
UNIT-3

INFORMATION TECHNOLOGY
INFORMATION ARCHITECTURE AND TECHNOLOGIES THAT SUPPORT HEALTH CARE INFORMATION SYSTEMS:
We believe that an exposure to some of the core technologies used to develop and implement common health care information systems is quite useful. This knowledge will help health care executives be more informed decision makers. We discuss technologies used in each of the following categories:
- System software
- Data management and access
- Networks and data communications
- Information processing distribution schemes
- The Internet, intranets, and extranets
- Clinical and managerial decision support
- Trends in user interactions with systems

System Software:
In this section we will begin with a general discussion of software and then define programming languages, operating systems, and interface engines. There are two basic types of software: 1. systems software and 2. applications software. These two types of software have a common characteristic: both represent a series of computer programs. Remember that at its most basic level of functioning the computer recognizes two things, an electrical impulse that is on and an electrical impulse that is off; these signals are often represented as 0 and 1 (or bits). A human programmer must write programming code to translate the desires of the user into computer actions. There are many different programming languages in use today, and they continue to evolve. Machine languages are the oldest computer programming languages. Machine language programmers had to literally translate each character or operator into binary code, displayed as groups of 0s and 1s. Machine languages are often referred to as first generation languages. Fortunately, by the 1950s, assembly languages, the second generation languages, were developed, which simplified machine language programming.

The +'!cedu'$" +'!#'$))i # "$ #u$#es +third generation," for example" /2'T'and #2B23" came along shortly after the assembly languages" allowing programmers to write computer programs without being as concerned with manually producing the machine language. T!d$(- %!u'th #e e'$ti! "$ #u$#es ./GLs0- which have many preprogrammed functions" allow individuals to develop applications without writing a single line of program code themselves. The software creates the code in the background" invisibly from the developer4s point of view. !n the data management section we will discuss st'uctu'ed 1ue'( "$ #u$#e .S2L," which is an example of a 563. T&! !the' t(+es of programming frequently used today are ,isu$" +'!#'$))i # $ d !*3ect-!'ie ted +'!#'$))i #. The most common type of ,isu$" +'!#'$))i # is .icrosoft4s 7isual Basic" which allows developers to see the final visual appearance of an application"such as the buttons" scroll8down menus" and windows" as they develop the application. The !*3ect-!'ie ted "$ #u$#es differ from traditional procedural languages in that they allow the programmer to create ob9ects that include the operations +methods, linked to the data. /or example" a master patient index +.:!, ob9ect would contain both the .:! data" such as medical record number" last name" first name" and so forth" and the procedures that use this data" such as assigning the medical record number" retrieving patient names by medical record number" and so forth. 2b9ect8oriented languages allow chunks of code to be reused and facilitate program maintenance. #ommon ob9ect8oriented programming languages are #;; and <ava. O+e'$ti # S(ste)s System software is a series of programs that carry out basic computing functions$ F!' e4$)+"e .anaging the user interface" files" and memory. System software also operates any peripherals linked to the computer" such as printers" monitors" and other devices. 
System software is what allows developers to create applications without having to include basic computer instructions. The operating system is loaded when a computer is turned on and it is responsible for managing all other programs that are subsequently used by the computer. Common types of operating systems are Windows (in several different versions), Mac OS, Unix, and Linux.

Operating systems may be proprietary or open source. Proprietary operating systems include Windows and Mac OS. In the 1990s open source (or nonproprietary) operating systems became viable when a Finnish graduate student, Linus Torvalds, developed a variant of the operating system Unix, called Linux.

Interface Engines:
An interface engine is "a software program designed to simplify the creation and management of interfaces between application systems". Interfaces between applications became increasingly important as health care systems moved from best of breed to more integrated architectures. Organizations wanted to eliminate the need for entering patient demographic information multiple times into separate systems, for example. In fact, users began to ask for a single sign-on system so they could access all the information they needed through a single user interface. Interface engines are actually a form of middleware, a class of software that works "between" or "in the middle" of applications and operating systems. Other examples of middleware are applications that check for viruses, medical logic processors, and data encryption software.

A t(+ic$" i te'%$ce e #i e !+e'$tes i th'ee *$sic ste+s:


- typical one8to8many transaction involving a hospital admissionAdischargeAtransfer +-DT, system. The -DT system needs to communicate to the lab and pharmacy systems that a patient has been admitted. The -DT system sends a message with the relevant demographic and account detail to the interface engine. The interface engine receives the message" processes it as necessary" and places it in a queue" or wait line" for delivery to the lab and pharmacy systems. The message is subsequently forwarded from the queue to those systems. Some interface engines can handle many8to8many transactions as well as one8to8many transactions. .essages are received by the interface engine from multiple systems and are then forwarded to multiple systems.
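The three steps above as an added, runnable example (not code from the course notes): a store-and-forward queue that receives a constructed, simplified HL7 v2 style ADT^A01 message, validates it, and delivers one copy each to the lab and pharmacy systems, holding the copy for any system that is unreachable. The message content, the routing table, and the system names LAB and PHARMACY are assumptions.

```python
"""Store-and-forward interface engine for a one-to-many ADT transaction.

Added example; not code from the course notes. The message is a constructed,
simplified pipe-delimited ADT^A01 message in the HL7 v2 style (MSH, PID, PV1
segments); the routing table and system names LAB and PHARMACY are assumptions.
"""
from collections import deque
from dataclasses import dataclass, field

# Constructed sample message sent by the ADT system for one admission.
# Segments are separated by carriage return, fields by "|", as in HL7 v2.
ADT_MESSAGE = "\r".join([
    "MSH|^~\\&|ADT|HOSP|ENGINE|HOSP|200501011200||ADT^A01|MSG0001|P|2.3",
    "PID|1||MRN000123||DOE^JANE||19600101|F",
    "PV1|1|I|WARD3^BED12",
])


def parse_message(raw):
    """Split a message into {segment id: [fields]}; index 0 is the segment id."""
    segments = {}
    for seg in raw.split("\r"):
        if seg:
            fields = seg.split("|")
            segments[fields[0]] = fields
    return segments


@dataclass
class InterfaceEngine:
    routes: dict                                   # message type -> receiving systems
    queue: deque = field(default_factory=deque)    # store-and-forward queue
    delivered: dict = field(default_factory=dict)  # system -> delivered control ids
    rejected: list = field(default_factory=list)   # messages that failed processing

    def receive(self, raw):
        """Steps 1-2: accept the ADT message, process (validate) it, and queue
        one copy per destination. Returns True if queued, False if rejected."""
        msg = parse_message(raw)
        msh, pid = msg.get("MSH"), msg.get("PID")
        # MSH-9 (message type) lands at index 8 after splitting on "|", because
        # the separator itself counts as MSH-1; PID-3 is the patient identifier.
        if msh is None or pid is None or len(msh) < 10 or len(pid) < 4:
            self.rejected.append(raw)
            return False
        msg_type, control_id, mrn = msh[8], msh[9], pid[3]
        if not (mrn.startswith("MRN") and mrn[3:].isdigit()):
            self.rejected.append(raw)   # never forward an unusable identifier
            return False
        for dest in self.routes.get(msg_type, []):
            self.queue.append((dest, control_id, msg))
        return True

    def forward(self, available):
        """Step 3: deliver queued messages to systems that are reachable now.
        Messages for unreachable systems stay queued for a later attempt."""
        pending = deque()
        while self.queue:
            dest, control_id, msg = self.queue.popleft()
            if dest in available:
                self.delivered.setdefault(dest, []).append(control_id)
            else:
                pending.append((dest, control_id, msg))
        self.queue = pending
        return {dest: len(ids) for dest, ids in self.delivered.items()}


if __name__ == "__main__":
    engine = InterfaceEngine(routes={"ADT^A01": ["LAB", "PHARMACY"]})
    engine.receive(ADT_MESSAGE)
    print(engine.forward({"LAB"}))              # pharmacy down: its copy waits
    print(engine.forward({"LAB", "PHARMACY"}))  # delivered once pharmacy is back
```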

Data Management and Access:

A newer database structure is the object-oriented database (OODB). The basic component in the OODB is an object rather than a table. An object includes both data and the relationships among the data in a single conceptual structure. An object-oriented database management system (OODBMS) uses classes and subclasses that inherit characteristics from one another in a hierarchical manner.

Relational Databases:

[Figure: a one-to-many interface engine transaction. The ADT system sends a transaction (1) to the interface engine's store-and-forward queue, which forwards it to the LAB and Pharmacy (3) systems.]

Data Dictionaries:
One very important step in developing a database to use in a health care application is the development of the data dictionary. The data dictionary gives both users and developers a clear understanding of the data elements contained in the database. A typical data dictionary allows for the documentation of:
- Table names
- All attribute or field names
- A description or definition of each data element
- The data type of the field (text, number, date, and so forth)
- The format of each data element (such as DD-MM-YYYY for the date)
- The size of each field (such as 11 characters for a Social Security Number, including the dashes)
- An appropriate range of values for the field (such as integers 000000-999999 for a medical record number)
- Whether or not the field is required (is it a primary key or linking key?)
- Relationships among fields

Clinical Data Repositories:
Many health care organizations, particularly those moving toward electronic medical records, develop clinical data repositories. Although these databases can take different forms, in general, the clinical data repository is a large database that gets data from various data stores within application systems across the organization.

Data Warehouses and Data Marts:
A data warehouse is a type of large database designed to support decision making in an organization. Traditionally, health care organizations have collected data in a variety of on-line transactional processing (OLTP) systems, such as the traditional relational database and clinical data repository.
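An added example (not code from the course notes) of putting the data dictionary described above to work: the dictionary entries carry the type, format, size, range and required flags the notes list, and a validator checks an incoming record against them before it is stored. The table, its fields and the sample records are constructed for illustration.

```python
"""Validate records against a data dictionary of the kind the notes describe.

Added example; not code from the course notes. The dictionary entries and the
sample records are constructed; the DD-MM-YYYY date format, the 11-character
SSN and the 000000-999999 medical record number range follow the notes.
"""
import re
from datetime import datetime

# Date formats written the way a data dictionary states them, mapped to strptime.
DATE_FORMATS = {"DD-MM-YYYY": "%d-%m-%Y"}

# Constructed data dictionary for a "patient" table.
PATIENT_DICTIONARY = {
    "medical_record_number": {
        "description": "Identifier assigned at registration (primary key)",
        "type": "number", "size": 6, "range": (0, 999999), "required": True,
    },
    "ssn": {
        "description": "Social Security Number, including the dashes",
        "type": "text", "format": r"^\d{3}-\d{2}-\d{4}$", "size": 11,
        "required": False,
    },
    "date_of_birth": {
        "description": "Date of birth", "type": "date",
        "format": "DD-MM-YYYY", "size": 10, "required": True,
    },
    "last_name": {
        "description": "Family name", "type": "text", "size": 40,
        "required": True,
    },
}


def validate_record(record, dictionary):
    """Return a list of violations; an empty list means the record conforms."""
    errors = []
    for name, spec in dictionary.items():
        value = record.get(name)
        if value in (None, ""):
            if spec.get("required"):
                errors.append(f"{name}: required field missing")
            continue
        text = str(value)
        if len(text) > spec["size"]:
            errors.append(f"{name}: length {len(text)} exceeds size {spec['size']}")
        if spec["type"] == "number":
            if not text.isdigit():
                errors.append(f"{name}: not an integer")
            else:
                lo, hi = spec["range"]
                if not lo <= int(text) <= hi:
                    errors.append(f"{name}: {text} outside range {lo:06d}-{hi:06d}")
        elif spec["type"] == "date":
            try:
                datetime.strptime(text, DATE_FORMATS[spec["format"]])
            except ValueError:
                errors.append(f"{name}: not in format {spec['format']}")
        elif "format" in spec and not re.match(spec["format"], text):
            errors.append(f"{name}: does not match format {spec['format']}")
    # Fields the dictionary does not define are rejected rather than stored silently.
    for name in record:
        if name not in dictionary:
            errors.append(f"{name}: not defined in data dictionary")
    return errors


if __name__ == "__main__":
    sample = {"medical_record_number": "1000000", "ssn": "123456789",
              "date_of_birth": "1960-01-01", "diagnosis": "x"}
    for problem in validate_record(sample, PATIENT_DICTIONARY):
        print(problem)
```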

Comparison of an OLTP database and a data warehouse, by characteristic:

Purpose
  OLTP database: Support transaction processing
  Data warehouse: Support decision support

Source of data
  OLTP database: Business transactions
  Data warehouse: Multiple files, databases; data internal and external to the firm

Data access by user
  OLTP database: Read and write
  Data warehouse: Read only

Primary data access mode
  OLTP database: Simple database update and query
  Data warehouse: Simple and complex database queries with increasing use of data mining to recognize patterns in the data

Primary database model employed
  OLTP database: Relational
  Data warehouse: Relational

Level of detail
  OLTP database: Detailed transactions
  Data warehouse: Often summarized data

Availability of historical data
  OLTP database: Very limited, typically a few weeks or months
  Data warehouse: Multiple years

Update process
  OLTP database: On-line, ongoing process as transactions are captured
  Data warehouse: Periodic process, once per week or once per month

Ease of update
  OLTP database: Routine and easy
  Data warehouse: Complex, must combine data from many sources; data must go through a data cleanup process

Data integrity issues
  OLTP database: Each individual transaction must be closely edited
  Data warehouse: Major effort to clean and integrate data from multiple sources

Data marts are structurally similar to data warehouses but generally not as large. The typical data mart is developed for a particular purpose or unit within an organization.

Data Mining:
Data mining is another concept closely associated with large databases such as clinical data repositories and data warehouses. Health care application vendors may use the term data mining when referring to the user interface of the data warehouse or data repository. Data mining refers to a sophisticated analysis tool that automatically discovers patterns among data in a data store.

Networks and Data Communications:
The term data communications refers to the transmission of electronic data within or among computers and other related devices. The following topics relate to data communications, particularly in health care settings:
- Network communication protocols
- Network types and configurations
- Network media and bandwidth
- Network communication devices
RELATIONAL DATABASE MANAGEMENT SYSTEM COMPONENTS:

- Interface: a variety of computer languages (VBA, Java, Delphi, and so forth)
- Data manipulation: Data Manipulation Language (DML)
- Tables: Data Definition Language (DDL)

Re"$ti! $" D$t$ M!de"i #:

[Figure: entity-relationship diagram with the entities Patient, Visit, and Clinic and the relationships Goes and Has.]
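The RDBMS components and the Patient, Visit and Clinic model above, as an added example that is not from the course notes: the DDL creates the three tables with the relationships between them, the DML inserts and queries rows through a host-language interface (Python's sqlite3), and the foreign keys reject a visit for a patient or clinic that does not exist. Table names, columns and sample rows are constructed; the six-digit medical record number rule follows the data dictionary section.

```python
"""Relational model of Patient, Visit and Clinic using DDL and DML in SQLite.

Added example; not code from the course notes. Table and column names and the
sample rows are constructed for illustration.
"""
import sqlite3

# DDL: the tables and the relationships between them (a Visit belongs to one
# Patient and takes place at one Clinic). The CHECK mirrors the data-dictionary
# rule that a medical record number is exactly six digits.
DDL = """
CREATE TABLE clinic (
    clinic_id INTEGER PRIMARY KEY,
    name      TEXT NOT NULL
);
CREATE TABLE patient (
    mrn        TEXT PRIMARY KEY CHECK (mrn GLOB '[0-9][0-9][0-9][0-9][0-9][0-9]'),
    last_name  TEXT NOT NULL,
    first_name TEXT NOT NULL
);
CREATE TABLE visit (
    visit_id   INTEGER PRIMARY KEY,
    mrn        TEXT    NOT NULL REFERENCES patient(mrn),
    clinic_id  INTEGER NOT NULL REFERENCES clinic(clinic_id),
    visit_date TEXT    NOT NULL
);
"""


def open_db():
    """Create an in-memory database with foreign keys enforced."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite leaves this off by default
    conn.executescript(DDL)
    return conn


def load_clinics(conn):
    """DML: constructed sample clinics."""
    conn.executemany("INSERT INTO clinic VALUES (?, ?)",
                     [(1, "Cardiology"), (2, "Oncology")])
    conn.commit()


def add_patient(conn, mrn, last_name, first_name):
    """Insert a patient; False when the CHECK on the MRN rejects the row."""
    try:
        conn.execute("INSERT INTO patient VALUES (?, ?, ?)",
                     (mrn, last_name, first_name))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def add_visit(conn, mrn, clinic_id, visit_date):
    """Insert a visit; returns its visit_id, or None when the patient or
    clinic does not exist (the foreign key rejects the orphan row)."""
    try:
        cur = conn.execute(
            "INSERT INTO visit (mrn, clinic_id, visit_date) VALUES (?, ?, ?)",
            (mrn, clinic_id, visit_date))
        conn.commit()
        return cur.lastrowid
    except sqlite3.IntegrityError:
        conn.rollback()
        return None


def visits_for_patient(conn, mrn):
    """Join across the Patient-Visit-Clinic relationships for one patient.
    The MRN is passed as a bound parameter, so it is treated purely as data."""
    rows = conn.execute(
        "SELECT c.name, v.visit_date FROM visit v "
        "JOIN clinic c ON c.clinic_id = v.clinic_id "
        "WHERE v.mrn = ? ORDER BY v.visit_date", (mrn,))
    return rows.fetchall()


if __name__ == "__main__":
    db = open_db()
    load_clinics(db)
    add_patient(db, "000123", "DOE", "JANE")
    add_visit(db, "000123", 1, "2005-01-03")
    print(visits_for_patient(db, "000123"))
```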

Network Communication Protocols:


A++"ic$ti! .L$(e' 70: 8GThis layer supports application and end8user processes. #ommunication partners are identified" quality of service is identified" user authentication and privacy are considered" and any constraints on data syntax are identified. Everything at this layer is application specific. This layer provides application services for file transfers" e8mail" and other network software services. P'ese t$ti! .L$(e' 80: 8GThis layer provides independence from differences in data representation +for example" encryption, by translating from application to network format and vice versa. The presentation layer works to transform data into the form that the application layer can accept. This layer formats and encrypts data to be sent across a network" providing freedom from compatibility problems.

Session (Layer 5): This layer establishes, manages, and terminates connections between applications. The session layer sets up, coordinates, and terminates conversations, exchanges, and dialogues between the applications at each end. It deals with session and connection coordination.

Transport (Layer 4): This layer provides transparent transfer of data between end systems, or hosts. It ensures complete data transfer.

Network (Layer 3): This layer provides switching and routing technologies, creating logical paths, known as virtual circuits, for transmitting data from node to node. Routing and forwarding are functions of this layer, as well as addressing, internetworking, error handling, congestion control, and packet sequencing.

Data Link (Layer 2): At this layer, data packets are encoded and decoded into bits. It furnishes transmission protocol knowledge and management and handles errors in the physical layer, flow control, and frame synchronization. The data link layer is divided into two sublayers: the media access control (MAC) layer and the logical link control (LLC) layer. The MAC sublayer controls how a computer on the network gains access to the data and permission to transmit it. The LLC layer controls frame synchronization, flow control, and error checking.

Physical (Layer 1): This layer conveys the bit stream (electrical impulse, light, or radio signal) through the network at the electrical and mechanical level. It provides the hardware means of sending and receiving data on a carrier, including defining cables, cards, and physical aspects. Fast Ethernet and ATM are protocols with physical layer components.

DATA FLOW IN THE OSI MODEL:
[Figure: data flows down the sending host's stack, Application (Layer 7), Presentation (Layer 6), Session (Layer 5), Transport (Layer 4), Network (Layer 3), Data Link (Layer 2), Physical (Layer 1), across the physical layer, and up the same seven layers on the receiving host.]

OSI MODEL COMPARED TO THE INTERNET MODEL:
[Figure: the OSI model's Application (Layer 7), Presentation (Layer 6), and Session (Layer 5) layers correspond to the Internet model's Application layer; Transport (Layer 4) to Transport; Network (Layer 3) to Network; Data Link (Layer 2) and Physical (Layer 1) to Interface.]

[Figure: examples of network types: Ethernet, asynchronous and synchronous modes, Bluetooth, IEEE 802.11.]

Network Types and Configurations:


LAN Versus WAN

Topology: A second way that networks are described is by their topology, or layout. There are two types of network topology: physical and logical.
- BUS
- RING

Network Media and Bandwidth:

Media: It refers to the physical "wires" or other transmission devices used on the network. Bandwidth is a measure of media capacity.

ETHERNET NETWORK IN A PHYSICAL STAR:

[Figure: Ethernet network in a physical star: a HUB connected by twisted pair to workstations, a printer, and a server.]

Types of media:
- Coaxial cable
- Fiber optic cable
- Microwaves
- Spread spectrum

Service Carriers:

Communications across a WAN may involve some type of carrier. These telecommunications carriers provide telephone lines, satellites, modems, and other services that allow data to be transmitted across distances.

Bandwidth: Bandwidth is another name for the capacity of a transmission medium. Generally, the greater the capacity, or bandwidth, of the medium the greater the speed of transmission.

Network Communication Devices:

Hub: As its name implies, a hub is a device in which data from a network come together. On a schematic, a hub may appear as the "box" where all the Ethernet lines come together for a LAN or a segment of the LAN. Today single devices may serve as hubs and switches or even routers.

Bridge: A bridge connects networks that use the same communication protocol. In the OSI reference model (Figure 8.5), a bridge operates at the data link layer, which is fairly low in the model, which means that it cannot translate signals between networks using different protocols.

Router: A router operates at a higher level, the network layer of the OSI model. Routers are more sophisticated devices than bridges. Whereas bridges send on all data they receive, routers are able to help determine the actual destination of specific data.

Gateway: A gateway can connect networks that have different communication protocols. These devices operate at the transport level of the OSI model, or higher.

Switch: A switch may either be a gateway or a router. In other words, it may operate at the router level or at a higher level. There are many types of switches available on the market today. All switches will route, or switch, data to their destination.

Information Processing Distribution Schemes:


Three common distribution methods are: 1. terminal-to-host, 2. file server, and 3. client/server.

C"i ic$" $ d M$ $#e'i$" Decisi! Su++!'t:


Decision-support systems (DSS): artificial intelligence systems, including expert systems, natural language processing, fuzzy logic, and neural networks. Decision making involves three steps:
1) Intelligence: collecting facts, beliefs, and ideas. In health care these facts may be stored as data elements in a variety of data stores.
2) Design: designing the methods with which to consider the data collected during intelligence. These methods may be models, formulas, algorithms, or other analytical tools. Methods are selected that will reduce the number of viable alternatives.
3) Choice: making the most promising choice from the limited set of alternatives.
Problems that face health care executives and clinicians may be structured, unstructured, or semistructured.

Trends in User Interactions with Systems:


- Input devices
- Output devices
- External storage devices
- Mobile personal computing devices

Information Systems Architecture:

- A definition of architecture
- Architecture perspectives
- Architecture examples
- Observations about architecture

HEALTH CARE INFORMATION SYSTEM STANDARDS:


These standards will be reviewed in three main categories:
- Classification, vocabulary, and terminology standards
- Data interchange standards
- Health record content standards

Standards Development Process:


Ad hoc: Standards are established by the ad hoc method when a group of interested people or organizations agrees on a certain specification without any formal adoption process. The Digital Imaging and Communications in Medicine (DICOM) standard for health care imaging came about in this way.

De facto: A de facto standard arises when a vendor or other commercial enterprise controls such a large segment of the market that its product becomes the recognized norm. SQL and the Windows operating system are examples of de facto standards. Some individuals predict that XML will become a de facto standard for health care messaging.

According to ANSI, this process includes:
- Consensus on a proposed standard by a group or "consensus body" that includes representatives from materially affected or interested parties;
- Broad-based public review and comment on draft standards;
- Consideration of and response to comments submitted by voting members of the relevant consensus body and by public review commenters;
- Incorporation of approved changes into a draft standard; and
- Right to appeal by any participant that believes that due process principles were not sufficiently respected during the standards development in accordance with the ANSI-accredited procedures of the standards developer.

Government mandate: Standards are also established when the government mandates that the health care industry adopt them. Examples are the transaction and code sets mandated by the Health Insurance Portability and Accountability Act (HIPAA) regulations.

Consensus: Consensus-based standards come about when volunteers from various interested groups come together to reach a formal agreement on specifications. The process is generally open and involves considering comment and feedback.

C"$ssi%ic$ti! - <!c$*u"$'(- $ d Te')i !"!#( St$ d$'ds:


- Systematized Nomenclature of Medicine - Clinical Terms (SNOMED CT)
- Logical Observation Identifiers Names and Codes (LOINC) laboratory subset
- Several federal drug terminologies, including RxNorm

Systematized Nomenclature of Medicine - Clinical Terms:
344,000 concepts with unique meanings and formal logic-based definitions, organized as follows:
- Finding (swelling of arm)
- Disease (pneumonia)
- Procedure (biopsy of lung)
- Observable entity (tumor stage)
- Body structure (structure of thyroid)
- Organism (DNA virus)
- Substance (gastric acid)
- Pharmaceutical/biologic product (tamoxifen)
- Specimen (urine specimen)
- Physical object (suture needle)
- Physical force (friction)
- Events (flash flood)
- Environments/geographical locations (intensive care unit)
- Social context (organ donor)
- Context-dependent categories (no nausea)
- Staging and scales (Nottingham ten-point ADL index assessment scale)
- Attribute (controlled temperature)
- Qualifier value (bilateral)
- Duplicate concept (inactive concept)
913,000 English language descriptions or synonyms for expressing clinical concepts.
Approximately 1.3 million semantic relationships to enable reliability and consistency of data retrieval.

Data Interchange Standards:
- Health Level Seven standards
- Digital Imaging and Communications in Medicine (DICOM)

- National Council for Prescription Drug Programs (NCPDP)
- ANSI X12 standards

Health Level Seven Standards:
HL7 messaging standards define: 1. the data to be exchanged, 2. the timing of the exchange, and 3. the communication of errors between applications. In addition to messaging standards, the HL7 organization has published the following:
- Clinical Context Management (CCM) specifications (originally known as CCOW)
- Arden Syntax for Medical Logic Systems
- EHR functional model

Digital Imaging and Communications in Medicine:
The stated purpose for the standard was to:
- Promote communication of digital image information, regardless of device manufacturer.
- Facilitate the development and expansion of picture archiving and communications systems (PACS) that can also interface with other systems of hospital information.
- Allow the creation of diagnostic information data bases that can be interrogated by a wide variety of devices distributed geographically.
The current DICOM standard accomplishes these purposes by specifying:
- A set of protocols for network communications.
- The syntax and semantics of commands which can be used with these protocols.
- A set of media storage services to be followed, including a file format and medical directory structure.

National Council on Prescription Drug Programs:
The mission of the National Council for Prescription Drug Programs (NCPDP) is to "create and promote data interchange standards for the pharmacy services sector of the health care industry, and to provide information and resources that educate the industry and support the diverse needs of its members".

He$"th Rec!'d C! te t St$ d$'ds:


HL7 EHR Functional Model:

- American Health Information Management Association (AHIMA)
- American Medical Association (AMA)
- American Nurses Association (ANA)
- American Medical Informatics Association (AMIA)
- College of Healthcare Information Management Executives (CHIME)
- eHealth Initiative (eHI)
- Healthcare Information and Management Systems Society (HIMSS)
- National Alliance for Health Information Technology (NAHIT)

HL7 EHR FUNCTIONAL MODEL OUTLINE:
- DC1.0 Care Management
- DC2.0 Clinical Decision Support
- DC3.0 Operations Management and Communication
- S1.0 Clinical Support
- S2.0 Measurement, Analysis, Research, Reporting
- S3.0 Administrative and Financial
- IN1.0 EHR Security
- IN2.0 EHR Information and Records Management
- IN3.0 Unique identity, registry, and directory services
- IN4.0 Support for Health Informatics & Terminology Standards
- IN5.0 Interoperability
- IN6.0 Manage business rules
- IN7.0 Workflow

Continuity of Care Record Standard:
Eight elements:
1. Document identifying information (Header): contains information about the referring source and receiving source, the date, and the reason for the referral or transfer.
2. Patient identifying information
3. Patient insurance and financial information
4. Patient's health status
5. Advance directives
6. Care documentation
7. Care plan
8. Providers

Impact of HIPAA on Health Care Information Standards:


S+eci%ic$""(- the t'$ s$cti! st$ d$'ds cited i the HIPAA 'e#u"$ti! s: Fealth #are #laims or equivalent encounter information +M%& KJH,

- Eligibility for a Health Plan (X12 270/271)
- Referral Certification and Authorization (X12 278, or NCPDP for retail pharmacy)
- Health Care Claim Status (X12 276/277)
- Enrollment and Disenrollment in a Health Plan (X12 834)
- Health Care Payment and Remittance Advice (X12 835)
- Health Plan Premium Payments (X12 820)
- Coordination of Benefits (X12 837, or NCPDP for retail pharmacy)

The HIPAA code sets include:
- International Classification of Diseases, ninth edition, clinical modification (ICD-9-CM)
- Code on Dental Procedures and Nomenclature (CDT)
- Healthcare Common Procedural Coding System (HCPCS)
- Current Procedural Terminology, fourth edition (CPT-4)

All of the following are significant players in the establishment of health care information standards:
- Accredited Standards Committee X12 (ANSI ASC X12)
- Dental Content Committee of the American Dental Association (ADA DCC)
- Health Level Seven (HL7)
- National Council for Prescription Drug Programs (NCPDP)
- National Uniform Billing Committee (NUBC)
- National Uniform Claim Committee (NUCC)

National Healthcare Information Infrastructure:
The NHII has three overlapping dimensions:
1. Personal health: includes a personal health record created and controlled by an individual or family member.
2. Health care delivery: includes clinical information from the providers of care, including decision-support programs and practice guidelines; providers would maintain control of their own patients' health records.
3. Public health: this includes such things as vital statistics, population health information, and disease registries to improve the clinical management of population health.
Several specific barriers to the realization of the NHII in this environment have been cited:
- Lack of standards for system interoperability
- Lack of incentives for establishing electronic systems at the point of care
- Insufficient funding for related projects
- Privacy and security concerns

SECURITY OF HEALTH CARE INFORMATION SYSTEMS


We define security, examine the need for establishing an organization-wide security program, and discuss a variety of security-related topics. We also look at the various existing threats to health care information. Examples of actual practices and procedures:
- Administrative safeguards
- Physical safeguards
- Technical safeguards

Introduction to a Health Care Organization Security Program:
Health care organizations must protect their information systems from a range of potential threats. Among these threats are viruses, fire in the computer room, untested software, and employee theft of clinical and administrative data. Threats may also involve intentional or unintentional damage to hardware, software, or data or misuse of the organization's hardware, software, or data. A health care organization's security program involves identifying potential threats and implementing processes to remove the threats or mitigate their ability to cause damage. The primary challenge of developing an effective security program in a health care organization is balancing the need for security with the cost of security. One aspect of this trade-off is maintaining a satisfactory balance between health care information system security and health care data and information availability.

Threats to Health Care Information:
What are the threats to health care information systems? In general, threats to health care information systems will fall into one of these three categories:
- Human threats, which can result from intentional or unintentional human tampering
- Natural and environmental threats, such as floods, fires, and power outages
- Technology malfunctions, such as a drive that fails and has no backup

Overview of HIPAA Security Standards: Final Rule:
The HIPAA standards govern covered entities (CEs), which are defined as:
- A health plan.
- A health care clearinghouse.
- A health care provider who transmits protected health information in electronic form.
This includes practically every type of health care organization imaginable, including hospitals, clinics, physician's offices, nursing homes, and so forth.

The specifications contained in the Security Rule are designated as either required or addressable. A required specification must be implemented by a CE for that organization to be in compliance. For an addressable specification, the CE does one of the following:
- Implements the specification as stated.
- Implements an alternative security measure to accomplish the purposes of the standard or specification.
- Chooses not to implement anything, provided it can demonstrate that the standard or specification is not reasonable and appropriate and that the standard can still be met.

Outline of HIPAA Security Standards: Final Rule
The Administrative Safeguards section contains nine standards:
1) Security management functions. This standard requires the CE to implement policies and procedures to prevent, detect, contain, and correct security violations. There are four implementation specifications for this standard:
- Risk analysis (required). The CE must conduct an accurate and thorough assessment of the potential risks to and vulnerabilities of the confidentiality, integrity, and availability of ePHI.
- Risk management (required). The CE must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
- Sanction policy (required). The CE must apply appropriate sanctions against workforce members who fail to comply with the CE's security policies and procedures.
- Information system activity review (required). The CE must implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
2) Assigned security responsibility. This standard does not have any implementation specifications. It requires the CE to identify the individual responsible for overseeing development of the organization's security policies and procedures.
3) Workforce security. This standard requires the CE to implement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI and to prevent those workforce members who do not have access from obtaining access. There are three implementation specifications for this standard:
- Authorization and/or supervision (addressable).
- Workforce clearance procedure (addressable).
- Termination procedures (addressable).

4) Information access management. This standard requires the CE to implement policies and procedures for authorizing access to ePHI. There are three implementation specifications within this standard.
- Access authorization (addressable). The CE must have a process for granting access to ePHI through a workstation, transaction, program, or other process.
- Access establishment and modification (addressable). The CE must have a process (based on the access authorization) to establish, document, review, and modify a user's right to access to a workstation, transaction, program, or process.
5) Security awareness and training. This standard requires the CE to implement awareness and training programs for all members of its workforce. This training should include periodic security reminders and address protection from malicious software, log-in monitoring, and password management.
6) Security incident reporting. This standard requires the CE to implement policies and procedures to address security incidents.
7) Contingency plan. This standard has five implementation specifications:
- Data backup plan (required).
- Disaster recovery plan (required).
- Emergency mode operation plan (required).
- Testing and revision procedures (addressable). The CE should periodically test and modify all contingency plans.
- Applications and data criticality analysis (addressable). The CE should assess the relative criticality of specific applications and data in support of its contingency plan.
8) Evaluation. This standard requires the CE to periodically perform technical and nontechnical evaluations in response to changes that may affect the security of ePHI.
9) Business associate contracts and other arrangements. This standard outlines the conditions under which a CE must have a formal agreement with business associates to exchange ePHI.

The Physical Safeguards section contains four standards:
1) Facility access controls. This standard requires the CE to implement policies and procedures to limit physical access to its electronic information systems and the facilities in which they are housed to authorized users. There are four implementation specifications with this standard:
- Contingency operations (addressable). The CE should have a process for allowing facility access to support the restoration of lost data under the disaster recovery plan and emergency mode operation plan.
- Facility security plan (addressable). The CE must have a process to safeguard the facility and its equipment from unauthorized access, tampering, and theft.

Access c! t'!" $ d ,$"id$ti! +$dd'ess$*"e0@ The #E should have a process to control and validate access to facilities based on users4 roles or functions. C M$i te $ ce 'ec!'ds .$dd'ess$*"e0@ The #E should have a process to document repairs and modifications to the physical components of a facility as they relate to security. :@ W!'5st$ti! use: -DThis standard requires the #E to implement policies and procedures that specify the proper functions to be performed and the manner in which those functions are to be performed on a specific workstation or class of workstation that can be used to access e:F!" and that specify the physical attributes of the surroundings of such workstations. 3@ W!'5st$ti! secu'it(. This standard requires the #E to implement physical safeguards for all workstations that are used to access e:F! and to restrict access to authori(ed users. /@ De,ice $ d )edi$ c! t'!"s@ This standard requires the #E to implement policies and procedures for the movement of hardware and electronic media that contain e:F! into and out of a facility and within a facility. There are four implementation specifications with this standard$ Disposal +required,. The #E must have a process for the final disposition of e:F! and of the hardware and electronic media on which it is stored. .edia re8use +required,. The #E must have a process for removal of e:F! from electronic media before the media can be re8used. -ccountability +addressable,. The #E must maintain a record of movements of hardware and electronic media and any person responsible for these items. Data backup and storage +addressable,. The #E must create a retrievable" exact copy of e:F!" when needed" before movement of equipment. The Tech ic$" S$%e#u$'ds secti! h$s %i,e st$ d$'ds: ;@Access c! t'!"s: To access the functionality. :@ Audit c! t'!"s. This standard requires the #E to implement hardware" software" and procedures that record and examine activity in the information systems that contain e:F!. 
3@ I te#'it(. This standard requires the #E to implement policies and procedures to protect e:F! from improper alteration or destruction. /@ Pe's! !' e tit( $uthe tic$ti! @ This standard requires the #E to implement procedures to verify that a person or entity seeking access to e:F! is in fact the person or entity claimed. 9@ T'$ s)issi! secu'it(@ This standard requires the #E to implement technical measures to guard against unauthori(ed access to e:F! being transmitted across a network.

The'e $'e t&! i)+"e)e t$ti! s+eci%ic$ti! s &ith this st$ d$'d: I te#'it( c! t'!"s .$dd'ess$*"e,. The #E must implement security measures to ensure that electronically transmitted e:F! is not improperly modified without detection. C E c'(+ti! .$dd'ess$*"e0@ The #E should encrypt e:F! whenever it is deemed appropriate.

The Policies, Procedures, and Documentation section has two standards:
1. Policies and procedures. This standard requires the CE to establish and implement policies and procedures to comply with the standards, implementation specifications, and other requirements.
2. Documentation. This standard requires the CE to maintain, in written form, the policies and procedures implemented to comply with the security rule. There are three implementation specifications:
• Time limit (required). The CE must retain the documentation for six years from the date of its creation or the date when it was last in effect, whichever is later.
• Availability (required). The CE must make the documentation available to those persons responsible for implementing the policies and procedures.
• Updates (required). The CE must review the documentation periodically and update it as needed.

Administrative Safeguards:
• Risk analysis and management
• Chief security officer
• System security evaluation

Risk Analysis and Management:
1. Boundary definition. During the boundary definition step the organization should develop a detailed inventory of all health information and information systems. This review can be conducted using interviews, inspections, questionnaires, or other means.
2. Threat identification. Identifying threats will result in a list of all potential threats to the organization's health care information systems. The three general types of threats that should be considered are:
a. Natural, such as floods and fires
b. Human, which can be intentional or unintentional
c. Environmental, such as power outages
3. Vulnerability identification. In this step the organization identifies all the specific vulnerabilities that exist in its own health care information systems. Generally, vulnerabilities take the form of flaws or weaknesses in system procedures or design.
4. Security control analysis. The organization also needs to conduct a thorough analysis of the security controls that are currently in place. These controls include both preventive controls, such as access controls and authentication procedures, and controls designed to detect actual or potential breaches, such as audit trails and alarms.
5. Risk likelihood determination. This step in the process involves assigning a risk rating to each area of the health care information system. There are a variety of rating systems that may be employed. Weil recommends using a fairly straightforward high-risk, medium-risk, and low-risk system of rating.
6. Impact analysis. This is the step in which the organization determines what the actual impact of specific security breaches would be. A breach may affect confidentiality, integrity, or availability. Impact too can be rated as high, medium, or low.
7. Risk determination. The information gathered up to this point in the risk analysis process is now brought together in order to determine the actual level of risk to specific information and specific information systems. The risk determination is based on:
a. The likelihood that a certain threat will attempt to exploit a specific vulnerability (high, medium, or low)
b. The level of impact should the threat successfully exploit the vulnerability (high, medium, or low)
c. The adequacy of planned or existing security controls (high, medium, or low)
8. Security control recommendations. The final step of the process is to compile a summary report on the findings of the analysis and recommendations for improving security controls.

Chief Security Officer: Each health care organization must have a single individual who is responsible for overseeing the information security program. Generally, this individual is identified as the organization's chief security officer.
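The risk determination (step 7) and summary report (step 8) of the risk analysis above, carried through in code as an added example that is not part of the original text: the high, medium and low scales come from the steps themselves, while the numeric weights, the Finding record and the sample findings are constructed assumptions.

```python
# Added example (not from the source text): the risk determination and
# summary report of risk analysis steps 7 and 8, worked in code. The
# high/medium/low scales are the page's; the numeric weights are assumed.
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}
CONTROL_CREDIT = {"low": 0, "medium": 2, "high": 4}  # assumed credit for controls

@dataclass
class Finding:
    asset: str             # system or data set from the boundary definition
    threat: str            # natural, human, or environmental
    vulnerability: str     # flaw or weakness in procedures or design
    likelihood: str        # step 5 rating
    impact: str            # step 6 rating
    control_adequacy: str  # from the security control analysis (step 4)

def risk_level(likelihood, impact, control_adequacy):
    """Step 7: combine the three ratings into one residual risk rating."""
    exposure = LEVELS[likelihood] * LEVELS[impact]            # 1 .. 9
    residual = max(1, exposure - CONTROL_CREDIT[control_adequacy])
    if residual >= 6:
        return "high"
    if residual >= 3:
        return "medium"
    return "low"

def summary_report(findings):
    """Step 8: findings sorted worst-first, with a recommendation wherever
    residual risk is not low and controls are not already adequate."""
    rows = []
    for f in findings:
        level = risk_level(f.likelihood, f.impact, f.control_adequacy)
        action = ""
        if level != "low" and f.control_adequacy != "high":
            action = "strengthen controls for " + f.vulnerability
        rows.append((level, f.asset, f.threat, f.vulnerability, action))
    rows.sort(key=lambda r: -LEVELS[r[0]])
    return rows

# Constructed sample findings for illustration only.
SAMPLE = [
    Finding("patient index server", "human (intentional)",
            "shared clinician logins", "high", "high", "low"),
    Finding("backup tapes", "environmental (power outage)",
            "no off-site copy", "medium", "high", "medium"),
    Finding("pharmacy workstation", "natural (flood)",
            "ground floor location", "low", "medium", "high"),
]
```

Calling summary_report(SAMPLE) returns the three findings ordered high, medium, low, with a recommendation attached to the first two.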
The chief security officer may report to the chief information officer (CIO) or to another administrator in the health care organization.

System Security Evaluation: Chief security officers must periodically evaluate their organization's health care information systems and networks for proper technical controls and processes. Clearly, an established set of health information technical standards for security would facilitate this evaluation process. One source of such standards is the Department of Defense publication Trusted Computer System Evaluation Criteria (TCSEC). It is sometimes referred to as the Orange Book, due to the color of its cover.

The Orange Book provides a rating system broken into four categories, Division A through Division D. Division D is the lowest-level security rating, indicating a system with no inherent security features.

Physical Safeguards: A security program must address physical as well as technical and administrative safeguards. Physical safeguards involve protecting the actual computer hardware, software, data, and information from physical damage or loss due to natural, human, or environmental threats.
• Assigned security responsibility
• Media controls
• Physical access controls
• Workstation security

Assigned Security Responsibility: Each component of the health care information system should be secure, and one easily identifiable employee should be responsible for that security. These individuals are in turn accountable to the chief security officer. For example, in a nursing department the department manager might be responsible for ensuring that all employees have been trained to understand and use security measures and that they know the importance of maintaining the security of patient information.

Media Controls: The physical media on which health information is stored must be physically protected. Media controls are the policies and procedures that govern the receipt and removal of hardware, software, and computer media such as disks and tapes into and out of the organization, and also their movements inside the organization.

Physical Access Controls: Physical access controls are designed to limit physical access to health information to persons authorized to see that information. Locks and keys are examples of physical access controls.

Technical Safeguards:
• Access control
• Entity authentication
• Audit trails
• Data encryption
• Firewall protection

• Virus checking

Access Control: Control over access to health data may make use of any one of the following methods:
• User-based access
• Role-based access
• Context-based access

Entity Authentication: Automatic log-off is a security procedure that causes a computer session to end after a predetermined period of inactivity, such as ten minutes. Multiple software products are available that allow network administrators to set automatic log-off parameters. Entity authentication can be implemented in a number of different ways in a health care information system. The most common entity authentication method is a password system. Other mechanisms include personal identification numbers (PINs), biometric identification systems, telephone callback systems, and tokens. These implementation methods can be used alone or in combination with other systems. Security experts often encourage layered security systems that use more than one security mechanism.

There are three methods for authentication, and any two of them used together constitute a two-factor system:
• Something you know, such as a password or personal identification number (PIN)
• Something you have, such as an ATM card, token, or swipe card
• Something you are, such as a biometric fingerprint, voice scan, or iris or retinal scan

Password Systems: The most common way to control access to a health care information system is through a combination of the user ID and a password or PIN. User IDs and passwords for a system are maintained either as a part of the access control list for the network or local operating system or in a special database.

Perspective: Password Do's and Don'ts
DON'T:
• Pick a password that someone who knows you can easily guess (for example, do not use your Social Security Number, birthday, maiden name, pet's name, child's name, or car name).
• Pick a word that can be found in the dictionary (because cracker programs can rapidly try every word in the dictionary!).
• Pick a word that is currently newsworthy.
• Pick a password that is similar to your previous password.
• Share your password with others.
DO:
• Pick a combination of letters and at least one number.
• Pick a password with at least eight characters, mixing uppercase and lowercase if your password system is case sensitive.
• Pick a word that you can easily remember.
• Change your password often.

Biometric Identification Systems:
Telephone Callback Procedures:
Tokens:

Audit Trails:
• Individual accountability
• Reconstructing electronic events
• Problem monitoring
• Intrusion detection
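A checker for the password do's and don'ts above, added here as an example rather than taken from the text. The small dictionary, the personal-information list and the similarity test are constructed assumptions, and the rules no program can check (newsworthy words, sharing a password) are left out.

```python
# Added example: checks a candidate password against the page's do's and
# don'ts. DICTIONARY, the personal list and the similarity rule are assumed.
import re

# Constructed stand-in for a real word list.
DICTIONARY = {"password", "welcome", "hospital", "patient", "summer", "fluffy"}

def _letters_only(pw):
    return re.sub(r"[^a-z]", "", pw.lower())

def _similar(new, old):
    # Assumed similarity test: same length with at most two differing
    # positions, or one password contained in the other.
    a, b = new.lower(), old.lower()
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 2
    short, long_ = sorted((a, b), key=len)
    return short in long_

def check_password(pw, previous=None, personal=(), case_sensitive=True):
    """Return the list of rules the candidate password breaks (empty = ok)."""
    broken = []
    if len(pw) < 8:
        broken.append("fewer than eight characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        broken.append("needs letters and at least one number")
    if case_sensitive and not (pw != pw.lower() and pw != pw.upper()):
        broken.append("should mix uppercase and lowercase")
    if pw.lower() in DICTIONARY or _letters_only(pw) in DICTIONARY:
        broken.append("dictionary word")
    if previous and _similar(pw, previous):
        broken.append("similar to previous password")
    for item in personal:  # birthday, pet's name, child's name, ...
        if item and item.lower() in pw.lower():
            broken.append("contains easily guessed personal information")
            break
    return broken
```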

Data Encryption: Data encryption is used to ensure that data transferred from one location on a network to another are secure from anyone eavesdropping or seeking to intercept them. This becomes particularly important when sensitive data, such as health information, are transmitted over public networks such as the Internet or across wireless networks. Secure data are data that cannot be intercepted, copied, modified, or deleted. Some basic terms associated with encryption are plaintext, encryption algorithm, ciphertext, and key.

Public Key Infrastructure: Public key cryptography addresses the basic problems of single, private key systems. In a public key system there are two keys, a private key and a public key. Basically, in this two-key system, data encrypted with the public key can be decrypted only by the private key, and data encrypted by the private key can be decrypted only by the public key.

ENCRYPTION PROCEDURE:
[Figure: encryption procedure. Only the labels "Plain Text" and "Encryption Algorithm (E)" survive from the diagram.]
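The two-key property stated above, shown with a textbook-sized RSA key pair; this is an added example, not code from the text, and the primes 61 and 53 are constructed values far too small for real use.

```python
# Added example (not from the source text): a toy RSA key pair that shows
# why data encrypted with one key of the pair can be recovered only with
# the other. Primes 61 and 53 are constructed; real PKI uses 2048-bit keys
# plus padding, and this block illustrates the mathematics only.

def _modinv(a, m):
    # Extended Euclid: find d with (a * d) % m == 1.
    r0, r1, t0, t1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, t0, t1 = r1, r0 - q * r1, t1, t0 - q * t1
    return t0 % m

def make_keypair(p, q, e=17):
    """Return (public_key, private_key), each an (exponent, modulus) pair."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (_modinv(e, phi), n)

def apply_key(key, value):
    # The same modular exponentiation serves both directions; only the key differs.
    exp, n = key
    return pow(value, exp, n)

def encrypt(key, plaintext):
    # One byte per block: every byte value is below the modulus 3233.
    return [apply_key(key, b) for b in plaintext.encode()]

def decrypt(key, blocks):
    values = [apply_key(key, c) for c in blocks]
    if any(v > 255 for v in values):  # the wrong key yields non-byte garbage
        return None
    return bytes(values).decode("latin-1")

PUBLIC, PRIVATE = make_keypair(61, 53)  # n = 3233, e = 17, d = 2753
```

Encrypting with PUBLIC and decrypting with PRIVATE (or the reverse) returns the plaintext, while applying PUBLIC twice does not.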

Firewall Protection: A firewall is “a system or combination of systems that supports an access control policy between two networks” (White, 2001). The term firewall may be used to describe software that protects computing resources or to describe a combination of software, hardware, and policies that protects these resources. The basic types of firewalls are (1) packet filter, or network level, and (2) proxy servers, or application level.

Virus Checking: Computer viruses come in many different varieties. The common types may be classified as:
• File infectors, which attach to program files so that when a program is loaded the virus is also loaded
• System or boot-record infectors, which infect system areas of diskettes or hard disks
• Macro viruses, which infect Microsoft Word applications, inserting unwanted words or phrases
A worm is a special type of computer virus that stores and then replicates itself. Worms usually transfer from computer to computer via e-mail. Virus-checking programs have three main features:
• signature-based scanning,
• terminate-and-stay-resident monitoring, and
• multilevel generic scanning.

Security in a Wireless Environment: Securing the handheld devices and laptop computers commonly associated with a wireless network also poses challenges for the health care organization.
• Cases that do not appear to contain computers.
• Cables with locks that hook onto tables; once this cable is removed from the computer, an unauthorized person cannot turn the computer on.
• Alarms and software that “instruct” the computer to call and “report” its location.
