Archive

Posts Tagged ‘Security’

$210 per compromised medical record

October 20th, 2009

I was surprised to see that the average cost of a data breach exceeded $210 per compromised record, creating an opportunity for computer crime rings to traffic in stolen medical records, according to a study sponsored by LogLogic.

The study shows patients may be surrendering their privacy as the $2.5 trillion medical industry pushes to accelerate the pace of digitizing health information records, prompted by federal stimulus funding.

According to the report, the new HIPAA rules will help improve the protection of medical records (see my post on the new HIPAA rules).
 

 

General, Market

HIPAA and 21CFR11 overlaps

October 12th, 2009

Both HIPAA and 21 CFR Part 11 are concerned with safeguarding data. While 21 CFR Part 11 applies to Life Sciences Organizations (LSO), HIPAA applies to Healthcare Providers (HCP) and other "covered entities", such as insurance companies.

 
21 CFR Part 11 sets out the procedural and system requirements for controlling and auditing electronic records and signatures. It requires employing procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records.
 
Similarly, the HIPAA security rules are described as follows:

Physical Safeguards
- Facility access controls
- Workstation use
- Workstation security
- Device and media controls

Technical Safeguards
- Access control
- Audit control
- Integrity controls
- Person or entity authentication
- Transmission security

Administrative Safeguards
- Security and access management
- Security incident handling
- Policies and procedures to prevent, detect, contain and correct security violations
 
 
There are obvious requirement overlaps around
 
- Operational policies and SOPs 
- System and Record Access Control
- Audit trail
- Record keeping and retention
 
It just makes sense to start consolidating these requirements into one set. This has to happen sooner or later as we start sharing standardized medical records between healthcare providers and pharmaceutical companies for clinical trials or adverse event reporting.
 
 

General, Technology

The security and privacy of health data

September 28th, 2009

The security and privacy aspect of EHR is defined as part of PHI (Protected Health Information) and is based on HIPAA.

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996.

PHI is defined as any information concerning health status, provision of health care, or payment for health care that can be linked to an individual.

EHR security and privacy have to cover everything from the accuracy and disposal of information, and of the hardware hosting such data, to encryption for storage and for exchange of data over the wire.

On Sep. 16th the federal panel approved EHR security and privacy standards.

The committee clarified the requirements that EHR systems must meet so that both vendors and healthcare providers could use a number of access controls in their electronic health record systems and practices by 2011.

The standards under discussion cover access control, authentication, authorization and transmission of health data.

According to the panel, in 2013 EHRs would have to meet additional standards to further tighten security, including Health Level 7 Role-based Access Control (RBAC), Security Assertion Markup Language (SAML) and WS-Trust, an OASIS standard for constructing secure messages.

In addition, HIPAA gives patients the right to review the content of their medical records and the right to request correction of any inaccurate PHI.

For example, an individual can ask to be called at his or her work number instead of a home or cell phone number.

PHI is the part of EHR that concerns patients and physicians the most.

I will cover this topic in detail as the standards progress.


Technology

Health Level 7 Role Based Access Control (RBAC)

August 18th, 2009

Health Level 7 or HL7 is an international community of healthcare subject matter experts and information scientists collaborating to create standards for the exchange, management and integration of electronic healthcare information.

Among other things, HL7 covers Role Based Access Control to health data and clinical information on a “need-to-know” basis as a key requirement.

It also emphasizes the need to provide methods by which access can be checked and authorised before it is granted. Another important element of RBAC is up-to-date and accurate directories of staff.

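As an added illustration of the three points above (example code written for this page, not HL7's own specification or any vendor's implementation), the following Python models a need-to-know check that runs before access is granted, a small role catalogue, and a staff directory whose entries must be both active and recently re-verified. The roles, permissions, staff and patient identifiers are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical role catalogue for this example; not HL7's permission vocabulary.
ROLE_PERMISSIONS = {
    "physician": {"read_clinical", "write_clinical", "read_demographics"},
    "nurse": {"read_clinical", "read_demographics"},
    "billing": {"read_demographics", "read_billing"},
}

@dataclass
class StaffEntry:
    role: str
    active: bool    # cleared when the person leaves; a stale "active" is the risk
    verified: date  # last date HR confirmed this directory entry is accurate

# Constructed sample staff directory and care-team assignments.
DIRECTORY = {
    "dr_lee": StaffEntry("physician", True, date(2009, 8, 1)),
    "nurse_kim": StaffEntry("nurse", True, date(2009, 8, 10)),
    "clerk_roy": StaffEntry("billing", True, date(2009, 8, 10)),
    "dr_old": StaffEntry("physician", True, date(2009, 1, 5)),   # not re-verified
    "dr_gone": StaffEntry("physician", False, date(2009, 8, 1)),  # has left
}
CARE_TEAM = {"patient-42": {"dr_lee", "nurse_kim"}}
AUDIT_LOG = []  # every decision, allowed or denied, is recorded here

def check_access(user_id, patient_id, permission, today=date(2009, 8, 18),
                 max_age_days=30):
    """Return (allowed, reason); the reason is what the audit trail records."""
    entry = DIRECTORY.get(user_id)
    if entry is None or not entry.active:
        return False, "not an active staff directory entry"
    if (today - entry.verified).days > max_age_days:
        return False, "directory entry not re-verified within %d days" % max_age_days
    if permission not in ROLE_PERMISSIONS.get(entry.role, set()):
        return False, "role %s does not hold %s" % (entry.role, permission)
    # Need-to-know: clinical data only for staff with a care relationship.
    if permission.endswith("_clinical") and user_id not in CARE_TEAM.get(patient_id, set()):
        return False, "no care relationship with %s" % patient_id
    return True, "authorised"

def request_access(user_id, patient_id, permission):
    """Check and authorise before granting, then write the decision to the log."""
    allowed, reason = check_access(user_id, patient_id, permission)
    AUDIT_LOG.append((user_id, patient_id, permission, allowed, reason))
    return allowed
```

Denials carry a reason so that the audit trail shows not just who was refused but which of the three controls (directory, role, care relationship) refused them.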

Technology

Stimulus Package Includes Changes to HIPAA Rules

March 24th, 2009

According to the new legislation, physicians will now be required to track any disclosure of a patient’s medical information. Previous regulations allowed physicians to disclose patient information for the purpose of treatment, payment or health care operations, but did not require them to track when that information was disclosed.

 
However, this should be easy to manage for physicians who use an electronic health record, as hopefully EHR vendors will provide such functionality out of the box to track every time patient information is disclosed.

In addition, the legislation requires practices to post information about security breaches if a breach affects 10 or more patients, and to notify all of their patients, a local media outlet and the HHS Secretary if the breach affects 500 or more patients.
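To make the disclosure-tracking requirement concrete, here is an added Python sketch (written for this page, not taken from the post or from any EHR vendor) of an append-only disclosure ledger and a helper that maps the number of affected patients to the notification duties quoted above. The recipients, purposes, timestamps and patient identifiers are constructed sample values.

```python
from collections import namedtuple
from datetime import datetime

# One entry per disclosure of a patient's information.
Disclosure = namedtuple("Disclosure", "when patient_id recipient purpose")

class DisclosureLedger:
    """Append-only record of every disclosure, so the practice can produce an
    accounting of disclosures for any patient and scope a breach afterwards."""

    def __init__(self):
        self._entries = []

    def record(self, patient_id, recipient, purpose, when=None):
        # Constructed default timestamp; a real system would use the clock.
        entry = Disclosure(when or datetime(2009, 3, 24, 9, 0), patient_id,
                           recipient, purpose)
        self._entries.append(entry)  # entries are never edited or removed
        return entry

    def accounting_for(self, patient_id):
        """All disclosures of this patient's information, oldest first."""
        return [e for e in self._entries if e.patient_id == patient_id]

    def patients_disclosed_to(self, recipient):
        """Distinct patients whose information went to this recipient; used to
        scope a breach once a recipient turns out to have been unauthorised."""
        return {e.patient_id for e in self._entries if e.recipient == recipient}

def breach_notifications(affected_patient_ids):
    """Map the count of distinct affected patients to the duties in the post:
    post breach information at 10 or more; also notify all patients, a local
    media outlet and the HHS Secretary at 500 or more."""
    count = len(set(affected_patient_ids))
    duties = []
    if count >= 10:
        duties.append("post breach information")
    if count >= 500:
        duties += ["notify all patients", "notify a local media outlet",
                   "notify the HHS Secretary"]
    return count, duties
```

Because the ledger is the only place disclosures are recorded, the same data answers a patient's accounting request and determines how large a misdirected disclosure actually was.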
 

General, Technology