SECURITY PRIVACY HEALTHCARE

Claims processing

- Involves a third-party payer for healthcare services - Pre-approval is often required (third-party payer must authorize doctor visit) - Without pre-approval, third-party payer can reduce amount of reimbursement they are responsible for - Third-party payer may even deny the claim (patient becomes fully responsible for paying entire bill).

Balancing Information Security and Access

- It is impossible to obtain perfect information security; it is a process, not a goal. -Security should be considered a balance between protection and availability. - To achieve balance, the level of security must allow reasonable access, yet protect against threats

Local Area Network (LAN)

- LAN: the backbone of any information technology architecture - Used when describing cabling and interconnections - Data is transferred across the LAN - Image - Text - Audio -Video Distinctive features - High speed, low error rate, private ownership, and small geographic area - Usually within the same physical organization and its network boundary

HDHP/SO

- Often referred to as a health savings account (HSA) - Patient pays a low premium and receives catastrophic coverage (major medical) - Patient pays a high deductible for all services received up to catastrophic coverage - Patients save funds before tax in a special account to pay any deductibles

HMO

- Patient pays HMO a fixed amount - Patient then eligible to receive care from providers aligned with the HMO - Services delivered at no additional cost to patient (exception: copay for prescriptions)

Medical Billing

- The process of submitting claims with health insurance companies in order to receive payment for services rendered by a healthcare provider . Electronic . Paper Clearinghouse: receives paper forms, converts them to digital files, and submits them to the various payers - Scrubbing: process by which clearinghouse ensures each bill adheres to each health plan's unique or proprietary data requirements

Financial components of healthcare

- Today's healthcare system uses - State-of-the-art technology §Highly trained professionals - Well-apportioned facilities - None of the aforementioned aspects can exist without -Payment -Reimbursement - Fair compensation

Health Level 7 (HL7)

- a protocol developed to enable different information systems to exchange data using a standard - Allows different healthcare organizations to transfer clinically significant information that typically would be unavailable because of the incompatibility of systems - HL7 EHR System Functional Model and Standard: a product that HL7 has published for all EHR manufacturers to help EHRs interconnect

Health information exchange(HIE)

- organization that facilitates the electronic sharing of healthcare information across multiple healthcare organizations - Delivers clinical data to clinicians at the point of care - Eliminates organizational/geographic boundaries - Includes patient demographic data, continuity of care documents, test results, etc.

Using a methodology

-Ensures a rigorous process with a clearly defined goal -Increases probability of success

A successful organization should have multiple layers of security in place to protect

-Operations -Physical infrastructure -People -Functions -Communications -Information

The scope of computer security grew from physical security to include

-Securing the data -Limiting random and unauthorized access to data -Involving personnel from multiple levels of the organization in information security

Patients

-Seek assistance with matters of health . Preventive . Interventional . Rehabilitative

Threat source

A category of objects, people, or other entities that represents the origin of danger to an asset

Subjects and objects of attack

A computer can be either the subject of an attack (i.e., an agent entity used to conduct the attack) or the object of an attack (i.e., the target entity)

Exposure

A condition or state of being exposed

Vulnerability

A potential weakness in an asset or its defensive control system(s)

Loss

A single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use

information Security Project Team

A small functional team of people who are experienced in one or multiple facets of required technical and nontechnical areas: - Champion: A senior executive who promotes the project and ensures its support - Team leader: A project manager who understands project management, personnel management, and information security technical requirements - Security policy developers: Individuals who understand everything needed for developing and implementing successful policies - Risk assessment specialists: People who know and understand financial risk assessment and security methods to be used - Security professionals: Specialists in all aspects of information security from both technical and nontechnical standpoints - Systems administrators: Responsible for administering systems that house information - End users: Assist the team in focusing on the application of controls applied in ways that do not disrupt the essential business activities they seek to safeguard

What is a security?

A state of being secure and free from danger or harm; the actions taken to make someone or something secure.

