Privacy and security of patient data in the pathology laboratory.

PubMed

Cucoranu, Ioan C; Parwani, Anil V; West, Andrew J; Romero-Lauro, Gonzalo; Nauman, Kevin; Carter, Alexis B; Balis, Ulysses J; Tuthill, Mark J; Pantanowitz, Liron

2013-01-01

Data protection and security are critical components of routine pathology practice because laboratories are legally required to securely store and transmit electronic patient data. With increasing connectivity of information systems, laboratory work-stations, and instruments themselves to the Internet, the demand to continuously protect and secure laboratory information can become a daunting task. This review addresses informatics security issues in the pathology laboratory related to passwords, biometric devices, data encryption, internet security, virtual private networks, firewalls, anti-viral software, and emergency security situations, as well as the potential impact that newer technologies such as mobile devices have on the privacy and security of electronic protected health information (ePHI). In the United States, the Health Insurance Portability and Accountability Act (HIPAA) govern the privacy and protection of medical information and health records. The HIPAA security standards final rule mandate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI. Importantly, security failures often lead to privacy breaches, invoking the HIPAA privacy rule as well. Therefore, this review also highlights key aspects of HIPAA and its impact on the pathology laboratory in the United States.

Privacy and security of patient data in the pathology laboratory

PubMed Central

Cucoranu, Ioan C.; Parwani, Anil V.; West, Andrew J.; Romero-Lauro, Gonzalo; Nauman, Kevin; Carter, Alexis B.; Balis, Ulysses J.; Tuthill, Mark J.; Pantanowitz, Liron

2013-01-01

Data protection and security are critical components of routine pathology practice because laboratories are legally required to securely store and transmit electronic patient data. With increasing connectivity of information systems, laboratory work-stations, and instruments themselves to the Internet, the demand to continuously protect and secure laboratory information can become a daunting task. This review addresses informatics security issues in the pathology laboratory related to passwords, biometric devices, data encryption, internet security, virtual private networks, firewalls, anti-viral software, and emergency security situations, as well as the potential impact that newer technologies such as mobile devices have on the privacy and security of electronic protected health information (ePHI). In the United States, the Health Insurance Portability and Accountability Act (HIPAA) govern the privacy and protection of medical information and health records. The HIPAA security standards final rule mandate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI. Importantly, security failures often lead to privacy breaches, invoking the HIPAA privacy rule as well. Therefore, this review also highlights key aspects of HIPAA and its impact on the pathology laboratory in the United States. PMID:23599904

The Health Insurance Portability and Accountability Act: security and privacy requirements.

PubMed

Tribble, D A

2001-05-01

The security and privacy requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their implications for pharmacy are discussed. HIPAA was enacted to improve the portability of health care insurance for persons leaving jobs. A section of the act encourages the use of electronic communications for health care claims adjudication, mandates the use of new standard code sets and transaction sets, and establishes the need for regulations to protect the security and privacy of individually identifiable health care information. Creating these regulations became the task of the Department of Health and Human Services. Regulations on security have been published for comment. Regulations on privacy and the definition of standard transaction sets and code sets are complete. National identifiers for patients, providers, and payers have not yet been established. The HIPAA regulations on security and privacy will require that pharmacies adopt policies and procedures that limit access to health care information. Existing pharmacy information systems may require upgrading or replacement. Costs of implementation nationwide are estimated to exceed $8 billion. The health care community has two years from the finalization of each regulation to comply with that regulation. The security and privacy requirements of HIPAA will require pharmacies to review their practices regarding the storage, use, and disclosure of protected health care information.

HIPAA--a real world perspective.

PubMed

Nulan, C

2001-01-01

An effective and realistic approach to HIPAA compliance requires healthcare organizations to achieve a fundamental shift in attitude, awareness, habits and capabilities in the areas of privacy and security. They must create a sense of accountability among staff, and even patients, for the safeguarding of patient information. Only when this culture shift has occurred, along with the required technological advancements, can HIPAA compliance be realistically achieved. There is still ample time to create the organizational shift necessary, along with technological enhancements, to meet HIPAA requirements. Beyond compliance, HIPAA will benefit the healthcare industry by promoting administrative simplification--the original intention of the Act. And it will require the healthcare industry, in an abbreviated timeframe, to upgrade its level of sophistication in managing information. HIPAA certification springs from an organizational compliance method that has been underway in government for the past two decades. The HIPAA playbook is taken lock, stock and barrel from other Federal guidelines. HIPAA's legislative lineage includes the Healthcare Reform Act of 1993, Paperwork Reduction Act of 1980, Computer Security Act of 1987 and the Privacy Act of 1974. HIPAA means that public and private sector healthcare organizations are going to be required by law to adopt the same information-handling practices that have been in effect in the Federal government for years. That boils down to two things: Standardized formatting of data electronically exchanged between providers, payers and business partners (EDI) Federalization of security and privacy practices within private-sector healthcare information management The key to making HIPAA compliance achievable within a practical timeframe, as well as instituting the culture changes that go with enhanced privacy and security standards, is a process that is largely unfamiliar in the private sector, called administrative certification and

HIPAA the Health Care Hippo: Despite the Rhetoric, Is Privacy Still an Issue?

ERIC Educational Resources Information Center

Kuczynski, Kay; Gibbs-Wahlberg, Patty

2005-01-01

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (PL. 104-191) is a multitiered, comprehensive, convoluted, and controversial federal law for sweeping health care reform. Although HIPAA is dramatically broader in scope than privacy protections for health care information, a provision for privacy in the form of a Privacy Rule…

What if? The one question every administrator should ask. Use HIPAA rules as a blueprint for broader safety, security.

PubMed

Redling, Bob

2007-08-01

Are you doing enough to control security and privacy at your practice? Could you cope if your organization suffered a disaster that destroyed facilities, business documents and patient records? Although Health Insurance Portability and Accountability Act (HIPAA) security and privacy rules focus on patient health information, they also point the way to a more comprehensive approach to managing risk. By using HIPAA rules as a blueprint, you can design policies and procedures to address everything from safeguarding financial information to protecting the personal safety of patients, physicians and staff.

HIPAA compliance and patient privacy protection.

PubMed

Grandison, Tyrone; Bhatti, Rafae

2010-01-01

Recent prosecution of violations of the Health Insurance Portability and Accountability Act (HIPAA), and the amendments currently in process to strengthen the Act of 1996, has led many companies to take serious notice of the measures they must take to be a compliance. A company's privacy policy states the business' privacy practices and embodies the firm's commitments to its users and is normally mandatory step in reaching legislative compliance. in the face of this, the patient has to decipher if the company's privacy practices are congruent with their thoughts on the level of privacy protection they should be receiving. This is the core of our investigation. In this paper, we explore the question "Is a healthcare entity's compliance with regulation sufficient to provide the patient with adequate privacy protection?" in the context of the United States of America.

The complexities of HIPAA and administration simplification.

PubMed

Mozlin, R

2000-11-01

The Health Insurance Portability and Accessibility Act (HIPAA) was signed into law in 1996. Although focused on information technology issues, HIPAA will ultimately impact day-to-day operations at multiple levels within any clinical setting. Optometrists must begin to familiarize themselves with HIPAA in order to prepare themselves to practice in a technology-enriched environment. Title II of HIPAA, entitled "Administration Simplification," is intended to reduce the costs and administrative burden of healthcare by standardizing the electronic transmission of administrative and financial transactions. The Department of Health and Human Services is expected to publish the final rules and regulations that will govern HIPAA's implementation this year. The rules and regulations will cover three key aspects of healthcare delivery: electronic data interchange (EDI), security and privacy. EDI will standardize the format for healthcare transactions. Health plans must accept and respond to all transactions in the EDI format. Security refers to policies and procedures that protect the accuracy and integrity of information and limit access. Privacy focuses on how the information is used and disclosure of identifiable health information. Security and privacy regulations apply to all information that is maintained and transmitted in a digital format and require administrative, physical, and technical safeguards. HIPAA will force the healthcare industry to adopt an e-commerce paradigm and provide opportunities to improve patient care processes. Optometrists should take advantage of the opportunity to develop more efficient and profitable practices.

The End of the HIPAA Privacy Rule? Currents in Contemporary Bioethics.

PubMed

Rothstein, Mark A

2016-06-01

The HIPAA Privacy Rule is notoriously weak because of its incomplete coverage, numerous exclusions and exemptions, and limited rights for individuals. The three areas in which it provides the most protection are fundraising, marketing, and research. Provisions of the 21st Century Cures Act, pending in Congress, and the Notice of Proposed Rulemaking to amend the federal research regulations (Common Rule), awaiting final regulatory action, would weaken the privacy protections for research. If these measures are adopted, the HIPAA Privacy Rule would have so little value that it might not be worth the aggravation and burden. © 2016 American Society of Law, Medicine & Ethics.

Protecting the Privacy and Security of Your Health Information

MedlinePlus

... Access to Medical Records Privacy, Security, and HIPAA Laws, Regulation, and Policy Scientific Initiatives Standards & Technology Usability ... care providers and professionals, and the government. Federal laws require many of the key persons and organizations ...

mHealth data security: the need for HIPAA-compliant standardization.

PubMed

Luxton, David D; Kayl, Robert A; Mishkind, Matthew C

2012-05-01

The rise in the use of mobile devices, such as smartphones, tablet personal computers, and wireless medical devices, as well as the wireless networks that enable their use, has raised new concerns for data security and integrity. Standardized Health Insurance Portability and Accountability Act of 1996 (HIPAA)-compliant electronic data security that will allow ubiquitous use of mobile health technologies is needed. The lack of standardized data security to assure privacy, to allow interoperability, and to maximize the full capabilities of mobile devices presents a significant barrier to care. The purpose of this article is to provide an overview of the issue and to encourage discussion of this important topic. Current security needs, standards, limitations, and recommendations for how to address this barrier to care are discussed.

HIPAA Compliance and Training: A Perfect Storm for Professionalism Education?

PubMed

Agris, Julie L; Spandorfer, John M

2016-12-01

The HIPAA Rules continue to support and bolster the importance of protecting the privacy and security of patients' protected health information. The HIPAA training requirements are at the cornerstone of meaningful implementation and provide a ripe opportunity for critical education.

HIPAA for physicians in the information age.

PubMed

Kavoussi, Shaheen C; Huang, John J; Tsai, James C; Kempton, James E

2014-08-01

The increased prominence of electronic health records, email, mobile devices, and social media has transformed the health care environment by providing both physicians and patients with opportunities for rapid communication and knowledge exchange. However, these technological advances require increased attention to patient privacy under the Health Insurance Portability and Accountability Act (HIPAA). Instant access to large amounts of electronic protected health information (PHI) merits the highest standard of network security and HIPAA training for all staff members. Physicians are responsible for protecting PHI stored on portable devices. Personal, residential, and public wireless connections are not certified with HIPAA-compliant Business Associate Agreements and are unsuitablefor PHI. A professional and privacy-oriented approach to electronic communication, online activity, and social media is imperative to maintaining public trust in physician integrity. As new technologies are integrated into health care practice, the assurance of privacy will encourage patients to continue to seek medical care.

Integration of LDSE and LTVS logs with HIPAA compliant auditing system (HCAS)

NASA Astrophysics Data System (ADS)

Zhou, Zheng; Liu, Brent J.; Huang, H. K.; Guo, Bing; Documet, Jorge; King, Nelson

2006-03-01

The deadline of HIPAA (Health Insurance Portability and Accountability Act) Security Rules has passed on February 2005; therefore being HIPAA compliant becomes extremely critical to healthcare providers. HIPAA mandates healthcare providers to protect the privacy and integrity of the health data and have the ability to demonstrate examples of mechanisms that can be used to accomplish this task. It is also required that a healthcare institution must be able to provide audit trails on image data access on demand for a specific patient. For these reasons, we have developed a HIPAA compliant auditing system (HCAS) for image data security in a PACS by auditing every image data access. The HCAS was presented in 2005 SPIE. This year, two new components, LDSE (Lossless Digital Signature Embedding) and LTVS (Patient Location Tracking and Verification System) logs, have been added to the HCAS. The LDSE can assure medical image integrity in a PACS, while the LTVS can provide access control for a PACS by creating a security zone in the clinical environment. By integrating the LDSE and LTVS logs with the HCAS, the privacy and integrity of image data can be audited as well. Thus, a PACS with the HCAS installed can become HIPAA compliant in image data privacy and integrity, access control, and audit control.

HIPAA privacy rules and compliance with federal and state employment laws: the participant authorization form.

PubMed

Brislin, Joseph A

2003-03-01

Although HIPAA privacy rules do not apply directly to employers or to employment records, they do apply indirectly to employers because employer-sponsored group health plans and all health care providers are covered. HIPAA privacy regulations overlap with federal and state employment laws, and liabilities for breach of confidentiality can be substantial. Employers can use a participant's authorization form to comply with employment laws and company policies. Sample authorization forms are provided at the end of this article.

Security of electronic medical information and patient privacy: what you need to know.

PubMed

Andriole, Katherine P

2014-12-01

The responsibility that physicians have to protect their patients from harm extends to protecting the privacy and confidentiality of patient health information including that contained within radiological images. The intent of HIPAA and subsequent HIPAA Privacy and Security Rules is to keep patients' private information confidential while allowing providers access to and maintaining the integrity of relevant information needed to provide care. Failure to comply with electronic protected health information (ePHI) regulations could result in financial or criminal penalties or both. Protected health information refers to anything that can reasonably be used to identify a patient (eg, name, age, date of birth, social security number, radiology examination accession number). The basic tools and techniques used to maintain medical information security and patient privacy described in this article include physical safeguards such as computer device isolation and data backup, technical safeguards such as firewalls and secure transmission modes, and administrative safeguards including documentation of security policies, training of staff, and audit tracking through system logs. Other important concepts related to privacy and security are explained, including user authentication, authorization, availability, confidentiality, data integrity, and nonrepudiation. Patient privacy and security of medical information are critical elements in today's electronic health care environment. Radiology has led the way in adopting digital systems to make possible the availability of medical information anywhere anytime, and in identifying and working to eliminate any risks to patients. Copyright © 2014 American College of Radiology. Published by Elsevier Inc. All rights reserved.

HIPAA: update on rule revisions and compliance requirements.

PubMed

Maddox, P J

2002-01-01

Due to the highly technical requirements for HIPAA compliance and the numerous administrative and clinical functions and processes involved, guidance from experts who are knowledgeable about systems design and use to secure private data is necessary. In health care organizations, this will require individuals who are knowledgeable about clinical processes and those who understand health information technology, security, and privacy to work together to establish an entity's compliance plans and revise operations and practices accordingly. As a precondition of designing such systems, it is essential that covered entities understand the HIPAA's statutory requirements and timeline for compliance. An organization's success in preparing for HIPAA will depend upon an active program of assessment, planning, and implementation. Compliance with security and privacy standards can be expected to increase costs initially. However, greater use of EDI is expected to reduce costs and enhance revenues in the long run if processes and systems are improved. NOTE: Special protection for psychotherapy notes holds them to a higher standard of protection. Notes used only by a psychotherapist are not intended to be shared with anyone and are not considered part of the medical record.

VOIP for Telerehabilitation: A Risk Analysis for Privacy, Security and HIPAA Compliance: Part II.

PubMed

Watzlaf, Valerie J M; Moeini, Sohrab; Matusow, Laura; Firouzan, Patti

2011-01-01

In a previous publication the authors developed a privacy and security checklist to evaluate Voice over Internet Protocol (VoIP) videoconferencing software used between patients and therapists to provide telerehabilitation (TR) therapy. In this paper, the privacy and security checklist that was previously developed is used to perform a risk analysis of the top ten VoIP videoconferencing software to determine if their policies provide answers to the privacy and security checklist. Sixty percent of the companies claimed they do not listen into video-therapy calls unless maintenance is needed. Only 50% of the companies assessed use some form of encryption, and some did not specify what type of encryption was used. Seventy percent of the companies assessed did not specify any form of auditing on their servers. Statistically significant differences across company websites were found for sharing information outside of the country (p=0.010), encryption (p=0.006), and security evaluation (p=0.005). Healthcare providers considering use of VoIP software for TR services may consider using this privacy and security checklist before deciding to incorporate a VoIP software system for TR. Other videoconferencing software that is specific for TR with strong encryption, good access controls, and hardware that meets privacy and security standards should be considered for use with TR.

