Index

A

Access control list (ACL) mechanisms, 93, 96

Access controls, 1, 5, 10, 80-81, 93-97, 115, 140-142, 161, 170, 217-218. See also Authentication; Threats

bypassing, 31, 58-59

monitoring, 9, 50, 99, 102, 110, 173

for networks, 2, 102-106

overriding, 94-95

recommended improvements in, 96-97, 104-105, 176

Accountability. See Access controls; Audit trails

Accreditation Manual for Hospitals, 49

Adverse consequences. See Privacy, interests at stake

Agencies. See Oversight agencies

AIDS information, 45, 133

Alcohol treatment information. See Substance abuse information

Alternative power, 101

American Health Information Management Association, 13n, 178, 183n

American Hospital Association, 13n, 183n

American Medical Association, 13n, 183n

American Medical Informatics Association, 13n, 183n

American National Standards Institute (ANSI), 47-48, 178

Americans with Disabilities Act (ADA), 38, 43-44

Anonymous care, 17, 96-97, 133, 192

problems with, 96n

ANSI. See American National Standards Institute (ANSI)

Assessment. See Self-assessment

Audit trails, 5, 8, 26, 62, 94-95, 97-99, 115, 135, 162, 170-171, 187. See also Access controls; Health information, giving patients access to

difficulties with, 29

expanding, 10, 165

recommended improvements in, 98-99, 176-177

tools to analyze, 17, 192-193




Authentication, 10, 86-92, 115, 161, 169-170, 217. See also Encryption

biometric, 92

of EMR creators, 10, 89, 101, 106, 177

of EMR users, 8, 62, 88-89, 140

reauthentication, 121

recommended improvements in, 89-92, 176-177

at remote locations, 8, 89, 104, 133, 171-172

token-based, 10, 88-89, 91-92, 125, 163

Authorization forms, 135-137

improving, 9, 174-175

Availability of data, 1n, 61, 65, 82, 93-94, 117n, 129

B

Backups, 8, 111-112, 116, 171, 218-219

recommended improvements in, 112

Backup tape disposal. See Degaussing

Bastion host, 103

Billing systems, 2, 160

Bill of rights, patient, 136

Biometric technologies. See Authentication, biometric

Blackmail, 57n

Break-in scripts. See Access controls, monitoring

C

Capitation system, 23

CERT. See Computer emergency response team (CERT)

College of Health Information Management Executives, 13n, 183n

Committees, 138-139. See also Institutional review boards (IRBs); Security and confidentiality committees

Common law protections, 39, 46

Common Object Request Broker Architecture (CORBA), 111

Complaints. See Patient privacy, complaints about

Compliance issues, 4, 33, 239-241

Computer-based Patient Record Institute (CPRI), 13n, 48, 150-151, 178, 183n

Computer disposal. See Degaussing

Computer emergency response team (CERT), 11, 106, 113-114, 179-180

Computer failure. See Backups

Computer Security Institute (CSI), 55

Confidentiality, 9, 11

defined, 1n, 20n

policies for, 130-131

warning screens, 146-147

Confidentiality agreements, 149-151

Confidentiality committees. See Security and confidentiality committees

Congress, recommendations for action by

for funding, 11, 179-180

for legislation, 12, 52-53, 186-187

Consensus-style decision making, 139

Consequences, adverse. See Privacy, interests at stake

Constitutional protections, 38-39, 42-43

Consumer awareness initiatives, 13

Consumer concerns, 45, 164. See also U.S. Office of Consumer Affairs

Continuing medical education courses, 144

Controls. See Access controls; Audit trails; Linkage of records, controlling; Rights management technologies; Secondary use, controlling; Software discipline

CORBA. See Common Object Request Broker Architecture (CORBA)

Core dump analyses, 121

CPRI. See Computer-based Patient Record Institute (CPRI)

Critiquing engines, 26

Cryptography. See Encryption

CSI. See Computer Security Institute (CSI)

D

DARPA. See Defense Advanced Research Projects Agency (DARPA)

