Index
A
Access control list (ACL) mechanisms, 93, 96
Access controls, 1, 5, 10, 80-81, 93-97, 115, 140-142, 161, 170, 217-218.
See also Authentication;
Threats
monitoring, 9, 50, 99, 102, 110, 173
overriding, 94-95
recommended improvements in, 96-97, 104-105, 176
Accountability. See Access controls;
Audit trails
Accreditation Manual for Hospitals, 49
Adverse consequences. See Privacy, interests at stake
Agencies. See Oversight agencies
Alcohol treatment information. See Substance abuse information
Alternative power, 101
American Health Information Management Association, 13n, 178, 183n
American Hospital Association, 13n, 183n
American Medical Association, 13n, 183n
American Medical Informatics Association, 13n, 183n
American National Standards Institute (ANSI), 47-48, 178
Americans with Disabilities Act (ADA), 38, 43-44
Anonymous care, 17, 96-97, 133, 192
problems with, 96n
ANSI. See American National Standards Institute (ANSI)
Assessment. See Self-assessment
Audit trails, 5, 8, 26, 62, 94-95, 97-99, 115, 135, 162, 170-171, 187.
See also Access controls;
Health information, giving patients access to
difficulties with, 29
Authentication, 10, 86-92, 115, 161, 169-170, 217.
See also Encryption
biometric, 92
of EMR creators, 10, 89, 101, 106, 177
of EMR users, 8, 62, 88-89, 140
reauthentication, 121
recommended improvements in, 89-92, 176-177
at remote locations, 8, 89, 104, 133, 171-172
token-based, 10, 88-89, 91-92, 125, 163
Authorization forms, 135-137
Availability of data, 1n, 61, 65, 82, 93-94, 117n, 129
B
Backups, 8, 111-112, 116, 171, 218-219
recommended improvements in, 112
Backup tape disposal. See Degaussing
Bastion host, 103
Bill of rights, patient, 136
Biometric technologies. See Authentication, biometric
Blackmail, 57n
Break-in scripts. See Access controls, monitoring
C
Capitation system, 23
CERT. See Computer emergency response team (CERT)
College of Health Information Management Executives, 13n, 183n
Committees, 138-139.
See also Institutional review boards (IRBs);
Security and confidentiality committees
Common law protections, 39, 46
Common Object Request Broker Architecture (CORBA), 111
Complaints. See Patient privacy, complaints about
Compliance issues, 4, 33, 239-241
Computer-based Patient Record Institute (CPRI), 13n, 48, 150-151, 178, 183n
Computer disposal. See Degaussing
Computer emergency response team (CERT), 11, 106, 113-114, 179-180
Computer failure. See Backups
Computer Security Institute (CSI), 55
policies for, 130-131
warning screens, 146-147
Confidentiality agreements, 149-151
Confidentiality committees. See Security and confidentiality committees
Congress, recommendations for action by
for legislation, 12, 52-53, 186-187
Consensus-style decision making, 139
Consequences, adverse. See Privacy, interests at stake
Constitutional protections, 38-39, 42-43
Consumer awareness initiatives, 13
See also U.S. Office of Consumer Affairs
Continuing medical education courses, 144
Controls. See Access controls;
Audit trails;
Linkage of records, controlling;
Rights management technologies;
Secondary use, controlling;
Software discipline
CORBA. See Common Object Request Broker Architecture (CORBA)
Core dump analyses, 121
CPRI. See Computer-based Patient Record Institute (CPRI)
Critiquing engines, 26
Cryptography. See Encryption
CSI. See Computer Security Institute (CSI)
D
DARPA. See Defense Advanced Research Projects Agency (DARPA)
Data
availability of (See Availability of data)
backups (See Backups)
encryption (See Encryption)
flow (See Flow of data, representative example)
integrity of (See Integrity of data)
linking (See Linkage of records)
patient-identifiable (See Patient-identifiable data)
secondary users of (See Secondary use, controlling)
security of (See Security of data)