VOIP for Telerehabilitation: A Risk Analysis for Privacy, Security and HIPAA Compliance: Part II

PubMed Central

Watzlaf, Valerie J.M.; Moeini, Sohrab; Matusow, Laura; Firouzan, Patti

2011-01-01

In a previous publication the authors developed a privacy and security checklist to evaluate Voice over Internet Protocol (VoIP) videoconferencing software used between patients and therapists to provide telerehabilitation (TR) therapy. In this paper, the privacy and security checklist that was previously developed is used to perform a risk analysis of the top ten VoIP videoconferencing software to determine if their policies provide answers to the privacy and security checklist. Sixty percent of the companies claimed they do not listen into video-therapy calls unless maintenance is needed. Only 50% of the companies assessed use some form of encryption, and some did not specify what type of encryption was used. Seventy percent of the companies assessed did not specify any form of auditing on their servers. Statistically significant differences across company websites were found for sharing information outside of the country (p=0.010), encryption (p=0.006), and security evaluation (p=0.005). Healthcare providers considering use of VoIP software for TR services may consider using this privacy and security checklist before deciding to incorporate a VoIP software system for TR. Other videoconferencing software that is specific for TR with strong encryption, good access controls, and hardware that meets privacy and security standards should be considered for use with TR. PMID:25945177

Applying your corporate compliance skills to the HIPAA security standard.

PubMed

Carter, P I

2000-01-01

Compliance programs are an increasingly hot topic among healthcare providers. These programs establish policies and procedures covering billing, referrals, gifts, confidentiality of patient records, and many other areas. The purpose is to help providers prevent and detect violations of the law. These programs are voluntary, but are also simply good business practice. Any compliance program should now incorporate the Health Insurance Portability and Accountability Act (HIPAA) security standard. Several sets of guidelines for development of compliance programs have been issued by the federal government, and each is directed toward a different type of healthcare provider. These guidelines share certain key features with the HIPAA security standard. This article examines the common areas between compliance programs and the HIPAA security standard to help you to do two very important things: (1) Leverage your resources by combining compliance with the security standard with other legal and regulatory compliance efforts, and (2) apply the lessons learned in developing your corporate compliance program to developing strategies for compliance with the HIPAA security standard.

Privacy and security compliance in the E-healthcare marketplace.

PubMed

Lutes, M

2000-03-01

Complying with security and privacy regulations proposed by HHS in response to the Health Insurance Portability and Accountability Act (HIPAA) will require healthcare managers to address both internal and external business interactions and initiatives. The proposed regulations mandate certain procedures regarding administration, physical safeguards, technical security for data integrity and confidentiality, and technical security against unauthorized access. In particular, the proposed regulations require organizations to contractually ensure that vendors adhere to the regulations. Healthcare organizations also must implement training procedures for staff members who have contact with protected health information and designate a privacy officer to guard against improper disclosure of such information. Documented policies for organizational decision making are vital to an organization's efforts to implement procedures for compliance with the regulations.

Implementing HIPAA security in a membership organization.

PubMed

Hillabrant, L P; Gaignard, K E

2000-01-01

The upcoming HIPAA security regulations are forcing a change in business and operating procedures that many, if not most, healthcare organizations are ill-prepared to tackle. Of all healthcare organizational structures, membership organizations will most likely face the greatest number of obstacles in preparing for and implementing the HIPAA security regulations. This is because the membership organization as a whole must find a way to accommodate the disparate technologies, business and operating methodologies and processes, and available, limited resources of its individual member organizations, and integrate these into a uniform implementation plan. Compounding these obvious difficulties is the unique challenge of enforcement authority. The individual member organizations are autonomous business entities, whereas the membership organization as a whole merely acts as an advisor or consultant, and has only limited enforcement authority over any individual member organization. This article explores this unique situation in depth. We focus on PROMINA Health System, a nonprofit healthcare membership organization that consists of five disparate member healthcare organizations. We examine the challenges PROMINA has encountered in its quest to institute an organization-wide HIPAA security program and its methodology for accomplishing program implementation.

Privacy preservation and information security protection for patients' portable electronic health records.

PubMed

Huang, Lu-Chou; Chu, Huei-Chung; Lien, Chung-Yueh; Hsiao, Chia-Hung; Kao, Tsair

2009-09-01

As patients face the possibility of copying and keeping their electronic health records (EHRs) through portable storage media, they will encounter new risks to the protection of their private information. In this study, we propose a method to preserve the privacy and security of patients' portable medical records in portable storage media to avoid any inappropriate or unintentional disclosure. Following HIPAA guidelines, the method is designed to protect, recover and verify patient's identifiers in portable EHRs. The results of this study show that our methods are effective in ensuring both information security and privacy preservation for patients through portable storage medium.

HIPAA brings new requirements, new opportunities.

PubMed

Moynihan, J J; McLure, M L

2000-03-01

The passage of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) brought with it the need for Federal rules to implement the act's simplification and cost-reduction efforts. HHS has published proposed rules related to security for the electronic transmission of health information, privacy of individually identifiable health information, transactions and code sets, and national provider and employer identifiers. Additional proposed rules will be published this year for claims attachments and health plan identifiers. Although HIPAA does not require providers to conduct business electronically, the new standards give providers the opportunity to reduce healthcare administrative costs significantly and undertake electronic commerce efficiently and cost-effectively.

Privacy in the digital world: medical and health data outside of HIPAA protections.

PubMed

Glenn, Tasha; Monteith, Scott

2014-11-01

Increasing quantities of medical and health data are being created outside of HIPAA protection, primarily by patients. Data sources are varied, including the use of credit cards for physician visit and medication co-pays, Internet searches, email content, social media, support groups, and mobile health apps. Most medical and health data not covered by HIPAA are controlled by third party data brokers and Internet companies. These companies combine this data with a wide range of personal information about consumer daily activities, transactions, movements, and demographics. The combined data are used for predictive profiling of individual health status, and often sold for advertising and other purposes. The rapid expansion of medical and health data outside of HIPAA protection is encroaching on privacy and the doctor-patient relationship, and is of particular concern for psychiatry. Detailed discussion of the appropriate handling of this medical and health data is needed by individuals with a wide variety of expertise.

Privacy and Security in Multi-User Health Kiosks

PubMed Central

TAKYI, HAROLD; WATZLAF, VALERIE; MATTHEWS, JUDITH TABOLT; ZHOU, LEMING; DEALMEIDA, DILHARI

2017-01-01

Enforcement of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) has gotten stricter and penalties have become more severe in response to a significant increase in computer-related information breaches in recent years. With health information said to be worth twice as much as other forms of information on the underground market, making preservation of privacy and security an integral part of health technology development, rather than an afterthought, not only mitigates risks but also helps to ensure HIPAA and HITECH compliance. This paper provides a guide, based on the Office for Civil Rights (OCR) audit protocol, for creating and maintaining an audit checklist for multi-user health kiosks. Implementation of selected audit elements for a multi-user health kiosk designed for use by community-residing older adults illustrates how the guide can be applied. PMID:28814990

Impact of HIPAA on Subject Recruitment and Retention

PubMed Central

Wipke-Tevis, Deidre D.; Pickett, Melissa A.

2009-01-01

Recruiting and retaining an adequate sample of subjects is critical to the success of any research project involving human subjects. Recent reports indicate the Health Insurance Portability and Accountability Act (HIPAA) Privacy rule has adversely impacted research. Few resources are available to help researchers and their staff navigate the challenges to subject recruitment and retention after the implementation of the HIPAA Privacy rule. This article will address obstacles to subject recruitment in prospective, clinical research studies related specifically to the HIPAA Privacy rule as well as HIPAA compliant strategies to enhance subject recruitment and retention. Recruitment challenges discussed include evolving interpretations of the HIPAA regulations, inability to directly contact potential subjects, complexity of the HIPAA required documents, the increased cost of subject recruitment, and an expanding administrative burden. Among the strategies addressed are preparatory research reviews, use of clinical collaborators/staff liaisons, pre-screening of potential subjects, minimizing subject burden during the consent process, enhancing follow-up of subjects, facilitating recruitment for future studies and streamlining compliance training for research staff. PMID:17551087

75 FR 8363 - Office for Civil Rights; Workshop on the HIPAA Privacy Rule's De-Identification Standard; Notice...

Federal Register 2010, 2011, 2012, 2013, 2014

2010-02-24

... Recovery and Reinvestment Act of 2009 (ARRA),\\1\\ requires HHS to issue guidance on methods for de...). --Methodological Issues Associated with HIPAA Privacy Rule De- Identification. --Statistical Disclosure Control and...

75 FR 40867 - Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information...

Federal Register 2010, 2011, 2012, 2013, 2014

2010-07-14

.... The Act also provides for the development of guidance, reports, and studies in a number of areas... Privacy and Security enforcement (section 13424(a)); a study and report on the application of privacy and... (section 13424(c)); and a study on the Privacy Rule's definition of ``psychotherapy notes'' at 45 CFR 164...

What litigators need to know about HIPAA.

PubMed

Stein, Scott D

2003-01-01

HIPAA's Privacy Regulations impose a number of new requirements on Covered Entities concerning disclosure of an individual's personal health information. This Article briefly outlines the primary function of HIPAA's general nondisclosure rule and discusses the exceptions under which HIPAA permits disclosure in the course of litigation or government investigations.

HIPAA-compliant automatic monitoring system for RIS-integrated PACS operation

NASA Astrophysics Data System (ADS)

Jin, Jin; Zhang, Jianguo; Chen, Xiaomeng; Sun, Jianyong; Yang, Yuanyuan; Liang, Chenwen; Feng, Jie; Sheng, Liwei; Huang, H. K.

2006-03-01

As a governmental regulation, Health Insurance Portability and Accountability Act (HIPAA) was issued to protect the privacy of health information that identifies individuals who are living or deceased. HIPAA requires security services supporting implementation features: Access control; Audit controls; Authorization control; Data authentication; and Entity authentication. These controls, which proposed in HIPAA Security Standards, are Audit trails here. Audit trails can be used for surveillance purposes, to detect when interesting events might be happening that warrant further investigation. Or they can be used forensically, after the detection of a security breach, to determine what went wrong and who or what was at fault. In order to provide security control services and to achieve the high and continuous availability, we design the HIPAA-Compliant Automatic Monitoring System for RIS-Integrated PACS operation. The system consists of two parts: monitoring agents running in each PACS component computer and a Monitor Server running in a remote computer. Monitoring agents are deployed on all computer nodes in RIS-Integrated PACS system to collect the Audit trail messages defined by the Supplement 95 of the DICOM standard: Audit Trail Messages. Then the Monitor Server gathers all audit messages and processes them to provide security information in three levels: system resources, PACS/RIS applications, and users/patients data accessing. Now the RIS-Integrated PACS managers can monitor and control the entire RIS-Integrated PACS operation through web service provided by the Monitor Server. This paper presents the design of a HIPAA-compliant automatic monitoring system for RIS-Integrated PACS Operation, and gives the preliminary results performed by this monitoring system on a clinical RIS-integrated PACS.

76 FR 31425 - HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic...

Federal Register 2010, 2011, 2012, 2013, 2014

2011-05-31

... 164 HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic... accounting of disclosures of protected health information. The purpose of these modifications is, in part, to...) provides that an accounting must include all disclosures of protected health information, except for...

75 FR 23214 - HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic...

Federal Register 2010, 2011, 2012, 2013, 2014

2010-05-03

...-AB62 HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic... disclosures, the administrative burden on covered entities and business associates of accounting for such...: HITECH Accounting of Disclosures, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW...

Electronic Communication of Protected Health Information: Privacy, Security, and HIPAA Compliance.

PubMed

Drolet, Brian C; Marwaha, Jayson S; Hyatt, Brad; Blazar, Phillip E; Lifchez, Scott D

2017-06-01

Technology has enhanced modern health care delivery, particularly through accessibility to health information and ease of communication with tools like mobile device messaging (texting). However, text messaging has created new risks for breach of protected health information (PHI). In the current study, we sought to evaluate hand surgeons' knowledge and compliance with privacy and security standards for electronic communication by text message. A cross-sectional survey of the American Society for Surgery of the Hand membership was conducted in March and April 2016. Descriptive and inferential statistical analyses were performed of composite results as well as relevant subgroup analyses. A total of 409 responses were obtained (11% response rate). Although 63% of surgeons reported that they believe that text messaging does not meet Health Insurance Portability and Accountability Act of 1996 security standards, only 37% reported they do not use text messages to communicate PHI. Younger surgeons and respondents who believed that their texting was compliant were statistically significantly more like to report messaging of PHI (odds ratio, 1.59 and 1.22, respectively). A majority of hand surgeons in this study reported the use of text messaging to communicate PHI. Of note, neither the Health Insurance Portability and Accountability Act of 1996 statute nor US Department of Health and Human Services specifically prohibits this form of electronic communication. To be compliant, surgeons, practices, and institutions need to take reasonable security precautions to prevent breach of privacy with electronic communication. Communication of clinical information by text message is not prohibited under Health Insurance Portability and Accountability Act of 1996, but surgeons should use appropriate safeguards to prevent breach when using this form of communication. Copyright © 2017 American Society for Surgery of the Hand. Published by Elsevier Inc. All rights reserved.

78 FR 5565 - Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under...

Federal Register 2010, 2011, 2012, 2013, 2014

2013-01-25

... certain health information, such as standards for certain health care transactions conducted electronically and code sets and unique identifiers for health care providers and employers. The HIPAA... HIPAA apply to three types of entities, which are known as ``covered entities'': health care providers...

The law of unintended (financial) consequences: the expansion of HIPAA business associate liability.

PubMed

Tomes, Jonathan P

2013-01-01

The recent Omnibus Rule published by the Department of Health and Human Services greatly expanded liability for breaches of health information privacy and security under the HIPAA statute and regulations. This expansion could have dire financial consequences for the health care industry. The Rule expanded the definition of business associates to include subcontractors of business associates and made covered entities and business associates liable for breaches of the entities who perform a service for them involving the use of individually identifiable health information under the federal common law of agency. Thus, if a covered entity or its "do wnstream" business associate breaches security or privacy, the covered entity or "upstream" business associate may face HIPAA's civil money penalties or a lawsuit. Financial managers need to be aware of these changes both to protect against the greater liability and to plan for the compliance costs inherent in effectively, if not legally, making business associates into covered entities.

Challenges and Insights in Using HIPAA Privacy Rule for Clinical Text Annotation.

PubMed

Kayaalp, Mehmet; Browne, Allen C; Sagan, Pamela; McGee, Tyne; McDonald, Clement J

2015-01-01

The Privacy Rule of Health Insurance Portability and Accountability Act (HIPAA) requires that clinical documents be stripped of personally identifying information before they can be released to researchers and others. We have been manually annotating clinical text since 2008 in order to test and evaluate an algorithmic clinical text de-identification tool, NLM Scrubber, which we have been developing in parallel. Although HIPAA provides some guidance about what must be de-identified, translating those guidelines into practice is not as straightforward, especially when one deals with free text. As a result we have changed our manual annotation labels and methods six times. This paper explains why we have made those annotation choices, which have been evolved throughout seven years of practice on this field. The aim of this paper is to start a community discussion towards developing standards for clinical text annotation with the end goal of studying and comparing clinical text de-identification systems more accurately.

HIPAA security standards: is your facility ready?

PubMed

2000-05-01

Now that final rules are emerging related to the Health Insurance Portability and Accountability Act of 1996, it's more important than ever to make sure your facility's data security standards measure up. The best advice? 'Forget HIPAA for the moment and look at what you have in place,' says William Spooner, senior vice president and chief information officer for Sharp Healthcare in San Diego.

VoIP for Telerehabilitation: A Pilot Usability Study for HIPAA Compliance

PubMed Central

Watzlaf, Valerie R.; Ondich, Briana

2012-01-01

Consumer-based, free Voice and video over the Internet Protocol (VoIP) software systems such as Skype and others are used by health care providers to deliver telerehabilitation and other health-related services to clients. Privacy and security applications as well as HIPAA compliance within these protocols have been questioned by practitioners, health information managers, and other healthcare entities. This pilot usability study examined whether four respondents who used the top three, free consumer-based, VoIP software systems perceived these VoIP technologies to be private, secure, and HIPAA compliant; most did not. While the pilot study limitations include the number of respondents and systems assessed, the protocol can be applied to future research and replicated for instructional purposes. Recommendations are provided for VoIP companies, providers, and clients/consumers. PMID:25945194

New security and privacy laws require basic changes in professional practice

NASA Astrophysics Data System (ADS)

Sykes, David M.

2005-09-01

Everybody knows about HIPAA-but what about GLBA? FIPA? The Patriot Act? Homeland Security? NCLB? FCRA? CASB1? PIPEDA? All of these are recent laws that impact acoustical design. Throw in the American Hospital Association/ASHE and AIA's about-to-be-released ``Guidelines for the Design of Healthcare Facilities'' as well as the redrafting of DCID 6/9 and it looks like time for careful examination of some professional practices relating to security and privacy. Should INCE members join with and endorse the ASA's recently formed Joint TCAA/TCN Subcommittee which aims to fill a policy vacuum in Washington and Ottawa relating to the fundamental protection of citizens' rights to privacy? This group will formulate consistent guidelines to enable federal and state agencies in the US and Canada to enforce and monitor their laws-will their guidelines affect INCE members? Those who advise or give expert testimony to government agencies, defense/security organizations, courts, and large institutions in financial services, healthcare or education likely find themselves in a rapidly shifting landscape and recognize the need to respond with new research and professional practices.

