Information Technology Reference
In-Depth Information
health officials without specific patient consent. What are the over-riding societal
needs in this regard?
Security:
Privacy is about what persons or entities have legitimate access to PHI.
Security is about preventing unauthorized access. It's a highly technical topic so we
will only discuss it at a high level here.
Data breaches most often come about because an employee with legitimate access
either cooperates with someone who wants unauthorized access or innocently does
something that provides such access. A recent incident in a metro Atlanta hospital
caused it to turn away patients for a few days because of “malware” (a virus or other
software program designed to disrupt computers or steal data) infecting its comput-
ers and data network. It is likely that an employee introduced the malware by bring-
ing an infected USB flash drive (USB memory stick) to work. Once present in a
networked computer system, malware can spread rapidly and can damage data files
or even transmit sensitive information to computers outside that network, making
such information available to the creators of the malware. Most commonly the target
of the creators is information that can be converted into money, such as credit card
information or information that could be used to create fraudulent healthcare claims.
A well-publicized incident of this type occurred in Florida where an employee of the
Cleveland Clinic sold PHI for 1,100 patients to her cousin who owned a medical
claims processing business and used the data to generate millions of dollars in fraud-
ulent claims. [
13
] A different but also high profile incident involved curious hospital
employees looking at the records of a number of celebrities. [
14
]
Another potential source of concern, particularly in healthcare, is the loss or theft
of mobile computing devices. Incidents of this kind are often reported in the press
when they occur. [
15
] Mobile devices should be protected by strong passwords that
are changed at a reasonably frequent interval. Moreover, the data on the disks in
these devices should be encrypted so that even a thief who can get around the pass-
word protection cannot access the data.
A third area of concern is the movement of PHI over networks, particularly the
Internet. Here encryption is not optional. The Internet was not designed with secu-
rity in mind. It was originally used by only a few national research laboratories that
knew and trusted each other.
The importance of encryption of PHI is highlighted by the new trends in health
information exchange, such as DIRECT. In the following chapters we'll see that
cloud-based tools for data transport are increasingly being used in clinical practice
particularly outside of the hospital. These trends only amplify the need for routine
use of encryption to assure data is not compromised.
So, what exactly is encryption? This is a highly mathematical subject and any-
thing beyond a very basic conceptual explanation is outside the scope of this topic.
[
16
] In healthcare information exchange we are primarily concerned with a kind of
encryption called public key encryption. The central idea is that two very large
numbers are generated in a way that they are mathematically related, but determin-
ing one from the other is prohibitively time consuming and expensive. The end
products are a “public key” that can be made available to everyone that an individual
or business wants to securely share information with and a “private key” that, impor-
tantly, only that individual or business has access to.