sharing (See Sharing data)
Data custodians, 142
Data Encryption Standard (DES), 87
Data stewards, 141-142
Debate. See Public debate, need for
Decision support systems, 26
Defense, Department of, 41-42
Defense Advanced Research Projects Agency (DARPA), 11n, 106n, 113
Defense Information Systems Agency, 56
Degaussing, 100-101
Denial-of-service attacks, 64, 105-106
Department of Defense. See Defense, Department of
Department of Health, Education, and Welfare. See Health, Education, and Welfare, Department of
Department of Health and Human Services. See Health and Human Services, Department of
DES. See Data Encryption Standard (DES)
Detailing, 144
Dial-back procedure, 172
Dialysis patients, 229
Digital health care records. See Electronic medical records (EMRs)
Disaster recovery procedures. See Backups
Disciplinary policies and procedures, 4, 9, 12, 61, 81, 149, 151-153, 174, 214-215
incremental, 152
strengthening, 165
Discrimination issues. See Privacy, interests at stake
Distributed Computing Environment (DCE), 91, 96, 111, 125-126
DNS. See Domain Name Service (DNS) information
Domain Name Service (DNS) information, 103
Drug interactions, adverse, 225
Drug treatment information. See Substance abuse information
E
Education and training, 174
for health care workers, 4, 9, 13, 61-62, 109, 142-149, 215
formal, 143-144
informal, 144-145
for medical staff, 143-144, 146-147
for patients, 13
publications useful in, 147-148
videos useful in, 148-149
Elderly patients, 222
Electrical failure. See Alternative power;
Backups
Electronic medical records (EMRs), 2-4, 21n, 25-26, 122-126, 216
difficulties of building, 122-123
transition to, 122-123
E-mail, problems based on, 8, 61, 64
Embarrassing revelations. See Privacy, interests at stake
Emergencies. See Access controls, overriding;
Backups
Emergency room care applications, 224, 229
Employee input into policy development, 138
Employee Retirement and Income Security Act (ERISA), 46, 165
Employees. See Authentication, of EMR users
educating (See Education and training)
Employment affected by health information. See Privacy, interests at stake
EMRs. See Electronic medical records (EMRs)
Encryption, 8, 10, 62, 64, 86-87, 106-108, 116, 121, 162, 172, 218
availability of, 124-125
Enforcement policy. See Disciplinary policies and procedures
ERISA. See Employee Retirement and Income Security Act (ERISA)
Event monitors. See Audit trails
External agents, 55, 162n, 216, 218
F
Fair Credit Reporting Act, 33
Fair Health Information Practices Act of 1997 (HIPA), 6n, 52-53
Fair Health Information Practices Act of 1995, 6n
Federal government. See Governments
monitoring performance of, 104
Floppy disk disposal. See Degaussing
Flow of data, representative examples, 69-73, 195-196
Food and Drug Administration, 135
Forms. See Authorization forms, improving
Freedom of Information Act of 1966, 38, 41
G
Genetic information, 20n, 27, 45-46
misuse of, 77
Global
audit trails, 10
health care network, 105
Governments. See also Congress, recommendations for action by;
Health and Human Services, Department of
collection of data by, 72-76, 135
H
Hacker scripts. See Access controls, monitoring
Hand geometry patterns. See Authentication, biometric
Handwritten notes, 132
Health, Education, and Welfare, Department of, 182, 185n
Health and Human Services, Department of, 6, 11-17, 52-53, 78, 118, 168, 178-181, 183-185, 192-194
Health Care Financing Administration (HCFA), 41-42
Health care industry, 65-81
recommended improvements in, 175-180
standards needed, 5-6, 11, 45, 47-49, 125, 235-239
structural changes in, 2, 21-24
unregulated dissemination of information within (See Threats, systemic)
Healthcare Information and Management Systems Society, 13n, 183n
Health care organizations, 1-3, 54-65, 127-159.