Family Caregiver Research and the HIPAA Factor

ERIC Educational Resources Information Center

Albert, Steven M.; Levine, Carol

2005-01-01

Research in family caregiving recently has become more challenging because of the strict protection of privacy mandated in the Health Insurance Portability and Accountability Act (HIPAA) of 1996. We ask when should Institutional Review Boards (IRBs) follow HIPAA rules to the letter and when might they use the waiver option? What is the appropriate…

Medical image security in a HIPAA mandated PACS environment.

PubMed

Cao, F; Huang, H K; Zhou, X Q

2003-01-01

Medical image security is an important issue when digital images and their pertinent patient information are transmitted across public networks. Mandates for ensuring health data security have been issued by the federal government such as Health Insurance Portability and Accountability Act (HIPAA), where healthcare institutions are obliged to take appropriate measures to ensure that patient information is only provided to people who have a professional need. Guidelines, such as digital imaging and communication in medicine (DICOM) standards that deal with security issues, continue to be published by organizing bodies in healthcare. However, there are many differences in implementation especially for an integrated system like picture archiving and communication system (PACS), and the infrastructure to deploy these security standards is often lacking. Over the past 6 years, members in the Image Processing and Informatics Laboratory, Childrens Hospital, Los Angeles/University of Southern California, have actively researched image security issues related to PACS and teleradiology. The paper summarizes our previous work and presents an approach to further research on the digital envelope (DE) concept that provides image integrity and security assurance in addition to conventional network security protection. The DE, including the digital signature (DS) of the image as well as encrypted patient information from the DICOM image header, can be embedded in the background area of the image as an invisible permanent watermark. The paper outlines the systematic development, evaluation and deployment of the DE method in a PACS environment. We have also proposed a dedicated PACS security server that will act as an image authority to check and certify the image origin and integrity upon request by a user, and meanwhile act also as a secure DICOM gateway to the outside connections and a PACS operation monitor for HIPAA supporting information. Copyright 2002 Elsevier Science Ltd.

Health Insurance Portability and Accountability Act (HIPAA) legislation and its implication on speech privacy design in health care facilities

NASA Astrophysics Data System (ADS)

Tocci, Gregory C.; Storch, Christopher A.

2005-09-01

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (104th Congress, H.R. 3103, January 3, 1986), among many things, individual patient records and information be protected from unnecessary issue. This responsibility is assigned to the U.S. Department of Health and Human Services (HHS) which has issued a Privacy Rule most recently dated August 2002 with a revision being proposed in 2005 to strengthen penalties for inappropriate breaches of patient privacy. Despite this, speech privacy, in many instances in health care facilities need not be guaranteed by the facility. Nevertheless, the regulation implies that due regard be given to speech privacy in both facility design and operation. This presentation will explore the practical aspects of implementing speech privacy in health care facilities and make recommendations for certain specific speech privacy situations.

Security and privacy in electronic health records: a systematic literature review.

PubMed

Fernández-Alemán, José Luis; Señor, Inmaculada Carrión; Lozoya, Pedro Ángel Oliver; Toval, Ambrosio

2013-06-01

To report the results of a systematic literature review concerning the security and privacy of electronic health record (EHR) systems. Original articles written in English found in MEDLINE, ACM Digital Library, Wiley InterScience, IEEE Digital Library, Science@Direct, MetaPress, ERIC, CINAHL and Trip Database. Only those articles dealing with the security and privacy of EHR systems. The extraction of 775 articles using a predefined search string, the outcome of which was reviewed by three authors and checked by a fourth. A total of 49 articles were selected, of which 26 used standards or regulations related to the privacy and security of EHR data. The most widely used regulations are the Health Insurance Portability and Accountability Act (HIPAA) and the European Data Protection Directive 95/46/EC. We found 23 articles that used symmetric key and/or asymmetric key schemes and 13 articles that employed the pseudo anonymity technique in EHR systems. A total of 11 articles propose the use of a digital signature scheme based on PKI (Public Key Infrastructure) and 13 articles propose a login/password (seven of them combined with a digital certificate or PIN) for authentication. The preferred access control model appears to be Role-Based Access Control (RBAC), since it is used in 27 studies. Ten of these studies discuss who should define the EHR systems' roles. Eleven studies discuss who should provide access to EHR data: patients or health entities. Sixteen of the articles reviewed indicate that it is necessary to override defined access policies in the case of an emergency. In 25 articles an audit-log of the system is produced. Only four studies mention that system users and/or health staff should be trained in security and privacy. Recent years have witnessed the design of standards and the promulgation of directives concerning security and privacy in EHR systems. However, more work should be done to adopt these regulations and to deploy secure EHR systems. Copyright

HIPAA is larger and more complex than Y2K.

PubMed

Tempesco, J W

2000-07-01

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a larger and more complex problem than Y2K ever was. According to the author, the costs associated with a project of such unending scope and in support of intrusion into both information and operational systems of every health care transaction will be incalculable. Some estimate that the administrative simplification policies implemented through HIPAA will save billions of dollars annually, but it remains to be seen whether the savings will outweigh implementation and ongoing expenses associated with systemwide application of the regulations. This article addresses the rules established for electronic data interchange, data set standards for diagnostic and procedure codes, unique identifiers, coordination of benefits, privacy of individual health care information, electronic signatures, and security requirements.

Mum's the Word: Feds Are Serious About Protecting Patients' Privacy.

PubMed

Conde, Crystal

2010-08-01

The Health Information Technology for Economic and Clinical Health (HITECH) Act significantly changes HIPAA privacy and security policies that affect physicians. Chief among the changes are the new breach notification regulations, developed by the U.S. Department of Health and Human Services Office for Civil Rights. The Texas Medical Association has developed resources to help physicians comply with the new HIPAA regulations.

HIPAA Compliance in U.S. Hospitals: A Self-Report of Progress Toward the Security Rule

PubMed Central

Having, Karen; Davis, Diane C

2005-01-01

In January 2004, a random sampling of 1,000 U.S. hospitals was surveyed by researchers at a midwestern university to determine perceived level of compliance with the security requirements of the federal Health Insurance Portability and Accountability Act (HIPAA). Exactly one year later, a follow-up survey was sent to the 286 respondents of the 2004 survey, yielding a 50 percent return rate (n = 144). There was an overall trend in increased HIPAA security compliance from 2004 to 2005. There was no significant difference in perceived level of compliance based on the size of the hospital for the majority of security standards. PMID:18066377

Impact of HIPAA's minimum necessary standard on genomic data sharing.

PubMed

Evans, Barbara J; Jarvik, Gail P

2018-04-01

This article provides a brief introduction to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule's minimum necessary standard, which applies to sharing of genomic data, particularly clinical data, following 2013 Privacy Rule revisions. This research used the Thomson Reuters Westlaw database and law library resources in its legal analysis of the HIPAA privacy tiers and the impact of the minimum necessary standard on genomic data sharing. We considered relevant example cases of genomic data-sharing needs. In a climate of stepped-up HIPAA enforcement, this standard is of concern to laboratories that generate, use, and share genomic information. How data-sharing activities are characterized-whether for research, public health, or clinical interpretation and medical practice support-affects how the minimum necessary standard applies and its overall impact on data access and use. There is no clear regulatory guidance on how to apply HIPAA's minimum necessary standard when considering the sharing of information in the data-rich environment of genomic testing. Laboratories that perform genomic testing should engage with policy makers to foster sound, well-informed policies and appropriate characterization of data-sharing activities to minimize adverse impacts on day-to-day workflows.

High standards. A decade after the law went into effect, there is still debate about the pros and cons of the HIPAA privacy and electronic transaction regulations.

PubMed

Edlin, Mari; Johns, Stephanie

2006-01-01

When congress passed the Health Insurance Portability and Accountability act in 1996, the goal was to create a simpler, more standardized system that would eventually lower health care costs; reduce errors through safe, universally accepted electronic communication of health care transactions; and eliminate paper claims. Ten years later, the jury is still out on whether HIPAA has been worth the time, energy, and financial investment for insurers. That's not to say, however, that HIPAA hasn't generated benefits while also creating new challenges. "Standards made sense," says Tom Fitzpatrick, Horizon Blue Cross Blue Shield of New Jersey's director of enterprise strategic planning, "but no one ever said it would be fast, cheap, or easy. It was challenging to integrate proprietary claims systems and legacy software with the new standards that took effect in October 2003. But that wasn't the end of the story. HIPAA's privacy and security rules and the standard identifiers have meant even more upgrades and improvements and have required payers to spend millions of additional dollars over the past three years on HIPAA compliance." According to a set of quarterly surveys conducted by HIMSS/Phoenix Health Systems, progress has actually been fairly rapid. On the other hand, some things have remained much the same. In 2003, payers cited "understanding/interpreting the legal requirements" as the most difficult aspect of the HIPAA remediation process, followed by "achieving successful integration of new policies and procedures" and "resolving issues with third parties". In 2006, the barriers are similar, with users citing the same top two struggles.

Privacy Preserving Nearest Neighbor Search

NASA Astrophysics Data System (ADS)

Shaneck, Mark; Kim, Yongdae; Kumar, Vipin

Data mining is frequently obstructed by privacy concerns. In many cases data is distributed, and bringing the data together in one place for analysis is not possible due to privacy laws (e.g. HIPAA) or policies. Privacy preserving data mining techniques have been developed to address this issue by providing mechanisms to mine the data while giving certain privacy guarantees. In this chapter we address the issue of privacy preserving nearest neighbor search, which forms the kernel of many data mining applications. To this end, we present a novel algorithm based on secure multiparty computation primitives to compute the nearest neighbors of records in horizontally distributed data. We show how this algorithm can be used in three important data mining algorithms, namely LOF outlier detection, SNN clustering, and kNN classification. We prove the security of these algorithms under the semi-honest adversarial model, and describe methods that can be used to optimize their performance. Keywords: Privacy Preserving Data Mining, Nearest Neighbor Search, Outlier Detection, Clustering, Classification, Secure Multiparty Computation

Information Systems, Security, and Privacy.

ERIC Educational Resources Information Center

Ware, Willis H.

1984-01-01

Computer security and computer privacy issues are discussed. Among the areas addressed are technical and human security threats, security and privacy issues for information in electronic mail systems, the need for a national commission to examine these issues, and security/privacy issues relevant to colleges and universities. (JN)

Evaluating re-identification risks with respect to the HIPAA privacy rule

PubMed Central

Benitez, Kathleen

2010-01-01

Objective Many healthcare organizations follow data protection policies that specify which patient identifiers must be suppressed to share “de-identified” records. Such policies, however, are often applied without knowledge of the risk of “re-identification”. The goals of this work are: (1) to estimate re-identification risk for data sharing policies of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule; and (2) to evaluate the risk of a specific re-identification attack using voter registration lists. Measurements We define several risk metrics: (1) expected number of re-identifications; (2) estimated proportion of a population in a group of size g or less, and (3) monetary cost per re-identification. For each US state, we estimate the risk posed to hypothetical datasets, protected by the HIPAA Safe Harbor and Limited Dataset policies by an attacker with full knowledge of patient identifiers and with limited knowledge in the form of voter registries. Results The percentage of a state's population estimated to be vulnerable to unique re-identification (ie, g=1) when protected via Safe Harbor and Limited Datasets ranges from 0.01% to 0.25% and 10% to 60%, respectively. In the voter attack, this number drops for many states, and for some states is 0%, due to the variable availability of voter registries in the real world. We also find that re-identification cost ranges from $0 to $17 000, further confirming risk variability. Conclusions This work illustrates that blanket protection policies, such as Safe Harbor, leave different organizations vulnerable to re-identification at different rates. It provides justification for locally performed re-identification risk estimates prior to sharing data. PMID:20190059

Text Messaging to Communicate With Public Health Audiences: How the HIPAA Security Rule Affects Practice

PubMed Central

Karasz, Hilary N.; Eiden, Amy; Bogan, Sharon

2013-01-01

Text messaging is a powerful communication tool for public health purposes, particularly because of the potential to customize messages to meet individuals’ needs. However, using text messaging to send personal health information requires analysis of laws addressing the protection of electronic health information. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule is written with flexibility to account for changing technologies. In practice, however, the rule leads to uncertainty about how to make text messaging policy decisions. Text messaging to send health information can be implemented in a public health setting through 2 possible approaches: restructuring text messages to remove personal health information and retaining limited personal health information in the message but conducting a risk analysis and satisfying other requirements to meet the HIPAA Security Rule. PMID:23409902

Text messaging to communicate with public health audiences: how the HIPAA Security Rule affects practice.

PubMed

Karasz, Hilary N; Eiden, Amy; Bogan, Sharon

2013-04-01

Text messaging is a powerful communication tool for public health purposes, particularly because of the potential to customize messages to meet individuals' needs. However, using text messaging to send personal health information requires analysis of laws addressing the protection of electronic health information. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule is written with flexibility to account for changing technologies. In practice, however, the rule leads to uncertainty about how to make text messaging policy decisions. Text messaging to send health information can be implemented in a public health setting through 2 possible approaches: restructuring text messages to remove personal health information and retaining limited personal health information in the message but conducting a risk analysis and satisfying other requirements to meet the HIPAA Security Rule.

Counterfeit Compliance with the HIPAA Security Rule: A Study of Information System Success

ERIC Educational Resources Information Center

Johnson, James R.

2013-01-01

The intent of the security standards adopted by the Department of Health and Human Services (DHS) implementing some of the requirements of the Administrative Simplification (AS) subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was to improve Federal and private health care programs and to improve the…

Assessing the privacy policies in mobile personal health records.

PubMed

Zapata, Belén Cruz; Hernández Niñirola, Antonio; Fernández-Alemán, José Luis; Toval, Ambrosio

2014-01-01

The huge increase in the number and use of smartphones and tablets has led health service providers to take an interest in mHealth. Popular mobile app markets like Apple App Store or Google Play contain thousands of health applications. Although mobile personal health records (mPHRs) have a number of benefits, important challenges appear in the form of adoption barriers. Security and privacy have been identified as part of these barriers and should be addressed. This paper analyzes and assesses a total of 24 free mPHRs for Android and iOS. Characteristics regarding privacy and security were extracted from the HIPAA. The results show important differences in both the mPHRs and the characteristics analyzed. A questionnaire containing six questions concerning privacy policies was defined. Our questionnaire may assist developers and stakeholders to evaluate the security and privacy of their mPHRs.

HIPPA privacy regulations: practical information for physicians.

PubMed

McMahon, E B; Lee-Huber, T

2001-07-01

After much debate and controversy, the Bush administration announced on April 12, 2001, that it would implement the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations issued by the Clinton administration in December of 2000. The privacy regulations became effective on April 14, 2001. Although the regulations are considered final, the Secretary of the Department of Health and Human Services has the power to modify the regulations at any time during the first year of implementation. These regulations affect how a patient's health information is used and disclosed, as well as how patients are informed of their privacy rights. As "covered entities," physicians have until April 14, 2003, to comply fully with the HIPAA privacy regulations, which are more than 1,500 pages in length. This article presents a basic overview of the new and complex regulations and highlights practical information about physicians' compliance with the regulations. However, this summary of the HIPAA privacy regulations should not be construed as legal advice or an opinion on specific situations. Please consult an attorney concerning your compliance with HIPAA and the regulations promulgated thereunder.

Effective Management of Information Security and Privacy

ERIC Educational Resources Information Center

Anderson, Alicia

2006-01-01

No university seems immune to cyber attacks. For many universities, such events have served as wake-up calls to develop a comprehensive information security and privacy strategy. This is no simple task, however. It involves balancing a culture of openness with a need for security and privacy. Security and privacy are not the same, and the…

Digital Photograph Security: What Plastic Surgeons Need to Know.

PubMed

Thomas, Virginia A; Rugeley, Patricia B; Lau, Frank H

2015-11-01

Sharing and storing digital patient photographs occur daily in plastic surgery. Two major risks associated with the practice, data theft and Health Insurance Portability and Accountability Act (HIPAA) violations, have been dramatically amplified by high-speed data connections and digital camera ubiquity. The authors review what plastic surgeons need to know to mitigate those risks and provide recommendations for implementing an ideal, HIPAA-compliant solution for plastic surgeons' digital photography needs: smartphones and cloud storage. Through informal discussions with plastic surgeons, the authors identified the most common photograph sharing and storage methods. For each method, a literature search was performed to identify the risks of data theft and HIPAA violations. HIPAA violation risks were confirmed by the second author (P.B.R.), a compliance liaison and privacy officer. A comprehensive review of HIPAA-compliant cloud storage services was performed. When possible, informal interviews with cloud storage services representatives were conducted. The most common sharing and storage methods are not HIPAA compliant, and several are prone to data theft. The authors' review of cloud storage services identified six HIPAA-compliant vendors that have strong to excellent security protocols and policies. These options are reasonably priced. Digital photography and technological advances offer major benefits to plastic surgeons but are not without risks. A proper understanding of data security and HIPAA regulations needs to be applied to these technologies to safely capture their benefits. Cloud storage services offer efficient photograph sharing and storage with layers of security to ensure HIPAA compliance and mitigate data theft risk.

