Homework help security
THIS WEEK'S READING ASSIGNMENT BELOW
Health Care Security Regulations
The Federal Health Insurance Portability and Accountability Act (HIPAA) contains a privacy rule and a security rule, both of which specify how to deal with personal health information (PHI). The security rule, which covers electronic PHI specifically, was ratified in 2003 and defines what type of health information is protected; to whom the rule pertains; the nature of safeguards that are recommended; and procedures, enforcement, and penalties. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act refined the HIPAA security rule as part of the American Recovery and Reinvestment Act (ARRA) (Oppel, 2010). Several important changes include significantly higher penalties for HIPAA violations; expanded enforcement capabilities; mandatory policies regarding security breach reporting; and the extended applicability of the rule to "business associates," i.e., third parties that use or that provide services with PHI from a covered entity, which involves the creation, collection, maintenance, or electronic transmission of identifiable health information. This health information must be reasonably protected against threats or accidental misuse; risks must be assessed; and safeguards must be put in place and their effectiveness periodically reassessed.
As part of health data management, these federal policies have to be considered when dealing with databases and information systems in the health care domain. This lecture will cover the different aspects of data security by defining concepts, identifying risks, and providing outlines of best-practice solutions.
Security Concepts
1. Physical Security
Physical security covers the procedures and measures that help prevent the physical loss or theft of sensitive information. Information and information system components, e.g., servers, backup archives, manuals, and other related printed materials, must be safeguarded by securing their location via access control mechanisms. Access control mechanisms can range from locks on server racks and data storage rooms, all the way to biometric access devices and a separate data center facility. While computers are often secured to a desk or mobile workstation by a corded lock, it does not take much effort to open the computer case and physically remove a hard drive containing sensitive information.
Aside from physically securing buildings, rooms, and devices, health care entities must also set usage policies and guidelines for acceptable safeguards and procedures related to computing resources, laptops, and mobile devices, such as: do not remove mobile devices from the workplace; do not leave a laptop in the car in plain sight; do not leave machines unattended without locking the screen; and do not use portable USB drives in the workplace.
Lastly, network security is probably one of the most critical security concepts. Practically all computing devices are connected to some sort of network to communicate with other devices in order to retrieve or store collected data. The most stringent physical access controls are meaningless when a computer is connected to a network and can be accessed remotely. It is therefore of the highest importance to secure networked computing devices by configuring firewalls, restricting intranet and Internet access, establishing whitelists of trusted IP addresses, and regulating wireless access points. Such tasks are usually performed by a dedicated IT support professional with a deep understanding of these concepts and knowledge of the latest best-practice guidelines.
It is also important to keep sensitive devices up to date with the latest stable upgrades and patches that address various security vulnerabilities.
2. Redundancy
It is crucial to develop a robust backup plan to allow for recovery of data in the event of loss or data corruption. Backups of large live systems can incur temporary performance degradation, but the interference can be minimized by running them during off-peak hours or by using an incremental backup strategy. While copies of recent backups should be available for retrieval on short notice in case they need to be restored to keep a system running, it is essential practice to maintain a backup archive of mission-critical or high-value data at an offsite location. Modern Database Management Systems (DBMS), especially costly enterprise-level systems, provide internally managed replication mechanisms in addition to traditional backup tools. These replication features allow multiple copies of the database to be managed concurrently, with one primary copy and one or more redundant mirror copies. In the event of a primary database failure, or for scheduled maintenance, the secondary mirror can be activated to act as the new primary database until the original one is available again. When these replication mechanisms are triggered automatically during an unplanned event, we call this a failover mechanism, because minimal to no downtime is incurred during the automatic switchover to the redundant system. A similar redundancy and failover mechanism is available for physical storage media. RAID stands for Redundant Array of Independent Disks, and a RAID array of hard disk drives can be configured to replicate data across multiple drives with error detection algorithms so that no data is lost and no downtime is incurred during a hard drive failure.
3. Logical Security
A Health Data Manager or Database Administrator (DBA) is responsible for developing security protocols for the actual health data collected and contained in a health information system or database. Logical security measures include access control to the database system in the form of user accounts with associated passwords and assigned privileges. Databases can support multiple password-controlled users, and access can be configured at the table or column level with rights to create, read, write, or delete data.
a. Granting Privileges
Syntax:
GRANT <privileges> ON <table name> TO <user name>;
Example:
GRANT select, update, delete ON Provider TO HospitalAdmin;
b. Revoking Privileges
Syntax:
REVOKE <privileges> ON <table name> FROM <user name>;
Example:
REVOKE delete ON Provider FROM HospitalAdmin;
Database access privileges are a powerful way of ensuring relevant user groups have access to the data and actions necessary to fulfill their job duties. The DBA can, for example, grant 'select' privileges for a subset of tables to a database user to allow a dashboard component to only retrieve that specific information from the database.
Another powerful database feature is the concept of views. Once configured, views function similar to tables in that they are comprised of rows containing data in different columns. A view is the result of a database query that can be accessed, manipulated, and further queried like a regular database table. A DBA can define a view that contains aggregate information from selected columns from one or more tables, and then grant restricted access privileges for that view to a specific user without exposing the underlying data as it is stored in the database.
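The following is an added example (not part of the lecture) that puts the GRANT, REVOKE, column-level and view-based controls from the two sections above together on a hypothetical Provider table, written in PostgreSQL syntax; the column names, the view, and the user names DashboardSvc and SchedClerk are assumptions for illustration.

```sql
-- Added example, PostgreSQL syntax: least-privilege access to a hypothetical
-- Provider table. Column names, view and user names are assumed.
CREATE TABLE Provider (
    provider_id   INTEGER PRIMARY KEY,
    full_name     VARCHAR(100) NOT NULL,
    department    VARCHAR(50)  NOT NULL,
    npi_number    CHAR(10)     NOT NULL,   -- national provider identifier
    home_address  VARCHAR(200),            -- sensitive, not needed by dashboards
    salary        DECIMAL(10,2)            -- sensitive, not needed by dashboards
);

-- A dashboard only needs headcount per department, so define a view that
-- exposes the aggregate and nothing else from the underlying rows.
CREATE VIEW ProviderHeadcountByDept AS
    SELECT department, COUNT(*) AS provider_count
    FROM Provider
    GROUP BY department;

-- Accounts: an administrator, a dashboard service account, a scheduling clerk.
-- Passwords are placeholders; real deployments set them out of band.
CREATE USER HospitalAdmin WITH PASSWORD '<placeholder-password>';
CREATE USER DashboardSvc  WITH PASSWORD '<placeholder-password>';
CREATE USER SchedClerk    WITH PASSWORD '<placeholder-password>';

-- Administrator may read and maintain provider rows, but not delete them.
GRANT SELECT, UPDATE ON Provider TO HospitalAdmin;

-- The dashboard account can only read the aggregate view. It gets no grant on
-- Provider itself, so home_address and salary are never exposed to it.
GRANT SELECT ON ProviderHeadcountByDept TO DashboardSvc;

-- Column-level restriction: the clerk may see names and departments only.
GRANT SELECT (full_name, department) ON Provider TO SchedClerk;

-- Periodic privilege review: remove a right that is no longer needed.
REVOKE UPDATE ON Provider FROM HospitalAdmin;
```

After the final REVOKE, HospitalAdmin retains read access only; querying the information schema (for example pg's \dp in psql) is a quick way to confirm the effective grants match the intended job duties.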
Lastly, data encryption can be necessary to protect sensitive information. Databases often have special features or functions to store the contents of a column as an encrypted field. For example, encrypted credit card information can be retrieved with a password, or it can be stored in a one-way encrypted form that can only be compared against and never recovered. In the event of a data breach or loss, the encrypted values would be meaningless to an unauthorized user. This is similar to full hard drive encryption as part of a physical security measure for computing devices.
4. Auditing
Auditing mechanisms, such as audit logs that record which user accessed what resource and at what time, have always been an important tool to uncover unauthorized access, as in the news reports of leaked celebrity or athlete health information obtained by hospital personnel who were not part of the care team. With the recent expansion of the HIPAA security rule, its stringent breach notification requirements, and the associated civil and criminal penalties, audit reports and other intrusion detection mechanisms are becoming ever more critical to ensure compliance.
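As an added example (not from the lecture) of the kind of audit report this section describes, the following PostgreSQL-syntax script builds a hypothetical access log and care-team table with constructed sample rows, then lists every chart access by a staff member who was not assigned to that patient; the table names, columns and sample values are assumptions.

```sql
-- Added example, PostgreSQL syntax. Tables, columns and sample data are
-- constructed for illustration; they are not from any real system.
CREATE TABLE CareTeam (
    patient_id  INTEGER NOT NULL,
    staff_id    INTEGER NOT NULL,
    PRIMARY KEY (patient_id, staff_id)
);

CREATE TABLE AccessLog (
    log_id      SERIAL PRIMARY KEY,
    staff_id    INTEGER     NOT NULL,
    patient_id  INTEGER     NOT NULL,
    action      VARCHAR(20) NOT NULL,     -- e.g. 'READ', 'UPDATE'
    accessed_at TIMESTAMP   NOT NULL
);

-- Constructed sample data: staff 10 and 11 treat patient 500; staff 12 treats
-- patient 501 only.
INSERT INTO CareTeam VALUES (500, 10), (500, 11), (501, 12);
INSERT INTO AccessLog (staff_id, patient_id, action, accessed_at) VALUES
    (10, 500, 'READ',   '2024-03-01 09:15:00'),
    (12, 500, 'READ',   '2024-03-01 09:40:00'),   -- staff 12 is not on 500's team
    (12, 501, 'UPDATE', '2024-03-01 10:05:00'),
    (11, 500, 'READ',   '2024-03-01 22:30:00');

-- Audit report 1: accesses where the staff member is not assigned to the
-- patient. A LEFT JOIN with a NULL match isolates exactly those rows; each
-- one is a lead for the privacy officer to investigate.
SELECT l.log_id, l.staff_id, l.patient_id, l.action, l.accessed_at
FROM AccessLog l
LEFT JOIN CareTeam c
       ON c.patient_id = l.patient_id AND c.staff_id = l.staff_id
WHERE c.staff_id IS NULL
ORDER BY l.accessed_at;

-- Audit report 2: staff who looked up more distinct patients in one day than
-- a chosen threshold (1 here for the tiny sample; tune it for real volumes).
SELECT staff_id,
       CAST(accessed_at AS DATE)  AS access_day,
       COUNT(DISTINCT patient_id) AS patients_viewed
FROM AccessLog
GROUP BY staff_id, CAST(accessed_at AS DATE)
HAVING COUNT(DISTINCT patient_id) > 1
ORDER BY patients_viewed DESC;
```

The audit log must itself be protected: the accounts being audited should have no UPDATE or DELETE privilege on AccessLog, otherwise the report can be tampered with.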
Conclusion
Data security in health care is both critical and multi-faceted. Data can be breached and secured at many different levels, either intentionally or by accident. A diligent security professional will implement safeguards at every level, keep up with current policies and best practices, and implement sensible usage procedures and guidelines for the users involved in the immediate and associated work environment.
ASSIGNMENT
Find two examples of data/security breaches that resulted in theft/loss/exposure of confidential data, preferably health care related data. Describe the incidents and explain what could have been done to prevent or mitigate them.
NEED REFERENCE