Data

availability of (See Availability of data)

backups (See Backups)

collection, 11, 69

economic value of, 28, 56, 60

encryption (See Encryption)

flow (See Flow of data, representative example)

integrity of (See Integrity of data)

linking (See Linkage of records)

ownership of, 50, 216

patient-identifiable (See Patient-identifiable data)

secondary users of (See Secondary use, controlling)

security of (See Security of data)

sharing (See Sharing data)

Data custodians, 142

Data Encryption Standard (DES), 87

Data stewards, 141-142

Debate. See Public debate, need for

Decision support systems, 26

Defense, Department of, 41-42

Defense Advanced Research Projects Agency (DARPA), 11n, 106n, 113

Defense Information Systems Agency, 56

Degaussing, 100-101

Denial-of-service attacks, 64, 105-106

Department of Defense. See Defense, Department of

Department of Health, Education, and Welfare. See Health, Education, and Welfare, Department of

Department of Health and Human Services. See Health and Human Services, Department of

DES. See Data Encryption Standard (DES)

Detailing, 144

Dial-back procedure, 172

Dialysis patients, 229

Digital health care records. See Electronic medical records (EMRs)

Disaster recovery procedures. See Backups

Disciplinary policies and procedures, 4, 9, 12, 61, 81, 149, 151-153, 174, 214-215

incremental, 152

strengthening, 165

Discrimination issues. See Privacy, interests at stake

Distributed Computing Environment (DCE), 91, 96, 111, 125-126

DNS. See Domain Name Service (DNS) information

Domain Name Service (DNS) information, 103

Drug interactions, adverse, 225

Drug treatment information. See Substance abuse information

E

Education and training, 174

for health care workers, 4, 9, 13, 61-62, 109, 142-149, 215

formal, 143-144

informal, 144-145

for medical staff, 143-144, 146-147

for patients, 13

publications useful in, 147-148

videos useful in, 148-149

Elderly patients, 222

Electrical failure. See Alternative power; Backups

Electronic medical records (EMRs), 2-4, 21n, 25-26, 122-126, 216

advantages of, 26, 160

difficulties of building, 122-123

transition to, 122-123

E-mail, problems based on, 8, 61, 64

Embarrassing revelations. See Privacy, interests at stake

Emergencies. See Access controls, overriding; Backups

Emergency room care applications, 224, 229

Employee input into policy development, 138

Employee Retirement and Income Security Act (ERISA), 46, 165

Employees. See Authentication, of EMR users

educating (See Education and training)

Employment affected by health information. See Privacy, interests at stake

EMRs. See Electronic medical records (EMRs)

Encryption, 8, 10, 62, 64, 86-87, 106-108, 116, 121, 162, 172, 218

availability of, 124-125

Enforcement policy. See Disciplinary policies and procedures

ERISA. See Employee Retirement and Income Security Act (ERISA)

Event monitors. See Audit trails

External agents, 55, 162n, 216, 218

F

Fair Credit Reporting Act, 33

Fair Health Information Practices Act of 1997 (HIPA), 6n, 52-53

Fair Health Information Practices Act of 1995, 6n

Federal government. See Governments

Federal Register, 41-42, 182

Firewalls, 8, 64-65, 102-104

monitoring performance of, 104

Floppy disk disposal. See Degaussing

Flow of data, representative examples, 69-73, 195-196

Food and Drug Administration, 135

Forms. See Authorization forms, improving

Freedom of Information Act of 1966, 38, 41

G

Genetic information, 20n, 27, 45-46

misuse of, 77

Global

audit trails, 10

health care network, 105

Governments. See also Congress, recommendations for action by; Health and Human Services, Department of

collection of data by, 72-76, 135

role of, 10, 16, 178

H

Hacker scripts. See Access controls, monitoring

Hand geometry patterns. See Authentication, biometric

Handwritten notes, 132

Health, Education, and Welfare, Department of, 182, 185n

Health and Human Services, Department of, 6, 11-17, 52-53, 78, 118, 168, 178-181, 183-185, 192-194

Health Care Financing Administration (HCFA), 41-42

Health care industry, 65-81

recommended improvements in, 175-180

role of, 13, 178

standards needed, 5-6, 11, 45, 47-49, 125, 235-239

structural changes in, 2, 21-24

unregulated dissemination of information within (See Threats, systemic)