HIPAA and patient care: the role for professional judgment.

PubMed

Lo, Bernard; Dornbrand, Laurie; Dubler, Nancy N

2005-04-13

Federal health privacy regulations, commonly known as the Health Insurance Portability and Accountability Act (HIPAA) regulations, came into effect in April 2003. Many clinicians and institutions have relied on consultants and risk managers to tell them how to implement these regulations. Much of the controversy and confusion over the HIPAA regulations concern so-called incidental disclosures. Some interpretations of the privacy regulations would limit essential communication and compromise good patient care. This article analyzes misconceptions regarding what the regulations say about incidental disclosures and discusses the reasons for such misunderstandings. Many misconceptions arise from gaps in the regulations. These gaps are appropriately filled by professional judgment informed by ethical guidelines. The communication should be necessary and effective for good patient care, and the risks of a breach of confidentiality should be proportional to the likely benefit for the patient's care. The alternative for communication should be impractical. We offer specific recommendations to help physicians think through what incidental disclosures in patient care are ethically permissible and what safeguards ought to be taken. Physicians should work with risk managers and practice administrators to develop policies that promote good communication in patient care, while taking appropriate steps to protect patient privacy.

Privacy and security in teleradiology.

PubMed

Ruotsalainen, Pekka

2010-01-01

Teleradiology is probably the most successful eHealth service available today. Its business model is based on the remote transmission of radiological images (e.g. X-ray and CT-images) over electronic networks, and on the interpretation of the transmitted images for diagnostic purpose. Two basic service models are commonly used teleradiology today. The most common approach is based on the message paradigm (off-line model), but more developed teleradiology systems are based on the interactive use of PACS/RIS systems. Modern teleradiology is also more and more cross-organisational or even cross-border service between service providers having different jurisdictions and security policies. This paper defines the requirements needed to make different teleradiology models trusted. Those requirements include a common security policy that covers all partners and entities, common security and privacy protection principles and requirements, controlled contracts between partners, and the use of security controls and tools that supporting the common security policy. The security and privacy protection of any teleradiology system must be planned in advance, and the necessary security and privacy enhancing tools should be selected (e.g. strong authentication, data encryption, non-repudiation services and audit-logs) based on the risk analysis and requirements set by the legislation. In any case the teleradiology system should fulfil ethical and regulatory requirements. Certification of the whole teleradiology service system including security and privacy is also proposed. In the future, teleradiology services will be an integrated part of pervasive eHealth. Security requirements for this environment including dynamic and context aware security services are also discussed in this paper. Copyright (c) 2009 Elsevier Ireland Ltd. All rights reserved.

77 FR 70796 - Privacy Act of 1974; Retirement of Department of Homeland Security Transportation Security...

Federal Register 2010, 2011, 2012, 2013, 2014

2012-11-27

... privacy issues, please contact: Jonathan Cantor, (202-343-1717), Acting Chief Privacy Officer, Privacy... DEPARTMENT OF HOMELAND SECURITY Office of the Secretary Privacy Act of 1974; Retirement of Department of Homeland Security Transportation Security Administration System of Records AGENCY: Privacy...

The Role of HIPAA Omnibus Rules in Reducing the Frequency of Medical Data Breaches: Insights From an Empirical Study.

PubMed

Yaraghi, Niam; Gopal, Ram D

2018-03-01

Policy Points: Frequent data breaches in the US health care system undermine the privacy of millions of patients every year-a large number of which happen among business associates of the health care providers that continue to gain unprecedented access to patients' data as the US health care system becomes digitally integrated. Implementation of the HIPAA Omnibus Rules in 2013 has led to a significant decrease in the number of privacy breach incidents among business associates. Frequent data breaches in the US health care system undermine the privacy of millions of patients every year. A large number of such breaches happens among business associates of the health care providers that continue to gain unprecedented access to patients' data as the US health care system becomes digitally integrated. The Omnibus Rules of the Health Insurance Portability and Accountability Act (HIPAA), which were enacted in 2013, significantly increased the regulatory oversight and privacy protection requirements of business associates. The objective of this study is to empirically examine the effects of this shift in policy on the frequency of medical privacy breaches among business associates in the US health care system. The findings of this research shed light on how regulatory efforts can protect patients' privacy. Using publicly available data on breach incidents between October 2009 and August 2017 as reported by the Office for Civil Rights (OCR), we conducted an interrupted time-series analysis and a difference-in-differences analysis to examine the immediate and long-term effects of implementation of HIPAA omnibus rules on the frequency of medical privacy breaches. We show that implementation of the omnibus rules led to a significant reduction in the number of breaches among business associates and prevented 180 privacy breaches from happening, which could have affected nearly 18 million Americans. Implementation of HIPAA omnibus rules may have been a successful federal policy

Privacy and Security: A Bibliography.

ERIC Educational Resources Information Center

Computer and Business Equipment Manufacturers Association, Washington, DC.

Compiled at random from many sources, this bibliography attempts to cite as many publications concerning privacy and security as are available. The entries are organized under seven headings: (1) systems security, technical security, clearance of personnel, (2) corporate physical security, (3) administrative security, (4) miscellaneous--privacy…

Security and Privacy in Cyber-Physical Systems

DOE Office of Scientific and Technical Information (OSTI.GOV)

Fink, Glenn A.; Edgar, Thomas W.; Rice, Theora R.

As you have seen from the previous chapters, cyber-physical systems (CPS) are broadly used across technology and industrial domains. While these systems enable process optimization and efficiency and allow previously impossible functionality, security and privacy are key concerns for their design, development, and operation. CPS have been key components utilized in some of the highest publicized security breaches over the last decade. In this chapter, we will look over the CPS described in the previous chapters from a security perspective. In this chapter, we explain classical information and physical security fundamentals in the context of CPS and contextualize them acrossmore » application domains. We give examples where the interplay of functionality and diverse communication can introduce unexpected vulnerabilities and produce larger impacts. We will discuss how CPS security and privacy is inherently different from that of pure cyber or physical systems and what may be done to secure these systems, considering their emergent cyber-physical properties. Finally, we will discuss security and privacy implications of merging infrastructural and personal CPS. Our hope is to impart the knowledge of what CPS security and privacy are, why they are important, and explain existing processes and challenges.« less

Security Concerns in Android mHealth Apps.

PubMed

He, Dongjing; Naveed, Muhammad; Gunter, Carl A; Nahrstedt, Klara

2014-01-01

Mobile Health (mHealth) applications lie outside of regulatory protection such as HIPAA, which requires a baseline of privacy and security protections appropriate to sensitive medical data. However, mHealth apps, particularly those in the app stores for iOS and Android, are increasingly handling sensitive data for both professionals and patients. This paper presents a series of three studies of the mHealth apps in Google Play that show that mHealth apps make widespread use of unsecured Internet communications and third party servers. Both of these practices would be considered problematic under HIPAA, suggesting that increased use of mHealth apps could lead to less secure treatment of health data unless mHealth vendors make improvements in the way they communicate and store data.

48 CFR 52.239-1 - Privacy or Security Safeguards.

Code of Federal Regulations, 2014 CFR

2014-10-01

... 48 Federal Acquisition Regulations System 2 2014-10-01 2014-10-01 false Privacy or Security....239-1 Privacy or Security Safeguards. As prescribed in 39.107, insert a clause substantially the same as the following: Privacy or Security Safeguards (AUG 1996) (a) The Contractor shall not publish or...

48 CFR 52.239-1 - Privacy or Security Safeguards.

Code of Federal Regulations, 2011 CFR

2011-10-01

... 48 Federal Acquisition Regulations System 2 2011-10-01 2011-10-01 false Privacy or Security....239-1 Privacy or Security Safeguards. As prescribed in 39.107, insert a clause substantially the same as the following: Privacy or Security Safeguards (AUG 1996) (a) The Contractor shall not publish or...

48 CFR 52.239-1 - Privacy or Security Safeguards.

Code of Federal Regulations, 2012 CFR

2012-10-01

... 48 Federal Acquisition Regulations System 2 2012-10-01 2012-10-01 false Privacy or Security....239-1 Privacy or Security Safeguards. As prescribed in 39.107, insert a clause substantially the same as the following: Privacy or Security Safeguards (AUG 1996) (a) The Contractor shall not publish or...

48 CFR 52.239-1 - Privacy or Security Safeguards.

Code of Federal Regulations, 2013 CFR

2013-10-01

... 48 Federal Acquisition Regulations System 2 2013-10-01 2013-10-01 false Privacy or Security....239-1 Privacy or Security Safeguards. As prescribed in 39.107, insert a clause substantially the same as the following: Privacy or Security Safeguards (AUG 1996) (a) The Contractor shall not publish or...

48 CFR 52.239-1 - Privacy or Security Safeguards.

Code of Federal Regulations, 2010 CFR

2010-10-01

... 48 Federal Acquisition Regulations System 2 2010-10-01 2010-10-01 false Privacy or Security....239-1 Privacy or Security Safeguards. As prescribed in 39.107, insert a clause substantially the same as the following: Privacy or Security Safeguards (AUG 1996) (a) The Contractor shall not publish or...

Privacy enhanced group communication in clinical environment

NASA Astrophysics Data System (ADS)

Li, Mingyan; Narayanan, Sreeram; Poovendran, Radha

2005-04-01

Privacy protection of medical records has always been an important issue and is mandated by the recent Health Insurance Portability and Accountability Act (HIPAA) standards. In this paper, we propose security architectures for a tele-referring system that allows electronic group communication among professionals for better quality treatments, while protecting patient privacy against unauthorized access. Although DICOM defines the much-needed guidelines for confidentiality of medical data during transmission, there is no provision in the existing medical security systems to guarantee patient privacy once the data has been received. In our design, we address this issue by enabling tracing back to the recipient whose received data is disclosed to outsiders, using watermarking technique. We present security architecture design of a tele-referring system using a distributed approach and a centralized web-based approach. The resulting tele-referring system (i) provides confidentiality during the transmission and ensures integrity and authenticity of the received data, (ii) allows tracing of the recipient who has either distributed the data to outsiders or whose system has been compromised, (iii) provides proof of receipt or origin, and (iv) can be easy to use and low-cost to employ in clinical environment.

77 FR 70796 - Privacy Act of 1974; Retirement of Department of Homeland Security Transportation Security...

Federal Register 2010, 2011, 2012, 2013, 2014

2012-11-27

...; email: [email protected] . For privacy issues please contact: Jonathan Cantor, (202-343-1717), Acting... DEPARTMENT OF HOMELAND SECURITY Office of the Secretary Privacy Act of 1974; Retirement of Department of Homeland Security Transportation Security Administration System of Records AGENCY: Privacy...

77 FR 70795 - Privacy Act of 1974; Retirement of Department of Homeland Security Transportation Security...

Federal Register 2010, 2011, 2012, 2013, 2014

2012-11-27

... 20598-6036; email: [email protected] . For privacy issues please contact: Jonathan Cantor, (202-343... DEPARTMENT OF HOMELAND SECURITY Office of the Secretary Privacy Act of 1974; Retirement of Department of Homeland Security Transportation Security Administration System of Records AGENCY: Privacy...

Security Concerns in Android mHealth Apps

PubMed Central

He, Dongjing; Naveed, Muhammad; Gunter, Carl A.; Nahrstedt, Klara

2014-01-01

Mobile Health (mHealth) applications lie outside of regulatory protection such as HIPAA, which requires a baseline of privacy and security protections appropriate to sensitive medical data. However, mHealth apps, particularly those in the app stores for iOS and Android, are increasingly handling sensitive data for both professionals and patients. This paper presents a series of three studies of the mHealth apps in Google Play that show that mHealth apps make widespread use of unsecured Internet communications and third party servers. Both of these practices would be considered problematic under HIPAA, suggesting that increased use of mHealth apps could lead to less secure treatment of health data unless mHealth vendors make improvements in the way they communicate and store data. PMID:25954370

Public assessment of new surveillance-oriented security technologies: Beyond the trade-off between privacy and security.

PubMed

Pavone, Vincenzo; Esposti, Sara Degli

2012-07-01

As surveillance-oriented security technologies (SOSTs) are considered security enhancing but also privacy infringing, citizens are expected to trade part of their privacy for higher security. Drawing from the PRISE project, this study casts some light on how citizens actually assess SOSTs through a combined analysis of focus groups and survey data. First, the outcomes suggest that people did not assess SOSTs in abstract terms but in relation to the specific institutional and social context of implementation. Second, from this embedded viewpoint, citizens either expressed concern about government's surveillance intentions and considered SOSTs mainly as privacy infringing, or trusted political institutions and believed that SOSTs effectively enhanced their security. None of them, however, seemed to trade privacy for security because concerned citizens saw their privacy being infringed without having their security enhanced, whilst trusting citizens saw their security being increased without their privacy being affected.

The Challenges of Seeking Security While Respecting Privacy

NASA Astrophysics Data System (ADS)

Kantor, Paul B.; Lesk, Michael E.

Security is a concern for persons, organizations, and nations. For the individual members of organizations and nations, personal privacy is also a concern. The technologies for monitoring electronic communication are at the same time tools to protect security and threats to personal privacy. Participants in this workshop address the interrelation of personal privacy and national or societal security, from social, technical and legal perspectives. The participants represented industry, the academy and the United States Government. The issues addressed have become, if anything, even more pressing today than they were when the conference was held.

A Comprehensive Comparison of Multiparty Secure Additions with Differential Privacy

PubMed Central

Goryczka, Slawomir; Xiong, Li

2016-01-01

This paper considers the problem of secure data aggregation (mainly summation) in a distributed setting, while ensuring differential privacy of the result. We study secure multiparty addition protocols using well known security schemes: Shamir’s secret sharing, perturbation-based, and various encryptions. We supplement our study with our new enhanced encryption scheme EFT, which is efficient and fault tolerant. Differential privacy of the final result is achieved by either distributed Laplace or Geometric mechanism (respectively DLPA or DGPA), while approximated differential privacy is achieved by diluted mechanisms. Distributed random noise is generated collectively by all participants, which draw random variables from one of several distributions: Gamma, Gauss, Geometric, or their diluted versions. We introduce a new distributed privacy mechanism with noise drawn from the Laplace distribution, which achieves smaller redundant noise with efficiency. We compare complexity and security characteristics of the protocols with different differential privacy mechanisms and security schemes. More importantly, we implemented all protocols and present an experimental comparison on their performance and scalability in a real distributed environment. Based on the evaluations, we identify our security scheme and Laplace DLPA as the most efficient for secure distributed data aggregation with privacy. PMID:28919841

A Comprehensive Comparison of Multiparty Secure Additions with Differential Privacy.

PubMed

Goryczka, Slawomir; Xiong, Li

2017-01-01

This paper considers the problem of secure data aggregation (mainly summation) in a distributed setting, while ensuring differential privacy of the result. We study secure multiparty addition protocols using well known security schemes: Shamir's secret sharing, perturbation-based, and various encryptions. We supplement our study with our new enhanced encryption scheme EFT, which is efficient and fault tolerant. Differential privacy of the final result is achieved by either distributed Laplace or Geometric mechanism (respectively DLPA or DGPA), while approximated differential privacy is achieved by diluted mechanisms. Distributed random noise is generated collectively by all participants, which draw random variables from one of several distributions: Gamma, Gauss, Geometric, or their diluted versions. We introduce a new distributed privacy mechanism with noise drawn from the Laplace distribution, which achieves smaller redundant noise with efficiency. We compare complexity and security characteristics of the protocols with different differential privacy mechanisms and security schemes. More importantly, we implemented all protocols and present an experimental comparison on their performance and scalability in a real distributed environment. Based on the evaluations, we identify our security scheme and Laplace DLPA as the most efficient for secure distributed data aggregation with privacy.

Security, privacy, and confidentiality issues on the Internet.

PubMed

Kelly, Grant; McKenzie, Bruce

2002-01-01

We introduce the issues around protecting information about patients and related data sent via the Internet. We begin by reviewing three concepts necessary to any discussion about data security in a healthcare environment: privacy, confidentiality, and consent. We are giving some advice on how to protect local data. Authentication and privacy of e-mail via encryption is offered by Pretty Good Privacy (PGP) and Secure Multipurpose Internet Mail Extensions (S/MIME). The de facto Internet standard for encrypting Web-based information interchanges is Secure Sockets Layer (SSL), more recently known as Transport Layer Security or TLS. There is a public key infrastructure process to 'sign' a message whereby the private key of an individual can be used to 'hash' the message. This can then be verified against the sender's public key. This ensures the data's authenticity and origin without conferring privacy, and is called a 'digital signature'. The best protection against viruses is not opening e-mails from unknown sources or those containing unusual message headers.

45 CFR 155.260 - Privacy and security of personally identifiable information.

Code of Federal Regulations, 2013 CFR

2013-10-01

... 45 Public Welfare 1 2013-10-01 2013-10-01 false Privacy and security of personally identifiable... AFFORDABLE CARE ACT General Functions of an Exchange § 155.260 Privacy and security of personally... must establish and implement privacy and security standards that are consistent with the following...

