Upload
orlando-gilmore
View
24
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Hipaa sECURITY. How not to get lost in the Big Ocean of Portable Electronic Health Records: Riding the Wave of Digital Health Information. Gary Beatty President EC Integrity, Inc Vice-Chair ASC X12. Spring Conference April 4, 2008. Influencing the move to eHealthcare. - PowerPoint PPT Presentation
Citation preview
How not to get lost in the Big Ocean of Portable Electronic Health Records: Riding the Wave of Digital Health Information
Spring ConferenceApril 4, 2008
Gary BeattyPresidentEC Integrity, IncVice-Chair ASC X12
Need to reduce the cost of health care Increase quality of health care Consumer driven health care Online health records
Payer support for community health records Transparency in health care Pay for performance programs Governmental
HR
PHR
EMR
PHI Hybrids
CCR
EHR
Health Records (AHIMA) The legal business record for a healthcare
organization. Individually identifiable information Any medium Collected, processed, stored, displayed
Health Records contain Diagnosis Medications Procedures Problems Clinical Notes Diagnostic Results Images Graphs Other items deemed necessary
Health Records Support continuity of care Planning patient care Provides planning information
Resource allocation Trend analysis Forecasting Workload management Justification for billing information
Electronic Medical Record (EMR) (HIMSS) An application environment composed of:
Clinical Data Repository (CDR) Clinical Decision Support (CDS) Controlled medical terminology Order entry Computerized provider order entry Pharmacy Clinical document applications
Enterprise support Inpatient and Outpatient Use to document, monitor and manage delivery of
health care Electronic Medical Record (EMR) (HIMSS)
The EMR is the legal record Owned by the Care Delivery Organization (CDO)
Electronic Health Record (EHR) (HIMSS) Longitutal electronic medical record across
encounters in any care delivery setting. Resource for clinicians
Secure Real-time Point-of-care Patient centric information source
Aids collection of data for other uses Billing Quality management Outcomes reporting Resource planning Public health disease surveillance Reporting
Electronic Health Record (EHR) (HIMSS) Includes:
Patient demographics Progress notes Problems Medications Vital signs Past medical history Immunizations Laboratory data Radiology reports
Electronic Health Record (EHR) (HIMSS) Automates / streamlines clinicians workflow Complete record of clinical encounter Supports other care-related activities
Evidence-based decision support Quality management Outcome reporting
Personal Health Record (PHR) Created by the individual Summarizes health and medical history Gathered from many sources Format of PHR
Paper Personal computer Internet based Portable storage
Continuity of Care Record (CCR) Patient Health Summary Standard
ASTM / MMS / HIMSS / AAFP / AAP co-development
Core health care components Sent from one provider to another Includes
Patient demographics Insurance information Diagnosis and problem Medications Allergies Care plan
Hybrid Health Record Both
Paper health records Electronic health records
Protected Health Information (PHI) Any health care information linked to a person
Health Status Provision of Health Care Payment of Health Care
Includes•Names•Geographic subdivision smaller than a state•Dates related to an individual•Phone Numbers•Fax Numbers•Email Addresses•SSN•Medical Record Numbers•Beneficiary Numbers•Account Numbers•Certificate/license numbers;
•Vehicle identifiers and serial numbers• license plate numbers
•Device identifiers and serial numbers •Web Universal Resource Locators (URLs)•Internet Protocol (IP) address numbers•Biometric identifiers
• Finger• voice prints
•Full face photographic images and any comparable images•Any other unique identifying number, characteristic, or code
Privacy Can anyone else read it?
Authentication How do I know who sent it?
Data Integrity Did it arrive exactly as sent?
Non-repudiation of receipt Can the receiver deny receipt? How do I know it got there?
How do I track these activities?
Internet / Intranet Wired Wireless
Wifi (802.11a, b, g, i, n) Bluetooth (Personal Area Network - PAN)
VoiP Dial-up Mobile Devices
Smart Phones Mobile Standards (GSM, GPRS, etc.)
