legal and ethical considerations in nursing informatics

LEGAL AND ETHICAL CONSIDERATIONS IN NURSING INFORMATICS Information Security and Confidentiality

Upload: kimarie-brown

Post on 15-Jul-2015

Learning Outcomes

1. Differentiate between privacy, confidentiality, information privacy, and information security.

2. Discuss how information system security affects privacy, confidentiality, and security.

3. Identify potential threats to system security and information.

4. Discuss security measures designed to protect information.

5. Compare and contrast available methods of authentication in terms of levels of security, costs, and ease of use.

6. Distinguish between appropriate and inappropriate password selection and processing.

7. Identify common examples of confidential forms and communication seen in healthcare settings and identify proper disposal techniques for each.

8. Discuss the impact that Internet technology has on the security of health-related information.

Security

Information security and confidentiality of personal information represent major concerns in today’s society amidst growing reports of stolen and compromised information.

Confidentiality

In the USA, the protection of healthcare information is mandated by the Health Insurance Portability and Accountability Act (HIPAA) and the Joint Commission requirements.

Privacy

A state of mind, freedom from intrusion, or control over the exposure of self or of personal information

Significance of Privacy

Key concept to understanding significance of information security and privacy

Includes right to determine what information is collected, how it is used, and the ability to review collected information for accuracy and security

International movement to protect privacy

Confidentiality

A situation in which a relationship has been established and private information is shared with the expectation that it will not be re-disclosed

Key to client treatment

Information/Data Privacy

The right to choose the conditions and extent to which information and beliefs are shared and the right to ensure accuracy of information collected

Information Security

…the protection of information against threats to its integrity, inadvertent disclosure, or availability determines the survivability of a system

Information System Security

Ongoing protection of both information housed on the system and the system itself from threats or disruption

Primary goals:

• Protection of client confidentiality

• Protection of information integrity

• Ready availability of information when needed

Security Planning

Saves time and money

Guards against:

• Downtime

• Breaches in confidentiality

• Loss of consumer confidence

• Cybercrime

• Liability

• Lost productivity

Helps ensure compliance with regulatory body/laws

Steps to Security

Assessment of risks and assets

An organizational plan

A “culture” of security

The establishment and enforcement of policies

Threats to System Security and Information

Thieves

Hackers and crackers

Denial of service attacks

Terrorists

Viruses, worms

Flooding sites

Power fluctuations

Revenge attacks

Pirated Web sites

Poor password management

Compromised device

Fires and natural disasters

Human error

Unauthorized insider access

Security Measures

• Firewalls: barrier created from software and hardware

• Antivirus and spyware detection

• User sign-on and passwords or other means of identity management

• Access on a need-to-know basis: level of access

• Automatic sign-off

• Physical restrictions to system access

Identity Management

Area that deals with identifying individuals in a system and controlling their access to resources within that system by associating user rights and restrictions with the established identity

Authentication

Process of determining whether someone is who he or she professes to be

Methods:

• access codes

• logon passwords

• digital certificates

• public or private keys used for encryption

• biometric measures

Password

Collection of alphanumeric characters that the user types into the computer

May be required after the entry of an access code or user name

Assigned after successful system training

Inexpensive but not the most effective means of authentication

Password Selection and Handling

Do:

• Choose passwords that are 8-12 characters long.

• Avoid obvious passwords.

• Keep your password private, i.e., do not share.

• Change password frequently.

Do not:

• Post or write down passwords.

• Leave computers or applications running when not in use.

• Re-use the same password for different systems.

• Use the “browser save” feature.

Biometrics

Identification based on a unique biological trait, such as:

• a fingerprint

• voice or iris pattern

• retinal scan

• hand geometry

• face recognition

• ear pattern

• smell

• blood vessels in the palm

• gait recognition

Antivirus Software

Computer programs that can locate and eradicate viruses and other malicious programs from scanned memory sticks, storage devices, individual computers, and networks

Spyware Detection Software

Spyware: a type of software that installs itself without the user’s permission, collects passwords, PIN numbers, and account numbers and sends them to another party

Spyware detection software: detects and eliminates spyware

Proper Handling and Disposal

Acceptable uses

Audit trails to monitor access

Encourage review for accuracy

Establish controls for information use after hours and off site

Shred or use locked receptacles for the disposal of items containing personal health information

The Impact of the Internet

Introduces new threats

E-mail and instant messages may carry personal health information that can be intercepted

Unapproved use of messages or Web sites can introduce malicious programs

Web sites used for personal health information may be inappropriately accessed

Implications for Mobile Computing

Devices are easily stolen.

Devices should require authentication and encryption to safeguard information security.

Devices should never be left where information may be seen by unauthorized viewers.

Verify wireless networks before use.

Responsibility for information and information system security is shared

Reference

Hebda, T. & Czar, P. (2013). Handbook of informatics for nurses and health care professionals (5th ed.). Upper Saddle River, New Jersey: Pearson.