Logical Specification of the GLBA and HIPAA Privacy Laws

DTIC Science & Technology

2010-04-29

a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail...the consumer’s account with the financial institution, or with another entity as part of a private label credit card program or other extension of...T dii ). Since we ensure that this class is distinct from phi , we have no norm here. All other norms that we have in HIPAA will include the constraint

Safeguarding patient privacy in electronic healthcare in the USA: the legal view.

PubMed

Walsh, Diana; Passerini, Katia; Varshney, Upkar; Fjermestad, Jerry

2008-01-01

The conflict between the sweeping power of technology to access and assemble personal information and the ongoing concern about our privacy and security is ever increasing. While we gradually need higher electronic access to medical information, issues relating to patient privacy and reducing vulnerability to security breaches surmount. In this paper, we take a legal perspective and examine the existing patchwork of laws and obligations governing health information in the USA. The study finds that as Electronic Medical Records (EMRs) increase in scope and dissemination, privacy protections gradually decrease due to the shortcomings in the legal system. The contributions of this paper are (1) an overview of the legal EMR issues in the USA, and (2) the identification of the unresolved legal issues and how these will escalate when health information is transmitted over wireless networks. More specifically, the paper discusses federal and state government regulations such as the Electronic Communications Privacy Act, the Health Insurance Portability and Accountability Act (HIPAA) and judicial intervention. Based on the legal overview, the unresolved challenges are identified and suggestions for future research are included.

Security, privacy, and confidentiality issues on the Internet

PubMed Central

Kelly, Grant; McKenzie, Bruce

2002-01-01

We introduce the issues around protecting information about patients and related data sent via the Internet. We begin by reviewing three concepts necessary to any discussion about data security in a healthcare environment: privacy, confidentiality, and consent. We are giving some advice on how to protect local data. Authentication and privacy of e-mail via encryption is offered by Pretty Good Privacy (PGP) and Secure Multipurpose Internet Mail Extensions (S/MIME). The de facto Internet standard for encrypting Web-based information interchanges is Secure Sockets Layer (SSL), more recently known as Transport Layer Security or TLS. There is a public key infrastructure process to `sign' a message whereby the private key of an individual can be used to `hash' the message. This can then be verified against the sender's public key. This ensures the data's authenticity and origin without conferring privacy, and is called a `digital signature'. The best protection against viruses is not opening e-mails from unknown sources or those containing unusual message headers. PMID:12554559

42 CFR 401.713 - Ensuring the privacy and security of data.

Code of Federal Regulations, 2014 CFR

2014-10-01

... 42 Public Health 2 2014-10-01 2014-10-01 false Ensuring the privacy and security of data. 401.713... Performance Measurement § 401.713 Ensuring the privacy and security of data. (a) A qualified entity must... require the qualified entity to maintain privacy and security protocols throughout the duration of the...

Cyber security challenges in Smart Cities: Safety, security and privacy

PubMed Central

Elmaghraby, Adel S.; Losavio, Michael M.

2014-01-01

The world is experiencing an evolution of Smart Cities. These emerge from innovations in information technology that, while they create new economic and social opportunities, pose challenges to our security and expectations of privacy. Humans are already interconnected via smart phones and gadgets. Smart energy meters, security devices and smart appliances are being used in many cities. Homes, cars, public venues and other social systems are now on their path to the full connectivity known as the “Internet of Things.” Standards are evolving for all of these potentially connected systems. They will lead to unprecedented improvements in the quality of life. To benefit from them, city infrastructures and services are changing with new interconnected systems for monitoring, control and automation. Intelligent transportation, public and private, will access a web of interconnected data from GPS location to weather and traffic updates. Integrated systems will aid public safety, emergency responders and in disaster recovery. We examine two important and entangled challenges: security and privacy. Security includes illegal access to information and attacks causing physical disruptions in service availability. As digital citizens are more and more instrumented with data available about their location and activities, privacy seems to disappear. Privacy protecting systems that gather data and trigger emergency response when needed are technological challenges that go hand-in-hand with the continuous security challenges. Their implementation is essential for a Smart City in which we would wish to live. We also present a model representing the interactions between person, servers and things. Those are the major element in the Smart City and their interactions are what we need to protect. PMID:25685517

Cyber security challenges in Smart Cities: Safety, security and privacy.

PubMed

Elmaghraby, Adel S; Losavio, Michael M

2014-07-01

The world is experiencing an evolution of Smart Cities. These emerge from innovations in information technology that, while they create new economic and social opportunities, pose challenges to our security and expectations of privacy. Humans are already interconnected via smart phones and gadgets. Smart energy meters, security devices and smart appliances are being used in many cities. Homes, cars, public venues and other social systems are now on their path to the full connectivity known as the "Internet of Things." Standards are evolving for all of these potentially connected systems. They will lead to unprecedented improvements in the quality of life. To benefit from them, city infrastructures and services are changing with new interconnected systems for monitoring, control and automation. Intelligent transportation, public and private, will access a web of interconnected data from GPS location to weather and traffic updates. Integrated systems will aid public safety, emergency responders and in disaster recovery. We examine two important and entangled challenges: security and privacy. Security includes illegal access to information and attacks causing physical disruptions in service availability. As digital citizens are more and more instrumented with data available about their location and activities, privacy seems to disappear. Privacy protecting systems that gather data and trigger emergency response when needed are technological challenges that go hand-in-hand with the continuous security challenges. Their implementation is essential for a Smart City in which we would wish to live. We also present a model representing the interactions between person, servers and things. Those are the major element in the Smart City and their interactions are what we need to protect.

Can EHRs and HIEs get along with HIPAA security requirements?

PubMed

Sarrico, Christine; Hauenstein, Jim

2011-02-01

For Enloe Medical Center in California, a good-faith effort to self-report a breach in the privacy of a patient's medical record resulted in a six-figure fine imposed by a state regulatory agency. Hospitals face a "catch-22" situation in responding to the conflicting mandates of developing electronic health records that allow information sharing across institutions versus ensuring absolute protection and security of patients' individual health information. Some industry analysts suggest that the sanctions for security breaches such as the one experienced by Enloe will have the unintended effect of discouraging self-reporting of breaches.

42 CFR 600.350 - Privacy and security of information.

Code of Federal Regulations, 2014 CFR

2014-10-01

... 42 Public Health 5 2014-10-01 2014-10-01 false Privacy and security of information. 600.350 Section 600.350 Public Health CENTERS FOR MEDICARE & MEDICAID SERVICES, DEPARTMENT OF HEALTH AND HUMAN... (Eff. 1-1-15) Eligibility and Enrollment § 600.350 Privacy and security of information. The State must...

The Regulatory Framework for Privacy and Security

NASA Astrophysics Data System (ADS)

Hiller, Janine S.

The internet enables the easy collection of massive amounts of personally identifiable information. Unregulated data collection causes distrust and conflicts with widely accepted principles of privacy. The regulatory framework in the United States for ensuring privacy and security in the online environment consists of federal, state, and self-regulatory elements. New laws have been passed to address technological and internet practices that conflict with privacy protecting policies. The United States and the European Union approaches to privacy differ significantly, and the global internet environment will likely cause regulators to face the challenge of balancing privacy interests with data collection for many years to come.

75 FR 8096 - Privacy Act of 1974; Department of Homeland Security Transportation Security Administration-023...

Federal Register 2010, 2011, 2012, 2013, 2014

2010-02-23

... Prevention Program System of Records AGENCY: Privacy Office, DHS. ACTION: Notice of Privacy Act system of... to establish a new system of records titled, ``Department of Homeland Security/Transportation Security Administration--023 Workplace Violence Prevention Program System of Records.'' This system will...

Privacy, confidentiality, and security in information systems of state health agencies.

PubMed

O'Brien, D G; Yasnoff, W A

1999-05-01

To assess the employment and status of privacy, confidentiality, security and fair information practices in electronic information systems of U.S. state health agencies. A survey instrument was developed and administered to key contacts within the state health agencies of each of the 50 U.S. states, Puerto Rico and the District of Columbia. About a third of U.S. state health agencies have no written policies in place regarding privacy and confidentiality in electronic information systems. The doctrines of fair information practice often seemed to be ignored. One quarter of the agencies reported at least one security breach during the past two years, and 16% experienced a privacy and confidentiality related transgression. Most of the breaches were committed by personnel from within the agencies. These results raise questions about the integrity of existing privacy, confidentiality and security measures in the information systems of U.S. state health agencies. Recommendations include the development and vigorous enforcement of written privacy and confidentiality policies, increased personnel training, and expanded implementation of security measures such as encryption and system firewalls. A discussion of the current status of U.S. privacy, confidentiality and security issues is offered.

Towards a privacy preserving cohort discovery framework for clinical research networks.

PubMed

Yuan, Jiawei; Malin, Bradley; Modave, François; Guo, Yi; Hogan, William R; Shenkman, Elizabeth; Bian, Jiang

2017-02-01

The last few years have witnessed an increasing number of clinical research networks (CRNs) focused on building large collections of data from electronic health records (EHRs), claims, and patient-reported outcomes (PROs). Many of these CRNs provide a service for the discovery of research cohorts with various health conditions, which is especially useful for rare diseases. Supporting patient privacy can enhance the scalability and efficiency of such processes; however, current practice mainly relies on policy, such as guidelines defined in the Health Insurance Portability and Accountability Act (HIPAA), which are insufficient for CRNs (e.g., HIPAA does not require encryption of data - which can mitigate insider threats). By combining policy with privacy enhancing technologies we can enhance the trustworthiness of CRNs. The goal of this research is to determine if searchable encryption can instill privacy in CRNs without sacrificing their usability. We developed a technique, implemented in working software to enable privacy-preserving cohort discovery (PPCD) services in large distributed CRNs based on elliptic curve cryptography (ECC). This technique also incorporates a block indexing strategy to improve the performance (in terms of computational running time) of PPCD. We evaluated the PPCD service with three real cohort definitions: (1) elderly cervical cancer patients who underwent radical hysterectomy, (2) oropharyngeal and tongue cancer patients who underwent robotic transoral surgery, and (3) female breast cancer patients who underwent mastectomy) with varied query complexity. These definitions were tested in an encrypted database of 7.1 million records derived from the publically available Healthcare Cost and Utilization Project (HCUP) Nationwide Inpatient Sample (NIS). We assessed the performance of the PPCD service in terms of (1) accuracy in cohort discovery, (2) computational running time, and (3) privacy afforded to the underlying records during PPCD. The

Implementing Patient Access to Electronic Health Records Under HIPAA: Lessons Learned

PubMed Central

Wang, Tiffany; Pizziferri, Lisa; Volk, Lynn A; Mikels, Debra A; Grant, Karen G; Wald, Jonathan S; Bates, David W

2004-01-01

In 2001, the Institute of Medicine (IOM) and the Health Insurance Portability and Accountability Act (HIPAA) emphasized the need for patients to have greater control over their health information. We describe a Boston healthcare system's approach to providing patients access to their electronic health records (EHRs) via Patient Gateway, a secure, Web-based portal. Implemented in 19 clinic sites to date, Patient Gateway allows patients to access information from their medical charts via the Internet in a secure manner. Since 2002, over 19,000 patients have enrolled in Patient Gateway, more than 125,000 patients have logged into the system, and over 37,000 messages have been sent by patients to their practices. There have been no major security concerns. By providing access to EHR data, secure systems like Patient Gateway allow patients a greater role in their healthcare process, as envisioned by the IOM and HIPAA. PMID:18066391

75 FR 57904 - Announcing a Meeting of the Information Security and Privacy Advisory Board

Federal Register 2010, 2011, 2012, 2013, 2014

2010-09-23

... Office, --Update of NIST Computer Security Division, and --Information Security and Privacy Advisory... Information Security and Privacy Advisory Board AGENCY: National Institute of Standards and Technology, Commerce. ACTION: Notice. SUMMARY: The Information Security and Privacy Advisory Board (ISPAB) will meet...

Homomorphic encryption-based secure SIFT for privacy-preserving feature extraction

NASA Astrophysics Data System (ADS)

Hsu, Chao-Yung; Lu, Chun-Shien; Pei, Soo-Chang

2011-02-01

Privacy has received much attention but is still largely ignored in the multimedia community. Consider a cloud computing scenario, where the server is resource-abundant and is capable of finishing the designated tasks, it is envisioned that secure media retrieval and search with privacy-preserving will be seriously treated. In view of the fact that scale-invariant feature transform (SIFT) has been widely adopted in various fields, this paper is the first to address the problem of secure SIFT feature extraction and representation in the encrypted domain. Since all the operations in SIFT must be moved to the encrypted domain, we propose a homomorphic encryption-based secure SIFT method for privacy-preserving feature extraction and representation based on Paillier cryptosystem. In particular, homomorphic comparison is a must for SIFT feature detection but is still a challenging issue for homomorphic encryption methods. To conquer this problem, we investigate a quantization-like secure comparison strategy in this paper. Experimental results demonstrate that the proposed homomorphic encryption-based SIFT performs comparably to original SIFT on image benchmarks, while preserving privacy additionally. We believe that this work is an important step toward privacy-preserving multimedia retrieval in an environment, where privacy is a major concern.

Complying with the Health Insurance Portability and Accountability Act. Privacy standards.

PubMed

Shuren, A W; Livsey, K

2001-11-01

The Privacy Rule: Limits the use and disclosure of PHI to purposes of treatment, payment, or routine health care operations. Requires covered entities to provide advance notice to the public of its policy governing disclosure of PHI. Requires entities covered by the Standard to secure general client consent to use and to disclose PHI for treatment, payment, or routine health care operations and to obtain specific client authorization to use or to disclose PHI for all other purposes unless the disclosure is specifically permitted without consent or authorization (e.g., a covered entity may disclose PHI to a health care oversight agency such as the Office of the Inspector General without first obtaining client authorization). In certain situations, a covered entity need only obtain client agreement to disclose PHI which may be oral or inferred from the circumstances surrounding the disclosure. For example, a covered entity could disclose PHI to a relative caring for the individual who is the subject of the health information. Expects covered entities to take measures to protect PHI from both inadvertent and deliberate misuse and disclosure. Requires, except in certain circumstances, the amount of PHI disclosed on any occasion to be limited to the minimum necessary to achieve the purpose of the disclosure. Gives individuals more control of their health information by permitting them to review and amend health information pertaining to themselves and to demand an accounting of persons to whom their health information has been disclosed. Establishes terms under which a covered entity may disclose PHI to a business associate. Permits states to maintain state laws that are more stringent than the Privacy Rule. The statute provides for significant civil and criminal penalties for failure to comply with the Standards. Violations are punishable by fines as much as $250,000 and 10 years imprisonment. The HHS, Office of Civil Rights is charged with enforcing the Standards. The

SAFETY, SECURITY, HYGIENE AND PRIVACY IN MIGRANT FARMWORKER HOUSING

PubMed Central

Arcury, Thomas A.; Weir, Maria M.; Summers, Phillip; Chen, Haiying; Bailey, Melissa; Wiggins, Melinda F.; Bischoff, Werner E.; Quandt, Sara A.

2013-01-01

Safety, security, hygiene, and privacy in migrant farmworker housing have not previously been documented, yet these attributes are important for farmworker quality of life and dignity. This analysis describes the safety, security, hygiene, and privacy of migrant farmworker housing and delineates camp characteristics that are associated with these attributes, using data collected in 183 eastern North Carolina migrant farmworker camps in 2010. Migrant farmworker housing is deficient. For example, 73.8 percent of housing had structural damage and 52.7 percent had indoor temperatures that were not safe. Farmworkers in 83.5 percent of the housing reported that they did not feel they or their possessions were secure. Bathing or toileting privacy was absent in 46.2 percent of the housing. Camps with residents having H-2A visas or North Carolina Department of Labor certificates of inspection posted had better safety, security, and hygiene. Regulations addressing the quality of migrant farmworker housing are needed. PMID:22776578

76 FR 19107 - Privacy Act of 1974; Department of Homeland Security Federal Emergency Management Agency-011...

Federal Register 2010, 2011, 2012, 2013, 2014

2011-04-06

... Ellen Callahan, Chief Privacy Officer, Privacy Office, Department of Homeland Security, Washington, DC... (703-235- 0780), Chief Privacy Officer, Privacy Office, Department of Homeland Security, Washington, DC... Chief Privacy Officer and Chief Freedom of Information Act Officer, Department of Homeland Security, 245...

Secure privacy-preserving biometric authentication scheme for telecare medicine information systems.

