Healthcare computer application week 6
Introduction to Healthcare Information Technology
Chapter Seven
Basic Healthcare Information Security
1
Objectives
Define information security
List and describe the different elements of physical security
Explain how computer security can protect data
Describe different types of data backups
2
Introduction to Healthcare Information Technology
2
Healthcare IT: Challenges and Opportunities
The need for security is a significant aspect of life today
Personal physical security
Security of our information
Defending against information attacks
Particularly important in the healthcare industry
HIPAA provides for significant penalties for unauthorized disclosure of protected patient information
3
Introduction to Healthcare Information Technology
3
What Is Information Security?
Describes tasks of securing information that is in a digital format
Information security protection goals
Confidentiality
Only authorized parties can access information
Integrity
Ensures information is correct
Availability
Data is accessible to authorized users
4
Introduction to Healthcare Information Technology
4
What Is Information Security? (cont’d.)
Goals apply to devices that store, manipulate, and transmit the information
Information security is achieved through:
Products
People
Procedures
5
Introduction to Healthcare Information Technology
5
Figure 7-1 Information security components
© Cengage Learning 2013
Table 7-1 Information security layers
© Cengage Learning 2013
Physical Security
Involves securing devices so unauthorized users cannot access them
Physical access security includes:
Securing the environment, office hardware, and equipment
Regulating access
8
Introduction to Healthcare Information Technology
Environment
Securing the surrounding environment
First step in physical security
Achieved with security guards in the past
Security technology tools
Lighting and fencing
Video surveillance
Fire suppression equipment
Backup power generators
HVAC
9
Introduction to Healthcare Information Technology
Environment (cont’d.)
Security perimeter
Can include a barrier, such as fencing
Often consists of a fence together with other deterrents
Security lighting can be installed on:
Poles
Building exteriors
Canopies
Landscaping
10
Introduction to Healthcare Information Technology
Table 7-2 Fencing deterrents
© Cengage Learning 2013
Environment (cont’d.)
Video surveillance
Monitoring activity with a video camera
Closed circuit television (CCTV)
Using video cameras to transmit a signal to a specific set of receivers
Cameras may be fixed or allow movement
Used in banks, casinos, airports, and military installations
12
Introduction to Healthcare Information Technology
Environment (cont’d.)
Fire suppression
Fire represents a constant threat to people and property
Four required entities for fire to occur
Fuel
Oxygen
Heat
Chemical reaction
13
Introduction to Healthcare Information Technology
Figure 7-2 Fire triangle
© Cengage Learning 2013
Table 7-3 Fire types
© Cengage Learning 2013
Environment (cont’d.)
Types of stationary fire suppression systems
Water sprinkler systems
Dry chemical systems
Clean agent systems
Power generator
Backup generator to be used in event of power loss
Can be powered by diesel, natural gas, or propane
16
Introduction to Healthcare Information Technology
Environment (cont’d.)
Heating, ventilation, and air conditioning (HVAC)
Control and maintenance of temperature and humidity levels
Can reduce electrostatic discharge which can damage equipment
Data closets
Rooms that house computer systems and network equipment
Typically have special cooling requirements
17
Introduction to Healthcare Information Technology
Office Hardware
Privacy screen
Freestanding panel to divide a work area
Also refers to a cover over a computer monitor to create a narrow viewing angle
Residential hardware door lock types
Keyed entry locks
Privacy locks
Patio locks
Passage locks
All provide minimal security
18
Introduction to Healthcare Information Technology
Office Hardware (cont’d.)
Deadbolt locks
Often used in commercial buildings
Solid metal bar extends into door frame
More difficult to defeat than keyed entry locks
19
Figure 7-4 Deadbolt lock
© Cengage Learning 2013
Introduction to Healthcare Information Technology
Equipment
Network hardware should be located behind a locked door
Uninterruptible power supply (UPS)
Device that maintains power to the equipment in case of interruption in main power
Offline UPS (standby mode)
Can quickly begin supplying power when needed
Online UPS
Always running off its battery while the main power runs the battery charger
Not affected by dips or sags in voltage
20
Introduction to Healthcare Information Technology
Equipment (cont’d.)
UPS systems can communicate with network operating system on a server to ensure orderly shutdown occurs
Important to secure office imaging equipment
Attackers could access images in digital memory
21
Introduction to Healthcare Information Technology
Regulating Access
Disadvantages of using keys to access a secured area
Keys must be managed
Keys can be lost, stolen, or duplicated
Keys must be securely stored
Cipher lock system
Alternative to a key lock
Push-button code required to open the door
22
Introduction to Healthcare Information Technology
Regulating Access (cont’d.)
Types of physical tokens
ID badge containing bearer’s photograph
ID with barcode that is “swiped”
ID badge read by a proximity reader
RFID tags read by an RFID proximity reader
Electronic keyfob (automobile keyless entry)
Biometrics
Uses person’s unique physical characteristics to authenticate
Example: fingerprint scanner
23
Introduction to Healthcare Information Technology
Figure 7-5 Cipher lock
Figure 7-6 RFID tag
© Cengage Learning 2013
© Cengage Learning 2013
Regulating Access (cont’d.)
