Scribd Logo
Upload

Welcome to Scribd!

  • Clinical Information System Security Policy

    Uploaded by

    wanya64
    181 views24 pages
    This document outlines the security policy for clinical information systems. It discusses how patient information must be kept confidential, the threats to confidentiality from insiders and technical issues, and establishes 9 security principles for access control, record opening, control, consent, persistence, attribution, information flow, aggregation control, and a trusted computing base. It concludes that threats have enforced the development of secure clinical information systems to protect patient data, but existing systems still have weaknesses and need further enhancement to ensure confidentiality.

    Original Description:

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document outlines the security policy for clinical information systems. It discusses how patient information must be kept confidential, the threats to confidentiality from insiders and technical issues, and establishes 9 security principles for access control, record opening, control, consent, persistence, attribution, information flow, aggregation control, and a trusted computing base. It concludes that threats have enforced the development of secure clinical information systems to protect patient data, but existing systems still have weaknesses and need further enhancement to ensure confidentiality.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    181 views24 pages

    Clinical Information System Security Policy

    Uploaded by

    wanya64
    This document outlines the security policy for clinical information systems. It discusses how patient information must be kept confidential, the threats to confidentiality from insiders and technical issues, and establishes 9 security principles for access control, record opening, control, consent, persistence, attribution, information flow, aggregation control, and a trusted computing base. It concludes that threats have enforced the development of secure clinical information systems to protect patient data, but existing systems still have weaknesses and need further enhancement to ensure confidentiality.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 24

    CSC 662 Computer Security

    CS2305B

    Introduction
    The patients information is the most important data for

    clinical affairs.
    ACH95 (Keeping Information Confidential)
    Doctors and other clinical professionals are worried

    that making personal health information more widely available may endanger patient confidentiality

    Scope of the policy


    Clinician
    Patient System

    Clinician
    Clinician (licensed professional such as a doctor, nurse,

    dentist physiotherapist or pharmacist) who has access in the line of duty to personal health information and is

    bound by a professional obligation of confidentiality.


    Social workers, students, charity workers and receptionists

    may access personal health information under the supervision of a healthcare professional (but the professional remains responsible for their conduct)

    Patient
    Patient (the individuals concerned or the individuals

    representative)
    The rules may depend on the wishes of the patient If the patient is a child, parent or guardian of a child will be

    acts on his behalf

    System
    System(hardware, software, communications and manual

    procedures which make up a connected information processing system)

    Threats and Vulnerabilities


    The ethical basis of clinical confidentiality
    In GMC (General Medical Council) booklet,

    Confidentiality state that doctors who record of

    confidential information must ensure that it is


    effectively protected against improper disclosure
    The basic ethical principle, state Confidentiality is the

    privilege of the patient, so only he way waive it and the consent must be informed, voluntary and competent

    Threats and Vulnerabilities


    The ethical basis of clinical confidentiality
    for example, patients must be made aware that

    information may be shared between members of a care

    team, such as a general practice or a hospital


    department
    There is the issue of the patient's consent to have his

    record kept on a computer system at all. It is unethical to discriminate against a patient who demands that his

    records be kept on paper instead

    Threats and Vulnerabilities


    Other security requirements for clinical information
    we also concerned with its integrity and availability If information is corrupted, clinicians may take incorrect

    decisions which harm or even kill patients.


    If information is unreliable, in the sense that it could

    have been corrupted then its value as a basis for clinical


    decisions is decrease

    Threats and Vulnerabilities


    Threats to clinical confidentiality
    Experience shows that the main new threat comes from

    insiders
    Eg : most of the big UK banks now let any teller access

    any customer's account (private detectives bribe tellers to get account information)

    Threats and Vulnerabilities


    Threats to clinical confidentiality
    security depends on the fragmentation and scattering

    inherent in manual record systems, and these systems

    are already vulnerable to private detectives ringing up


    and pretending to be from another healthcare provider.

    Threats and Vulnerabilities


    Other security threats to clinical information
    Hardware failures occasionally corrupt messages Higher error rates could result from the spreading

    practice of sending lab results as unstructured email


    messages
    Viruses have already destroyed clinical information, and

    a virus could conceivably be written to make malicious alterations to records


    A malicious attacker might also manipulate messages

    Security Policy
    Principle 1 : Access control
    Each identifiable clinical record shall be marked with an

    access control list naming the people or groups of

    people who may read it and append data to it


    The system shall prevent anyone not on the access

    control list from accessing the record in any way

    Security Policy
    Principle 2 : Record opening
    A clinician may open a record with herself and the

    patient on the access control list


    Where a patient has been refer, she may open a record

    with herself, the patient and the referring clinician on the access control list

    Security Policy
    Principle 3 : Control
    One of the clinicians on the access control list must be

    marked as being responsible.


    Only she may alter the access control list, and she may

    only add other health care professionals to it

    Security Policy
    Principle 4 : Consent and notification
    The responsible clinician must notify the patient of the

    names on his record's access control list when it is

    opened, of all subsequent additions, and whenever


    responsibility is transferred.
    His consent must also be obtained, except in emergency

    case

    Security Policy
    Principle 5 : Persistence
    No-one shall have the ability to delete clinical

    information until the appropriate time period has

    expired

    Security Policy
    Principle 6 : Attribution
    All accesses to clinical records shall be marked on the

    record with the subject's name, as well as the date and

    time
    An audit trail must also be kept of all deletions

    Security Policy
    Principle 7 : Information flow
    Information derived from record A may be appended to

    record B if and only if B's access control list is contained

    in A's

    Security Policy
    Principle 8 : Aggregation control
    There shall be effective measures to prevent the

    aggregation of personal health information

    Security Policy
    Principle 9 : The Trusted Computing Base
    Computer systems that handle personal health

    information shall have a subsystem that enforces the above principles in an effective way
    Its effectiveness shall be subject to evaluation by

    independent experts

    Conclusions
    Based on the experience, we can conclude that the threats

    to the confidentiality, integrity and availability of personal health information enforced the medical sector to developed a Clinical Information System that can give the high level protection to patients data.
    Clinicians making decisions must be compliance with CISS

    Policy

    Conclusions
    Nowadays, there is a lot of Clinical Information System but

    still have a weakness that can cause the data of patients spread
    So we need to enhance the already system so that we can

    keep the data as confidentiality

    Reference: Dr Rose, J. A., (1996). Security in Clinical Information System. Computer Laboratory University of Cambridge.

    THE END

    You might also like