PDA Tablet PC’s
Physical Media Magnetic, optical, flash (thumb drives), others
RC4 (ARC4 /ARCFOUR) – Stream Cypher (easily broken) Secure Sockets Layer (SSL) WEP Wire Equivalent Privacy WPA WiFi Protected Access
WPA2 (based upon 802.11i) Data Encryption Standards (DES) Advanced Encryption Standards (AES)
Government strength encryption
Firewall machines IP address selection ID + Passwords Security techniques
Encryption Digital Signatures Data Integrity Verification Non-repudiation
Trading Partner Agreements (TPA)
PLAINTEXTDOCUMENT ENCRYPT DECRYPT PLAINTEXT
DOCUMENT
CYPHERTEXT
PROVIDER PAYER
PRIVATE KEY
n * (n-1) / 2 keys to manage 100 users would require 4950 keys Key size 128 bits Generally considered fast
Gary
Frank
Erin Dale
Alice
Karen
Julie
Mary
PLAINTEXTDOCUMENT ENCRYPT DECRYPT
PAYER’SPUBLIC KEY
PLAINTEXTDOCUMENT
CYPHERTEXT
PROVIDER PAYER
PAYER’SPRIVATE KEY
n key pairs needed for n partners key size (128, 768, 1024, 2048 bits) Generally considered slower What happens if you lose your key?
Gary
Frank
Erin Dale
Alice
Karen
Julie
Mary
Public Key DirectoryGary Mary EAlice Dale FFrank Karen GErin Julie H
A digitized signature is a scanned image A digital signature is a numeric value that
is created by performing a cryptographic transformation of the hash of the data using the “signer’s” private key.
Ö m25_ +¦_+_ò`_^5w+A___enruƒ•\ƒ½PÑ7»q*++¤Gß_¿_°;·Ae¦_7¦?�ââ-á+H¶¥-÷90Y�å+£ú'¦Æ<§_8óX`p¡ìÉ_V+1^ª+ ¦�%Gary A. Beatty <[email protected]>
Part of the digital signature process A secure one way hashing algorithm used
to create a hash of the data
EHR
Provider BPUBLIC KEY
Encoded
PROVIDER APRIVATE KEY
Cypher Cypher Encoded EHR
PROVIDER APUBLIC KEY
Provider BPRIVATE KEY
Provider BPROVIDER A
AS1 – Applicability Statement 1 Email exchange of electronic transactions S/MIME – Secure Multi-Purpose Internet Mail
Extensions Uses SMTP (Simple Mail Transfer Protocol) Satisfies Security Requirements
Encryption Authentication Integrity Non-repudiation
What’s needed Email capability Electronic Transaction Digital Certificate
AS2 – Applicability Statement 2 HTTP exchange of electronic transactions S/MIME – Secure Multi-Purpose Internet Mail Extensions Uses HTTPS
Hypertext Transfer Protocol over Secure Socket Layer Allows for REAL TIME delivery Satisfies Security Requirements
Encryption Authentication Integrity Non-repudiation
What’s needed Web Server (static IP address) Electronic Transaction Digital Certificate
AS3 – Applicability Statement 3 FTP exchange of electronic transactions S/MIME – Secure Multi-Purpose Internet Mail
Extensions Uses FTP – File Transfer Protocol Allows for REAL TIME delivery Satisfies Security Requirements
Encryption Authentication Integrity Non-repudiation
What’s needed FTP Server Electronic Transaction Digital Certificate
Electronic Credit Card Establishes “Credentials” for electronic
transactions Issues by Credential Authority
Name Serial Number Expiration Dates Certificate Holder’s Public Key Digital Certificate of Certification Authority
Verified by Registration Authority X.509 Standards Registry of Digital Certificates
Access with HIPAA Identifiers
Spring ConferenceApril 4, 2008
Gary BeattyPresidentEC Integrity, IncVice-Chair ASC X12