See also Health care providers
development process, 138-139
implementation structures, 139-142
periodic review, need for, 154
recommended improvements in, 9, 153-159, 167-177
vulnerability to attack (See Threats)
Health care providers, 1-3, 82, 99
access to information, 4-5, 94-95, 129-131, 162-163
authentication (See Authentication, of EMR creators)
awareness of health data flows, 13
saving time of, 122
(See also Availability of data)
Health care researchers, 1-2, 13
use of health information, 134-135, 214
Health identifier. See Universal health identifiers
Health Informatics Standards Board (HISB), 47-48, 178
Health information, 69-72.
See also Data;
Marketing uses of health information
balancing privacy with public interest, 12, 34, 83, 129, 181
classes of, 94
giving patients access to, 9, 45n, 133, 137-138, 175, 213, 226
infrastructure, creating, 10, 105, 177-180
new users of, 23-24, 30-31, 65-69
protecting, 4-7, 26-33, 54-81, 117-122, 164-166
(See also Education and training; Information security officers; Ombudsman; Security and confidentiality committees)
acceptable uses of, 11
policies and procedures for, 9, 128-142
sanctions (See Disciplinary policies)
secondary users of (See Secondary use, controlling)
technology, 1, 7-10, 16-17, 82-126, 191-194
(See also Access controls; Audit trails; Authentication; Backups; Electronic medical records (EMRs); Linkage of records; Physical access to computers and records; Software discipline)
awareness of, 112-114
demand from health care organizations, 7, 123, 162-163
obstacles to using, 122-126
promoting exchange of, 16-17, 177, 214
Health Insurance Portability and Accountability Act of 1996, 6, 14, 39, 53, 78, 118, 168, 185, 233-246
Health maintenance organizations (HMOs), 22, 146-147
Health Plan Employer Data and Information Set (HEDIS), 23
HIPA. See Fair Health Information Practices Act of 1997 (HIPA)
HISB. See Health Informatics Standards Board (HISB)
HIV information, 27, 45, 97, 131-132, 213
HMOs. See Health maintenance organizations (HMOs)
Home care applications, 224-225
Home computers, access from. See Authentication
I
Identifiers. See Universal health identifiers
IDSs. See Integrated delivery systems (IDSs)
Images, managing, 226
Inappropriate access. See Threats
Incremental backups, 112
Independent health care network, 105
Indian Health Service, 40
Industry, health care. See Health care industry
Information. See Health information
Information infrastructure. See Health information;
National information infrastructure
Information management (IM) standards, 49, 157-158, 215
Information security officers, 9, 140, 174, 214-215
Informed consent, 137n
Institute of Medicine, 12n, 51
Institutional review boards (IRBs), 134-135, 214
access to information, 95
new roles for, 24
Integrated delivery systems (IDSs), 2-3, 22, 119-120, 156-157
Integrated management models, 154
Integrity of data, 1n, 10, 80, 117n
Internal agents, 54-55, 151-152, 216
International Organization for Standardization (ISO), 48
Internet, 2, 8, 21, 56-59, 64-65, 97, 102-106, 172.
See also Firewalls
need for accountability on, 64
Internet Engineering Task Force, 193
IRBs. See Institutional review boards (IRBs)
ISO. See International Organization for Standardization (ISO)
J
JCAHO. See Joint Commission on Accreditation of Healthcare Organizations (JCAHO)
Joint Commission on Accreditation of Healthcare Organizations (JCAHO), 23, 49
K
Kerberos system, 90-91, 97, 107-108
Key distribution center (KDC) systems, 91, 97
L
Laptop computer users. See Authentication, at remote locations
Legal protections. See Security of data, legal framework
Legitimate users, hampering. See Availability of data
Linkage of records, 117-120, 185-186, 192
controlling, 14-17, 24, 79, 102-106, 115, 187-188
Local area networks (LANs), 102, 224
Low-birth-weight infants. See Newborns, high-risk
M
Magnetic strip swipe cards. See Authentication, token-based
Magnuson, Warren Grant. See Warren Grant Magnuson Clinical Center
Managed care programs, 22-24, 119-120, 146-147.
