Handbook of Informatics for Nurses
and Healthcare Professionals
Sixth Edition
Chapter 13
Information Security and
Confidentiality
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Learning Objectives (1 of 5)
13.1 State the differences between privacy, confidentiality,
information privacy, information security, and information
consent.
13.2 Describe the processes required to attain security in
a computer network.
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Learning Objectives (2 of 5)
13.3 Discuss the significance of security for information
integrity.
13.4 Recognize potential threats to system security and
information.
13.5 Analyze processes to prevent threats to network
security, and how to anticipate the threats.
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Learning Objectives (3 of 5)
13.6 Discuss the responsibility that nurses have to protect
patient information and privacy.
13.7 Review best practices for secure authentication.
13.8 Identify proper disposal techniques for common
examples of confidential forms and communication seen in
healthcare settings.
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Learning Objectives (4 of 5)
13.9 Appraise strategies to ensure that the use of
information technology protects the privacy and security of
patient information.
13.10 Describe privacy and confidentiality issues with
email and social media.
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Learning Objectives (5 of 5)
13.11 Identify how the HIPAA security and privacy rules
protect personal health information (PHI).
13.12 Examine special considerations related to mobile
and wearable technology.
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Privacy, Confidentiality, Security,
and Consent (1 of 3)
• Privacy = The right to determine what information is
collected or shared, how it is used, and the ability to
access collected personal information to review its
security and accuracy
• Confidentiality = A situation in which a relationship has
been established, and private information is shared but
not disclosed
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Privacy, Confidentiality, Security,
and Consent (2 of 3)
• Information-and-data privacy = The relationship
between data collection; information-technology; an
individual’s expectation of privacy; and the legal, ethical,
and political issues connected to these relationships
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Privacy, Confidentiality, Security,
and Consent (3 of 3)
• Information security recognizes that information has
value and requires protection.
• Information consent occurs when an individual
authorizes healthcare personnel to use and share his or
her information based on an informed understanding of
how this information will be shared and used for
treatment purposes.
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Information System Security (1 of 8)
• Information-system security = The continuous
protection of both data and information housed on a
computer system, and the system itself, from threats or
disruption
• Survivability = The ability of an information system to
continue its mission even in the presence of damage
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Information System Security (2 of 8)
• Risk is the likelihood of a given threat-source exercising
a particular potential vulnerability, and the resulting
impact of that adverse event on an organization.
• New technologies introduce new threats.
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Information System Security (3 of 8)
• Internet of things (IoT) = Devices that have embedded
microchips, sensors, and actuators that use Internet
Protocol (IP) to share data with other machines or
software over communications networks
– Frequently insecure by design
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Information System Security (4 of 8)
• Common threat sources
– The insider threat
– Social networking services
– Scareware
– Network and computer operating systems
– Malware attacks
– Ransomware
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Information System Security (5 of 8)
• Common threat sources
– Smartphones
– Shadow IT
– Embedded computing
– Virtualization and cloud computing
– Wireless networks (WLANs)
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Information System Security (6 of 8)
• Vulnerability = A flaw of weakness in system-security
procedures, design, implementation, or internal controls
that could be accidently triggered or intentionally used,
resulting in a security breach of a violation of the system’s
security policy
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Information System Security (7 of 8)
• Viruses, worms, and malicious software are programs
that someone writes with the intent to steal information,
cause annoyance and mayhem, or conceal other
malicious activities.
• Phishing entails subterfuge in an attempt to steal
sensitive information via the Internet.
– Such as credit card numbers, passwords, or Social
Security numbers
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Information System Security (8 of 8)
• Spam = The use of electronic messaging systems to
send unsolicited bulk messages.
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�System Vulnerability
• Even the most secure systems can become vulnerable to
internal or external threats.
• One way to reduce attacks is a penetration test.
– Simulates an attack from a malicious source
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Specific Threats to Information
Systems
• Cybercrime
– The ability to steal personal information stored on
computers
• Opportunists
• Hackers
• Computer or information specialists
• Unauthorized users
• Over-privileged users
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Sabotage
• Sabotage = The destruction of computer equipment or
data, or the disruption of normal system operation
• Any worker may commit sabotage.
• Deterred by:
– Positive work environment
– Well-defined institutional-ethics policy
– Intact security mechanisms
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Errors and Other Disasters (1 of 2)
• Errors may result from:
– Poor design
– System changes that permit users more access than
they require
– Failure to follow policies and procedures
– Poorly trained personnel
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Errors and Other Disasters (2 of 2)
• Errors may result from :
– Absence of policies and procedures
– Poorly written policies and procedures
– Incorrect user entries
– Manual backup procedures during disasters
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Poor Password Management
• Sharing passwords
• Posting log-on IDs and passwords on workstations
• Leaving logged-on devices unattended
• Compromised handheld electronic devices
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Compromised Devices (1 of 2)
• Corporate policies can be written to spell out appropriate
use and applications for mobile devices to access, store,
and transmit PHI.
• Recommended practices:
– Authentication measures
– Encryption
– Installation of software that enables remote wiping of
data or disability of devices
– No file sharing applications
– Installation of a firewall for network access
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Compromised Devices (2 of 2)
• Recommended practices :
– Up-to-date security software
– Physical control of the device
– Appropriate security when using public Wi-Fi
networks
– Deletion of all stored information before the device is
discarded or reused
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Security Mechanisms (1 of 11)
• The security of information and computer systems should
receive top priority.
• Both logical and physical restrictions are used.