Exploit:

A technique used to compromise a system

Physical security

Addresses the issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse

Threat event

An occurrence of an event caused by a threat agent

Threat:

Any event or circumstance that has the potential to adversely affect operations and assets

Critical Characteristics of Information

Availability Accuracy Authenticity Confidentiality Integrity Utility Possession

Private payers: Indemnity insurance

Based on fee-for-service Patient receives healthcare service Patient pays for healthcare service at the point of care Patient submits claim to insurance company for reimbursement Maximum freedom of choice in physicians

Governance Frameworks

Configuration Control Board (CCB) •Also referred to as a configuration management board •Essential role in how an organization implements and manages its information technology asset •Local area network •End-point devices (including medical devices) •Various applications

ILM cycle

Creation: information must be available, reliable, and concise from the source ​Retention: policies are required to establish the length of time records are useful and after which outdated records are discarded Maintenance: records must be stored and protected with availability to providers Use: information is to be used in a manner consistent with the reasons it was collected Disposal: data is destroyed; most vulnerable to data breach 1 Overwriting: covering up old data with new data ​ 2 Degaussing: erasing the magnetic field of storage media 3 Physical destruction: paper or digital shredding or incineration

Waterfall model

Each phase begins with the results and information gained from the previous phase. In other words, each phase has results that flow into the next phase.

Availability

Enables users who need to access information to do so without interference or obstruction and in the required format

payers

Entities paying the bill (Government Health insurers) - Uninsured Self-pay Indigent care

MULTICS

First operating system was created with security integrated into core functions

Accuracy

Free from mistake or error and having the value that end user expects

Informationlife-cycle management

Information has a life cycle that must be managed to ensure confidentiality, integrity, and availability

Managed care

Mechanism to control cost, improve quality, and increase access - Key feature: integration of healthcare provision and payment within one organization

Information system:

The entire set of hardware, software, data, people, procedures, and networks that enables the use of information resources within an organization

Asset

The organizational resource that is being protected

Risk

The probability of an unwanted occurrence, such as an adverse event or loss

Information security

The protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology

Authenticity

The quality or state of being genuine or original, rather than reproduction or fabrication

Integrity

The quality or state of being whole, complete, and uncorrupted

Possession

The quality or state of having ownership or control of some object or item

Threat agent:

The specific instance or a component of a threat

Stakeholders

Those with interest in healthcare organization who can impact the health care organization

Security professionals must review the origins of this field to understand its impact on our understanding of information security today

True

Integrating the healthcare enterprise (HIE)

an international organization that provides a standards framework Focuses on how organizations implement EHR function standards Publishes standard implementation specifications called profiles Example: Laboratory Technical Framework (LAB TF)

Larry Roberts

developed the ARPANET from its inception.

providers

healthcare institution that provides services to patients - hospitals - specialized clinics - home healthcare

Enterprise information security

is a critical business capability that needs to be aligned with corporate expectations and culture that provides the leadership and insight to identify risks and implement effective controls

Systems development life cycle (SDLC)

methodology for the design and implementation of an information system

Integrated delivery system

multiple providers (inpatients and outpatient) organized into a coordinated system of clinics and hospitals

with RAND Report R-609

paper that started the study of computer security and identified the role of management and policy issues in it

Outpatient (ambulatory care)

patients not formally admitted to a healthcare facility §Exception: patients can be placed in an observation status up to 48 hours

Inpatient

patients typically remaining in a healthcare facility more than 24 hours after admissio

Digital imaging and communications in medicine(DICOM)

promotes interoperability of medical imaging equipment by specifying protocols required for transferring digital images across a network A device used to capture images can be manufactured by any vendor that complies with DICOM

Fundamental problems with ARPANET

security were identified -No safety procedures for dial-up connections to ARPANET -Nonexistent user identification and authorization to system

Utility

the quality or state of having value for some purpose or end.