Healthcare Information and Management Systems Society, 13n, 183n

Health care organizations, 1-3, 54-65, 127-159. See also Health care providers

new roles for, 24, 162

policies, 166, 173, 213-214

development process, 138-139

implementation structures, 139-142

periodic review, need for, 154

recommended improvements in, 9, 153-159, 167-177

vulnerability to attack (See Threats)

Health care providers, 1-3, 82, 99

access to information, 4-5, 94-95, 129-131, 162-163

authentication (See Authentication, of EMR creators)

awareness of health data flows, 13

saving time of, 122 (See also Availability of data)

Health care researchers, 1-2, 13

use of health information, 134-135, 214

Health identifier. See Universal health identifiers

Health Informatics Standards Board (HISB), 47-48, 178

Health information, 69-72. See also Data; Marketing uses of health information

balancing privacy with public interest, 12, 34, 83, 129, 181

classes of, 94

giving patients access to, 9, 45n, 133, 137-138, 175, 213, 226

infrastructure, creating, 10, 105, 177-180

new users of, 23-24, 30-31, 65-69

protecting, 4-7, 26-33, 54-81, 117-122, 164-166 (See also Education and training; Information security officers; Ombudsman; Security and confidentiality committees)

acceptable uses of, 11

policies and procedures for, 9, 128-142

sanctions (See Disciplinary policies)

releasing, 135, 213

secondary users of (See Secondary use, controlling)

technology, 1, 7-10, 16-17, 82-126, 191-194 (See also Access controls; Audit trails; Authentication; Backups; Electronic medical records (EMRs); Linkage of records; Physical access to computers and records; Software discipline)

awareness of, 112-114

cost of, 20, 83, 125, 156

demand from health care organizations, 7, 123, 162-163

growing use of, 2, 161

investing in, 2-3, 16-17, 25

obstacles to using, 122-126

pace of change in, 35, 220

promoting exchange of, 16-17, 177, 214

trade-offs in, 4, 83

Health Insurance Portability and Accountability Act of 1996, 6, 14, 39, 53, 78, 118, 168, 185, 233-246

Health maintenance organizations (HMOs), 22, 146-147

Health Plan Employer Data and Information Set (HEDIS), 23

HIPA. See Fair Health Information Practices Act of 1997 (HIPA)

Hippocratic oath, 19n, 147

HISB. See Health Informatics Standards Board (HISB)

HIV information, 27, 45, 97, 131-132, 213

HMOs. See Health maintenance organizations (HMOs)

Home care applications, 224-225

Home computers, access from. See Authentication

I

Identifiers. See Universal health identifiers

IDSs. See Integrated delivery systems (IDSs)

Images, managing, 226

Inappropriate access. See Threats

Incremental backups, 112

Independent health care network, 105

Indian Health Service, 40

Industry, health care. See Health care industry

Information. See Health information

Information infrastructure. See Health information; National information infrastructure

Information management (IM) standards, 49, 157-158, 215

Information security officers, 9, 140, 174, 214-215

Informed consent, 137n

Institute of Medicine, 12n, 51

Institutional review boards (IRBs), 134-135, 214

Insurers, 4, 11

access to information, 95

new roles for, 24

Integrated delivery systems (IDSs), 2-3, 22, 119-120, 156-157

Integrated management models, 154

Integrity of data, 1n, 10, 80, 117n

Internal agents, 54-55, 151-152, 216

International Organization for Standardization (ISO), 48

Internet, 2, 8, 21, 56-59, 64-65, 97, 102-106, 172. See also Firewalls

faking addresses on, 89, 113

need for accountability on, 64

Internet Engineering Task Force, 193

IRBs. See Institutional review boards (IRBs)

ISO. See International Organization for Standardization (ISO)

J

JCAHO. See Joint Commission on Accreditation of Healthcare Organizations (JCAHO)

