Home - Knowledge
Center - Healthcare Technologies
- Emerging Technologies
SECURITY TECHNOLOGIES
Healthcare computer systems process a lot of data and there
has been rising concerns in an industry already committed to protecting patient
information. The Health Information Portability and Accountability Act in the
United States and the Data Protection Act in the United Kingdom, backed by the
European Directive on Data Protection, are some of the laws that have been
passed to patients’ privacy and confidentiality are protected whenever their
details are processed by healthcare computer systems.
The onus is now on healthcare organisations to secure data on
their systems as stated out in these laws. Failure to comply will result in
fines being brought against the offending organisations and in some cases
criminal charges.
advertisement
Security technologies are available to assist prevent
unauthorised access of patient information. Three areas that these technologies
have been addressing are
- Data Theft –This includes unauthorised copy of data
and equipment theft, especially common with mobile computing devices.
- Unauthorised access of patient data – This can
occur at remote access points, where the intruder accesses data at a computer
that has been left unattended. It could also occur when intruders hack
externally into the a network and either access the data at the central server
or ‘listen’ for data as it is being passed round the network.
- Unintentional access of patient data – This occurs
in situations where members of a healthcare organisation are not authorised to
view some or all of a patient’s information but still have access to it. This
can lead to events when such information is accidentally viewed.
SECURITY MEASURES
User Identification
All users logging into the information system need to be
correctly and successfully identified. Typing in a password and an ID, both of
which would be verified against one another, usually does this.
In large organisations with multiple systems, a single user
may have a variety of passwords with multiple IDs, to access data on disparate
systems. Having to remember all the passwords can be a burden and sometimes a
security risk, as users might tend to write down their passwords, which can be
found and used to illegally gain access to a system. Sometimes to make things
easier for themselves, users might choose a password so trivial that intruders
can easily guess it.
The use of single-sign technology can eliminate that problem.
Single-sign technology, when installed across the various systems allows a user
to have a single ID and password that can be used to log on to them. This
simplifies the setting up and managing of passwords and IDs for multiple users
and address the security risk that are associated with multiple passwords.
While the use of passwords is probably the most common and
easiest way of identifying users, biometrics is another. Biometrics technology
allows users to use distinct physical attributes about themselves such
fingerprints or their iris to be scanned in order to identify themselves.
Another identification technology would be that of the smart
cards. These are credit card sized plastic cards with embed microprocessor or
memory chips and when used with a reader provider an adequate method of
identification.
Data Access
The use of firewalls provides the first line of defence in the
defence of illegal access to a network. Firewalls, which can either be software
or hardware, sit between a system’s network and the outside world. It monitors
and when necessary blocks traffic when triggered by a set of rules.
Unauthorised access by employees of an organisation is also a
worry. The user’s profession usually determines access to information and the
type of information the user is allowed to view. While medical data and
sometimes therapeutic data of individual patients should be made available to
certain healthcare professional (such as their designated physician), it should
be made readily available to all. There are now systems that are available that
can determine the level of access whenever a user logs on the system.
Data Encryption
This involves the encoding of data such that only personnel
with the proper authorisation can decode and view it. The most common method of
encryption is the use of the Public Key infrastructure along with digital
certificates. This involves the use a secret key to encrypt information, which
can then be stored or transmitted. The encrypted data is digitally certified to
authenticate its validity and can only be decrypted through the use of a
similar key.
The ease at which intruders can decrypt the data by other
means depend son the strength of the encryption. The greater the strength, the
harder it is to decrypt. 40 bits encryptions are generally considered weak and
are easily decoded. Most security experts recommend encryption strengths of 128
bits or more.
This has been a bone of contention for many US organisations
as the US government has placed a restriction on systems that use encryption
strengths of more than 64 bits. Luckily the healthcare sector has been exempt
from that rule and would definitely benefit from using systems that offer
encryptions of 128 bits or more.
While software and hardware might aid organisations in
securing patient data, social and organisational factors might also need to
addressed as well. Installing of hardware in secure places, not writing down or
choosing trivial passwords as well as periodically changing them, turning on
password protected screen savers when leaving a computer unattended are just
some of the things that could a long way in securing data.
|