Confidentiality

the quality or state of preventing disclosure or exposure to unauthorized individuals or systems

ARPANET

what we now know as the Internet

Coding

§transformation of clinical workflow from any type of description in narrative or words into numerical data sets/codes that are used for documenting disease description, injuries, symptoms, etc. - Examples ICD SNOMED CT LOING

Control, safeguard, or countermeasure

•: Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization

Information Asset

•A body of information that is managed as a single entity so it can be protected and utilized effectively and efficiently •Includes information such as •Protected Health Information (PHI) •Personally identifiable information (PII) •Payment data •Proprietary business plans or financial data

Data Incident Response Team

•A security control required by various standards and policies such as HIPAA •Prepares for and addresses incidents across an organization •Should exist prior to data loss •Headed by the chief information security officer

Access

•A subject or object's ability to use, manipulate, modify, or affect another subject or object

User Agreements

•Acknowledge understanding and willingness to comply with training, policy, or other regulatory requirements •Usually contains following •Access to PHI is intended only for authorized users and legitimate purposes. All other access is prohibited. •Users consent to monitoring and auditing of their use. •Users will protect and not share their access credentials. •Specific actions concerning user behavior •Downloading PHI •Transporting media from the healthcare organization •Training required prior to accessing the system must be completed

Attack

•An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it; can be active or passive, intentional or unintentional, and direct or indirect

Policies: Visible

•Available to the organization •Often via a web portal or intranet

senior Management

•Chief information officer (CIO)‏ -Senior technology officer -Primarily responsible for advising the senior executives on strategic planning •Chief information security officer (CISO)‏ - - Has primary responsibility for assessment, management, and implementation of IS in the organization -Usually reports directly to the CIO

Policies

•Clear, simple statements of how an organization conducts business and healthcare operations •Used interchangeably with 'policy' -Directives -Regulations - Plans •Must be dated •Require following identifiable elements -Supplemented -Visible -Supported by management -Consistent

PPO

•Fee-for-service health plan •More choices for the patient •Higher deductibles and coinsurance payments •Providers aligned with the PPO •Patient chooses participating provider: discounted cost of medical care •Patient chooses non-participating provider: service covered at a lesser rate

Institutional Review Board (IRB)

•Formal committee that approves, monitors, and reviews biomedical and behavioral research involving humans •Primary purpose: to protect human subjects from physical or psychological harm •Guiding principles •Respect for people •Beneficence •Justice

Policies: Supplemented

•Generally not re-issued •Instead, supplemented with improvements or additional parameters using a process of versioning

Privacy Principles

•Management •Notice •Choice •Consent •Collection •Use •Retention •Disposal •Access •Disclosure to third parties •Security for privacy •Quality •Monitoring •Enforcement

Policies: Consistent

•Most have an origin in public law or government directive •Should not conflict or guide employees to violate these laws/directives

Regulators: Joint Commission

•Most notable regulator •Accredits healthcare organizations regarding standards of practice •Considered mandatory to demonstrate a healthcare organization's commitment to quality and compliance with performance standards •Some areas of reimbursement are linked to having Joint Commission accreditation

Policies: Supported by Management

•Must be supported by management via overt action •Cannot be circumvented or ignored with expectations for hospital staff to comply

Procedures

•Referred to as Standard Operating Procedures (SOPs) •Describe how each policy is put into action •Written instructions •Illustrated flowcharts •Checklists •Should supplement and not replace policies •SOP steps should reference the governing policy •Used interchangeably with 'SOP' •Protocols •Algorithms •Instructions •Tasks

IRB Guiding Principles

•Respect for people •People should be treated as autonomous agents (individuals) •Those with diminished autonomy must be protected •Beneficence: the well-being of study participants should be protected by •Adhering to "do no harm" •Maximizing benefits while minimizing potential damages •Justice: participants should have equal opportunity to be selected

Regulators: Government

•Serves as a 3rd party regulator •Federal government: acts as the primary payer through Medicare •Local government •Approves the addition of new facilities or the offering of new services via "certificate of need" •Partners with healthcare organizations for community health needs assessment

Notice of Privacy Practices

•Similar to 'Release of Information' •States that the healthcare organization is obligated by law to protect the information •New patients usually receive a copy •Must be displayed in the organization for patients to view