Joint Commission on Accreditation of Healthcare Organizations (JCAHO), 23, 49

K

Kerberos system, 90-91, 97, 107-108

Key distribution center (KDC) systems, 91, 97

L

Laptop computer users. See Authentication, at remote locations

Legal protections. See Security of data, legal framework

Legitimate users, hampering. See Availability of data

Linkage of records, 117-120, 185-186, 192

controlling, 14-17, 24, 79, 102-106, 115, 187-188

Local area networks (LANs), 102, 224

Low-birth-weight infants. See Newborns, high-risk

M

Magnetic strip swipe cards. See Authentication, token-based

Magnuson, Warren Grant. See Warren Grant Magnuson Clinical Center

Managed care programs, 22-24, 119-120, 146-147. See also Health maintenance organizations (HMOs)

Marketing uses of health information, 69

Med-CERT, 11, 179-180

Medical Information Bureau (MIB) Inc., 30, 32-33

Medical Privacy in the Age of New Technologies Act of 1996, 6n

Medical records, electronic. See Electronic medical records (EMRs)

Medical Records Confidentiality Act of 1995, 6n

Medical school training, changes needed in, 146

Medicare Conditions of Participation for Hospitals, 41-42

Medicare program, 15n, 38, 189, 233. See also Joint Commission on Accreditation of Healthcare Organizations (JCAHO)

Medication lists, 132

Mental health information, 45, 131. See also Psychiatric records

Mobile users. See Authentication, at remote locations

N

NAIC Act. See National Association of Insurance Commissioners (NAIC) Insurance Information and Privacy Protection Model Act

National Association of Insurance Commissioners (NAIC) Insurance Information and Privacy Protection Model Act, 32-33

National Committee for Quality Assurance, 23

National Committee on Vital and Health Statistics (NCVHS), 11, 53, 178, 243-245

National information infrastructure, 27, 105. See also Health information, infrastructure; National Library of Medicine (NLM)

National Institutes of Health, 2

National Library of Medicine (NLM), 2, 21, 194

awards to health care applications of the national information infrastructure, 222-232

Natural disasters. See Backups

NCVHS. See National Committee on Vital and Health Statistics (NCVHS)

Network File System (NFS), 113

Network Information System (NIS), 113

Networks. See Access controls, for networks; Internet; Local area networks (LANs)

Newborns, high-risk, 223-224

NFS. See Network File System (NFS)

NIS. See Network Information System (NIS)

NLM. See National Library of Medicine (NLM)

O

Office of Consumer Affairs. See U.S. Office of Consumer Affairs

Office of Technology Assessment (OTA), 50-51

Ombudsman proposal, 12, 14, 184, 187

Open Software Foundation (OSF), 91, 96

Organizational threats. See Threats

Organizations. See Health care organizations

OTA. See Office of Technology Assessment (OTA)

Outpatient care application, 229

Oversight agencies, 2, 4

P

Packet sniffers, 113

Password crackers. See Access controls, monitoring

Patient-identifiable data, 13-14, 20, 46, 66-68, 183-184, 235

restricting, 186

Patient identifiers. See Universal health identifiers

Patient privacy

complaints about, 98, 156, 163-164

protecting, 1, 6, 13-15, 19 (See also Education and training; Health information, protecting; Information security officers; Ombudsman; Security and confidentiality committees)

respect for, 128

right to, 158 (See also Bill of rights, patient; Rights management technologies)

establishing, 12, 45n, 136, 187

as fundamental, 27

and willingness to confide in providers, 81, 127, 129

Payers, 1-2. See also Insurers; Managed care programs; Medicare program; Self-insured employers

Perimeter identification and defense, 82, 95-96, 152

Pharmaceutical benefits programs, 4, 24, 77

Physical access to computers and records, 8, 57-58, 99-102, 115, 171, 216. See also Perimeter identification and defense

countermeasures presenting obstacles, 62, 64

Physicians. See Authentication, of EMR creators; Education and training, for medical staff; Health care providers

Portable computer users. See Authentication, at remote locations

Power outages. See Alternative power; Backups

Pretty Good Privacy system, 107

Privacy. See also Patient privacy

defined, 1n, 20n, 245-246

interests at stake, 4, 27-28, 51-52, 60, 65, 69-80, 185-186

tort right of, 46

violations of, 1n, 3, 77-78

recourse, 155, 163, 182 (See also Security of data, legal framework)

