Privacy & Security Requirements: from EHRs to PHRs

Similar documents
Privacy and Security within an Interoperable EHR

For ONC S&I DS4P. Dennis Giokas Chief Technology Officer Canada Health Infoway Inc. January 25, 2012

How To Understand The Health Care System In Canada

Electronic Health Record (EHR) Privacy and Security Requirements

Electronic Health Record Infostructure (EHRi)

SOA in the pan-canadian EHR

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Access & Correction Policy

Electronic Health Record Privacy Policies

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Privacy and Security Framework, February 2010

Domain 5 Information Security Governance and Risk Management

SOA in the pan-canadian EHR

Big Data, Big Risk, Big Rewards. Hussein Syed

Developing the Corporate Security Architecture. Alex Woda July 22, 2009

How To Ensure Health Information Is Protected

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

Data Governance Policy. Version October 2015

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Security Controls What Works. Southside Virginia Community College: Security Awareness

Information Security Management System Policy

Information Security Management System Information Security Policy

Canada Health Infoway Inc. White Paper on Information Governance of the Interoperable Electronic Health Record (EHR)

HIM Master s Degree Competencies* Domains, Subdomains, and Tasks 2007 and Beyond

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

ISO COMPLIANCE WITH OBSERVEIT

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

Governance and Management of Information Security

Approach to Information Security Architecture. Kaapro Kanto Chief Architect, Security and Privacy TeliaSonera

Information Blue Valley Schools FEBRUARY 2015

Privacy and EHR Information Flows in Canada. EHIL Webinar Series. Presented by: Joan Roch, Chief Privacy Strategist, Canada Health Infoway

Information Security Management Systems

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Personal Health Information Privacy Policy

Smart Open Services for European Patients Open ehealth initiative for a European large scale pilot of patient summary and electronic prescription

INFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013

CANADIAN PRIVACY AND DATA RESIDENCY REQUIREMENTS. White Paper

James Williams Ontario Telemedicine Network

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Information Security Program Management Standard

How To Write An Ehr Blueprint

Canada Health Infoway

Cloud Computing: Legal Risks and Best Practices

3rd Party Assurance & Information Governance outlook IIA Ireland Annual Conference Straightforward Security and Compliance

State of Oregon. State of Oregon 1

Information Security Program CHARTER

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information:

Altius IT Policy Collection Compliance and Standards Matrix

Data Management Policies. Sage ERP Online

Singapore s National Electronic Health Record

BMC s Security Strategy for ITSM in the SaaS Environment

INFORMATION SECURITY STRATEGIC PLAN

INFOWAY EHRI PRIVACY & SECURITY CONCEPTUAL ARCHITECTURE V1.1

Logging In: Auditing Cybersecurity in an Unsecure World

ISO Controls and Objectives

Overview. What are operational policies? Development, adoption, implementation

MICROSOFT OFFICE 365 PRIVACY IMPACT ASSESSMENT. Western Student E-Communications Outsourcing

The potential legal consequences of a personal data breach

ISO27001 Controls and Objectives

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES

Funding Privacy Commissioner of Canada: Secondary use of data from the EHR current governance challenges & potential approaches

University of Liverpool

2009 Progress in Comprehensive Care for Rare Blood Disorders Conference

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

Microsoft s Compliance Framework for Online Services

University of Pittsburgh Security Assessment Questionnaire (v1.5)

National Integrated Services Framework The Foundation for Future e-health Connectivity. Peter Connolly HSE May 2013

Information Security Program

Security Issues in Cloud Computing

Title Draft Pan-Canadian Primary Health Care Electronic Medical Record Content Standard, Version 2.0 Data Extract Specifi cation Business View

GE Measurement & Control. Cyber Security for NEI 08-09

Central Agency for Information Technology

Supplier Information Security Addendum for GE Restricted Data

Third-Party Access and Management Policy

Building Reference Security Architecture

Matthias Hauss- SRC Security Research & Consulting GmbH October PCI DSS Requirements in the Context of European Data Protection Law

Information security controls. Briefing for clients on Experian information security controls

IHE IT Infrastructure Technical Framework Supplement

CLASSIFICATION SPECIFICATION FORM

SECURITY INFRASTRUCTURE Standards and implementation practices for protecting the privacy and security of shared genomic and clinical data

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

Privacy and Cloud Computing for Australian Government Agencies

Authorized. User Agreement

John Essner, CISO Office of Information Technology State of New Jersey

Purpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public.