See also Health maintenance organizations (HMOs)
Marketing uses of health information, 69
Medical Information Bureau (MIB) Inc., 30, 32-33
Medical Privacy in the Age of New Technologies Act of 1996, 6n
Medical records, electronic. See Electronic medical records (EMRs)
Medical Records Confidentiality Act of 1995, 6n
Medical school training, changes needed in, 146
Medicare Conditions of Participation for Hospitals, 41-42
Medicare program, 15n, 38, 189, 233.
See also Joint Commission on Accreditation of Healthcare Organizations (JCAHO)
Medication lists, 132
Mental health information, 45, 131.
See also Psychiatric records
Mobile users. See Authentication, at remote locations
N
NAIC Act. See National Association of Insurance Commissioners (NAIC) Insurance Information and Privacy Protection Model Act
National Association of Insurance Commissioners (NAIC) Insurance Information and Privacy Protection Model Act, 32-33
National Committee for Quality Assurance, 23
National Committee on Vital and Health Statistics (NCVHS), 11, 53, 178, 243-245
National information infrastructure, 27, 105.
See also Health information, infrastructure;
National Library of Medicine (NLM)
National Institutes of Health, 2
National Library of Medicine (NLM), 2, 21, 194
awards to health care applications of the national information infrastructure, 222-232
Natural disasters. See Backups
NCVHS. See National Committee on Vital and Health Statistics (NCVHS)
Network File System (NFS), 113
Network Information System (NIS), 113
Networks. See Access controls, for networks;
Internet;
Local area networks (LANs)
Newborns, high-risk, 223-224
NFS. See Network File System (NFS)
NIS. See Network Information System (NIS)
NLM. See National Library of Medicine (NLM)
O
Office of Consumer Affairs. See U.S. Office of Consumer Affairs
Office of Technology Assessment (OTA), 50-51
Ombudsman proposal, 12, 14, 184, 187
Open Software Foundation (OSF), 91, 96
Organizational threats. See Threats
Organizations. See Health care organizations
OTA. See Office of Technology Assessment (OTA)
Outpatient care application, 229
P
Packet sniffers, 113
Password crackers. See Access controls, monitoring
Patient-identifiable data, 13-14, 20, 46, 66-68, 183-184, 235
restricting, 186
Patient identifiers. See Universal health identifiers
Patient privacy
complaints about, 98, 156, 163-164
(See also Education and training; Health information, protecting; Information security officers; Ombudsman; Security and confidentiality committees)
respect for, 128
right to, 158
(See also Bill of rights, patient; Rights management technologies)
establishing, 12, 45n, 136, 187
as fundamental, 27
and willingness to confide in providers, 81, 127, 129
Payers, 1-2.
See also Insurers;
Managed care programs;
Medicare program;
Self-insured employers
Perimeter identification and defense, 82, 95-96, 152
Pharmaceutical benefits programs, 4, 24, 77
Physical access to computers and records, 8, 57-58, 99-102, 115, 171, 216.
See also Perimeter identification and defense
countermeasures presenting obstacles, 62, 64
Physicians. See Authentication, of EMR creators;
Education and training, for medical staff;
Health care providers
Portable computer users. See Authentication, at remote locations
Power outages. See Alternative power;
Backups
Pretty Good Privacy system, 107
Privacy. See also Patient privacy
defined, 1n, 20n, 245-246
interests at stake, 4, 27-28, 51-52, 60, 65, 69-80, 185-186
tort right of, 46
(See also Security of data, legal framework)
Privacy Act of 1974, 12, 37-42, 165, 181-182
Professional societies, role of, 13
Protecting health information. See Health information, protecting
Protecting Privacy in Computerized Medical Information, 50-51
Providers. See Health care providers
Proxy handlers, 103
Pseudonyms, use of, 17, 62, 192.
