HIPAA Security
How not to get lost in the Big Ocean of Portable Electronic Health Records: Riding the Wave of Digital Health Information

Spring Conference, April 4, 2008
Gary Beatty, President, EC Integrity, Inc., Vice-Chair ASC X12
![Page 2: Hipaa sECURITY](https://reader031.fdocuments.net/reader031/viewer/2022012922/568137d1550346895d9f6fab/html5/thumbnails/2.jpg)
Need to reduce the cost of health care Increase quality of health care Consumer driven health care Online health records
Payer support for community health records Transparency in health care Pay for performance programs Governmental
Record types and terms covered: HR, PHR, EMR, PHI, Hybrids, CCR, EHR
Health Records (AHIMA): the legal business record for a healthcare organization.
• Individually identifiable information
• Any medium
• Collected, processed, stored, displayed
Health Records contain:
• Diagnosis
• Medications
• Procedures
• Problems
• Clinical notes
• Diagnostic results
• Images
• Graphs
• Other items deemed necessary
Health Records support:
• Continuity of care
• Planning patient care
• Planning information
• Resource allocation
• Trend analysis
• Forecasting
• Workload management
• Justification for billing information
Electronic Medical Record (EMR) (HIMSS): an application environment composed of:
• Clinical Data Repository (CDR)
• Clinical Decision Support (CDS)
• Controlled medical terminology
• Order entry / Computerized provider order entry (CPOE)
• Pharmacy
• Clinical document applications
Provides enterprise support, inpatient and outpatient, and is used to document, monitor and manage the delivery of health care. The EMR is the legal record, owned by the Care Delivery Organization (CDO).
Electronic Health Record (EHR) (HIMSS): a longitudinal electronic medical record across encounters in any care delivery setting. A resource for clinicians:
• Secure
• Real-time
• Point-of-care
• Patient centric information source
Aids collection of data for other uses: billing, quality management, outcomes reporting, resource planning, public health disease surveillance and reporting.
Electronic Health Record (EHR) (HIMSS) includes:
• Patient demographics
• Progress notes
• Problems
• Medications
• Vital signs
• Past medical history
• Immunizations
• Laboratory data
• Radiology reports
Electronic Health Record (EHR) (HIMSS):
• Automates / streamlines clinicians' workflow
• Complete record of the clinical encounter
• Supports other care-related activities: evidence-based decision support, quality management, outcome reporting
Personal Health Record (PHR):
• Created by the individual
• Summarizes health and medical history
• Gathered from many sources
• Format of PHR: paper, personal computer, Internet based, portable storage
Continuity of Care Record (CCR): a patient health summary standard, co-developed by ASTM / MMS / HIMSS / AAFP / AAP.
• Core health care components
• Sent from one provider to another
• Includes: patient demographics, insurance information, diagnosis and problems, medications, allergies, care plan
Hybrid Health Record: both paper health records and electronic health records.
Protected Health Information (PHI): any health care information linked to a person, concerning
• Health status
• Provision of health care
• Payment for health care
Identifiers that make information PHI include:
• Names
• Geographic subdivisions smaller than a state
• Dates related to an individual
• Phone numbers
• Fax numbers
• Email addresses
• Social Security numbers (SSN)
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code
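The identifier list above is the check a gateway, log filter or de-identification step has to apply before a record leaves a protected channel. The following Go program is an added example, not part of the slides: it scans a constructed sample record for the identifier categories that have a fixed shape (SSN, phone, email, IPv4 address, URL, date) and redacts them. The regular expressions and the sample record are this example's own assumptions; names, geographic units, record and account numbers and "any other unique code" have no fixed shape and are deliberately not covered, which is why a miss from this scan never proves a record is de-identified.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Patterns for the identifier categories that have a fixed shape. These are
// this example's assumptions, not part of the slide. Categories with no fixed
// shape (names, geography, MRNs, account numbers, "other unique codes") need
// dictionaries, schema knowledge or NLP and are deliberately absent.
var phiPatterns = map[string]*regexp.Regexp{
	"ssn":   regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`),
	"phone": regexp.MustCompile(`\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b`),
	"email": regexp.MustCompile(`\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b`),
	"ipv4":  regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`),
	"url":   regexp.MustCompile(`\bhttps?://[^\s"']+`),
	"date":  regexp.MustCompile(`\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b`),
}

// FindIdentifiers returns every match, grouped by category.
func FindIdentifiers(text string) map[string][]string {
	found := map[string][]string{}
	for name, re := range phiPatterns {
		if m := re.FindAllString(text, -1); len(m) > 0 {
			found[name] = m
		}
	}
	return found
}

// ContainsPHI is the yes/no gate a transmission gateway or log filter applies.
// A hit means the record must be handled as PHI; a miss does NOT prove the
// record is de-identified, because the shapeless categories are not checked.
func ContainsPHI(text string) bool {
	return len(FindIdentifiers(text)) > 0
}

// Redact replaces each match with its category tag, the minimum needed before
// a record may be copied into a channel that is not protected for PHI.
func Redact(text string) string {
	// Apply patterns in a fixed order so the result is deterministic.
	names := make([]string, 0, len(phiPatterns))
	for n := range phiPatterns {
		names = append(names, n)
	}
	sort.Strings(names)
	out := text
	for _, n := range names {
		out = phiPatterns[n].ReplaceAllString(out, "["+n+"]")
	}
	return out
}

func main() {
	// Constructed sample record: the person and every number are fictitious.
	record := "Patient Jane Q. Sample, DOB 03/14/1965, SSN 123-45-6789, " +
		"phone (407) 555-0142, email jane.sample@example.org, " +
		"portal https://portal.example.org/rec/55 and last login from 192.0.2.44 on 2008-04-04"
	for cat, hits := range FindIdentifiers(record) {
		fmt.Printf("%-6s %v\n", cat, hits)
	}
	fmt.Println(Redact(record))
}
```

Run it as `go run phi.go`; the first lines list each category with its matches and the last line is the redacted record. Treat the patterns as a starting point: the phone and date patterns are US-centric, and a production filter would be tuned to the formats actually present in the covered entity's systems.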
The security questions for any exchange of health information:
• Privacy: can anyone else read it?
• Authentication: how do I know who sent it?
• Data integrity: did it arrive exactly as sent?
• Non-repudiation of receipt: can the receiver deny receipt? How do I know it got there?
• Audit: how do I track these activities?
Transmission paths and media:
• Internet / Intranet: wired, wireless
• WiFi (802.11a, b, g, i, n), Bluetooth (Personal Area Network, PAN)
• VoIP
• Dial-up
• Mobile devices: smart phones, mobile standards (GSM, GPRS, etc.), PDAs, Tablet PCs
• Physical media: magnetic, optical, flash (thumb drives), others
Encryption standards and protocols in use:
• RC4 (ARC4 / ARCFOUR), a stream cipher, easily broken as WEP uses it and no longer considered safe in any protocol
• Secure Sockets Layer (SSL), since superseded by TLS
• WEP (Wired Equivalent Privacy), broken and not to be relied on
• WPA (WiFi Protected Access)
• WPA2 (based upon 802.11i), which uses AES
• Data Encryption Standard (DES), obsolete because of its 56-bit key
• Advanced Encryption Standard (AES), the current US government strength encryption standard
Security techniques:
• Firewall machines
• IP address selection (restricting which partner addresses may connect)
• ID + passwords
• Encryption
• Digital signatures
• Data integrity verification
• Non-repudiation
• Trading Partner Agreements (TPA)
Secret-key (symmetric) encryption between provider and payer: the provider encrypts the plaintext document with a private key that both parties share, producing ciphertext; the payer decrypts the ciphertext with the same private key to recover the plaintext document.
(Figure: PLAINTEXT DOCUMENT → ENCRYPT → CIPHERTEXT → DECRYPT → PLAINTEXT DOCUMENT, with one shared PRIVATE KEY used by both the PROVIDER and the PAYER.)
Secret-key management: n * (n-1) / 2 keys to manage; 100 users would require 4950 keys. Key size 128 bits. Generally considered fast.
(Figure: eight users, Gary, Frank, Erin, Dale, Alice, Karen, Julie and Mary, each needing a separate shared key with every other user: 8 * 7 / 2 = 28 keys.)
Public-key encryption between provider and payer: the provider encrypts the plaintext document with the payer's public key, producing ciphertext; the payer decrypts it with the payer's private key to recover the plaintext document.
(Figure: PLAINTEXT DOCUMENT → ENCRYPT with PAYER'S PUBLIC KEY → CIPHERTEXT → DECRYPT with PAYER'S PRIVATE KEY → PLAINTEXT DOCUMENT.)
Public-key management: n key pairs needed for n partners. Key sizes listed as 128, 768, 1024 or 2048 bits (128 bits is a symmetric key size, not an RSA one; 768- and 1024-bit RSA keys are now considered too weak, and 2048 bits is the accepted minimum). Generally considered slower. What happens if you lose your key?
(Figure: the same eight users, Gary, Frank, Erin, Dale, Alice, Karen, Julie and Mary, each holding one key pair, with the public keys published in a Public Key Directory.)
A digitized signature is a scanned image. A digital signature is a numeric value that is created by performing a cryptographic transformation of the hash of the data using the "signer's" private key. An image can be copied onto any document; a digital signature is bound to the exact data that was signed and to the signer's key.
(Figure: a digital signature shown as a block of unprintable binary bytes, followed by the signer identity Gary A. Beatty <[email protected]>.)
A secure one-way hashing algorithm, used to create a hash of the data, is part of the digital signature process.
(Figure: Provider A takes the EHR, signs (encodes) it with PROVIDER A's PRIVATE KEY, then encrypts the encoded EHR with Provider B's PUBLIC KEY to produce the cipher. Provider B decrypts the cipher with Provider B's PRIVATE KEY to recover the encoded EHR, then verifies it with PROVIDER A's PUBLIC KEY to recover the EHR.)
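The provider-to-provider flow in the last two diagrams (hash, sign with A's private key, encrypt for B, decrypt with B's private key, verify with A's public key), written out as an added Go example using only the standard library; this is not code from the slides. It also combines the secret-key and public-key slides the way S/MIME does: the bulk EHR goes under a fresh AES-256-GCM content key (fast, and one key pair per partner instead of n(n-1)/2 shared keys), and the public-key operation covers only that 32-byte key. The signature travels inside the encrypted payload so that even the hash of the record is not exposed in transit. The algorithm choices (SHA-256, RSA-PSS, RSA-OAEP, AES-GCM) are this example's assumptions; the slides name none of them.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what Provider A sends to Provider B.
type Envelope struct {
	WrappedKey []byte // AES content key, encrypted with RSA-OAEP under B's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM(signature || EHR), integrity tag included
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is Provider A's side: hash, sign, then encrypt for Provider B.
func Seal(ehr []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	// 1. Hash the data, sign the hash with the sender's private key.
	digest := sha256.Sum256(ehr)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	// 2. Encrypt signature + EHR under a fresh symmetric content key.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, append(sig, ehr...), nil)
	// 3. Wrap the content key with the recipient's public key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is Provider B's side: unwrap, decrypt (GCM rejects any modified
// ciphertext), then verify the sender's signature over the recovered EHR.
func Open(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("key unwrap failed: envelope not addressed to this recipient")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	payload, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext modified in transit")
	}
	sigLen := senderPub.Size() // an RSA-PSS signature is exactly one modulus in length
	if len(payload) < sigLen {
		return nil, errors.New("payload too short to hold a signature")
	}
	sig, ehr := payload[:sigLen], payload[sigLen:]
	digest := sha256.Sum256(ehr)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature does not verify: sender not authenticated")
	}
	return ehr, nil
}

func main() {
	a, _ := rsa.GenerateKey(rand.Reader, 2048) // Provider A's key pair
	b, _ := rsa.GenerateKey(rand.Reader, 2048) // Provider B's key pair
	ehr := []byte("constructed CCR: demographics, medications, allergies")
	env, err := Seal(ehr, a, &b.PublicKey)
	if err != nil {
		panic(err)
	}
	got, err := Open(env, b, &a.PublicKey)
	fmt.Printf("recovered: %q err=%v\n", got, err)
	env.Ciphertext[0] ^= 1 // one flipped bit in transit
	_, err = Open(env, b, &a.PublicKey)
	fmt.Println("after tampering:", err)
}
```

Each failure mode on the security-questions slide maps to one check in `Open`: the wrong recipient cannot unwrap the key (privacy), a modified ciphertext fails the GCM tag (integrity), and a payload signed by anyone but A fails verification (authentication). Non-repudiation of receipt is not covered here; in AS1/AS2/AS3 it comes from the signed receipt (MDN) that B returns.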
AS1 – Applicability Statement 1: email exchange of electronic transactions.
• S/MIME – Secure Multi-Purpose Internet Mail Extensions
• Uses SMTP (Simple Mail Transfer Protocol)
• Satisfies the security requirements: encryption, authentication, integrity, non-repudiation (of receipt, via a signed Message Disposition Notification, MDN)
• What's needed: email capability, electronic transaction, digital certificate
AS2 – Applicability Statement 2: HTTP exchange of electronic transactions.
• S/MIME – Secure Multi-Purpose Internet Mail Extensions
• Uses HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer, today TLS)
• Allows for REAL TIME delivery
• Satisfies the security requirements: encryption, authentication, integrity, non-repudiation (signed MDN)
• What's needed: web server (static IP address), electronic transaction, digital certificate
AS3 – Applicability Statement 3: FTP exchange of electronic transactions.
• S/MIME – Secure Multi-Purpose Internet Mail Extensions
• Uses FTP (File Transfer Protocol); the S/MIME payload is protected regardless of the channel, but FTP itself sends credentials in the clear unless it is run over TLS (FTPS)
• Allows for REAL TIME delivery
• Satisfies the security requirements: encryption, authentication, integrity, non-repudiation (signed MDN)
• What's needed: FTP server, electronic transaction, digital certificate
Digital certificate: an "electronic credit card" that establishes credentials for electronic transactions. Issued by a Certification Authority (CA) after the holder's identity is verified by a Registration Authority (RA); follows the X.509 standards. Contains:
• Name
• Serial number
• Expiration dates (validity period)
• Certificate holder's public key
• Issuer name and the digital signature of the Certification Authority over the certificate
A registry of digital certificates, accessed with HIPAA identifiers.
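What a trading partner actually does with the certificate fields above is build and check a chain of trust. The following Go program is an added example, not from the slides: it creates a root CA, issues a partner certificate carrying the listed fields (name, serial number, validity dates, holder's public key, CA signature), and then runs the check an AS2 endpoint makes on a presented certificate. It also shows the two ways that check fails that matter most in practice: the certificate has expired, or it carries the right name but was issued by a CA the endpoint does not trust. The CA and partner names are placeholders, and the use of RSA-2048 is this example's assumption.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds and signs one certificate. With parent == nil it is self-signed
// (a root CA); otherwise parent/parentKey are the issuing CA's certificate and key.
func issue(name string, isCA bool, notBefore, notAfter time.Time,
	pub *rsa.PublicKey, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,                      // "serial number"
		Subject:               pkix.Name{CommonName: name}, // "name"
		NotBefore:             notBefore,                   // "expiration dates"
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent = tmpl
	}
	// CreateCertificate embeds the holder's public key and signs the whole
	// structure with the issuer's private key (the CA's signature).
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewPartnerChain creates a root CA and a partner certificate issued by it,
// as a trading-partner PKI would. Returns the CA cert and the partner cert.
func NewPartnerChain(now time.Time, caName, partnerName string) (*x509.Certificate, *x509.Certificate, error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	ca, err := issue(caName, true, now.Add(-time.Hour), now.AddDate(10, 0, 0), &caKey.PublicKey, nil, caKey)
	if err != nil {
		return nil, nil, err
	}
	partnerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	partner, err := issue(partnerName, false, now.Add(-time.Hour), now.AddDate(1, 0, 0), &partnerKey.PublicKey, ca, caKey)
	if err != nil {
		return nil, nil, err
	}
	return ca, partner, nil
}

// VerifyPartner is the check an AS2 endpoint makes on a presented certificate:
// it must chain to a CA we trust and be inside its validity period at "now".
// A nil error means the certificate is acceptable.
func VerifyPartner(cert, trustedCA *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool() // empty pool: system roots are NOT consulted
	if trustedCA != nil {
		roots.AddCert(trustedCA)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	now := time.Now()
	ca, partner, err := NewPartnerChain(now, "Clearinghouse Root CA (example)", "Provider A (example)")
	if err != nil {
		panic(err)
	}
	// A second, untrusted CA that issues a certificate with the same subject name.
	_, rogue, _ := NewPartnerChain(now, "Rogue CA (example)", "Provider A (example)")
	fmt.Println("trusted CA, valid now:        ", VerifyPartner(partner, ca, now))
	fmt.Println("same cert after it expires:   ", VerifyPartner(partner, ca, now.AddDate(2, 0, 0)))
	fmt.Println("same name, untrusted issuer:  ", VerifyPartner(rogue, ca, now))
	fmt.Println("no trust anchor configured:   ", VerifyPartner(partner, nil, now))
}
```

The rogue case is the one to remember: anyone can mint a certificate that says "Provider A" in the name field, so the name proves nothing by itself. What makes the credential usable is the CA signature checked against a trust anchor the endpoint configured in advance, typically under the Trading Partner Agreement.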