Privacy Risk Assessments

ADMINISTRATIVE POLICY # (2014) Information Security Roles and Responsibilities

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

Click to edit Master title style

EHR Standards Landscape

HIPAA SECURITY RISK ANALYSIS FORMAL RFP

IBX Business Network Platform Information Security Controls Document Classification [Public]

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

PII Compliance Guidelines

June 25, Ministry of Health Security enhancement roadmap

System Security Plan University of Texas Health Science Center School of Public Health

Third Party Security Requirements Policy

Architecture, Implementations, Integrations, and Technical Overview

Transcription:

Privacy & Security Requirements: from EHRs to PHRs Oct 28, 2010 Presented by André Carrington, P.Eng, CISSP, CISM, CISA, CIPP/C Director, Implementation, Privacy & Security, SPS

Purpose As suggested by this seminar s organizers, the purpose of this presentation is to assist Ontario stakeholders (eho, LHINs, etc) with informative (not normative) guidance, regarding the development, harmonization and/or maintenance of Privacy & Security (P&S) requirements, via resources, context, considerations and lessons learned. 2

Agenda Security vs. privacy Requirements EHRS blueprint requirements structure Example requirements EHRS blueprint scope Lessons learned, managing requirements Other sources of requirements Portal and PHR requirements 3

Information security vs. privacy Information security & privacy have similar organizational objectives to manage risk and meet due care; and to enable appropriate use and collaboration. That said, privacy pertains to personal information and the law; whereas security pertains to any asset, and has few explicit or specific legal obligations (due care is implicit). 4

Information security vs. privacy To be more specific, privacy pertains to the collection, use and disclosure of personal information with individual rights and organizational obligations set in federal, provincial and territorial laws Security pertains to the confidentiality, integrity and availability of any asset with implicit due care obligations with general requirements re the safeguards privacy principle with a few specific requirements in privacy laws and privacy commissioner/ombud orders 5

Requirements All requirements should trace back to business requirements Technical requirements may not trace back to functional requirements Business Requirements Functional Requirements Technical Requirements Diagram based on concept from Accenture Methods 6

Requirements may be created iteratively, complimenting and/or refining requirements from prior steps Source: TOGAF

EHRS Blueprint (v2) P&S Requirements The EHRS Blueprint Privacy & Security Requirements are identified as pertaining to: the EHR infostructure (EHRi) Point of Service (POS) systems connected to the EHRi organizations hosting components of the EHRi organizations connecting to the EHRi This allows people in different roles to focus on their respective areas. but they aren t organized this way Technical Administrative 8

EHRS Blueprint (v2) P&S Requirements^ are organized in accordance with the best practices they are based on: CAN/CSA-Q830-96 Model Code for the Protection of Personal Information (incorporated into PIPEDA) 10 principles (28 blueprint privacy requirements ) ISO 17799:2005 * Code of Practice for Information Security Management 11 control objectives (86 blueprint security requirements) * this standard was re-designated as ISO/IEC 27002:2008 ; and it is complimented by ISO 27799:2009. ^ http://knowledge.infoway-inforoute.ca/ehrsra/doc/ehr-privacy-security-requirements.pdf 9

The privacy code CAN/CSA-Q830-96 Model Code for the Protection of Personal Information (incorporated into PIPEDA^) Accountability Accuracy Identifying Purposes Safeguards Consent Openness Limiting Collection Individual Access Limiting Use, Disclosure, Retention Challenging Compliance ^ http://laws.justice.gc.ca/eng/p-8.6/page-4.html#anchorsc:1 10

The security code of practice ISO 17799:2005 * Code of Practice for Information Security Management Security policy Organising information security Asset management Human resources security Physical and environmental security Communications and operational management Access control Information systems acquisition, development and maintenance Security incident management Business continuity management Compliance * this standard was re-designated as ISO/IEC 27002:2005; and it is complimented by ISO 27799:2009. http://webstore.ansi.org/recorddetail.aspx?sku=incits%2fiso%2fiec+27002-2005 11

