2. Security
Security is the set of protections or safeguards (administrative, technical, or physical) put in place to secure protected health information. It pertains to the methods used to protect the privacy of patient information and the confidentiality of the patient encounter.
3. Objective
An organization needs to protect:
Information - documented (paper or electronic) data or intellectual property collected by and/or used to meet the organization's mission.
Systems - a combination of information, software and hardware that process and store information.
Services and Applications - software applications and services (operating system, database applications, networking software, office applications) that process, store and/or transmit information.
4. Security policy is based on the well-known security
components of:
Authentication
Encryption (transport security)
Authorization
Access Control
Auditing
Physical Security
5. Authentication
Authentication is the process of proving or confirming that an entity or person is who or what it claims to be. All entities and workforce members need to be authenticated prior to accessing electronic health information (EHI) in order to keep the data secured.
The organization should use a combination of operational practices and technological solutions to validate or authenticate that a person or entity attempting to access EHI is the one it claims to be.
6. Encryption
Encryption technology can protect patient health information, whether an EHR is locally installed or accessed over the Internet, from being read by unauthorized parties when it is transmitted or stored on any device, including mobile devices.
Encrypting patient health information puts it in a coded form that can only be read by an authorized user who has a "key."
7. Authorization
Authorization determines what informational resources an entity is permitted to access and what actions it will be allowed to perform (run, view, create, delete, or change).
Authorization to access information and other computing services begins with administrative policies and procedures. The policies prescribe what information and computing services can be accessed, by whom, and under what conditions.
8. Access Control
Access to protected information must be restricted to people who are authorized to access the information. The more sensitive or valuable the information, the stronger the control mechanisms need to be. The foundation on which access control mechanisms are built starts with identification and authentication.
Common access control mechanisms in use today include role-based access control, available in many advanced database management systems.
9. Auditing
Auditing gauges the level of compliance across an organization through self-audits, walk-throughs, person-to-person interviews, checklists or scorecards, and rating scales.
An audit trail is a record of each time data is altered, how it was altered and by whom. The information recorded includes the user's IP address, the patient, the data type, the access type and the time of access.
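To tie the Authorization, Access Control and Auditing slides together, here is an added example (not from the original slides) of a deny-by-default role-based access check that writes one audit-trail record per request, using the slide's action names (run, view, create, delete, change) and audit fields (user and IP address, patient, data type, access type, time). The role-to-permission table, role names and data types are constructed for illustration; recording denied attempts alongside successful ones goes a step beyond the slide, which describes the trail in terms of data alterations.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed role-to-permission table (an assumption, not from the slides):
# for each role, which of the actions run/view/create/delete/change it may
# perform on each data type. Anything not listed here is denied.
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "physician": {"clinical_note": {"view", "create", "change"},
                  "lab_result": {"view"}},
    "billing_clerk": {"billing_record": {"view", "create", "change"}},
    "records_admin": {"clinical_note": {"view", "delete"},
                      "lab_result": {"view", "delete"},
                      "billing_record": {"view", "delete"}},
}


@dataclass
class AuditEntry:
    """One audit-trail record carrying the fields the slide lists:
    user (and IP address), patient, data type, access type and time."""
    user_id: str
    user_ip: str
    patient_id: str
    data_type: str
    access_type: str
    outcome: str            # "allowed" or "denied"
    timestamp: datetime


class EhiAccessControl:
    """Role-based access control plus an append-only audit trail for EHI."""

    def __init__(self, role_permissions: Dict[str, Dict[str, Set[str]]] = ROLE_PERMISSIONS):
        self.role_permissions = role_permissions
        self.audit_trail: List[AuditEntry] = []

    def is_authorized(self, role: str, data_type: str, action: str) -> bool:
        # Deny by default: an unknown role, data type or action yields False.
        return action in self.role_permissions.get(role, {}).get(data_type, set())

    def request_access(self, user_id: str, user_ip: str, role: str, patient_id: str,
                       data_type: str, action: str,
                       now: Optional[datetime] = None) -> bool:
        allowed = self.is_authorized(role, data_type, action)
        # Every request, allowed or denied, becomes an audit record.
        self.audit_trail.append(AuditEntry(
            user_id, user_ip, patient_id, data_type, action,
            "allowed" if allowed else "denied",
            now or datetime.now(timezone.utc)))
        return allowed
```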