Incident Reporting Policy

•Specifies and addresses actions to be taken when data loss has occurred •Rationale: to minimally disrupt patient care or business processes •Positive outcome: a healthcare organization improves its information protection based on lessons learned

Protection profile or security posture:

•The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements to protect the asset

Sanction Policy

•To discipline employees who violate procedures for handling PHI •Should contain two components •Type of offense •Type of sanction or punishment

Regulators: Tort Law and Malpractice

•Tort law •Comprised of civil (versus criminal) acts committed against a patient •​Negligence •Intentional torts •Infliction of mental distress •Invasion of privacy is covered under intentional tort •Malpractice •A special area of tort law that is based upon negligence or carelessness by a healthcare provider •Typically does not involve information security

Release of Information

•Use and disclosure •How information is normally shared, with whom, and when specific patient consent is needed •Minimum necessary rules •Efforts to disclose only what is needed •Patient Rights •Inform about rights concerning their information and how it is released to other entities •Organizational controls and safeguards •Contingency and risk management information concerning security of PHI during business and clinical workflow interruptions •Right to revoke or opt out •Allow the patient to change their mind

Advanced Research Projects Agency (ARPA)

•to examine the feasibility of redundant networked communications.

Private payers: employer-based insurance

- A relatively 'recent' development (i.e. post World War II) -Approximately 55% of individuals have coverage through employer-based plans -Fully insured plans vs. self-funded plans

Electronic health record(EHR)

- An individual patient's medical record in digital format - Integrates with clinical information systems and patient registration systems - Patient demographics - ​Medical history such as medicine and allergy lists - ​Progress reports and provider notes §​Laboratory test results - Procedure and test appointments - ​Radiology images - Prescribed and administered medications

Information technology network

- An information technology network consists of - Computing equipment - Medical devices - Office automation computers - Cabling - Machines used to route and monitor §Software (ex: operating systems) - Information technologies: connected to each other to share data

Technology: medical devices

- Any item that a provider uses to diagnose, prevent, monitor, or treat - Hardware, software, or applications - Networked or stand-alone - Similar requirements and vulnerabilities to computers from an information security perspective - Examples: X-ray machine, magnetic resonance imaging (MRI), artificial heart, blood pressure monitor

Personal health record

- Assists patient with remembering medical history - Allows patient to have timely and accurate information (ex: test results - Can be integrated with at-home patient-monitoring devices (ex: wireless weight scales, blood pressure monitors) that transmit via smartphone applications

Terminology and data

- Clinical workflow - Describes processes and actions clinicians use to deliver healthcare - Describes how data moves through an information system...by whom, to whom, when, and how often - Clinical workflow through HI systems improves health outcomes, reduces medication errors, and results in cost savings - Examples include actions taken to - Register a patient - Document patient information gathered during an appointment - Develop a treatment plan - Prescribe follow-up tests and medications - Schedule future appointments - Process bills or claims

POS

- Combines elements of HMOs and PPOs §Patient designates in-network primary care physician (PCP) - Patient may choose a provider outside the plan; service covered at a greater rate if referred by PCP - Plan costs generally fall between those of HMOs and PPOs

Medicaid

- Each U.S. state allocates money received from the federal government - Provides medical assistance to primarily the nonelderly, poor, and disabled - Pregnant women -Children and babies -People with disabilities - The elderly poor (in some cases)

Self-funded plans

- Employer operates (funds) its own health plan - Employer at increased risk if more claims than expected must be paid

Fully insured plans

- Employer purchases insurance from insurance company - Insurance company bears financial risk based on what is paid out vs. the collected premiums

Medicare

- Funded and administered by the federal government - Provides insurance coverage for individuals age 65+ or those who are younger than 65 but have long-term disabilities - No qualification related to income

Four main types Managed care

- Health maintenance organization (HMO) - Preferred provider organization (PPO) - Point-of-service (POS) -High-deductible health plan with savings option (HDHP/SO)