Example requirements PR19: Logging Access, Modification and Disclosure The EHRi and POS systems connected to the EHRi must: have a mechanism to record every access, modification or disclosure of PHI, together with the time and identity of the accessing user; have a mechanism to record every access, modification or disclosure of provider and user registration data, together with the time and identity of the accessing user; and Tech Requirement where required by law, have mechanisms to alert the organisation s individual accountable for privacy when [a breach of PHI is suspected] 12 ^ http://knowledge.infoway-inforoute.ca/ehrsra/doc/ehr-privacy-security-requirements.pdf

Policy & Procedures Example requirements Admin Requirement SR5: Assessing Threats and Risks from Third Parties Organisations hosting components of the EHRi must assess, by means of threat and risk analysis, the risks associated with access by external parties to hosted components or to facilities managed by external parties and must implement appropriate security controls where necessary to mitigate identified risks. SR17: Terminating User Access When Terminating Policy & Procedu Employment res All organisations hosting components of the EHRi or connecting to the EHRi must, as soon as possible, terminate the user access privileges of each permanent or temporary employee or thirdparty contractor who is a registered user of a POS connected to the EHRi or who has access to hosted components of the EHRi upon termination of their employment with the organisation. 13

EHRS blueprint v2 scope Focus: Interoperability EHR/POS, inter/intra EHR EHR services & infostructure Out of scope : most network security most logical design * detailed design some operations e.g. server hardening portals, PHRs, data warehouses, research, genomic databanks * except some requirements and use cases at the logical level other links: http://knowledge.infoway-inforoute.ca/ehrsra/doc/ehr-privacy-security.pdf http://forums.infoway-inforoute.ca/psa/psa_materials/ehr%20p%26s%20use%20cases/ http://www2.infoway-inforoute.ca/documents/chi_625_pia_rj13.pdf 14

Agenda checkpoint Security vs. privacy Requirements EHRS blueprint requirements structure Example requirements EHRS blueprint scope Lessons learned, managing requirements Other sources of requirements Portal and PHR requirements 15

How do we foster stakeholder agreement on common requirements? Understand stakeholders and their business drivers, opportunities, constraints Critical path The need to start now The need to be inclusive of future participants Pay attention to change management (tone at the top, heart of change champions, mavens) 16

Be a pragmatist, not a purist (look for options) Seek agreement on higher-level principles first vs. detailed requirements, to avoid getting stuck Don t worry about strict adherence to a method such as TOGAF. Disagreement about requirements, may be a timing issue re budget, availability of resources seek agreement on the roadmap, the process, the levels and even exceptions. use formal governance! 17

Case study: Quebec Legislation and regulations provide the ministry with a role responsible for the development and evolution of P&S requirements across the province; to create (as a facilitator) the mechanisms whereby the regional authorities can achieve consensus on a uniform level of P&S requirements/controls The required activity also met regional needs for P&S requirement management Cost savings re development; competition for annual assessment 18

Case study: Quebec (continued) The Ministry asks that every healthcare facility submit an annual compliance report to the requirements Self-assessments are submitted to a portal on the internal network Followed by corresponding paperwork, proof, letter of attestation (incl. exceptions and action plan) The Ministry can see the provincial security posture 19

Case study: TLI specification crypto update The spec must facilitate interoperability The spec must support algorithms and approaches that avoid undue risk, and meet requirements Each jurisdiction has their own roadmap to meet TLI CSEC and NIST have deprecated the use of lesser encryption key lengths and weaker algorithms Rather than deprecate in TLI (future versions may): In general, TLS clients and TLS servers negotiate the strongest mutually shared ciphersuite For implementations that meet the spec, the spec requires support for sufficient algorithms, which are then used by default, except for legacy systems http://forums.infoway-inforoute.ca/webx?14@785.hkkjaqspeke.190@.ef3665d http://forums.infowayinforoute.ca/pscwg/work%20program%20and%20discussion%20documents/tli%20specification/tli%20crypto %20Update%20v1.01%20AC%2020101020.pptx 20

Agenda checkpoint Security vs. privacy Requirements EHRS blueprint requirements structure Example requirements EHRS blueprint scope Lessons learned, managing requirements Other sources of requirements Portal and PHR requirements 21