• Automatic sign-off = Mechanism that logs a user off the
system after a specified period of inactivity on his or her
computer
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Security Mechanisms (2 of 11)
• Physical security
– Includes placement of computers, file servers,
routers, switches, and computers in restricted areas
– A challenge for remote access
▪Remote access = The ability to use the health
enterprise’s information system from outside
locations, such as a physician’s office or home
– Users of free wireless connections in public places
should employ appropriate precautions.
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Security Mechanisms (3 of 11)
• Authentication = The process of determining whether
someone is who he or she professes to be
• Authentication methods
– Username and password
– Smart care
– Retinal scan and other biometric measures
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Security Mechanisms (4 of 11)
• Authentication methods
– Voice recognition
– Fingerprints
– Digital certificates
– Public or private keys for encryption
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Security Mechanisms (5 of 11)
• ID management is a broad administrative area dealing
with identifying individuals in a system and controlling
their access to resources within that system by
associating user rights and restrictions with an
established identity.
• Passwords = Secret alphanumeric sequences, words, or
phrases that a user enters into the computer
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Security Mechanisms (6 of 11)
• Public key infrastructure (PKI) = A set of procedures
that use hardware, software, people, and policies to
create, manage, distribute, use, store, and revoke digital
certificates
– Involves certificate authority (CA), which is
sometimes called trusted third party (TTP)
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Security Mechanisms (7 of 11)
• Biometrics
– Fingerprints
– Voice
– Iris pattern
– Retinal scan
– Hand geometry
– Face recognition
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Security Mechanisms (8 of 11)
• Biometrics
– Ear pattern
– Smell
– Blood vessels in the palm
– Gait recognition
– Keystroke cadence
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Security Mechanisms (9 of 11)
• Firewall = A component of a computer system or network
designed to block unauthorized access while permitting
authorized communications
• Application security
– Employs security-testing techniques to look for
vulnerabilities or security holes in applications
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Security Mechanisms (10 of 11)
• Antivirus software = A set of computer programs that
can locate and eradicate malware, including computer
viruses, worms, and Trojan horses
• Spyware = A data-collection mechanism that installs itself
without the user’s permission
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Security Mechanisms (11 of 11)
• Ransomware = A type of malware that hijacks user files,
encrypts them, and then demands a ransom or payment
for the decryption key
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Administrative and Personnel Issues
(1 of 2)
• Healthcare administrators must develop a plan, policies,
implementation structure, user-access levels, and an
adequate budget.
• Upper-level management
– Must have security-awareness training
– Set a positive example for all stakeholders
– Work with IT personnel to establish centralized
security functions
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Administrative and Personnel Issues
(2 of 2)
• Computer forensics = Collection of electronic evidence
for purposes of formal litigation and simple internal
investigations
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Levels of Access (1 of 2)
• Access limitations
• User authentication
• Personnel issues
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Levels of Access (2 of 2)
• System security management
– Monitoring
– Maintenance
– Operations
– Traffic management
– Supervision
– Risk management
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Audit Trails
• Audit trails record activity, both by system and
application process and by user activity, of systems and
applications.
• Can assist in detecting:
– Security violations
– Performance problems
– Flaws in applications
• Poorly audited systems invite fraud and abuse.
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Handling and Disposal of
Confidential Information
• Computer printouts
• E-mail, social media, and the Internet
• Web-based applications for healthcare
• Electronic storage
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Special Considerations with Mobile
Computing
• Mobile devices are used widely in healthcare-providers’
practices.
– Level of use continues to rise
• Staff who use mobile devices should work with the
information-services department to help secure those
devices from unauthorized view.
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Wearable Technology (1 of 2)
• Wearable technology = Technology worn on the body
that uses sensors to connect to the person, while making
use of a web connection to connect wirelessly to a device
of the user’s choice, like a smartphone
• Examples: FitBit, smart watches, smart shoes and
clothes, and smart glasses
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Wearable Technology (2 of 2)
• Security concern for wearable technology is that data is
sent from one device and received at another.
• Security protocols must ensure confidentiality.
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Implanted Devices (1 of 2)
• Implanted medical devices = Devices that are surgically
implanted to:
– Treat a medical condition
– Monitor the internal state, or improve the functioning,
of a particular body part
– Provide a patient with a capability not previously
possessed
• Early devices had no security provisions.
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Implanted Devices (2 of 2)
• Direct attacks against an IMD can have serious,
sometimes fatal, consequences for the patient.
• Manufacturers, encouraged by the FDA, need to give the
patient and healthcare providers the ability to
authenticate to the device in real time, while devising
improved protocols to prevent unauthorized access.
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Wireless Radio Frequency Bedside
Devices
• Some devices at the bedside use radio frequency (RF)
to connect one device to another.
– Example is a mobile workstation that uses a Bluetooth
device to connect the scanner to the computer.
• The most up-to-date wireless encryption should be used
in all devices.
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Future Directions
• The need for informatics nurse specialists (INSs) will
continue to grow.
– Security can be considered a consideration with each
of the functional areas of nursing informatics practice.
• New technologies must be combined with existing
measures and ongoing vigilance to ensure that health
information is secure.
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
�Copyright
This work is protected by United States copyright laws and is
provided solely for the use of instructors in teaching their
courses and assessing student learning. Dissemination or sale of
any part of this work (including on the World Wide Web) will
destroy the integrity of the work and is not permitted. The work
and materials from it should never be made available to students
except by instructors using the accompanying text in their
classes. All recipients of this work are expected to abide by these
restrictions and to honor the intended pedagogical purposes and
the needs of other instructors who rely on these materials.
Copyright © 2019, 2013, 2009 Pearson Education, Inc. All Rights Reserved