PubMed

Li, Xuelei; Wen, Qiaoyan; Li, Wenmin; Zhang, Hua; Jin, Zhengping

2014-11-01

Healthcare delivery services via telecare medicine information systems (TMIS) can help patients to obtain their desired telemedicine services conveniently. However, information security and privacy protection are important issues and crucial challenges in healthcare information systems, where only authorized patients and doctors can employ telecare medicine facilities and access electronic medical records. Therefore, a secure authentication scheme is urgently required to achieve the goals of entity authentication, data confidentiality and privacy protection. This paper investigates a new biometric authentication with key agreement scheme, which focuses on patient privacy and medical data confidentiality in TMIS. The new scheme employs hash function, fuzzy extractor, nonce and authenticated Diffie-Hellman key agreement as primitives. It provides patient privacy protection, e.g., hiding identity from being theft and tracked by unauthorized participant, and preserving password and biometric template from being compromised by trustless servers. Moreover, key agreement supports secure transmission by symmetric encryption to protect patient's medical data from being leaked. Finally, the analysis shows that our proposal provides more security and privacy protection for TMIS.

Security and privacy preserving approaches in the eHealth clouds with disaster recovery plan.

PubMed

Sahi, Aqeel; Lai, David; Li, Yan

2016-11-01

Cloud computing was introduced as an alternative storage and computing model in the health sector as well as other sectors to handle large amounts of data. Many healthcare companies have moved their electronic data to the cloud in order to reduce in-house storage, IT development and maintenance costs. However, storing the healthcare records in a third-party server may cause serious storage, security and privacy issues. Therefore, many approaches have been proposed to preserve security as well as privacy in cloud computing projects. Cryptographic-based approaches were presented as one of the best ways to ensure the security and privacy of healthcare data in the cloud. Nevertheless, the cryptographic-based approaches which are used to transfer health records safely remain vulnerable regarding security, privacy, or the lack of any disaster recovery strategy. In this paper, we review the related work on security and privacy preserving as well as disaster recovery in the eHealth cloud domain. Then we propose two approaches, the Security-Preserving approach and the Privacy-Preserving approach, and a disaster recovery plan. The Security-Preserving approach is a robust means of ensuring the security and integrity of Electronic Health Records, and the Privacy-Preserving approach is an efficient authentication approach which protects the privacy of Personal Health Records. Finally, we discuss how the integrated approaches and the disaster recovery plan can ensure the reliability and security of cloud projects. Copyright © 2016 Elsevier Ltd. All rights reserved.

Privacy and data security in E-health: requirements from the user's perspective.

PubMed

Wilkowska, Wiktoria; Ziefle, Martina

2012-09-01

In this study two currently relevant aspects of using medical assistive technologies were addressed-security and privacy. In a two-step empirical approach that used focus groups (n = 19) and a survey (n = 104), users' requirements for the use of medical technologies were collected and evaluated. Specifically, we focused on the perceived importance of data security and privacy issues. Outcomes showed that both security and privacy aspects play an important role in the successful adoption of medical assistive technologies in the home environment. In particular, analysis of data with respect to gender, health-status and age (young, middle-aged and old users) revealed that females and healthy adults require, and insist on, the highest security and privacy standards compared with males and the ailing elderly.

Patient privacy and social media.

PubMed

Hader, Amy L; Brown, Evan D

2010-08-01

Healthcare providers using social media must remain mindful of professional boundaries and patients' privacy rights. Facebook and other online postings must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), applicable facility policy, state law, and AANA's Code of Ethics.

A Practitioner's Response to the New Health Privacy Regulations

ERIC Educational Resources Information Center

Yang, Julia A.; Kombarakaran, Francis A.

2006-01-01

The established professional practice requiring informed consent for the disclosure of personal health information with its implied right to privacy suffered a serious setback with the first federal privacy initiative of the Bush administration. The new Health Insurance Portability and Accountability Act (HIPAA) of 1996 (P.L. 104-191) privacy…

Assuring image authenticity within a data grid using lossless digital signature embedding and a HIPAA-compliant auditing system

NASA Astrophysics Data System (ADS)

Lee, Jasper C.; Ma, Kevin C.; Liu, Brent J.

2008-03-01

A Data Grid for medical images has been developed at the Image Processing and Informatics Laboratory, USC to provide distribution and fault-tolerant storage of medical imaging studies across Internet2 and public domain. Although back-up policies and grid certificates guarantee privacy and authenticity of grid-access-points, there still lacks a method to guarantee the sensitive DICOM images have not been altered or corrupted during transmission across a public domain. This paper takes steps toward achieving full image transfer security within the Data Grid by utilizing DICOM image authentication and a HIPAA-compliant auditing system. The 3-D lossless digital signature embedding procedure involves a private 64 byte signature that is embedded into each original DICOM image volume, whereby on the receiving end the signature can to be extracted and verified following the DICOM transmission. This digital signature method has also been developed at the IPILab. The HIPAA-Compliant Auditing System (H-CAS) is required to monitor embedding and verification events, and allows monitoring of other grid activity as well. The H-CAS system federates the logs of transmission and authentication events at each grid-access-point and stores it into a HIPAA-compliant database. The auditing toolkit is installed at the local grid-access-point and utilizes Syslog [1], a client-server standard for log messaging over an IP network, to send messages to the H-CAS centralized database. By integrating digital image signatures and centralized logging capabilities, DICOM image integrity within the Medical Imaging and Informatics Data Grid can be monitored and guaranteed without loss to any image quality.

A Framework for Privacy-preserving Classification of Next-generation PHR data.

PubMed

Koufi, Vassiliki; Malamateniou, Flora; Prentza, Andriana; Vassilacopoulos, George

2014-01-01

Personal Health Records (PHRs), integrated with data from various sources, such as social care data, Electronic Health Record data and genetic information, are envisaged as having a pivotal role in transforming healthcare. These data, lumped under the term 'big data', are usually complex, noisy, heterogeneous, longitudinal and voluminous thus prohibiting their meaningful use by clinicians. Deriving value from these data requires the utilization of innovative data analysis techniques, which, however, may be hindered due to potential security and privacy breaches that may arise from improper release of personal health information. This paper presents a HIPAA-compliant machine learning framework that enables privacy-preserving classification of next-generation PHR data. The predictive models acquired can act as supporting tools to clinical practice by enabling more effective prevention, diagnosis and treatment of new incidents. The proposed framework has a huge potential for complementing medical staff expertise as it outperforms the manual inspection of PHR data while protecting patient privacy.

Privacy Preserved and Secured Reliable Routing Protocol for Wireless Mesh Networks.

PubMed

Meganathan, Navamani Thandava; Palanichamy, Yogesh

2015-01-01

Privacy preservation and security provision against internal attacks in wireless mesh networks (WMNs) are more demanding than in wired networks due to the open nature and mobility of certain nodes in the network. Several schemes have been proposed to preserve privacy and provide security in WMNs. To provide complete privacy protection in WMNs, the properties of unobservability, unlinkability, and anonymity are to be ensured during route discovery. These properties can be achieved by implementing group signature and ID-based encryption schemes during route discovery. Due to the characteristics of WMNs, it is more vulnerable to many network layer attacks. Hence, a strong protection is needed to avoid these attacks and this can be achieved by introducing a new Cross-Layer and Subject Logic based Dynamic Reputation (CLSL-DR) mechanism during route discovery. In this paper, we propose a new Privacy preserved and Secured Reliable Routing (PSRR) protocol for WMNs. This protocol incorporates group signature, ID-based encryption schemes, and CLSL-DR mechanism to ensure strong privacy, security, and reliability in WMNs. Simulation results prove this by showing better performance in terms of most of the chosen parameters than the existing protocols.

Privacy, security and access with sensitive health information.

PubMed

Croll, Peter

2010-01-01

This chapter gives an educational overview of: * Confidentiality issues and the challenges faced; * The fundamental differences between privacy and security; * The different access control mechanisms; * The challenges of Internet security; * How 'safety and quality' relate to all the above.

Do privacy and security regulations need a status update? Perspectives from an intergenerational survey

PubMed Central

Pereira, Stacey; Robinson, Jill Oliver; Gutierrez, Amanda M.; Majumder, Mary A.; McGuire, Amy L.; Rothstein, Mark A.

2017-01-01

Background The importance of health privacy protections in the era of the “Facebook Generation” has been called into question. The ease with which younger people share personal information about themselves has led to the assumption that they are less concerned than older generations about the privacy of their information, including health information. We explored whether survey respondents’ views toward health privacy suggest that efforts to strengthen privacy protections as health information is moved online are unnecessary. Methods Using Amazon’s Mechanical Turk (MTurk), which is well-known for recruitment for survey research, we distributed a 45-item survey to individuals in the U.S. to assess their perspectives toward privacy and security of online and health information, social media behaviors, use of health and fitness devices, and demographic information. Results 1310 participants (mean age: 36 years, 50% female, 78% non-Hispanic white, 54% college graduates or higher) were categorized by generations: Millennials, Generation X, and Baby Boomers. In multivariate regression models, we found that generational cohort was an independent predictor of level of concern about privacy and security of both online and health information. Younger generations were significantly less likely to be concerned than older generations (all P < 0.05). Time spent online and social media use were not predictors of level of concern about privacy or security of online or health information (all P > 0.05). Limitations This study is limited by the non-representativeness of our sample. Conclusions Though Millennials reported lower levels of concern about privacy and security, this was not related to internet or social media behaviors, and majorities within all generations reported concern about both the privacy and security of their health information. Thus, there is no intergenerational imperative to relax privacy and security standards, and it would be advisable to take

Do privacy and security regulations need a status update? Perspectives from an intergenerational survey.

PubMed

Pereira, Stacey; Robinson, Jill Oliver; Peoples, Hayley A; Gutierrez, Amanda M; Majumder, Mary A; McGuire, Amy L; Rothstein, Mark A

2017-01-01

The importance of health privacy protections in the era of the "Facebook Generation" has been called into question. The ease with which younger people share personal information about themselves has led to the assumption that they are less concerned than older generations about the privacy of their information, including health information. We explored whether survey respondents' views toward health privacy suggest that efforts to strengthen privacy protections as health information is moved online are unnecessary. Using Amazon's Mechanical Turk (MTurk), which is well-known for recruitment for survey research, we distributed a 45-item survey to individuals in the U.S. to assess their perspectives toward privacy and security of online and health information, social media behaviors, use of health and fitness devices, and demographic information. 1310 participants (mean age: 36 years, 50% female, 78% non-Hispanic white, 54% college graduates or higher) were categorized by generations: Millennials, Generation X, and Baby Boomers. In multivariate regression models, we found that generational cohort was an independent predictor of level of concern about privacy and security of both online and health information. Younger generations were significantly less likely to be concerned than older generations (all P < 0.05). Time spent online and social media use were not predictors of level of concern about privacy or security of online or health information (all P > 0.05). This study is limited by the non-representativeness of our sample. Though Millennials reported lower levels of concern about privacy and security, this was not related to internet or social media behaviors, and majorities within all generations reported concern about both the privacy and security of their health information. Thus, there is no intergenerational imperative to relax privacy and security standards, and it would be advisable to take privacy and security of health information more seriously.

Prospective study of clinician-entered research data in the Emergency Department using an Internet-based system after the HIPAA Privacy Rule

PubMed Central

Kline, Jeffrey A; Johnson, Charles L; Webb, William B; Runyon, Michael S

2004-01-01

Background Design and test the reliability of a web-based system for multicenter, real-time collection of data in the emergency department (ED), under waiver of authorization, in compliance with HIPAA. Methods This was a phase I, two-hospital study of patients undergoing evaluation for possible pulmonary embolism. Data were collected by on-duty clinicians on an HTML data collection form (prospective e-form), populated using either a personal digital assistant (PDA) or personal computer (PC). Data forms were uploaded to a central, offsite server using secure socket protocol transfer. Each form was assigned a unique identifier, and all PHI data were encrypted, but were password-accessible by authorized research personnel to complete a follow-up e-form. Results From April 15, 2003-April 15 2004, 1022 prospective e-forms and 605 follow-up e-forms were uploaded. Complexities of PDA use compelled clinicians to use PCs in the ED for data entry for most forms. No data were lost and server log query revealed no unauthorized entry. Prospectively obtained PHI data, encrypted upon server upload, were successfully decrypted using password-protected access to allow follow-up without difficulty in 605 cases. Non-PHI data from prospective and follow-up forms were available to the study investigators via standard file transfer protocol. Conclusions Data can be accurately collected from on-duty clinicians in the ED using real-time, PC-Internet data entry in compliance with the Privacy Rule. Deidentification-reidentification of PHI was successfully accomplished by a password-protected encryption-deencryption mechanism to permit follow-up by approved research personnel. PMID:15479471

Are personal health records safe? A review of free web-accessible personal health record privacy policies.

PubMed

Carrión Señor, Inmaculada; Fernández-Alemán, José Luis; Toval, Ambrosio

2012-08-23

Several obstacles prevent the adoption and use of personal health record (PHR) systems, including users' concerns regarding the privacy and security of their personal health information. To analyze the privacy and security characteristics of PHR privacy policies. It is hoped that identification of the strengths and weaknesses of the PHR systems will be useful for PHR users, health care professionals, decision makers, and designers. We conducted a systematic review using the principal databases related to health and computer science to discover the Web-based and free PHR systems mentioned in published articles. The privacy policy of each PHR system selected was reviewed to extract its main privacy and security characteristics. The search of databases and the myPHR website provided a total of 52 PHR systems, of which 24 met our inclusion criteria. Of these, 17 (71%) allowed users to manage their data and to control access to their health care information. Only 9 (38%) PHR systems permitted users to check who had accessed their data. The majority of PHR systems used information related to the users' accesses to monitor and analyze system use, 12 (50%) of them aggregated user information to publish trends, and 20 (83%) used diverse types of security measures. Finally, 15 (63%) PHR systems were based on regulations or principles such as the US Health Insurance Portability and Accountability Act (HIPAA) and the Health on the Net Foundation Code of Conduct (HONcode). Most privacy policies of PHR systems do not provide an in-depth description of the security measures that they use. Moreover, compliance with standards and regulations in PHR systems is still low.

Are Personal Health Records Safe? A Review of Free Web-Accessible Personal Health Record Privacy Policies

PubMed Central

Fernández-Alemán, José Luis; Toval, Ambrosio

2012-01-01

Background Several obstacles prevent the adoption and use of personal health record (PHR) systems, including users’ concerns regarding the privacy and security of their personal health information. Objective To analyze the privacy and security characteristics of PHR privacy policies. It is hoped that identification of the strengths and weaknesses of the PHR systems will be useful for PHR users, health care professionals, decision makers, and designers. Methods We conducted a systematic review using the principal databases related to health and computer science to discover the Web-based and free PHR systems mentioned in published articles. The privacy policy of each PHR system selected was reviewed to extract its main privacy and security characteristics. Results The search of databases and the myPHR website provided a total of 52 PHR systems, of which 24 met our inclusion criteria. Of these, 17 (71%) allowed users to manage their data and to control access to their health care information. Only 9 (38%) PHR systems permitted users to check who had accessed their data. The majority of PHR systems used information related to the users’ accesses to monitor and analyze system use, 12 (50%) of them aggregated user information to publish trends, and 20 (83%) used diverse types of security measures. Finally, 15 (63%) PHR systems were based on regulations or principles such as the US Health Insurance Portability and Accountability Act (HIPAA) and the Health on the Net Foundation Code of Conduct (HONcode). Conclusions Most privacy policies of PHR systems do not provide an in-depth description of the security measures that they use. Moreover, compliance with standards and regulations in PHR systems is still low. PMID:22917868

Never too old for anonymity: a statistical standard for demographic data sharing via the HIPAA Privacy Rule

PubMed Central

Benitez, Kathleen; Masys, Daniel

2010-01-01

Objective Healthcare organizations must de-identify patient records before sharing data. Many organizations rely on the Safe Harbor Standard of the HIPAA Privacy Rule, which enumerates 18 identifiers that must be suppressed (eg, ages over 89). An alternative model in the Privacy Rule, known as the Statistical Standard, can facilitate the sharing of more detailed data, but is rarely applied because of a lack of published methodologies. The authors propose an intuitive approach to de-identifying patient demographics in accordance with the Statistical Standard. Design The authors conduct an analysis of the demographics of patient cohorts in five medical centers developed for the NIH-sponsored Electronic Medical Records and Genomics network, with respect to the US census. They report the re-identification risk of patient demographics disclosed according to the Safe Harbor policy and the relative risk rate for sharing such information via alternative policies. Measurements The re-identification risk of Safe Harbor demographics ranged from 0.01% to 0.19%. The findings show alternative de-identification models can be created with risks no greater than Safe Harbor. The authors illustrate that the disclosure of patient ages over the age of 89 is possible when other features are reduced in granularity. Limitations The de-identification approach described in this paper was evaluated with demographic data only and should be evaluated with other potential identifiers. Conclusion Alternative de-identification policies to the Safe Harbor model can be derived for patient demographics to enable the disclosure of values that were previously suppressed. The method is generalizable to any environment in which population statistics are available. PMID:21169618

Regulation, Privacy and Security: Chairman's Opening Remarks

PubMed Central

Gabrieli, E.R.