P&S Resources and Standards spreadsheet Architecture Information & IT Governance Processes Implementation http://forums.infowayinforoute.ca/pscwg/meetings%20%26%20administration/fall%202010%20infoway%20partnership%2 0Conference%20Nov%2015%20-%2017%2C%202010 22

CHI Information Governance White Paper Provider and Community Rights Trust and Accountability Assessment and Compliance Respecting communities of interest UserId management and protection Accountability Information custodianship Openness Trans-border and crossjurisdictional data flow Assessment of governance Compliance mechanisms Liability and sanctions Risk assessment Patient Privacy Rights Quality Safeguards Access to information Data retention Information consent Archiving and disposal Information notices Accuracy and data quality Limiting collection Limiting disclosure and privacy protection Secondary use Access controls Electronic (digital) signatures Auditing and incident handling http://www.infowayinforoute.ca/admin/upload/dev/document/information%20governance%20paper%20final_20070328_en.pdf 23

P&S requirements in processes Governance P&S Activities and Deliverables Laws, Regulations, Commissioner Orders, Principles, Policy, Strategy/Budget/Plans, MOUs/Contracts/SLAs/ DSAs/ISAs, Risk Management, Committees/WGs, REBs/IRBs, Roles & Responsibilities, Enterprise Architecture, Business Continuity & Disaster Recovery, Change & Release Management, Standards, Procedures Project P&S Activities and Deliverables Project P&S Strategy/Plan, P&S Bus. & Tech Requirements, Data Classification/SOS i. P&S Conceptual Architecture, PIA, TRA, Review ii. P&S Logical Architecture, PIA, TRA, Review iii. P&S Detailed Design (or Physical Architecture), Review Peer Review, Configuration, Hardening, Testing, Vulnerability Assessment (VA) Security Quality Assurance, Certification & Accreditation, Penetration Testing & VA Base diagram from ISO 12207 Software Life Cycle - Waterfall Model Diagram concept by Andre Carrington User Access Review, Penetration Testing & VA Patch Management, Periodic Compliance Review, Security Awareness Training 24

Recently published resources to consider COACH Putting it into Practice: Privacy and Security for Healthcare Providers Implementing Electronic Medical Records Infoway s TLI Specification 3.0 HL7 PASS Audit domain analysis model HL7 EHR-S Functional Model ISO DTS 14265 Classification of Purposes for PHI ONCHIT Draft Model PHR Privacy Notice http://hssp-security.wikispaces.com/pass_audit http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov model_phr _privacy_notice/1176 25

Upcoming resources Aligning Jurisdictional EMR specifications to Infoway EMR (interoperability) specifications Health Information Privacy (HIP) group s Common Understandings paper ISO/IEC 29101.5 Privacy Reference Architecture HL7 PHR Functional Model ISO/IEC 29100.3 Privacy Framework 26

Personal Health Record (PHR) An electronic record of health-related information on an individual that conforms to nationally recognized interoperability standards and that can be drawn from multiple sources while being managed, shared, and controlled by the individual. The National Alliance for Health Information Technology: Defining Key Health Information Technology Terms, April 28, 2008

Typical P&S requirements in portals & PHRs Identity management capacity for large populations Consumer enrolment & authentication User agreements Privacy policies & statements/pias Browser privacy & security Server privacy & security Network security, penetration testing, audits Privacy protective e-mail notifications 28

Interesting privacy considerations in PHRs Consumer as custodian; provider is hands-off Consumer can impact privacy of third-parties Consumer understanding of privacy impacts re: sharing data with other users granting write access vs. custodianship sharing data with applications (esp. external) Potential unmediated consumer access to EHR data Consumer experience with PHRs may set expectations for EHRs re: consent granularity, use & disclosure reports, EHR export, research opt in/out Data retention after account closed Ongoing visibility of erroneous/corrected data 29

Interesting security considerations in PHRs PHR process of on-boarding the EHR and applications: requirements, agreements, processes EHR/PHR account connection/enrolment Authentication per Windows Live ID & Open ID Direct access by EHR/EMR to PHR, to correct data Security of data sharing invitations Secure e-mail 30

acarrington@infowayinforoute.ca Oct 28, 2010 Presented by André Carrington, P.Eng, CISSP, CISM, CISA, CIPP/C Director, Implementation, Privacy & Security, SPS

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information