Types of fingerprint scanners
Static
User places entire finger on scanner window
Dynamic
User slides finger across reader
Disadvantages to standard biometrics
Cost
Not 100% accurate
25
Introduction to Healthcare Information Technology
Computer Security
Providing security for data stored on a computer
Critical function for a healthcare IT professional
Aspects of computer security
Password security
Computer permissions
Defending against common security risks
26
Introduction to Healthcare Information Technology
Passwords
Secret combination of letters, numbers, and characters that only the user should know
Most common type of authentication today
Offer weak protection
Password weaknesses
Relies on human memory
Long and complex passwords difficult to recall
Users must recall passwords for many different accounts
27
Introduction to Healthcare Information Technology
Passwords (cont’d.)
Password defenses
Creating and managing strong passwords
Creating strong passwords
Most passwords consist of a root word and a suffix or prefix
Guidelines for creating strong passwords
Do not use dictionary or phonetic words
Do not use personal information
Do not repeat characters or use sequences
Use long passwords (12 characters or more)
28
Introduction to Healthcare Information Technology
Passwords (cont’d.)
Another way to make passwords stronger
Use non-keyboard characters
Create by holding down ALT key and simultaneously pressing a number on the numeric keypad
Good password management
Change passwords frequently
Do not reuse old passwords
Never write a password down
29
Introduction to Healthcare Information Technology
Figure 7-8 Windows character map
© Cengage Learning 2013
Passwords (cont’d.)
Good password management (cont’d.)
Have a unique password for each account
Set up a temporary password for the case when another user needs to access your account
Do not allow a computer to automatically sign in or store password so that a login is unnecessary
Do not enter passwords on public computers
Never share a password with another person
31
Introduction to Healthcare Information Technology
Passwords (cont’d.)
Password supplements
Autocomplete passwords used in modern browsers
Stored encrypted in the Microsoft Windows registry
Password management applications
Digital equivalent of a written sticky note
32
Introduction to Healthcare Information Technology
Table 7-4 Password management applications
© Cengage Learning 2013
Permissions
Identification
Example: delivery person ID badge
Authentication
Process of checking the identification
Authorization
Granting permission to take action
34
Introduction to Healthcare Information Technology
Permissions (cont’d.)
One type of computer access control
Objects (such as files) given an owner
Access control list defines who is allowed to access the object
Types of access permissions
Read, write, modify, full control, read and execute
Least privilege
Allocate minimum amount of privileges needed to perform the job
35
Introduction to Healthcare Information Technology
Figure 7-9 Windows permissions
© Cengage Learning 2013
Common Security Risks
Malware
Software that enters a computer system without the user’s knowledge or consent
Performs an unwanted or harmful action
Types of malware
Viruses
Worms
Spyware
37
Introduction to Healthcare Information Technology
Common Security Risks (cont’d.)
Virus
Computer code that reproduces itself on the same computer
Worm
Malicious program designed to take advantage of a vulnerability in an application or operating system
Uses a network to send copies of itself to other network devices
Spyware
Software that gathers information on users without consent
38
Introduction to Healthcare Information Technology
Table 7-5 Technologies used by spyware
© Cengage Learning 2013
Common Security Risks (cont’d.)
Social engineering
Means of gathering information for an attack by relying on weaknesses of individuals
Clever manipulation of human nature to persuade the victim to provide information or take actions
Phishing
Sending a deceptive e-mail that claims to be from a legitimate enterprise
Attempts to trick user into surrendering private information
40
Introduction to Healthcare Information Technology
Common Security Risks (cont’d.)
Key defense against fishing
Provide security awareness and training to users
Spamming
Unsolicited e-mail
Used for advertising or distributing malware
Profit for spammers can be substantial
E-mail spam filters attempt to block spam before it reaches the host
41
Introduction to Healthcare Information Technology
Data Backups
Copying digital information to different medium
Stored separately so it can be used in event of a disaster
Disaster recovery plan answers five basic questions:
What information should be backed up?
How often should it be backed up?
What media should be used?
Where should the backup be stored?
What hardware or software should be used?
42
Introduction to Healthcare Information Technology
Data Backups (cont’d.)
Archive bit
Used to flag which files need to be backed up
Types of backups
Full or daily backup
Differential backup
Incremental backup
Backups should be stored at a separate location
Reduces risk of backup being destroyed in a disaster
43
Introduction to Healthcare Information Technology
Figure 7-11 Archive bit
© Cengage Learning 2013
Table 7-6 Types of data backups
© Cengage Learning 2013
Summary
Information security creates a defense to ward off attacks designed to steal information
Three types of protections
Confidentiality
Integrity
Availability
Securing the devices themselves is an important aspect of information security
Backup generators can be used to provide power in the event of power loss
46
Introduction to Healthcare Information Technology
46
Summary (cont’d.)
Sensitive information should be placed in a room secured by a deadbolt lock
Various types of ID badges can be used to control access to a secured area
Biometrics uses human physical characteristics to provide authentication
Passwords provide a weak degree of protection
Malware is unwanted software that is often harmful
Types of data backups include full, differential, and incremental
47
Introduction to Healthcare Information Technology
47