2012 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining

Security Standards For Electronic Health Records

Oznur Esra Par

Department of Health Informatics Hacettepe University Ankara, Turkey par@hacettepe.edu.tr

Ergin Soysal
Department of Health Informatics Hacettepe University Ankara, Turkey esoysal@gmail.com

AbstractCirculation of personal health records in digital media has increased by intensive usage of technology on health sector. Circulation of personal health records in electronic media brings with security and privacy issues. Electronic health records are all of this information which includes patient data from birth to the death of the patient. Since electronic health records include private and unchangeable information, it is being tried to forbid their usage revelation without permission in accordance with the related legislations. Digitization of personal health records also brings with security risks. A number of technical and legal infrastructure is needed to eliminate these risks. With the scope of the research national (such as HIPAA) and international standards (such as ISO) has been studied. Keywords- HIPAA; Security of Personal Health Records; ISO 20000; ISO)

II.

FINDINGS

ISO 20000, ISO 27001 standards which are used for security of electronic health records, relevant legislation and HIPAA act which is in effect in the Unites States of America were compared, and the findings on Table 1 were obtained as a result. III. HIPAA ACT

I.

INTRODUCTION

With the active use of current technology in health sector, we have begun to face some risks of technology. It became a must to take security measures against risks which threaten electronic health records as well as against those which threaten any kind of data in electronic environment. Electronic health records are composed of all health information of an individual from his/her prenatal up to postmortem. Digitizing health records is a remarkable move for efficient health service. Since modern technology increases the risks in terms of confidentiality, integrity and accessibility of electronic health records, the security of health information is harmed. The confidentiality of health records is crucial. For this reason, it became compulsory to take measures, to determine risks and to reduce such risks. HIPAA (Health Insurance Portability and Accountability Act) is a body of regulations which defines the conditions of how and in what circumstances the healthcare staff and other organizations can access to health information in order to provide security of health records, and which includes procedures and protocols that restrict access to health records, and actions (such as fine and imprisonment) to be taken in case of unauthorized use and disclosure of health information, and which also includes some administrative, physical and technical standards. [1]
978-0-7695-4799-2/12 $26.00 2012 IEEE DOI 10.1109/ASONAM.2012.148 847 815

HIPAA Act began to be applied on 21 August 1996 in order to provide security and sustainability of information in health sector and information flow in the United States of America.[2] Under HIPAA security rules, confidentiality, integrity and accessibility of electronic health records must be guaranteed. Measures must be taken against any kind of unauthorized access which threatens integrity and/or puts confidentiality and the privacy at risk. Standards and their particulars developed in the scope of HIPAA in order to standardize the confidentiality of electronic health records and to provide security and sustainability for them are as follows: [1] Security Standards: They include general conditions to be complied with; and constitute flexibility of the approach; define standards and implementation specifications; define required security maintenance which is necessary for sustainability of economical and rational security of electronic health records. Administrative Measures: They include supervision of covert health organizations (health plans, health exchange bureaus, organizations operating in health sector); classification of accessibility; regulations; management of selection, development and implementation procedures; maintenance of necessary security measures and management of workforce in order to provide security. Physical Measures: They define physical measures, necessary procedures for protection and supervision of related buildings and vehicles in

case of natural and environmental hazards and/or unauthorized accessions. Technical Measures: They include procedures, technologies, regulations, risk analysis and risk management which are related with protection of electronic health records and accession to them. Organizational requirements: They include business partnership contracts, agreements made on that third party organizations will comply with set standards, and other legal regulations. Regulation, Procedure and Documentation Requirements: Implementation specifications and security rules are expected to be suitable procedures with regulations which are in compliance with other requirement standards. IV. ISO STANDARDS

evaluating risks; producing security policies, physical, environmental and workforce security; access security; information security management, and it standardizes these stages. In health sector, ISO 27799 Information Security Management System in Health Facilities, which is the substandard of ISO 27000 family, is implemented for protection and sustainability of confidentiality, integrity and accessibility of electronic health records. It also includes, out of the scope of ISO 27001 Information Security Management System, information security in health facilities, health information which requires protection and risks towards health sector.

Comparison of HIPAA and ISO Standars in terms of security of health informations

Standards and Laws ISO 20000 + ISO 27000 +

A. ISO 20000 Management of Information Technology Services[3] It is the first standard to be developed in 2005 for information technology management service, this was revised in 2011. ISO 20000, which is based on BS 15000 standard consist of two sections. Section 1: It covers information technologies service management. It standardizes required way of managing information operations and sets conditions to provide a quality level for available services. Section 2: It is the guideline standard where service management practices are explained. ISO 20000 requirement analysis includes several integrated processes such as defining a service system and service sustainability , accessibility, finance, capacity, business relations, information security and system management process. ISO 20000 takes ISO 27000 Information Security Management System as reference which guides selection of competent and proportionate security supervisions in information security. B. ISO 27000 Information Security Management System[4] This is a standard developed to provide and maintain confidentiality, integrity and accessibility concepts which compose essential principles of information security. This helps to detect and minimize critical security risks. ISO 27001 standard, which helps to detect and reduce present and possible risks in information security, is the main standard of ISO 27000 standard family which is the Information Security Management Service. ISO 27001 Information Security Management System includes stages which are necessary for establishment and sustainability of information security such as detecting and

Features International Relevance Determination of the General System Requirements, Regulations, and Agreements Provision of Information Security Protection of Personal Information Related Sanctions Information Security Risk Analysis Requirements for Information Security Physical and Technical Reserves Human Resources Safety

HIPAA -

Laws

+ +

+ -

+ -

+ +

+ +

+ +

Table 1.

V.

DISCUSSION

In parallel with the rapid widespread use of information technologies, electronic attacks launched by means of information technologies increase. In terms of electronic health records, these attacks can be specialized as obtaining and changing personal information without permission. Privacy of the electronic health records is essential but since they include health information from different and separate systems and they have different roles and organizations in its structure, circumstances occur where information and security technologies that are applied in national information systems fail. HIPAA is an integrated act which provides confidentiality, integrity and accessibility of electronic health records. ISO 20000 and ISO 27001 are used to provide information security in health information technology

816 848

practices, and relevant laws and by-law are referred for sanctions. HIPAA laws cane be given an international standard form like ISO standards and sanctions can be adjusted according to the legal system of every country. Establishing integrated laws like HIPAA will provide maximum security for electronic health records.

REFERENCES
[1] National Institiue of Standarts and Technology, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountabilit Act (HIPAA) Security Rule, USA, 2008 Prajesh Chhanabhai, Alec Holt, Inga Huntur, Consumers, Security and Electronic Health Records, New Zelland, 2006. ISO/IEC 20000 Certification and Implementation Guide, Claire Engle,Gerard Blokdijk,Jackie Brewster, Emereo Publishing, Australia, 2008. Information Security Based on ISO 27001/ISO 27002: A Management Guide, Alan Calder, Van Haren Puplishing, NL, 2006.

[2] [3]

[4]

817 849