Privacy Act of 1974, 12, 37-42, 165, 181-182

Professional societies, role of, 13

Protecting health information. See Health information, protecting

Protecting Privacy in Computerized Medical Information, 50-51

Providers. See Health care providers

Proxy handlers, 103

Pseudonyms, use of, 17, 62, 192. See also Anonymous care

Psychiatric records, 27

Publications. See Education and training

Public debate, need for, 12-13, 180-181, 186. See also Consumer awareness initiatives

R

Real-time

quality assurance, 26

transmission of vital signs, 224

Reimbursement. See Capitation system; Insurers

Remote users, 101-102. See also Authentication

Reportable conditions, 74

Researchers. See Health care researchers

Retinal geometry patterns. See Authentication, biometric

Retraining, 149

Rights management technologies, 17, 84, 120-122, 193

Risk assessment, 130, 140

Rivest, Shamir, Adleman (RSA) system, 87

RSA. See Rivest, Shamir, Adleman (RSA) system

Rural care applications, 223, 225-228, 230-231

S

Sanctions. See Disciplinary policies and procedures

SATAN. See Security Administrator Tool for Analyzing Networks (SATAN)

Satellite communication technologies, 105

Screening router, 103

Screen scraping, 121

Secondary use, controlling, 17, 65-69, 120-122

Secure Sockets, 107

Secure Telephone Unit-III (STU-III) specification, 107-108

Security Administrator Tool for Analyzing Networks (SATAN), 109n, 114

Security and confidentiality committees, 9, 174

Security of data, 1, 6, 9, 115-116, 216-219. See also Access controls; Audit trails; Linkage of records, controlling; Rights management technologies; Secondary use, controlling; Software discipline; Threats

defined, 1n, 20n

legal framework, 5, 38-39, 52-53

policies for, 129-130

implementing, 5, 53

technology for (See Health information, technology)

Self-assessment, 112-114, 116, 173

Self-insured employers, 5, 30n, 47

Sharing data, 3, 24

Site visits, 3, 7, 50, 84-117

Study committee's guide for, 211-220

Smart card tokens. See Authentication, token-based

Social contract, 27n

Social Security Administration, 108, 118

Social Security number (SSN), 15-16, 79, 118-119, 189, 196, 216

Software discipline, 9, 108-111, 116, 173, 218. See also Viruses, computer

recommended improvements in, 110-111

Specialists, consulting with remote, 223, 231-232

State governments. See Governments

STU-III. See Secure Telephone Unit-III (STU-III) specification

Substance abuse information, 45, 131, 213

Suggestion boxes, 139n

Systemic concerns. See Threats, systemic

T

TCP wrappers, 172

Testbeds, 16-17, 193-194, 222-232

Threats, 1, 3, 5, 8, 83, 112-114, 121, 216. See also Blackmail; Denial-of-service attacks; Tunneling attacks

organizational, 3, 9, 54-65

countering, 61-62, 64-65

levels of, 59-61, 63

systemic concerns, 2, 4, 6, 12-14, 65-81, 164-165

Time-stamped incremental backups, 112

Token use. See Authentication, token-based

Tort right of privacy. See Privacy

Total quality management, 23

Training programs. See Education and training

Transcription services, 219

tripwire (software program), 109, 114

Trojan horses. See Viruses, computer

Tunneling attacks, 103

U

Unauthorized access. See Threats

Underserved patients, 222

Uniform Healthcare Information Act, 45

Unique health identifiers. See Universal health identifiers

Universal health identifiers, 6, 14-16, 78-81, 117-120, 185-190, 216, 237. See also Social Security number (SSN)

U.S. Office of Consumer Affairs, 14, 184

U.S. Postal Service, 107

User authentication. See Authentication

V

Validating access. See Access controls

Veterans Affairs, Department of, 15n, 40-41

Videos. See also Education and training

consultations using, 227

Viruses, computer, 9, 61, 108-109, 113

Vulnerability. See Threats

W

Warren Grant Magnuson Clinical Center, 2

Watermarking, 121

Wireless communication technologies, 104-105

World Wide Web, 28-29, 64, 226

browsers, 108

protecting, 107, 111

Z

Zero tolerance, 152