Published on February 18, 2014
Health Information Systems and Network Security A Framework for Securing HIT Infrastructure
Security Goals 1. Protect PHI by empowering individuals to control access to their own healthcare information. 2. Allow only fully authenticated and authorized individuals access to data. 3. Preserve integrity of network data. 4. Hold users and organizations accountable for network actions. 5. Hold each node in a network accountable for the security of the data in its custody. 6. Enable the formation of larger scale networks by securely linking together health information networks (HINs). (NHIN Project/HIPAA/Markle Common Framework for Private and Secure HIE)
Security Framework (Kailar, Rajashekar 2007)
Environmental Assumptions ID Assumption Justification A1 Intermediary Legally binding agreements A2 Providers Legally binding agreements, and doctor/patient relationships A3 Data Repositories Legally binding agreements
Security Requirements ID Security Requirements R1 Only authorized and authenticated systems shall be targets of network queries R2 Only authorized and authenticated users shall request data over the network R3 Data integrity shall be preserved within all nodes and over the network R4 Data confidentiality shall be protected over the network R5 All access to healthcare data shall be traceable to an individual or organization R6 Where applicable patient shall specify access to PHI (rules enforced on all nodes) R7 Requests originating in another trust domain shall be authenticated and authorized R8 Data and system integrity shall be preserved at each node in the network
Security Mechanisms ID Security Mechanism Mapping M1 User identity management R2, R4 M2 User authentication R2, R4, R6 M3 User authorization R5 M4 Auditing R5 M5 Anonymization R4 M6 Secure messaging R1, R2, R3, R4 M7 Consent management R6 M8 Inter-domain security R7 M9 System availability and integrity protection R8
Security Threats and Countermeasures ID Security Mechanism Countermeasure Mapping T1 Unauthorized user/system produces data Identification/authentication M1, M2 T2 Unauthorized user/system consumes data Identification/authentication/access control M1, M2, M5, M6, M7, M8 T3 Data integrity compromised at Network, OS, application, and database controls at each node M1, M2, M9 T4 Data integrity compromised over network Integrity protection (MD5, hash, checksum) M6, A1 T5 Data confidentiality compromised over network Encryption over network (SSL) M6, M7, A1 T6 Information compromised by valid user Audit, organization binding, responsibility M4, A1, A2, A3 T7 Virus, spyware Anti-virus, firewall, intrusion detection system (IDS) M6, M9 T8 Denial of service IDS, firewall, application M6 T9 Identity spoofing Client certificate based auth. (two-way SSL) M1, M6 consumer/producer/intermediary level (consumer/producer/intermediary)
Calcification Inhibitors in CKD and Dialysis Patients
The Security Framework for Information Technology. Most of the damage to Information Technology (IT) security ... security framework and/or IT security ...
National Privacy & Security Framework; ... Coordinator for Health Information Technology ... of the Nationwide Health Information Network ...
... of health information technology ... health information through a network. ... Health Information (Privacy and Security Framework ...
Connected Health Framework ... you optimize information and communication technology ... solutions for health information networks ranging ...
... on how to choose an IT security framework. ... Network Security; Government IT security; ... in health care information technology.
An effort to create a common security framework for the health care ... and an information security ... From new technology projects to ...
A Health Information Technology Framework For The ... The Certification Commission for Health Information Technology ... strong privacy and security ...
Health information technology ... The Privacy and Security Toolkit implements the principles in The Nationwide Privacy and Security Framework for ...
Concepts and Definitions. Health information technology (HIT) is “the application of information processing involving both computer hardware and software ...
Health information technology (health ... security.12 These network ... security framework for the e‑health