Data Privacy and Security

The Privacy Standards and the Security Standards are necessarily linked. Any health record system requires safeguards to ensure that the data is available when needed and that the information is not used, disclosed, accessed, altered, or deleted inappropriately while being stored or retrieved or transmitted. The Security Standards work together with the Privacy Standards to establish appropriate controls and protections. Health sector entities that are required to comply with the Privacy Standards must also comply with the Security Standards.
Organizations must consider several factors when adopting security measures. How a healthcare provider satisfies the security requirements, and which technology it uses to do so, are business decisions left to the individual organization. In deciding what security measures to adopt, an organization must consider its size, complexity, and capabilities; its technical infrastructure and the security capabilities of its hardware and software; the cost of particular security measures; and the probability and degree of the potential risks to the ePHI it stores, retrieves and transmits.
The security standards require healthcare providers to implement reasonable and appropriate administrative, physical, and technical safeguards to:
  • ensure the confidentiality, integrity, and availability of all the e-PHI they create, transmit, receive, or maintain 
  • protect against reasonably anticipated threats or hazards to the security or integrity of their e-PHI 
  • protect against uses or disclosures of the e-PHI that are not required or permitted under the Privacy Standards 
  • ensure their workforce will comply with their security policies and procedures 
To protect the ePHI it handles, a healthcare provider must implement technical safeguards as part of its security plan. Technical safeguards are the use of technology to protect ePHI by controlling access to it. The safeguards must therefore address the following standards, focusing on the functionalities each one requires. Note that the provider will need an EHR/EMR solution that can robustly demonstrate that it possesses these functionalities and that they work.
The basic requirements for security and privacy are provided in the following standard:
1. ISO/TS 14441:2013 Health Informatics – Security & Privacy Requirements of EHR Systems for Use in Conformity Assessment 
  • Locally within the system, it must be verifiable that a person or entity seeking access to electronic health information is indeed who it claims to be and is authorized to access that information. 
  • Across the network, however extensive it might be, it must likewise be verifiable that a person or entity seeking access to electronic health information over the network is who it claims to be and is authorized to access that information in accordance with the standard specified in this document. 
Automatic log-off: An electronic session must be forcibly terminated after a predetermined period of inactivity. To log back in, the user must start a new login session. However, for the sake of ergonomics, it is recommended that the unsaved state of the system at the time of automatic log-off be saved and presented back to the user for further action. This should be a user-specific feature.
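The automatic log-off described above, as an added example that is not part of the standard's text: a small session manager that terminates a session after a fixed idle period, parks whatever was unsaved at that moment under the user's own identity, and hands it back on that user's next login (and to nobody else). The idle timeout value, the opaque session token and the injected clock are assumptions for illustration; the standard only says "predetermined".

```python
"""Added example (not from the EHR standard): inactivity-based automatic
log-off that preserves unsaved work per user.

Assumptions (hypothetical, not specified by the page): sessions are
identified by an opaque token, a clock function is injected so the
timeout can be exercised deterministically, and unsaved state is a dict.
"""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

IDLE_TIMEOUT_SECONDS = 15 * 60  # constructed value; the standard says only "predetermined"


@dataclass
class Session:
    user_id: str
    token: str
    last_activity: float
    unsaved_state: dict = field(default_factory=dict)


class SessionManager:
    def __init__(self, clock: Callable[[], float], idle_timeout: float = IDLE_TIMEOUT_SECONDS):
        self._clock = clock
        self._idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}
        # Work that was unsaved at forced log-off, keyed by user so that
        # only the same user ever gets it back.
        self._parked_state: Dict[str, dict] = {}

    def login(self, user_id: str) -> Tuple[str, Optional[dict]]:
        """Start a fresh session; return any state parked by an earlier auto log-off."""
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = Session(user_id, token, self._clock())
        restored = self._parked_state.pop(user_id, None)
        return token, restored

    def touch(self, token: str, unsaved_state: Optional[dict] = None) -> bool:
        """Record activity on a session, optionally updating its unsaved state.

        Returns False when the session has already been terminated, in which
        case the caller must send the user through a new login.
        """
        session = self._get_live(token)
        if session is None:
            return False
        session.last_activity = self._clock()
        if unsaved_state is not None:
            session.unsaved_state = unsaved_state
        return True

    def _get_live(self, token: str) -> Optional[Session]:
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._clock() - session.last_activity >= self._idle_timeout:
            self._force_logoff(session)  # lazily enforce the timeout on use
            return None
        return session

    def _force_logoff(self, session: Session) -> None:
        """Terminate the session and park its unsaved work for that user only."""
        del self._sessions[session.token]
        if session.unsaved_state:
            self._parked_state[session.user_id] = session.unsaved_state

    def reap_idle(self) -> int:
        """Sweep every session (e.g. from a timer); returns how many were terminated."""
        expired = [s for s in list(self._sessions.values())
                   if self._clock() - s.last_activity >= self._idle_timeout]
        for s in expired:
            self._force_logoff(s)
        return len(expired)
```

The timeout is enforced both lazily (any request on an expired session fails and must go through login again) and by a periodic sweep, so a session that simply goes silent is still closed. Parked state is keyed by user id, which is what makes the restore user-specific.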
The advisory standard for overall information security management in health is:
2. ISO 27799 Health informatics - Information Security Management in Health using ISO/IEC 27002 
Implementation Guideline: ISO 27799 is provided as the basic advisory standard for security management. Other security management standards, practices and guidelines given by law (such as the IT Act 2000 and its amendments) or by regulatory, statutory or certification bodies (such as the National Accreditation Board for Hospitals & Healthcare Providers (NABH)) should be taken into consideration when designing and/or implementing a health record system.
Access control: The solution must assign a unique name and/or number for identifying and tracking user identity, and establish controls that permit only authorized users to access electronic health information. In an emergency where access controls need to be suspended in order to save a life, users who are authorized for emergency situations will be permitted unfettered access to electronic health information for as long as the emergency situation remains valid.
Access Privileges: Ideally only clinical care providers should have access rights to a person’s clinical records. However, different institutional care providers have widely varying access privileges specified that are institution-specific. No country-wide standards can be specified for this at least at this point in time.
For privilege management and access control, the following standards may be used:
3. ISO 22600:2014 Health informatics - Privilege Management and Access Control (Part 1 through 3) 
Implementation Guideline: The ISO 22600 set of standards is provided as an advisory standard for policy-based access control. For the purpose of privilege management, rule- or policy-based access is expected to give better control and flexibility in defining and enforcing access control. Access control mechanisms such as role-based, policy-based, or single-user (applicable in the case of a mobile-based PHR) are acceptable as long as they conform to the applicable data security law(s) and rules as well as the policy of the organization where they are implemented.
Audit log:
  • All actions related to electronic health information, in accordance with the standard specified in this document and including viewing, should be recorded. 
  • All actions based on user-defined events must be recorded. 
  • All or a specified set of recorded audit information, upon request or at a set period of time, must be electronically displayed or printed for user/administrative review. 
  • All actions related to electronic health information must be recorded with the date, time, record identification, and user identification whenever any electronic health information is created, modified (non-clinical data only), deleted (stale and non-clinical data only), or printed; and an indication of which action(s) took place must also be recorded. 
  • A cross-enterprise secure transaction that contains sufficient identity information for the receiver to make access control decisions and produce detailed and accurate security audit trails should preferably be used within the system. 
The advisory standard for audit trails / logs in a health record system is:
4. ISO 27789:2013 Health informatics - Audit Trails for Electronic Health Records 
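Putting the access-control requirement, its emergency exception and the audit-log requirements together, as an added example that is not part of the standard or of any named product: a role/policy access check in which users authorized for emergencies can open a time-bounded "break-glass" window, and every decision (permitted, permitted under emergency, or denied) is written to an immutable audit entry carrying the date/time, user identifier, record identifier and action. The roles, policy table, emergency duration and reference time are constructed for illustration.

```python
"""Added example (not from the standard): policy-based access control with a
time-bounded emergency override, where every decision is audited with the
date/time, record identifier, user identifier and action.

The roles, the policy table and the four-hour emergency window are
constructed assumptions; an EHR would load them from its configuration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Constructed policy table: which roles may perform which actions on clinical records.
POLICY: Dict[str, Set[str]] = {
    "physician": {"view", "create", "modify"},
    "nurse": {"view", "create"},
    "billing_clerk": set(),        # administrative staff: no clinical access
    "emergency_responder": set(),  # no routine access; relies on break-glass
}
EMERGENCY_ROLES = {"physician", "emergency_responder"}  # roles allowed to declare an emergency

T0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)  # constructed reference time


def at(minutes: int = 0) -> datetime:
    """Helper for the examples: T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)


@dataclass(frozen=True)
class User:
    user_id: str  # the unique identifier the access-control requirement calls for
    role: str


@dataclass(frozen=True)
class AuditEntry:
    """One immutable audit record: date/time, user, record, action and outcome."""
    timestamp: str
    user_id: str
    record_id: str
    action: str
    outcome: str  # "permitted", "permitted-emergency" or "denied"
    reason: str


@dataclass(frozen=True)
class EmergencyGrant:
    justification: str
    valid_until: datetime


class AccessController:
    def __init__(self, emergency_duration: timedelta = timedelta(hours=4)):
        self.audit_log: List[AuditEntry] = []
        self._grants: Dict[str, EmergencyGrant] = {}
        self._emergency_duration = emergency_duration

    def declare_emergency(self, user: User, justification: str, now: datetime) -> bool:
        """Open a time-bounded break-glass window; only emergency-authorized roles may."""
        if user.role not in EMERGENCY_ROLES:
            self._record(now, user, "-", "declare_emergency", "denied", "role not authorized for emergencies")
            return False
        self._grants[user.user_id] = EmergencyGrant(justification, now + self._emergency_duration)
        self._record(now, user, "-", "declare_emergency", "permitted", justification)
        return True

    def authorize(self, user: User, record_id: str, action: str, now: datetime) -> bool:
        """Decide whether user may perform action on record_id; every decision is audited."""
        if action in POLICY.get(user.role, set()):
            self._record(now, user, record_id, action, "permitted", "role policy")
            return True
        grant = self._grants.get(user.user_id)
        if grant is not None and now < grant.valid_until:
            # Unfettered access, but only inside the window, and logged as emergency access.
            self._record(now, user, record_id, action, "permitted-emergency", grant.justification)
            return True
        if grant is not None:
            del self._grants[user.user_id]  # window expired: access reverts to normal policy
        self._record(now, user, record_id, action, "denied", "no role policy and no valid emergency grant")
        return False

    def _record(self, now: datetime, user: User, record_id: str,
                action: str, outcome: str, reason: str) -> None:
        self.audit_log.append(AuditEntry(now.isoformat(), user.user_id, record_id, action, outcome, reason))
```

Two design points worth noting: the emergency grant is scoped to the user who declared it and expires on its own, so "for the duration of the emergency" is enforced by the system rather than by someone remembering to revoke it; and emergency accesses are logged with a distinct outcome and the stated justification, so they can be reviewed separately from routine access.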
  • During data transit, it must be verifiable, in accordance with the standard specified in this document, that the electronic health information has not been altered in transit. 
  • Detection of events: all alterations and deletions of electronic health information and of audit logs must be detected, in accordance with the standard specified in this document. 
  • Appropriate verification that electronic health information has not been altered in transit shall be possible at any point in time. A secure hashing algorithm must be used to verify that electronic health information has not been altered in transit, and it is recommended that the Secure Hash Algorithm (SHA) used be SHA-256 or higher. 
  • Generally, all electronic health information must be encrypted and decrypted as necessary according to organization-defined preferences, using the best available encryption key strength (minimum 256-bit key). 
  • During data exchange, all electronic health information must be suitably encrypted and decrypted over an encrypted and integrity-protected link. 
  • Secure transmission standards and mechanisms must be used both to allow access to health information and to transmit data from one application / site to another. For this purpose, HTTPS, SSL v3.0, and TLS v1.2 standards should be used. Please refer to the relevant IETF, IEEE, ISO, and FIPS standards for the same. 
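The integrity and transmission bullets above, worked through as an added example using only the Python standard library (this is not code from the standard or from any EHR product). It shows three things: a SHA-256 hash chain over audit-log entries so that any altered or deleted entry is detected, including the edge case that a deletion at the tail is only caught when the verifier holds the expected head digest; an HMAC-SHA256 tag over a record for the receiver to verify it was not altered in transit (a keyed MAC is used rather than a bare hash, since whoever can alter the data can also recompute an unkeyed digest); and a TLS client context that validates the server certificate and refuses anything below TLS 1.2. The text also lists SSL v3.0; that protocol version was deprecated by the IETF in RFC 7568 and is not enabled here. The shared key and the sample log entries are constructed placeholders.

```python
"""Added example (not from the standard): tamper-evident audit log,
keyed transit integrity tag, and a TLS 1.2-minimum client context.

TRANSIT_KEY is a constructed placeholder; a real deployment provisions
the key out of band and never hard-codes it.
"""
import hashlib
import hmac
import json
import ssl
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # anchor digest for the first audit entry
TRANSIT_KEY = b"placeholder-shared-key-for-illustration-only"


def canonical(obj: dict) -> bytes:
    """Stable byte encoding so that writer and verifier hash exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_chained(log: List[dict], entry: dict) -> dict:
    """Append an audit entry whose SHA-256 digest covers its content and the previous digest."""
    prev = log[-1]["digest"] if log else GENESIS
    digest = hashlib.sha256(prev.encode("ascii") + canonical(entry)).hexdigest()
    sealed = dict(entry, prev=prev, digest=digest)
    log.append(sealed)
    return sealed


def verify_chain(log: List[dict], expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Walk the chain; return (True, -1) if intact, else (False, index of first bad entry).

    Altering or deleting an entry in the middle breaks the link to the next entry.
    Deleting entries from the end is only caught when the verifier knows the
    expected head digest, so keep that head where the log writer cannot reach it.
    """
    prev = GENESIS
    for i, sealed in enumerate(log):
        content = {k: v for k, v in sealed.items() if k not in ("prev", "digest")}
        expected = hashlib.sha256(prev.encode("ascii") + canonical(content)).hexdigest()
        if sealed.get("prev") != prev or sealed.get("digest") != expected:
            return False, i
        prev = sealed["digest"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)  # trailing entries were removed
    return True, -1


def seal_for_transit(record: dict, key: bytes = TRANSIT_KEY) -> dict:
    """Attach an HMAC-SHA256 tag computed over the canonical record bytes."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_transit(envelope: dict, key: bytes = TRANSIT_KEY) -> bool:
    """Receiver-side check that the record arrived unaltered (constant-time compare)."""
    expected = hmac.new(key, canonical(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope.get("tag", ""))


def tls_client_context() -> ssl.SSLContext:
    """Client context that validates the server certificate and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, hostname checking, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context enforces TLS >= 1.2 with certificate and hostname validation."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname))


if __name__ == "__main__":
    log: List[dict] = []
    append_chained(log, {"timestamp": "2024-01-01T08:00:00+00:00", "user_id": "u100",
                         "record_id": "rec-1", "action": "view"})  # constructed sample entry
    print("chain intact:", verify_chain(log, log[-1]["digest"]))
    print("tls strict:", tls_context_is_strict(tls_client_context()))
```

The hash chain gives detection of alteration and deletion, which the standard asks for, but not prevention; the head digest (or a periodic signature over it, where the digital certificates below are in use) should be stored or published where the same administrators who write the log cannot rewrite it, otherwise a deletion at the tail goes unnoticed.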
Digital Certificates:
The use of digital certificates for identification and digital signing is recommended in a health record system. A health record system must use the following standard where digital certificates are used:
5. ISO 17090 Health informatics - Public Key Infrastructure (Part 1 through 5) 
The Administrative Safeguards require healthcare providers to develop and implement a security management process that includes policies and procedures addressing the full range of their security vulnerabilities. Being administrative in nature, these need to be internally designed and developed as standard operating procedures (SOPs) that are published for all users to see and adhere to. Monitoring adherence may be delegated to the Privacy Officer described in the Data Ownership chapter above. To comply with the Administrative Safeguards, a healthcare provider must implement the following standards:
  • The security management process standard, to prevent security violations; 
  • Assigned security responsibility, to identify a security officer; 
  • Workforce security, to determine e-PHI user access privileges; 
  • Information access management, to authorize access to e-PHI; 
  • Security awareness training, to train staff members in security awareness; 
  • Security incident procedures, to handle security incidents; 
  • Contingency plan, to protect e-PHI during an unexpected event; and 
  • Evaluation, to evaluate an organization's security safeguards. 
Physical safeguards are security measures that protect a healthcare provider's electronic information systems, related equipment, and the buildings housing the systems from natural and environmental hazards and from unauthorized intrusion. Healthcare providers must fulfil the following standards. However, since most of the implementation specifications in this category are addressable, healthcare providers have flexibility in determining how to comply with the requirements, as long as the measures are internally designed and developed under the relevant SOP and published for all users to see and adhere to. Monitoring adherence may be delegated to the Privacy Officer described in the Data Ownership chapter above.
The required physical standards are:
  • The facility access control standard, to limit actual physical access to electronic information systems and the facilities where they're located; 
  • The workstation use standard, to control the physical attributes of a specific workstation or group of workstations, to maximize security; 
  • The workstation security standard, to implement physical safeguards to deter the unauthorized access of a workstation; and 
  • The device and media controls standard, to control the movement of any electronic media containing ePHI from, to or within the facility. 

  • PUBLISHED DATE : Jun 03, 2015
  • LAST UPDATED ON : Jan 10, 2017