See also Anonymous care
Psychiatric records, 27
Publications. See Education and training
Public debate, need for, 12-13, 180-181, 186.
See also Consumer awareness initiatives
R
Real-time
quality assurance, 26
transmission of vital signs, 224
Reimbursement. See Capitation system;
Insurers
Remote users, 101-102.
See also Authentication
Reportable conditions, 74
Researchers. See Health care researchers
Retinal geometry patterns. See Authentication, biometric
Retraining, 149
Rights management technologies, 17, 84, 120-122, 193
Rivest, Shamir, Adleman (RSA) system, 87
RSA. See Rivest, Shamir, Adleman (RSA) system
Rural care applications, 223, 225-228, 230-231
S
Sanctions. See Disciplinary policies and procedures
SATAN. See Security Administrator Tool for Analyzing Networks (SATAN)
Satellite communication technologies, 105
Screening router, 103
Screen scraping, 121
Secondary use, controlling, 17, 65-69, 120-122
Secure Sockets, 107
Secure Telephone Unit-III (STU-III) specification, 107-108
Security Administrator Tool for Analyzing Networks (SATAN), 109n, 114
Security and confidentiality committees, 9, 174
Security of data, 1, 6, 9, 115-116, 216-219.
See also Access controls;
Audit trails;
Linkage of records, controlling;
Rights management technologies;
Secondary use, controlling;
Software discipline;
Threats
legal framework, 5, 38-39, 52-53
policies for, 129-130
technology for (See Health information, technology)
Self-assessment, 112-114, 116, 173
Self-insured employers, 5, 30n, 47
Study committee's guide for, 211-220
Smart card tokens. See Authentication, token-based
Social contract, 27n
Social Security Administration, 108, 118
Social Security number (SSN), 15-16, 79, 118-119, 189, 196, 216
Software discipline, 9, 108-111, 116, 173, 218.
See also Viruses, computer
recommended improvements in, 110-111
Specialists, consulting with remote, 223, 231-232
State governments. See Governments
STU-III. See Secure Telephone Unit-III (STU-III) specification
Substance abuse information, 45, 131, 213
Suggestion boxes, 139n
Systemic concerns. See Threats, systemic
T
TCP wrappers, 172
Testbeds, 16-17, 193-194, 222-232
Threats, 1, 3, 5, 8, 83, 112-114, 121, 216.
See also Blackmail;
Denial-of-service attacks;
Tunneling attacks
systemic concerns, 2, 4, 6, 12-14, 65-81, 164-165
Time-stamped incremental backups, 112
Token use. See Authentication, token-based
Tort right of privacy. See Privacy
Total quality management, 23
Training programs. See Education and training
Transcription services, 219
tripwire (software program), 109, 114
Trojan horses. See Viruses, computer
Tunneling attacks, 103
U
Unauthorized access. See Threats
Underserved patients, 222
Uniform Healthcare Information Act, 45
Unique health identifiers. See Universal health identifiers
Universal health identifiers, 6, 14-16, 78-81, 117-120, 185-190, 216, 237.
See also Social Security number (SSN)
U.S. Office of Consumer Affairs, 14, 184
U.S. Postal Service, 107
User authentication. See Authentication
V
Validating access. See Access controls
Veterans Affairs, Department of, 15n, 40-41
Videos. See also Education and training
consultations using, 227
Viruses, computer, 9, 61, 108-109, 113
Vulnerability. See Threats
W
Warren Grant Magnuson Clinical Center, 2
Watermarking, 121
Wireless communication technologies, 104-105
World Wide Web, 28-29, 64, 226
browsers, 108
Z
Zero tolerance, 152