Industry Alliance Prescribes Ten Steps for Building Secure National Electronic Health Care Network

Cyber Security Industry Alliance (CSIA), a Washington, D.C.-based public policy and advocacy group of CEOs from security software, hardware and service vendors that addresses key cyber security issues, has released its recommendations for the development of a secure electronic health care system. These recommendations are designed to support the nation's first strategic framework report on a 10-year initiative to develop electronic health records and other uses of health information technology, which was announced today by Department of Health and Human Services (HHS) Secretary Tommy G. Thompson and David J. Brailer, M.D., Ph.D., the National Health Information Technology Coordinator.

The HHS plan for a national health information infrastructure comes in response to President Bush's initiative to provide all Americans with access to electronic medical records within the next 10 years. A modern technology infrastructure will allow quick, reliable access to information that promotes the best possible care while also saving billions in administration costs. Such a system requires the highest standards of privacy protection, which can be achieved through the right combination of information security technology and best practices. CSIA believes that privacy of information and security controls should be addressed from the beginning of the planning process, rather than retrofitted, so that trust in the network is established from its launch.

"The HHS action plan on health information technology offers significant benefits to all Americans and CSIA believes that addressing information assurance concerns from the beginning will maximize the overall effectiveness of the system while ensuring patient privacy," says Paul Kurtz, executive director of CSIA. "We hope Secretary Thompson and Dr. Brailer will find these recommendations useful and we are ready to work with them as they bring their plan to fruition."

CSIA's recommendations cover the confidentiality, integrity and availability of a national health care information infrastructure and foster compliance with the Health Insurance Portability and Accountability Act (HIPAA):

Confidentiality: Protect Patient Information from Unauthorized Access or Disclosure

1. Deploy strong authentication and authorization controls to ensure that only authorized users gain access to a system and only those parts of the system necessary to perform their responsibilities.

2. Encrypt data and communications wherever appropriate so that health care data in transit and at rest is protected from unauthorized interception or eavesdropping.

3. Properly dispose of retired data, software and hardware to ensure that unauthorized users cannot recover it later.

Integrity: Protect Patient Information from Unauthorized Changes

4. Validate data to ensure the integrity of data entered through Web interfaces.

5. Conduct frequent system audits to ensure only authorized users are accessing, entering or changing information.

6. Use digital signatures to verify that data in transit or data at rest has not been modified by unauthorized parties.

Availability: Ensure Redundancy and Protection for Critical Information Systems

7. Provide for redundancy to avoid downtime due to equipment failure, denial-of-service attacks or scheduled maintenance.

8. Use a private data backbone to avoid problems from network bottlenecks and outages that occur on the Internet due to fluctuations in data flows.

9. Develop a rapid incident response mechanism to shorten periods of unavailability due to attacks, intrusions, events and their investigation.

10. Support information sharing networks, such as the existing Healthcare Information Sharing and Analysis Center (ISAC), to ensure timely dissemination of information on cyber threats, vulnerabilities and attacks.
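Recommendation 6 asks for digital signatures over data at rest and in transit so that unauthorized changes are detectable. The following Go program is an added illustration of that control and is not code from CSIA, HHS or the article; the record layout, field names and sample values are assumptions constructed for the example. The record is canonically encoded, signed with an Ed25519 key held by the authorized writer, and the signature is re-checked on every read, so a single altered field (or a damaged signature) is reported before the record is trusted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PatientRecord is a constructed, minimal stand-in for a stored health record.
// The fields and their contents are assumptions made for this example.
type PatientRecord struct {
	PatientID  string   `json:"patient_id"`
	Allergies  []string `json:"allergies"`
	Medication string   `json:"medication"`
	UpdatedBy  string   `json:"updated_by"`
}

// SignedRecord is what would be written to storage or sent on the wire:
// the record together with the signature over its canonical encoding.
type SignedRecord struct {
	Record    PatientRecord `json:"record"`
	Signature []byte        `json:"signature"`
}

// canonical returns the exact bytes that are signed and later verified.
// encoding/json emits struct fields in declaration order with no
// whitespace, so the same record always produces the same bytes.
func canonical(r PatientRecord) ([]byte, error) {
	return json.Marshal(r)
}

// Sign produces a SignedRecord using the writer's Ed25519 private key.
func Sign(priv ed25519.PrivateKey, r PatientRecord) (SignedRecord, error) {
	msg, err := canonical(r)
	if err != nil {
		return SignedRecord{}, err
	}
	return SignedRecord{Record: r, Signature: ed25519.Sign(priv, msg)}, nil
}

// Verify re-encodes the record as currently stored and checks the signature
// with the writer's public key. Any change made after signing, to any field,
// yields false; a truncated or oversized signature is reported as an error.
func Verify(pub ed25519.PublicKey, s SignedRecord) (bool, error) {
	if len(s.Signature) != ed25519.SignatureSize {
		return false, errors.New("malformed signature")
	}
	msg, err := canonical(s.Record)
	if err != nil {
		return false, err
	}
	return ed25519.Verify(pub, msg, s.Signature), nil
}

// SampleRecord returns a constructed record used for the demonstration.
func SampleRecord() PatientRecord {
	return PatientRecord{
		PatientID:  "P-0001",
		Allergies:  []string{"penicillin"},
		Medication: "metformin 500mg",
		UpdatedBy:  "dr.smith",
	}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	signed, err := Sign(priv, SampleRecord())
	if err != nil {
		panic(err)
	}
	ok, _ := Verify(pub, signed)
	fmt.Println("unmodified record verifies:", ok)

	// Simulate an unauthorized change to the stored record.
	signed.Record.Medication = "metformin 1000mg"
	ok, _ = Verify(pub, signed)
	fmt.Println("tampered record verifies:", ok)
}
```

Two practical points follow from this. First, the signature only detects modification; the private key must be kept with the authorized writer (ideally in a hardware-backed store) and the public key must be distributed through a trusted path, or an attacker who can alter the record can simply re-sign it. Second, what is signed must be a deterministic encoding of the whole record, otherwise equivalent-looking records produce different bytes and legitimate reads fail verification.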

Source: Cyber Security Industry Alliance
