Well Prepared for Security
• Security budgets are not keeping pace with complex IT environments and the growing
risk of attacks (HIMSS, 2015).
• The growing sophistication of attacks and the number of threats make it hard to keep
up.
• There is a need for innovative, advanced security tools and in-depth approaches to
address threats and vulnerabilities (HIMSS, 2015).
• There is not enough highly skilled security expertise (Ponemon Institute, 2015).
• Paper security breaches remain an issue (Ponemon Institute, 2015).
• Data leakage is a primary threat.
o Identity and access management is a top priority.
What is the role of your government?
European Union General Data Protection
Regulation
GDPR Data Definitions Regardless of
Nationality or EU Residence
“The GDPR also requires compliance from non-EU organizations that offer goods or services to EU residents
or monitor the behavior of EU residents.”
Source: Brief: You Need An Action Plan For The GDPR; Forrester Research; October 2016
GDPR Basics
What do other governments do?
Related Issues for Medical Privacy
• Who “owns” medical information?
o Complex; varies from state to state (http://www.healthinfolaw.org/comparative-analysis/who-owns-medical-records-50-state-comparison)
o May have economic value, which should be shared back to the patient (Hall & Schulman, 2009; Rodwin, 2009)
• “Compelled” disclosures (Rothstein & Talbott, 2006)
o We are often compelled to disclose information for nonclinical care reasons
Health Information Rights
• Declaration of Health Data Rights
o Right to our own health data
o Right to know the source of each health data element
o Right to take possession of a complete copy of our individual health data,
without delay, at minimal or no cost; if data exist in computable form, they
must be made available in that form
o Right to share our health data with others as we see fit
o Read:
https://sites.tufts.edu/prep/2009/07/07/declaration-of-health-data-rights
• American Health Information Management Association (AHIMA) Health
Information Bill of Rights (2009)
o http://bok.ahima.org/PdfView?oid=107674
o Slightly more detailed but with similar provisions
Are “de-identified” data more secure?
Not Necessarily
How Governor Weld Was Identified
(Figure adapted from Sweeney, 1997: the hospital’s “de-identified” medical data (ethnicity, visit date, diagnosis, procedure, medication, charge) and the public voter list (name, address, date registered, party affiliation, date last voted) share three fields, ZIP code, date of birth, and gender, which link the two data sets.)
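The Weld linkage above, carried out as an added worked example in Python (this code is not part of the original slides). It joins a constructed “de-identified” hospital release to a constructed voter list on the shared quasi-identifiers (ZIP, date of birth, gender), then generalizes those fields in the style of Sweeney’s (2002) k-anonymity and shows the same join no longer singles anyone out. All names, ZIP codes, dates of birth and diagnoses are invented for the example; the 3-digit-ZIP/birth-year generalization is one of several possible strategies.

```python
"""Linking a "de-identified" medical release to a public voter list on
quasi-identifiers, then checking k-anonymity after generalization.

All records below are constructed for this example; the names, ZIP codes,
dates of birth and diagnoses do not describe real people."""
from collections import Counter, defaultdict

# Quasi-identifiers both data sets share (the overlap in the Weld figure).
QUASI = ("zip", "dob", "sex")

# Constructed hospital release: names removed, quasi-identifiers retained.
HOSPITAL = [
    {"zip": "02138", "dob": "1945-07-31", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02139", "dob": "1945-02-10", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02138", "dob": "1962-01-15", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1962-09-03", "sex": "F", "diagnosis": "migraine"},
]

# Constructed public voter list: names plus the same quasi-identifiers.
VOTERS = [
    {"name": "Voter A", "zip": "02138", "dob": "1945-07-31", "sex": "M"},
    {"name": "Voter B", "zip": "02139", "dob": "1945-02-10", "sex": "M"},
    {"name": "Voter C", "zip": "02138", "dob": "1962-01-15", "sex": "F"},
    {"name": "Voter D", "zip": "02139", "dob": "1962-09-03", "sex": "F"},
    {"name": "Voter E", "zip": "02139", "dob": "1962-09-03", "sex": "F"},
]


def qi_key(rec, fields=QUASI):
    """Tuple of quasi-identifier values used as the join key."""
    return tuple(rec[f] for f in fields)


def link(hospital, voters, fields=QUASI):
    """Map each hospital row index to the voter names sharing its quasi-identifiers."""
    index = defaultdict(list)
    for v in voters:
        index[qi_key(v, fields)].append(v["name"])
    return {i: index.get(qi_key(h, fields), []) for i, h in enumerate(hospital)}


def re_identified(hospital, voters, fields=QUASI):
    """(name, diagnosis) pairs for rows whose key matches exactly one voter.

    Rows matching two or more voters stay ambiguous; rows matching none stay unlinked."""
    return [(names[0], hospital[i]["diagnosis"])
            for i, names in link(hospital, voters, fields).items()
            if len(names) == 1]


def generalize(rec):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and birth year only.

    One generalization strategy in the style of Sweeney (2002); others exist."""
    return {**rec, "zip": rec["zip"][:3] + "**", "dob": rec["dob"][:4]}


def k_anonymity(records, fields=QUASI):
    """Size of the smallest group sharing the same quasi-identifier values (k)."""
    return min(Counter(qi_key(r, fields) for r in records).values())


def demo():
    """Run the linkage on the raw release, then on the generalized release."""
    gen_hospital = [generalize(r) for r in HOSPITAL]
    gen_voters = [generalize(v) for v in VOTERS]
    return {
        "raw_k": k_anonymity(HOSPITAL),
        "raw_reidentified": re_identified(HOSPITAL, VOTERS),
        "generalized_k": k_anonymity(gen_hospital),
        "generalized_reidentified": re_identified(gen_hospital, gen_voters),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

On the raw release every row is unique on the three fields (k = 1) and three of the four rows join to exactly one voter, attaching a diagnosis to a name; the fourth is ambiguous only because two voters happen to share its key. After generalization the release is 2-anonymous and no row joins uniquely. Note that k = 2 is still weak, and that generalization says nothing about the sensitive column itself: if both people in a group had the same diagnosis, the attacker would learn it anyway.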
Flow of Information in Healthcare:
Many Points to “Leak”
Security for Paper Records Is a Significant Problem
Potential Consequences of Poor Security
Medical Identity Theft
Tools for Protecting Health Information
Threats to Security
• Insider
o Accidental disclosure
o Curiosity
o Malicious/subornation
• Outsider
o Organized crime
o Hacktivists
o Cyber thieves
Technologies to Secure Information
• Deterrents
o Alerts
o Audit trails
• System management precautions
o Software management
o Analysis of vulnerability
• Obstacles
o Authentication
o Authorization
o Integrity management
o Digital signatures
o Encryption
o Firewalls
o Rights management
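As an added example (not from the slides), the three categories above combined in one small Python program: an authorization check that enforces “need to know” (an obstacle), an audit trail that records every decision (a deterrent), and an alert that flags users who repeatedly touch records outside their assignments, the insider “curiosity” threat listed earlier. The users, patient identifiers and access sequence are constructed; the break-glass override is a common pattern, not a specific product’s feature.

```python
"""Authorization against a need-to-know list, an audit trail of every access
decision, and an alert that flags repeated access outside that list.

Users, patients and accesses are constructed for this example; the
"break-glass" emergency override is a common pattern, not a specific product."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed treating relationships: patients each user legitimately needs to see.
ASSIGNMENTS = {
    "dr_ahmed": {"P100", "P101"},
    "nurse_lee": {"P100", "P102"},
    "clerk_ray": set(),  # billing clerk with no clinical assignment
}


@dataclass
class AuditTrail:
    """Append-only record of access decisions (a deterrent: users know it exists)."""
    events: list = field(default_factory=list)

    def record(self, user, patient, allowed, reason):
        self.events.append(
            {"user": user, "patient": patient, "allowed": allowed, "reason": reason}
        )


def authorize(user, patient, trail, break_glass_reason=None):
    """Obstacle: allow only assigned users, or an explicit break-glass override.

    Every decision, allowed or denied, is written to the trail for later review."""
    if patient in ASSIGNMENTS.get(user, set()):
        trail.record(user, patient, True, "assigned")
        return True
    if break_glass_reason:
        trail.record(user, patient, True, f"break-glass: {break_glass_reason}")
        return True
    trail.record(user, patient, False, "not assigned")
    return False


def curiosity_alerts(trail, threshold=2):
    """Alert on users with `threshold` or more events (allowed or denied) for
    patients outside their assignments; break-glass accesses count too, so
    they are reviewed rather than silently trusted."""
    counts = defaultdict(int)
    for e in trail.events:
        if e["patient"] not in ASSIGNMENTS.get(e["user"], set()):
            counts[e["user"]] += 1
    return sorted(u for u, n in counts.items() if n >= threshold)


def demo():
    """Constructed sequence of accesses; returns the trail and resulting alerts."""
    trail = AuditTrail()
    authorize("dr_ahmed", "P100", trail)                                   # allowed
    authorize("nurse_lee", "P101", trail)                                  # denied
    authorize("nurse_lee", "P101", trail, break_glass_reason="code blue")  # allowed, logged
    for patient in ("P100", "P101", "P102"):                               # clerk browsing
        authorize("clerk_ray", patient, trail)
    return trail, curiosity_alerts(trail)


if __name__ == "__main__":
    trail, alerts = demo()
    for e in trail.events:
        print(e)
    print("alerts:", alerts)
```

Denied attempts are logged as well as successes: a clerk who is refused three times in a row is exactly the pattern an audit review should surface, and it never appears if only successful reads are recorded. A real system would also protect the trail itself from the users it records, which this toy does not do.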
Encryption
Standards for Encryption and Related Functions
• Advanced Encryption Standard (AES): NIST-designated symmetric block cipher standard for encryption and
decryption (Daemen & Rijmen, 2002)
• Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL): Cryptographic
protocols that secure communications between two endpoints on a network (Rescorla, 2001)
o SSL and TLS 1.0/1.1 are now deprecated; deployments should use TLS 1.2 or later
• Internet Protocol Security (IPsec): Protocol suite for securing Internet Protocol (IP) communications by
authenticating and encrypting each IP packet of a data stream
o Part of IPv6 but also added as a standalone extension on top of IPv4
• Secure Hash Algorithm (SHA): Family of cryptographic hash functions used to verify the integrity of
transmitted information and documents (NIST, 2015)
o Practical weaknesses have been found in SHA-1, so the SHA-2 family (for example, SHA-256) should
be used instead
o A hash alone detects accidental change; detecting deliberate tampering needs a key, either a
keyed hash (HMAC) or a digital signature
• For more:
o Secure Hash Algorithm https://en.wikipedia.org/wiki/Secure_Hash_Algorithm
o NIST’s Cryptographic Toolkit http://csrc.nist.gov/groups/ST/toolkit/index.html
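An added Python example (not from the slides) of the SHA point above, using only the standard library’s hashlib and hmac: it hashes a constructed discharge-summary line with SHA-256, shows that the digest catches an edit to the prescription, then shows that an attacker who can rewrite the stored digest defeats the check, and that an HMAC-SHA-256 tag under a key the attacker does not hold does not. AES and TLS are not shown because the Python standard library does not ship a block cipher; the record and the edit are both invented for the example.

```python
"""Integrity checking with SHA-2 via hashlib, and why a bare digest is not
enough against a deliberate edit: keyed integrity with HMAC-SHA-256.

The record below is a constructed sample line, not real patient data."""
import hashlib
import hmac
import secrets

RECORD = (b"MRN 000123|DISCHARGE 2016-03-17|DX: community-acquired pneumonia"
          b"|RX: amoxicillin 500 mg")


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest; "sha1" is accepted here only to compare output sizes."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_digest(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Unkeyed check: catches accidental corruption, but anyone who can alter
    the data can also recompute a matching digest."""
    return hmac.compare_digest(digest(data, algorithm), expected_hex)


def tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA-256 tag: only a holder of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(data: bytes, key: bytes, tag_hex: str) -> bool:
    """compare_digest runs in constant time, so a wrong tag does not leak
    how many leading characters matched."""
    return hmac.compare_digest(tag(data, key), tag_hex)


def tamper(data: bytes) -> bytes:
    """A one-token malicious edit to the prescription."""
    return data.replace(b"500 mg", b"900 mg")


def demo():
    """Walk through the cases and return the outcome of each check."""
    key = secrets.token_bytes(32)        # shared only with the verifier
    good_digest = digest(RECORD)
    good_tag = tag(RECORD, key)
    edited = tamper(RECORD)
    return {
        "sha1_hex_len": len(digest(RECORD, "sha1")),
        "sha256_hex_len": len(good_digest),
        "digest_ok_on_original": verify_digest(RECORD, good_digest),
        "digest_catches_edit": not verify_digest(edited, good_digest),
        # Attacker rewrites the stored digest along with the data: check passes.
        "digest_fooled_by_recomputed": verify_digest(edited, digest(edited)),
        "tag_ok_on_original": verify_tag(RECORD, key, good_tag),
        "tag_catches_edit": not verify_tag(edited, key, good_tag),
        # Without the key the attacker cannot forge a tag for the edited data.
        "tag_resists_forgery": not verify_tag(edited, key, tag(edited, b"wrong key")),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The digest-only check is the right tool for detecting transmission errors and disk corruption; for records an insider or intruder might edit, the verifier needs something the attacker lacks, which is what the key in the HMAC provides (a digital signature does the same with a private key, and additionally lets third parties verify).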
For the Record Best Practices
(Committee on Maintaining Privacy and Security, 1997)
• Organizational
o Information and security governance
o Confidentiality and security policies and committees
o Education and training programs
o Sanctions
o Patient access to audit trails
o Management dashboards
• Technical
o Authentication of users
o Audit trails
o Physical security and disaster recovery
o Protection of remote access points and external communications
o Software discipline
Authentication and Passwords
Some Challenges with Passwords
Health Information Security Is Probably a Trade-off
Privacy, Security, and Confidentiality
Summary
• There are many points where information can “leak” out of the
system.
• Many technologies are available for protecting security.
• Encryption is necessary but not sufficient.
• Paper-based information has its own security problems.
Privacy, Security, and Confidentiality
References
Acluvideos. (2009). Scary Pizza [Video file] Retrieved from https://youtu.be/33CIVjvYyEk
Acquisti, A., & Gross, R. (2009). Predicting Social Security numbers from public data. Proceedings
of the National Academy of Sciences, 106, 10975–10980.
Allan, A. (2005). Password aging can burden an already-weak authentication method. Stamford, CT:
Gartner.
American College of Physicians. (2011). Health information technology & privacy: Position paper.
Philadelphia, PA: American College of Physicians. Retrieved from
http://www.acponline.org/advocacy/where_we_stand/policy/hit_privacy.pdf
American Health Information Management Association. (n.d.). AHIMA consumer health information
bill of rights. Retrieved from http://bok.ahima.org/PdfView?oid=107674
American Health Information Management Association. (2003). Flow of patient health information
inside and outside the healthcare industry. Retrieved from
http://library.ahima.org/PdfView?oid=22958
Bowe, R. (2013). Identity crisis: Organizations are implementing medical identity theft teams to
combat rising incidents. Journal of AHIMA, 84(1), 38–42.
California Health Care Foundation (CHCF). (2005). National consumer health privacy survey 2005.
Oakland, CA: CHCF. Retrieved from http://www.chcf.org/topics/view.cfm?itemID=115694
Cassa, C., Schmidt, B., Kohane, I., & Mandl, K. (2008). My sister's keeper?: Genomic research
and the identifiability of siblings. BMC Medical Genomics, 1(1), 32. Retrieved from
http://www.biomedcentral.com/1755-8794/1/32
Cohn, S. (2006). Privacy and confidentiality in the nationwide health information network.
Retrieved from
http://www.ncvhs.hhs.gov/recommendations-reports-presentations/june-22-2006-letter-to-the-secretary-recommendations-regarding-privacy-and-confidentiality-in-the-nationwide-health-information-network/
Cohn, S. (2008). Individual control of sensitive health information accessible via the Nationwide
Health Information Network for purposes of treatment. Retrieved from
http://www.ncvhs.hhs.gov/wp-content/uploads/2014/05/080220lt.pdf
Committee on Maintaining Privacy and Security in Health Care Applications of the National
Information Infrastructure. (1997). For the record: Protecting electronic health information.
Washington, DC: National Academies Press. Retrieved from
http://www.nap.edu/catalog/5595/for-the-record-protecting-electronic-health-information
Conn, J. (2016, February 17). Hospital pays hackers $17,000 to unlock EHRs frozen in
“ransomware” attack. Modern Healthcare. Retrieved from
http://www.modernhealthcare.com/article/20160217/NEWS/160219920
Daemen, J., & Rijmen, V. (2002). The design of Rijndael: AES—The advanced encryption
standard. Berlin, Germany: Springer-Verlag.
Department of Health, Education, and Welfare. (1979). The Belmont report: Ethical guidelines for the
protection of human subjects of research. Washington, DC: Department of Health, Education, and Welfare.
Retrieved from:
https://www.hhs.gov/ohrp/regulations-and-policy/belmont-report/read-the-belmont-report/index.html
Detmer, D. (2010). Activating a full architectural model: Improving health through robust population health
records. Journal of the American Medical Informatics Association, 17, 367–369.
El Emam, K., Neri, E., & Jonker, E. (2007). An evaluation of personal health information remnants in
second-hand personal computer disk drives. Journal of Medical Internet Research, 9(3), e24.
El Emam, K., Neri, E., Jonker, E., Sokolova, M., Peyton, L., Neisa, A., & Scassa, T. (2010). The inadvertent
disclosure of personal health information through peer-to-peer file sharing programs. Journal of the
American Medical Informatics Association, 17, 148–158.
European Commission. (2016, February 29). European Commission unveils EU-U.S. privacy shield.
Retrieved from http://ec.europa.eu/justice/newsroom/data-protection/news/160229_en.htm
European Commission. (2016, March 23). Protection of personal data. Retrieved from
http://ec.europa.eu/justice/data-protection/index_en.htm
Gostin, L., & Hodge, J. (2002). Personal privacy and common goods: A framework for balancing under the
national health information privacy rule. Minnesota Law Review, 86, 1439–1479. Retrieved from
http://scholarship.law.georgetown.edu/cgi/viewcontent.cgi?article=1086&context=facpub
Hall, M., & Schulman, K. (2009). Ownership of medical information. JAMA, 301, 1282–1284.
HealthIT.gov. (2013). Federal-state healthcare coordination: Health information security and
privacy collaboration (HISPC). Retrieved from
https://www.healthit.gov/policy-researchers-implementers/health-information-security-privacy-collaboration-hispc
HealthIT.gov. (2016). Your health information rights. Retrieved from
https://www.healthit.gov/patients-families/your-health-information-rights
Healthcare Information and Management Systems Society (HIMSS). (2015). 2015 HIMSS security
survey. Chicago, IL: HIMSS. Retrieved from http://www.himss.org/2015-cybersecurity-survey
(full report limited to members only; executive summary available free to download).
Herzig, T. (Ed.). (2010). Information security in healthcare—Managing risk. Chicago, IL:
Healthcare Information Management Systems Society.
Hodge, J., Gostin, L., & Jacobson, P. (1999). Legal issues concerning electronic health
information: Privacy, quality, and liability. JAMA, 282, 1466–1471.
Joint NEMA/COCIR/JIRA Security and Privacy Committee. (2004). Break glass procedure:
Granting emergency access to critical ePHI systems. Retrieved from
http://hipaa.yale.edu/security/break-glass-procedure-granting-emergency-access-critical-ephi-systems
Keteyian, A. (2010, April 15). Digital photocopiers loaded with secrets. CBS News. Retrieved
from http://www.cbsnews.com/stories/2010/04/19/eveningnews/main6412439.shtml
Kutscher, B. (2016, March 3). Healthcare underspends on cybersecurity as attacks accelerate.
Modern Healthcare. Retrieved from
http://www.modernhealthcare.com/article/20160303/NEWS/160309922/healthcare-underspends-on-cybersecurity-as-attacks-accelerate
Lee, C., & Goldfarb, Z. (2006, June 30). Stolen VA laptop and hard drive recovered. The
Washington Post, p. A01. Retrieved from
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/29/AR2006062900352.html
Lumley, T., & Rice, K. (2010). Potential for revealing individual-level information in genome-
wide association studies. JAMA, 303, 859–860.
Malin, B., & Sweeney, L. (2005). How (not) to protect genomic data privacy in a distributed
network: Using trail re-identification to evaluate and design anonymity protection systems.
Journal of Biomedical Informatics, 37, 179–192.
McGuire, A., & Gibbs, R. (2006). No longer de-identified. Science, 312, 370–371.
Milken Institute School of Public Health. (2012). Who owns medical records: 50 state comparison.
Retrieved from
http://www.healthinfolaw.org/comparative-analysis/who-owns-medical-records-50-state-comparison
McNabb, J., & Rhodes, H. B. (2014). Combating the privacy crime that can KILL. Journal of
AHIMA, 85(4), 26–29.
Munro, D. (2015, Dec. 31). Data breaches in healthcare totaled over 112 million records in 2015.
Forbes, Pharma & Healthcare. Retrieved from
http://www.forbes.com/sites/danmunro/2015/12/31/data-breaches-in-healthcare-total-over-112-million-records-in-2015/#356bb7337fd5
National Academies Press. (1997). For the record protecting electronic health information.
Retrieved from https://www.nap.edu/read/5595/chapter/2#4
National Institute of Standards and Technology (NIST). (2015). Secure hash standard.
Gaithersburg, MD: NIST. Retrieved from
http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
National Institute of Standards and Technology. (2014). Cryptographic toolkit. Retrieved from
http://csrc.nist.gov/groups/ST/toolkit
National Institute of Standards and Technology (NIST). (2014). Framework for improving critical
infrastructure cybersecurity. Gaithersburg, MD: NIST. Retrieved from
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
Office of the National Coordinator for Health Information Technology (ONC) & Office for Civil
Rights. (2015). Guide to privacy and security of electronic health information. Washington, DC:
ONC. Retrieved from
https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
Orcutt, M. (2015, Dec. 23). 2015 could be the year of the hospital hack. MIT Technology Review.
Retrieved from
https://www.technologyreview.com/s/533631/2015-could-be-the-year-of-the-hospital-hack
Pabrai, A. (2008, January 23). The single sign-on solution. H&HN’s Most Wired Magazine.
Patient Privacy Rights Foundation. (n.d.). Patient privacy rights. Retrieved from
https://patientprivacyrights.org
Perma, G. (2015, Feb. 5). Anthem hit by large data breach. Healthcare Informatics. Retrieved from
http://www.healthcare-informatics.com/news-item/anthem-hit-large-data-brach
Ponemon Institute. (2015). Fifth annual benchmark study on privacy and security
of healthcare data. Retrieved from https://www2.idexpertscorp.com/fifth-annual-ponemon-study-on-privacy-security-incidents-of-healthcare-data
Pritts, J., & Connor, K. (2007). The implementation of e-consent mechanisms in three countries: Canada,
England, and the Netherlands. Washington, DC: Substance Abuse and Mental Health Services
Administration. Retrieved from http://ihcrp.georgetown.edu/pdfs/prittse-consent.pdf
Privacy Rights Clearinghouse. (2005). Chronology of data breaches. Retrieved from
http://www.privacyrights.org/data-breach
Privacy Rights Clearinghouse. (2014). Fact sheet 8c: The HIPAA privacy rule: Patients’ rights. Retrieved
from https://www.privacyrights.org/content/hipaa-privacy-rule-patients-rights
Rescorla, E. (2001). SSL and TLS: Designing and building secure systems. Boston, MA: Addison Wesley.
Rindfleisch, T. (1997). Privacy, information technology, and healthcare. Communications of the ACM, 40(8), 93–
100.
Rodwin, M. (2009). The case for public ownership of patient data. JAMA, 302, 86–88.
Rojas-Burke, J. (2006). Providence critics push for safer records. The Oregonian.
Rothfeder, J. (1992). Privacy for sale: How computerization has made everyone’s private life an open secret.
New York, NY: Simon & Schuster.
Rothstein, M., & Talbott, M. (2006). Compelled disclosure of health information: Protecting against the
greatest potential threat to privacy. JAMA, 295, 2882–2885.
Sequoia Project. (2016). Data use and reciprocal support agreement (DURSA). Retrieved from
http://sequoiaproject.org/ehealth-exchange/onboarding/dursa
Sweeney, L. (1997). Guaranteeing anonymity when sharing medical data: The Datafly System.
Proceedings of the 1997 AMIA Annual Fall Symposium, Nashville, TN, 51–55.
Sweeney, L. (2002). k-Anonymity: A model for protecting privacy. International Journal on
Uncertainty, Fuzziness, and Knowledge-based Systems, 10(5), 557–570.
TEDx Talks. (2014). Designing technology to restore privacy: Deborah C. Peel, MD at
TEDxTraverseCity [Video file]. Retrieved from https://www.youtube.com/watch?v=f1JPjLCxPFQ
The SANS Institute. (2016). About (SANS). Retrieved from https://www.sans.org/about
Tufts University School of Medicine. (2009). Declaration of health data rights. Retrieved from
https://sites.tufts.edu/prep/2009/07/07/declaration-of-health-data-rights
U.S. Department of Health and Human Services. (2016a). Breaches affecting 500 or more
individuals. Retrieved from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
U.S. Department of Health and Human Services. (2016b). Improper disclosure of research
participants’ protected health information results in $3.9 million HIPAA settlement. Retrieved from
http://www.hhs.gov/about/news/2016/03/17/improper-disclosure-research-participants-protected-health-information-results-in-hipaa-settlement.html
Wagner, R., Allan, A., & Heiser, J. (2005). Eight security practices offer more value than password
aging. Stamford, CT: Gartner.
White House Office of the Press Secretary. (2015). Fact sheet: President Obama’s precision medicine
initiative. Retrieved from
https://www.whitehouse.gov/the-press-office/2015/01/30/fact-sheet-president-obama-s-precision-medicine-initiative
Wikipedia. (2016). Secure hash algorithm. Retrieved from
https://en.wikipedia.org/wiki/Secure_Hash_Algorithm
Wright, A., & Sittig, D. (2007a). Encryption characteristics of two USB-based personal health record
devices. Journal of the American Medical Informatics Association, 14, 397-399.
Wright, A., & Sittig, D. (2007b). Security threat posed by USB-based personal health records. Annals
of Internal Medicine, 146, 314–315.
Charts, Tables, Figures
Figure Adapted from Sweeney, L. (1997). Guaranteeing anonymity when sharing medical data: The Datafly System.
Proceedings of the 1997 AMIA Annual Fall Symposium, Nashville, TN, 51–55.
Chart. Flow of information in health care (Rindfleisch, 1997).
Chart. Health information security is a trade-off (CC BY-NC-SA 3.0, 2012).
This material was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of
the National Coordinator for Health Information Technology under Award Number IU24OC000015. This material was updated in 2016 by
Bellevue College under Award Number 90WT0002.
This presentation was produced with the support of the United States Agency for
International Development (USAID) under the terms of MEASURE Evaluation
cooperative agreement AID-OAA-L-14-00004. MEASURE Evaluation is
implemented by the Carolina Population Center, University of North Carolina at
Chapel Hill in partnership with ICF International; John Snow, Inc.; Management
Sciences for Health; Palladium; and Tulane University. Views expressed are not
necessarily those of USAID or the United States government.
www.measureevaluation.org