1979-01-01

Medical privacy is a keystone of a free democratic society. To conserve the right of the patient to medical privacy, computerization of the medical data must be regulated. This paper enumerates some steps to be taken urgently for the protection of computerized sensitive medical data. A computer-oriented medical lexicon is urgently needed for accurate coding. Health industry standards should be drafted. The goals of various data centers must be sharply defined to avoid conflicts of interest. Medical privacy should be studied further, and medical data centers should consider cost-effectiveness. State boards for medical privacy should be created to monitor data security procedures. There is a need for purposeful decentralization. A national medical information policy should be drafted, and a national clinical information board should implement the nation's medical information policy.

Aligning the Effective Use of Student Data with Student Privacy and Security Laws

ERIC Educational Resources Information Center

Winnick, Steve; Coleman, Art; Palmer, Scott; Lipper, Kate; Neiditz, Jon

2011-01-01

This legal and policy guidance provides a summary framework for state policymakers as they work to use longitudinal data to improve student achievement while also protecting the privacy and security of individual student records. Summarizing relevant federal privacy and security laws, with a focus on the Family Educational Records and Privacy Act…

HIPAA Readiness Collaborative in Hawaii.

PubMed

Chun, Marva; Forbes, Susan; Gose, Steven; Kumabe, Brenda; Loo, Jeffrey; Nichols, Lorraine; Rosa, Luis; Sherrill, Laura; Turner, Jim

2002-01-01

The vision of Hawaii's HIPAA Readiness Collaborative (HRC) effort is to realize the positive potential of HIPAA through a collaborative process that engages the entire healthcare delivery system. Goals include reducing the cost of healthcare through streamlining, reducing the cost of HIPAA implementation for HRC participants, and improving the interoperability between facilities through use of standard technologies.

Panel: RFID Security and Privacy

NASA Astrophysics Data System (ADS)

Fu, Kevin

The panel on RFID security and privacy included Ross Anderson, Jon Callas, Yvo Desmedt, and Kevin Fu. Topics for discussion included the "chip and PIN" EMV payment systems, e-Passports, "mafia" attacks, and RFID-enabled credit cards. Position papers by the panelists appear in the following pages, and the RFID-enabled credit card work appears separately in these proceedings.

Biobanking Research and Privacy Laws in the United States.

PubMed

Harrell, Heather L; Rothstein, Mark A

2016-03-01

Privacy is protected in biobank-based research in the US primarily by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the Federal Policy for Protection of Human Subjects (Common Rule). Neither rule, however, was created to function in the unique context of biobank research, and therefore neither applies to all biobank-based research. Not only is it challenging to determine when the HIPAA Privacy Rule or the Common Rule apply, but these laws apply different standards to protect privacy. In addition, many other federal and state laws may be applicable to a particular biobank, researcher, or project. US law also does not directly address international sharing of data or specimens outside of the EU-US Safe Harbor Agreement, which only applies to receipt of data by certain US entities from EU countries, and is in the process of revision. Although new rules would help clarify privacy protections in biobanking, any implemented changes should be studied to determine the sufficiency of the protections as well as its ability to facilitate or hinder international collaborations. © 2016 American Society of Law, Medicine & Ethics.

75 FR 55335 - Privacy Act of 1974; Privacy Act of 1974: Department of Homeland Security/ALL-031 Information...

Federal Register 2010, 2011, 2012, 2013, 2014

2010-09-10

... in a system of records in the possession or under the control of DHS by complying with DHS Privacy... 1974; Privacy Act of 1974: Department of Homeland Security/ALL-031 Information Sharing Environment Suspicious Activity Reporting Initiative System of Records AGENCY: Privacy Office, DHS. ACTION: Notice of...

Security and privacy qualities of medical devices: an analysis of FDA postmarket surveillance.

PubMed

Kramer, Daniel B; Baker, Matthew; Ransford, Benjamin; Molina-Markham, Andres; Stewart, Quinn; Fu, Kevin; Reynolds, Matthew R

2012-01-01

Medical devices increasingly depend on computing functions such as wireless communication and Internet connectivity for software-based control of therapies and network-based transmission of patients' stored medical information. These computing capabilities introduce security and privacy risks, yet little is known about the prevalence of such risks within the clinical setting. We used three comprehensive, publicly available databases maintained by the Food and Drug Administration (FDA) to evaluate recalls and adverse events related to security and privacy risks of medical devices. Review of weekly enforcement reports identified 1,845 recalls; 605 (32.8%) of these included computers, 35 (1.9%) stored patient data, and 31 (1.7%) were capable of wireless communication. Searches of databases specific to recalls and adverse events identified only one event with a specific connection to security or privacy. Software-related recalls were relatively common, and most (81.8%) mentioned the possibility of upgrades, though only half of these provided specific instructions for the update mechanism. Our review of recalls and adverse events from federal government databases reveals sharp inconsistencies with databases at individual providers with respect to security and privacy risks. Recalls related to software may increase security risks because of unprotected update and correction mechanisms. To detect signals of security and privacy problems that adversely affect public health, federal postmarket surveillance strategies should rethink how to effectively and efficiently collect data on security and privacy problems in devices that increasingly depend on computing systems susceptible to malware.

Zip it!

PubMed

Conde, Crystal

2012-07-01

When it comes to enforcing HIPAA data security and privacy standards, the federal government means business. In fact, the government is conducting a national pilot program to audit 150 physicians and others that HIPAA covers as the first phase of a concerted effort to crack down on HIPAA violations.

Users Do the Darndest Things: True Stories from the CyLab Usable Privacy and Security Laboratory

NASA Astrophysics Data System (ADS)

Cranor, Lorrie Faith

How can we make security and privacy software more usable? The first step is to study our users. Ideally, we would watch them interacting with security or privacy software in situations where they face actual risk. But everyday computer users don't sit around fiddling with security software, and subjecting users to actual security attacks raises ethical and legal concerns. Thus, it can be difficult to observe users interacting with security and privacy software in their natural habitat. At the CyLab Usable Privacy and Security Laboratory, we've conducted a wide variety of studies aimed at understanding how users think about security and privacy and how they interact with security and privacy software. In this talk I'll give a behind the scenes tour of some of the techniques we've used to study users both in the laboratory and in the wild. I'll discuss the trials and tribulations of designing and carrying out security and privacy user studies, and highlight some of our surprising observations. Find out what privacy-sensitive items you can actually get study participants to purchase, how you can observe users' responses to a man-in-the-middle attack without actually conducting such an attack, why it's hard to get people to use high tech cell phones even when you give them away, and what's actually in that box behind the couch in my office.

A compressive sensing based secure watermark detection and privacy preserving storage framework.

PubMed

Qia Wang; Wenjun Zeng; Jun Tian

2014-03-01

Privacy is a critical issue when the data owners outsource data storage or processing to a third party computing service, such as the cloud. In this paper, we identify a cloud computing application scenario that requires simultaneously performing secure watermark detection and privacy preserving multimedia data storage. We then propose a compressive sensing (CS)-based framework using secure multiparty computation (MPC) protocols to address such a requirement. In our framework, the multimedia data and secret watermark pattern are presented to the cloud for secure watermark detection in a CS domain to protect the privacy. During CS transformation, the privacy of the CS matrix and the watermark pattern is protected by the MPC protocols under the semi-honest security model. We derive the expected watermark detection performance in the CS domain, given the target image, watermark pattern, and the size of the CS matrix (but without the CS matrix itself). The correctness of the derived performance has been validated by our experiments. Our theoretical analysis and experimental results show that secure watermark detection in the CS domain is feasible. Our framework can also be extended to other collaborative secure signal processing and data-mining applications in the cloud.

Ownership, Privacy, Confidentiality, and Security Data.

ERIC Educational Resources Information Center

Staman, E. Michael

1986-01-01

One of the areas most often neglected by those responsible for information systems in colleges and universities relates to ownership, privacy, confidentiality, and security of data. Background information and definitions are provided, and a suggested environment is described. Model recommendations for institutional policy are offered. (MLW)

'Second generation' Internet e-health: the gladiator for HIPAA compliance?

PubMed

Korpman, R A; Rose, J S

2001-01-01

The Health Insurance Portability and Accountability Act (HIPAA) is intended to simplify administrative processes and improve health information security. There are a number of traditional ways to address the expense and complexities of simplification, but none of them are bargains or beauties to behold: (1) Do-it-yourself encryption; (2) new back-end system purchases; (3) legacy system re-programming; or (4) onerous paper documentation. The good news is that 'second generation' e-health solutions are emerging that act as internal "wrappers" for health plan or provider data systems. They provide both an interface for end-users and a layer of security for organizational information and allow detailed patient-related data to remain at the system owner's physical location. These second generation solutions don't just 'connect,' data, they actually 'understand' the information, and can use data elements to invoke necessary rules, processing pathways, or personalization for specific stakeholders as required by HIPAA.

Security and Privacy Qualities of Medical Devices: An Analysis of FDA Postmarket Surveillance

PubMed Central

Kramer, Daniel B.; Baker, Matthew; Ransford, Benjamin; Molina-Markham, Andres; Stewart, Quinn; Fu, Kevin; Reynolds, Matthew R.

2012-01-01

Background Medical devices increasingly depend on computing functions such as wireless communication and Internet connectivity for software-based control of therapies and network-based transmission of patients’ stored medical information. These computing capabilities introduce security and privacy risks, yet little is known about the prevalence of such risks within the clinical setting. Methods We used three comprehensive, publicly available databases maintained by the Food and Drug Administration (FDA) to evaluate recalls and adverse events related to security and privacy risks of medical devices. Results Review of weekly enforcement reports identified 1,845 recalls; 605 (32.8%) of these included computers, 35 (1.9%) stored patient data, and 31 (1.7%) were capable of wireless communication. Searches of databases specific to recalls and adverse events identified only one event with a specific connection to security or privacy. Software-related recalls were relatively common, and most (81.8%) mentioned the possibility of upgrades, though only half of these provided specific instructions for the update mechanism. Conclusions Our review of recalls and adverse events from federal government databases reveals sharp inconsistencies with databases at individual providers with respect to security and privacy risks. Recalls related to software may increase security risks because of unprotected update and correction mechanisms. To detect signals of security and privacy problems that adversely affect public health, federal postmarket surveillance strategies should rethink how to effectively and efficiently collect data on security and privacy problems in devices that increasingly depend on computing systems susceptible to malware. PMID:22829874

For telehealth to succeed, privacy and security risks must be identified and addressed.

PubMed

Hall, Joseph L; McGraw, Deven

2014-02-01

The success of telehealth could be undermined if serious privacy and security risks are not addressed. For example, sensors that are located in a patient's home or that interface with the patient's body to detect safety issues or medical emergencies may inadvertently transmit sensitive information about household activities. Similarly, routine data transmissions from an app or medical device, such as an insulin pump, may be shared with third-party advertisers. Without adequate security and privacy protections for underlying telehealth data and systems, providers and patients will lack trust in the use of telehealth solutions. Although some federal and state guidelines for telehealth security and privacy have been established, many gaps remain. No federal agency currently has authority to enact privacy and security requirements to cover the telehealth ecosystem. This article examines privacy risks and security threats to telehealth applications and summarizes the extent to which technical controls and federal law adequately address these risks. We argue for a comprehensive federal regulatory framework for telehealth, developed and enforced by a single federal entity, the Federal Trade Commission, to bolster trust and fully realize the benefits of telehealth.

76 FR 34650 - Announcing a Meeting of the Information Security and Privacy Advisory Board

Federal Register 2010, 2011, 2012, 2013, 2014

2011-06-14

... The agenda is expected to include the following items: --Cloud Security and Privacy Panel discussion on addressing security and privacy for different types of cloud computing, --Presentation from...

75 FR 11191 - Privacy Act of 1974; Retirement of Department of Homeland Security Federal Emergency Management...

Federal Register 2010, 2011, 2012, 2013, 2014

2010-03-10

... 20472. For privacy issues please contact: Mary Ellen Callahan (703-235- 0780), Chief Privacy Officer... DEPARTMENT OF HOMELAND SECURITY Office of the Secretary Privacy Act of 1974; Retirement of Department of Homeland Security Federal Emergency Management Agency System of Records AGENCY: Privacy Office...

78 FR 25282 - Privacy Act of 1974; Department of Homeland Security Federal Emergency Management Agency-008...

Federal Register 2010, 2011, 2012, 2013, 2014

2013-04-30

... Assistance Files System of Records AGENCY: Privacy Office, Department of Homeland Security. ACTION: Notice of Privacy Act System of Records. SUMMARY: In accordance with the Privacy Act of 1974, the Department of Homeland Security proposes to update and reissue a current Department of Homeland Security system of...

Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the National Instant Criminal Background Check System (NICS). Final rule.

PubMed

2016-01-06

The Department of Health and Human Services (HHS or "the Department'') is issuing this final rule to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to expressly permit certain HIPAA covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of individuals who are subject to a Federal "mental health prohibitor'' that disqualifies them from shipping, transporting, possessing, or receiving a firearm. The NICS is a national system maintained by the Federal Bureau of Investigation (FBI) to conduct background checks on persons who may be disqualified from receiving firearms based on Federally prohibited categories or State law. Among the persons subject to the Federal mental health prohibitor established under the Gun Control Act of 1968 and implementing regulations issued by the Department of Justice (DOJ) are individuals who have been involuntarily committed to a mental institution; found incompetent to stand trial or not guilty by reason of insanity; or otherwise have been determined by a court, board, commission, or other lawful authority to be a danger to themselves or others or to lack the mental capacity to contract or manage their own affairs, as a result of marked subnormal intelligence or mental illness, incompetency, condition, or disease. Under this final rule, only covered entities with lawful authority to make the adjudications or commitment decisions that make individuals subject to the Federal mental health prohibitor, or that serve as repositories of information for NICS reporting purposes, are permitted to disclose the information needed for these purposes. The disclosure is restricted to limited demographic and certain other information needed for NICS purposes. The rule specifically prohibits the disclosure of diagnostic or clinical information, from medical records or other sources, and any mental health information beyond the indication that the individual

DQC Comments on the Posted Recommendations Regarding Data Security and Privacy Protections

ERIC Educational Resources Information Center

Data Quality Campaign, 2010

2010-01-01

The U.S. Department of Education is conducting several activities to address privacy and security issues related to education data. Earlier this year a contractor for the Department convened a group of privacy and security experts and produced a report with recommendations to the Department on ways they can address emerging challenges in…

Privacy and security issues in teleradiology.

PubMed

White, Peter

2004-10-01

Teleradiology is now well established within healthcare in the USA, but ethico-legal concepts surrounding this innovation remain unclear. New legislation, the Health Insurance Portability and Accountability Act, as well as ethical guidelines and common law demonstrate the importance being placed on security of electronic data and the protection of patients' personal data. Radiologists need to be aware of the security, privacy, and confidentiality issues which relate to teleradiology, so that they can safeguard not only their own interests but also the best interests of their patients.

75 FR 7979 - Privacy Act of 1974: Implementation of Exemptions; Department of Homeland Security/ALL-027 The...

Federal Register 2010, 2011, 2012, 2013, 2014

2010-02-23

... privacy issues please contact: Mary Ellen Callahan (703-235-0780), Chief Privacy Officer, Privacy Office...] Privacy Act of 1974: Implementation of Exemptions; Department of Homeland Security/ALL-027 The History of the Department of Homeland Security System of Records AGENCY: Privacy Office, DHS. ACTION: Notice of...

75 FR 39920 - Announcing a Meeting of the Information Security and Privacy Advisory Board

Federal Register 2010, 2011, 2012, 2013, 2014

2010-07-13

... will be open to the public. The ISPAB was established by the Computer Security Act of 1987 (Pub. L. 100... Information Security and Privacy Advisory Board AGENCY: National Institute of Standards and Technology. ACTION: Notice. SUMMARY: The Information Security and Privacy Advisory Board (ISPAB) will meet Wednesday, August...

Security and privacy issues of personal health.

PubMed

Blobel, Bernd; Pharow, Peter

2007-01-01

While health systems in developed countries and increasingly also in developing countries are moving from organisation-centred to person-centred health service delivery, the supporting communication and information technology is faced with new risks regarding security and privacy of stakeholders involved. The comprehensively distributed environment puts special burden on guaranteeing communication security services, but even more on guaranteeing application security services dealing with privilege management, access control and audit regarding social implication and connected sensitivity of personal information recorded, processed, communicated and stored in an even internationally distributed environment.

The new ethical trilemma: Security, privacy and transparency

NASA Astrophysics Data System (ADS)

Ganascia, Jean-Gabriel

2011-09-01

Numerous ethical and societal issues are related to the development of nanotechnology. Among them, the risk for privacy has long been discussed. Some people say that technology is neutral and that it does not really change the nature of problems, which are mainly political, while others state that its contemporary developments considerably amplify them; there are even persons who assert that it will make privacy protection obsolete. This article discusses those different positions by making reference to the classical Panopticon that is an architecture for surveillance, which characterizes the total absence of privacy. It envisages the possible evolutions of the Panopticon due to the development of nanotechnologies. It shows that the influence of nanotechnology on privacy concerns cannot be dissociated from the influence of computers and biotechnologies, i.e. from what is currently called the NBIC convergence. Lastly, it concludes on the new ethical trade-off that has to be made between three contradictory requirements that are security, transparency and privacy.

