
Policy Proposal for healthcare

  • ali@fuzzywireless.com
  • Mar 4, 2022
  • 5 min read

Data Privacy - HIPAA

In the health care industry, data privacy is governed by the regulations set forth under the Health Insurance Portability and Accountability Act (HIPAA) (HHS, 2018). The law prohibits sharing protected health information without the patient's consent. Protected health information includes the individual's present, past or future physical or mental health condition and the present, past or future provision of health care to the individual, as well as identity information that can be used to recognize the individual, such as name, address, date of birth and social security number. Protected health information is anonymized either by a qualified statistician or by removing specific identifiers from the data (2018).


Data Security - HIPAA

The HIPAA Security Rule sets out the security standards for protecting electronic protected health information that is stored or transferred in electronic format (HHS, 2018). The Security Rule applies to health care providers, health care clearinghouses, health care plans, etc. The general rules for safeguarding health information encompass administrative, technical and physical practices that address confidentiality, integrity, availability, breach and compliance while creating, storing and transmitting the health information. Administrative safeguards cover security personnel, evaluation, information access management, the security management process, and workforce training and management. Physical safeguards include facility access and control along with workstation and device security. Technical safeguards require strict access control, encrypted transmission, integrity controls and audit controls. HIPAA mandates risk analysis and management under the Security Rule: evaluate risks, implement the security measures identified by the risk analysis, document those measures and maintain continuous security protections. In the event of a breach, HIPAA mandates reporting the breach without any delay. Penalties imposed for HIPAA violations fall under four categories (HIPAA Journal, 2018):

1. Tier 1 (lowest): unaware of HIPAA violation while exercising due diligence

2. Tier 2: knowingly violating HIPAA laws

3. Tier 3: willful neglect of HIPAA laws with corrective measures

4. Tier 4 (highest): willful neglect of HIPAA laws without corrective measures (2018)


Security Issues – Cloud

UbaidullahBokhari, Shallal and Tamandani (2016) list some of the key security issues faced by the cloud: data traffic hijacking, insecure interfaces and APIs, denial of service attacks, use of cloud computing resources for attacks, shared technology vulnerabilities, unknown risk profile, etc. Traffic hijacking includes redirection of SaaS, PaaS and IaaS traffic to illegal websites, spamming, phishing and so on. Best practices to reduce this threat are to prohibit the sharing of account credentials and to use two-factor authentication, proactive monitoring, cloud security and service level agreements (UbaidullahBokhari, Shallal & Tamandani, 2016).

Interfaces and APIs are meant to enable interaction between the cloud and the user, but they open another avenue of exploitation, such as improper authorization, clear-text authentication, etc. The computing resources of the cloud can also be used to launch malicious botnet attacks, using its infrastructure and applications to spread malware and spam (UbaidullahBokhari, Shallal & Tamandani, 2016). Another vulnerability of the cloud comes from the sharing of resources between multiple tenants, which malicious users can exploit to steal data, thus requiring enforcement of strict security practices. Data breach, the theft of personal and financial data, is yet another important security threat. Isolation failure between multiple users poses a severe security threat (2016). Transportation of data between client and cloud can lead to data theft. Key solutions to remediate these security threats involve stronger encryption, authentication and access control mechanisms (Kaur & Kaur, 2015). Image steganography is also a method employed to hide secret information within other information (2015).


Big Data Tools – Security

Joshi and Kadhiwala (2017) highlighted a couple of security issues that are inherent to big data during data transit and data storage. Confidentiality is defined as restricting the illegal disclosure of data, whereas integrity means protecting data against unauthorized changes or modifications (Joshi & Kadhiwala, 2017).

To ensure confidentiality, cryptographic techniques are widely used in the following ways:

1. Encryption of data during data transfer and storage in plain text format

2. Authentication procedure to control access of data

3. Storage of data in encrypted form and unencrypted data during processing or use

One such encryption scheme is CP-ABE, that is, ciphertext-policy attribute-based encryption, whereas authentication is ensured through an access control procedure whose steps include system setup, key generation, data encryption and data decryption (Joshi & Kadhiwala, 2017). Filters are used to ensure the privacy of plain text data; however, this method can still suffer from offline attacks (2017).

To ensure the integrity of data, several techniques can be employed, such as data provenance, data trustworthiness, data loss and data deduplication (Joshi & Kadhiwala, 2017).

Data provenance – debugging, security and trust models are maintained from creation through transformation of data

Data trustworthiness – correlation techniques are used to assure data trustworthiness

Data loss – data loss prevention techniques are utilized to avoid data loss

Data deduplication – elimination of unnecessary copies of data reduces the chances of illegal data changes but impacts fault tolerance
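As an illustration of data provenance "from creation through transformation", the following added example (not from the cited survey or from any Hadoop component) records each step in an HMAC-linked chain and reports the first step that fails verification. The key, actor names and record layout are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed placeholder key; a real deployment would load it from a key store.
PROVENANCE_KEY = b"example-key-not-for-production"


def _tag(prev_tag, entry):
    """HMAC over the previous tag plus the canonical JSON of this entry."""
    body = json.dumps(entry, sort_keys=True).encode()
    return hmac.new(PROVENANCE_KEY, prev_tag.encode() + body, hashlib.sha256).hexdigest()


def append_step(chain, actor, action, data):
    """Record one creation/transformation step, linked to the step before it."""
    entry = {
        "seq": len(chain),
        "actor": actor,
        "action": action,
        "data_sha256": hashlib.sha256(data).hexdigest(),
    }
    prev_tag = chain[-1]["tag"] if chain else ""
    chain.append({**entry, "tag": _tag(prev_tag, entry)})
    return chain


def verify_chain(chain, current_data):
    """Return the index of the first bad step, or -1 if the chain is intact."""
    prev_tag = ""
    for i, step in enumerate(chain):
        entry = {k: v for k, v in step.items() if k != "tag"}
        if entry["seq"] != i or not hmac.compare_digest(step["tag"], _tag(prev_tag, entry)):
            return i
        prev_tag = step["tag"]
    # The last recorded hash must match the data actually held now.
    if chain and chain[-1]["data_sha256"] != hashlib.sha256(current_data).hexdigest():
        return len(chain) - 1
    return -1


def build_sample_chain():
    """Constructed sample: a lab result is created, then unit-converted."""
    raw = b"glucose=110 mg/dL"
    normalised = b"glucose=6.1 mmol/L"
    chain = append_step([], "lab-system", "create", raw)
    append_step(chain, "etl-job", "unit-conversion", normalised)
    return chain, normalised
```

Editing a recorded step, dropping a step, or changing the stored data without recording a new step all make `verify_chain` return a non-negative index.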

Hadoop utilizes both encryption and access control mechanisms to protect big data, employing triple encryption in the form of HDFS file encryption using DEA, data key encryption using RSA and then data key encryption using IDEA (Abouelmehdi, Beni-Hssane, Khaloufi & Saadi, 2016). MapReduce also makes use of the RSA, Rijndael, AES and RC6 encryption techniques (Abouelmehdi et al., 2016).


Data Privacy and Security Policy

Data security of sensitive health care data in the given health care organization will be achieved by following the best practices of cyber security, which include (Ntiva, 2018):

1. Automated software patching and updates,

2. Employee training program,

3. IoT device tracking,

4. Strict access control,

5. Network segmentation,

6. Leverage AI driven technologies,

7. Implement incident response plan,

8. Data encryption,

9. Data loss prevention and

10. Mobile device management.

Data privacy will be enabled by the following measures:

1. Sensitive health care data will be visible to only a handful of folks, which include the physician, patient and billing/insurance associates with the highest level of permissions

2. Health care data will be created, stored and transmitted with the highest available encryption

3. Health care data will only be accessible through a private cloud accessed using a virtual private network via hard and soft code token authentication

4. Medical records will not be allowed to be copied onto any form of storage media, including computers, laptops, smartphones, external hard drives, etc.

5. Health care data will not be shared with any person or entity outside the company for research or marketing purposes

6. Explicit permissions from patients will be required to share sensitive health care data with other health care providers

7. Inside the premises of the health care facility, only wired network connections will be allowed

8. Anonymization techniques will be applied to remove identifiers from the data

9. Email, internet and other communication services offered to employees of the health care organization will be available only over company-supplied devices, strictly for work-related usage

A zero tolerance policy will be practiced towards data security and privacy across the health care organization, which means any violation will result in termination of employment with immediate effect. All laws under the HIPAA regulations will be strictly followed and implemented to avoid penalties from the governing body. In the event of a data breach or loss, the relevant authorities will be notified immediately, along with the steps taken to resolve the security lapse. Patients will be informed immediately if their personal data is compromised during the breach.
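Privacy item 8 and the HIPAA privacy section both rely on removing identifiers from the data. The sketch below is an added example, not part of the original proposal: it drops the identifier fields the post names, keeps only the birth year, scrubs free-text notes and runs a release check. The field names, the record layout and the choice to keep the birth year are assumptions.

```python
import re
from datetime import date

# Identifier fields the post names; field names here are assumptions.
DROP_FIELDS = ("name", "address", "ssn")
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def scrub_text(text, record):
    """Redact SSN-shaped tokens and literal copies of dropped field values."""
    text = SSN_RE.sub("[REDACTED]", text)
    for field in DROP_FIELDS:
        value = str(record.get(field, "")).strip()
        if value:
            text = re.sub(re.escape(value), "[REDACTED]", text, flags=re.IGNORECASE)
    return text


def deidentify(record):
    """Return a copy of the record with direct identifiers removed."""
    clean = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field == "date_of_birth":
            clean["birth_year"] = date.fromisoformat(value).year  # keep year only
        elif isinstance(value, str):
            clean[field] = scrub_text(value, record)  # identifiers leak into notes
        else:
            clean[field] = value
    return clean


def residual_identifiers(record, clean):
    """Release check: list identifier values still present in the output."""
    blob = " ".join(str(v) for v in clean.values()).lower()
    values = [str(record[f]) for f in DROP_FIELDS + ("date_of_birth",) if f in record]
    return [v for v in values if v.lower() in blob]

# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Jane Roe",
    "address": "12 Example St, Springfield",
    "ssn": "000-12-3456",
    "date_of_birth": "1984-07-19",
    "diagnosis_code": "E11.9",
    "notes": "Jane Roe (SSN 000123456) reports improved glucose control.",
}
```

Running `residual_identifiers` on every export catches identifiers that survive in fields the scrubber did not anticipate; an empty list is the condition for release.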


References:


Joshi, N. & Kadhiwala, B. (2018). Big data security and privacy issues – a survey. 2017 International conference on innovations in power and advanced computing technologies.


Abouelmehdi, K., Beni-Hssane, A., Khaloufi, H. & Saadi, M. (2016). Big data emerging issues: Hadoop security and privacy. 2016 5th International Conference on Multimedia Computing and Systems.


Kaur, R. & Kaur, J. (2015). Cloud computing security issues and its solution: a review. 2015 2nd international conference on computing for sustainable global development.


UbaidullahBokhari, M., Shallal, Q. & Tamandani, Y. (2016). Security and privacy issues in cloud computing. 2016 international conference for sustainable global development.


HIPAA Journal (2018). Health data breach statistics. Retrieved from https://www.hipaajournal.com/healthcare-data-breach-statistics/


HHS (2018). Summary of the HIPAA Security Rule. Retrieved from https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html


HHS (2018). Summary of the HIPAA Privacy Rule. Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html