78 FR 69861 - Privacy Act of 1974; Department of Homeland Security, Federal Emergency Management Agency...

Federal Register 2010, 2011, 2012, 2013, 2014

2013-11-21

... DEPARTMENT OF HOMELAND SECURITY Office of the Secretary [DHS-2013-0073] Privacy Act of 1974; Department of Homeland Security, Federal Emergency Management Agency, Federal Government--001 National Defense Executive Reserve System of Records AGENCY: Department of Homeland Security, Privacy Office...

A systematic literature review on security and privacy of electronic health record systems: technical perspectives.

PubMed

Rezaeibagha, Fatemeh; Win, Khin Than; Susilo, Willy

Even though many safeguards and policies for electronic health record (EHR) security have been implemented, barriers to the privacy and security protection of EHR systems persist. This article presents the results of a systematic literature review regarding frequently adopted security and privacy technical features of EHR systems. Our inclusion criteria were full articles that dealt with the security and privacy of technical implementations of EHR systems published in English in peer-reviewed journals and conference proceedings between 1998 and 2013; 55 selected studies were reviewed in detail. We analysed the review results using two International Organization for Standardization (ISO) standards (29100 and 27002) in order to consolidate the study findings. Using this process, we identified 13 features that are essential to security and privacy in EHRs. These included system and application access control, compliance with security requirements, interoperability, integration and sharing, consent and choice mechanism, policies and regulation, applicability and scalability and cryptography techniques. This review highlights the importance of technical features, including mandated access control policies and consent mechanisms, to provide patients' consent, scalability through proper architecture and frameworks, and interoperability of health information systems, to EHR security and privacy requirements.

Third-year medical students' knowledge of privacy and security issues concerning mobile devices.

PubMed

Whipple, Elizabeth C; Allgood, Kacy L; Larue, Elizabeth M

2012-01-01

The use of mobile devices are ubiquitous in medical-care professional settings, but information on privacy and security concerns of mobile devices for medical students is scarce. To gain baseline information about third-year medical students' mobile device use and knowledge of privacy and security issues concerning mobile devices. We surveyed 67 third-year medical students at a Midwestern university on their use of mobile devices and knowledge of how to protect information available through mobile devices. Students were also presented with clinical scenarios to rate their level of concern in regards to privacy and security of information. The most used features of mobile devices were: voice-to-voice (100%), text messaging (SMS) (94%), Internet (76.9%), and email (69.3%). For locking of one's personal mobile phone, 54.1% never physically lock their phone, and 58% never electronically lock their personal PDA. Scenarios considering definitely privacy concerns include emailing patient information intact (66.7%), and posting de-identified information on YouTube (45.2%) or Facebook (42.2%). As the ease of sharing data increases with the use of mobile devices, students need more education and training on possible privacy and security risks posed with mobile devices.

77 FR 25686 - Announcing an Open Meeting of the Information Security and Privacy Advisory Board

Federal Register 2010, 2011, 2012, 2013, 2014

2012-05-01

... NIST Computer Security Division. Note that agenda items may change without notice because of possible... of the Information Security and Privacy Advisory Board AGENCY: National Institute of Standards and Technology, Commerce. ACTION: Notice. SUMMARY: The Information Security and Privacy Advisory Board (ISPAB...

78 FR 89 - Announcing an Open Meeting of the Information Security and Privacy Advisory Board

Federal Register 2010, 2011, 2012, 2013, 2014

2013-01-02

... Management and Budget, and the Director of NIST on security and privacy issues pertaining to federal computer... Computer Security Division. Note that agenda items may change without notice because of possible unexpected... of the Information Security and Privacy Advisory Board AGENCY: National Institute of Standards and...

Managing security and privacy concerns over data storage in healthcare research.

PubMed

Mackenzie, Isla S; Mantay, Brian J; McDonnell, Patrick G; Wei, Li; MacDonald, Thomas M

2011-08-01

Issues surrounding data security and privacy are of great importance when handling sensitive health-related data for research. The emphasis in the past has been on balancing the risks to individuals with the benefit to society of the use of databases for research. However, a new way of looking at such issues is that by optimising procedures and policies regarding security and privacy of data to the extent that there is no appreciable risk to the privacy of individuals, we can create a 'win-win' situation in which everyone benefits, and pharmacoepidemiological research can flourish with public support. We discuss holistic measures, involving both information technology and people, taken to improve the security and privacy of data storage. After an internal review, we commissioned an external audit by an independent consultant with a view to optimising our data storage and handling procedures. Improvements to our policies and procedures were implemented as a result of the audit. By optimising our storage of data, we hope to inspire public confidence and hence cooperation with the use of health care data in research. Copyright © 2011 John Wiley & Sons, Ltd.

Execution of a self-directed risk assessment methodology to address HIPAA data security requirements

NASA Astrophysics Data System (ADS)

Coleman, Johnathan

2003-05-01

This paper analyzes the method and training of a self directed risk assessment methodology entitled OCTAVE (Operationally Critical Threat Asset and Vulnerability Evaluation) at over 170 DOD medical treatment facilities. It focuses specifically on how OCTAVE built interdisciplinary, inter-hierarchical consensus and enhanced local capabilities to perform Health Information Assurance. The Risk Assessment Methodology was developed by the Software Engineering Institute at Carnegie Mellon University as part of the Defense Health Information Assurance Program (DHIAP). The basis for its success is the combination of analysis of organizational practices and technological vulnerabilities. Together, these areas address the core implications behind the HIPAA Security Rule and can be used to develop Organizational Protection Strategies and Technological Mitigation Plans. A key component of OCTAVE is the inter-disciplinary composition of the analysis team (Patient Administration, IT staff and Clinician). It is this unique composition of analysis team members, along with organizational and technical analysis of business practices, assets and threats, which enables facilities to create sound and effective security policies. The Risk Assessment is conducted in-house, and therefore the process, results and knowledge remain within the organization, helping to build consensus in an environment of differing organizational and disciplinary perspectives on Health Information Assurance.

Toward protocols for quantum-ensured privacy and secure voting

DOE Office of Scientific and Technical Information (OSTI.GOV)

Bonanome, Marianna; Buzek, Vladimir; Ziman, Mario

2011-08-15

We present a number of schemes that use quantum mechanics to preserve privacy, in particular, we show that entangled quantum states can be useful in maintaining privacy. We further develop our original proposal [see M. Hillery, M. Ziman, V. Buzek, and M. Bielikova, Phys. Lett. A 349, 75 (2006)] for protecting privacy in voting, and examine its security under certain types of attacks, in particular dishonest voters and external eavesdroppers. A variation of these quantum-based schemes can be used for multiparty function evaluation. We consider functions corresponding to group multiplication of N group elements, with each element chosen by amore » different party. We show how quantum mechanics can be useful in maintaining the privacy of the choices group elements.« less

Efficient Secure and Privacy-Preserving Route Reporting Scheme for VANETs

NASA Astrophysics Data System (ADS)

Zhang, Yuanfei; Pei, Qianwen; Dai, Feifei; Zhang, Lei

2017-10-01

Vehicular ad-hoc network (VANET) is a core component of intelligent traffic management system which could provide various of applications such as accident prediction, route reporting, etc. Due to the problems caused by traffic congestion, route reporting becomes a prospective application which can help a driver to get optimal route to save her travel time. Before enjoying the convenience of route reporting, security and privacy-preserving issues need to be concerned. In this paper, we propose a new secure and privacy-preserving route reporting scheme for VANETs. In our scheme, only an authenticated vehicle can use the route reporting service provided by the traffic management center. Further, a vehicle may receive the response from the traffic management center with low latency and without violating the privacy of the vehicle. Experiment results show that our scheme is much more efficiency than the existing one.

Information Security and Privacy in Network Environments.

ERIC Educational Resources Information Center

Congress of the U.S., Washington, DC. Office of Technology Assessment.

The use of information networks for business and government is expanding enormously. Government use of networks features prominently in plans to make government more efficient, effective, and responsive. But the transformation brought about by the networking also raises new concerns for the security and privacy of networked information. This…

Toward Proper Authentication Methods in Electronic Medical Record Access Compliant to HIPAA and C.I.A. Triangle.

PubMed

Tipton, Stephen J; Forkey, Sara; Choi, Young B

2016-04-01

This paper examines various methods encompassing the authentication of users in accessing Electronic Medical Records (EMRs). From a methodological perspective, multiple authentication methods have been researched from both a desktop and mobile accessibility perspective. Each method is investigated at a high level, along with comparative analyses, as well as real world examples. The projected outcome of this examination is a better understanding of the sophistication required in protecting the vital privacy constraints of an individual's Protected Health Information (PHI). In understanding the implications of protecting healthcare data in today's technological world, the scope of this paper is to grasp an overview of confidentiality as it pertains to information security. In addressing this topic, a high level overview of the three goals of information security are examined; in particular, the goal of confidentiality is the primary focus. Expanding upon the goal of confidentiality, healthcare accessibility legal aspects are considered, with a focus upon the Health Insurance Portability and Accountability Act of 1996 (HIPAA). With the primary focus of this examination being access to EMRs, the paper will consider two types of accessibility of concern: access from a physician, or group of physicians; and access from an individual patient.

HIPAA's Role in E-Mail Communications between Doctors and Patients: Privacy, Security, and Implications of the Bill

ERIC Educational Resources Information Center

Stephens, James H.; Parrillo, Anthony V.

2011-01-01

The confidentiality of a patient's information has been sacred since the days of Hippocrates, the Father of Medicine. Today, however, merely taking an oath to respect a patient's privacy has been overshadowed by regulations governing how certain healthcare establishments handle an individual's health information on the web. Consequently, if a…

75 FR 8088 - Privacy Act of 1974; Department of Homeland Security/ALL-023 Personnel Security Management System...

Federal Register 2010, 2011, 2012, 2013, 2014

2010-02-23

... risk of harm to economic or property interests, identity theft or fraud, or harm to the security or... DEPARTMENT OF HOMELAND SECURITY Office of the Secretary [Docket No. DHS-2009-0041] Privacy Act of 1974; Department of Homeland Security/ALL--023 Personnel Security Management System of Records AGENCY...

Assessing Factors Affecting Physician's Intention to Adopt Biometric Authentication Technology in Electronic Medical Records

ERIC Educational Resources Information Center

Corazao, Cesar E.

2014-01-01

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulated the privacy and security of patient information. Since HIPPA became a law, hospital operators have struggled to comply fully with its security and privacy provisions. The proximity-based biometric authentication (PBBA) technology evolved in last decade to help…

Measuring and Modeling Security and Privacy Laws

ERIC Educational Resources Information Center

Romanosky, Sasha

2012-01-01

This manuscript presents empirical and analytical analysis and discussion of security and privacy laws. The introduction, together with the three substantive chapters each represent separate research papers written as partial fulfillment of my PhD dissertation in the Heinz College, Carnegie Mellon University. Chapter 2 is an abbreviated version of…

Balancing between two goods: Health Insurance Portability and Accountability Act and ethical compliancy considerations for privacy-sensitive materials in health sciences archival and historical special collections

PubMed Central

Gilliland, Anne T

2011-01-01

Objective: The investigation provides recommendations for establishing institutional collection guidelines and policies that protect the integrity of the historical record, while upholding the privacy and confidentiality of those who are protected by Health Insurance Portability and Accountability Act (HIPAA) or professional ethical standards. Methods: The authors completed a systematic historical investigation of the concepts of collection integrity, privacy, and confidentiality in the formal and informal legal and professional ethics literature and applied these standards to create best practices for institutional policies in these areas. Results: Through an in-depth examination of the historical concepts of privacy and confidentiality in the legal and professional ethics literature, the authors were able to create recommendations that would allow institutions to provide access to important, yet sensitive, materials, while complying with the standards set by HIPAA regulations and professional ethical expectations. Conclusion: With thoughtful planning, it is possible to balance the integrity of and access to the historical record of sensitive documents, while supporting the privacy protections of HIPAA and professional ethical standards. Although it is theorized that collection development polices of institutions have changed due to HIPAA legislation, additional research is suggested to see how various legal interpretations have affected the integrity of the historical record in actuality. PMID:21243051

Balancing between two goods: Health Insurance Portability and Accountability Act and ethical compliancy considerations for privacy-sensitive materials in health sciences archival and historical special collections.

PubMed

Wiener, Judith A; Gilliland, Anne T

2011-01-01

The investigation provides recommendations for establishing institutional collection guidelines and policies that protect the integrity of the historical record, while upholding the privacy and confidentiality of those who are protected by Health Insurance Portability and Accountability Act (HIPAA) or professional ethical standards. The authors completed a systematic historical investigation of the concepts of collection integrity, privacy, and confidentiality in the formal and informal legal and professional ethics literature and applied these standards to create best practices for institutional policies in these areas. Through an in-depth examination of the historical concepts of privacy and confidentiality in the legal and professional ethics literature, the authors were able to create recommendations that would allow institutions to provide access to important, yet sensitive, materials, while complying with the standards set by HIPAA regulations and professional ethical expectations. With thoughtful planning, it is possible to balance the integrity of and access to the historical record of sensitive documents, while supporting the privacy protections of HIPAA and professional ethical standards. Although it is theorized that collection development policies of institutions have changed due to HIPAA legislation, additional research is suggested to see how various legal interpretations have affected the integrity of the historical record in actuality.

SPECS: Secure and Privacy Enhancing Communications Schemes for VANETs

NASA Astrophysics Data System (ADS)

Chim, T. W.; Yiu, S. M.; Hui, L. C. K.; Jiang, Zoe L.; Li, Victor O. K.

Vehicular ad hoc network (VANET) is an emerging type of networks which facilitates vehicles on roads to communicate for driving safety. The basic idea is to allow arbitrary vehicles to broadcast ad hoc messages (e.g. traffic accidents) to other vehicles. However, this raises the concern of security and privacy. Messages should be signed and verified before they are trusted while the real identity of vehicles should not be revealed, but traceable by authorized party. Existing solutions either rely heavily on a tamper-proof hardware device, or cannot satisfy the privacy requirement and do not have an effective message verification scheme. In this paper, we provide a software-based solution which makes use of only two shared secrets to satisfy the privacy requirement and gives lower message overhead and at least 45% higher successful rate than previous solutions in the message verification phase using the bloom filter and the binary search techniques. We also provide the first group communication protocol to allow vehicles to authenticate and securely communicate with others in a group of known vehicles.

Privacy and Security Issues Surrounding the Protection of Data Generated by Continuous Glucose Monitors.

PubMed

Britton, Katherine E; Britton-Colonnese, Jennifer D

2017-03-01

Being able to track, analyze, and use data from continuous glucose monitors (CGMs) and through platforms and apps that communicate with CGMs helps achieve better outcomes and can advance the understanding of diabetes. The risks to patients' expectation of privacy are great, and their ability to control how their information is collected, stored, and used is virtually nonexistent. Patients' physical security is also at risk if adequate cybersecurity measures are not taken. Currently, data privacy and security protections are not robust enough to address the privacy and security risks and stymies the current and future benefits of CGM and the platforms and apps that communicate with them.

Privacy and Security Issues Surrounding the Protection of Data Generated by Continuous Glucose Monitors

PubMed Central

Britton, Katherine E.; Britton-Colonnese, Jennifer D.

2017-01-01

Being able to track, analyze, and use data from continuous glucose monitors (CGMs) and through platforms and apps that communicate with CGMs helps achieve better outcomes and can advance the understanding of diabetes. The risks to patients’ expectation of privacy are great, and their ability to control how their information is collected, stored, and used is virtually nonexistent. Patients’ physical security is also at risk if adequate cybersecurity measures are not taken. Currently, data privacy and security protections are not robust enough to address the privacy and security risks and stymies the current and future benefits of CGM and the platforms and apps that communicate with them. PMID:28264188

Supporting multi-state collaboration on privacy and security to foster health IT and health information exchange.

PubMed

Banger, Alison K; Alakoye, Amoke O; Rizk, Stephanie C

2008-11-06

As part of the HHS funded contract, Health Information Security and Privacy Collaboration, 41 states and territories have proposed collaborative projects to address cross-state privacy and security challenges related to health IT and health information exchange. Multi-state collaboration on privacy and security issues remains complicated, and resources to support collaboration around these topics are essential to the success of such collaboration. The resources outlined here offer an example of how to support multi-stakeholder, multi-state projects.

77 FR 70792 - Privacy Act of 1974; Retirement of Department of Homeland Security Transportation Security...

Federal Register 2010, 2011, 2012, 2013, 2014

2012-11-27

... from its inventory of record systems. TSA will rely upon DHS/ALL-017 General Legal Records (November 23, 2011, 76 FR 72428) to cover its legal activities. Eliminating the system of records notice DHS/TSA-009... Department of Homeland Security Transportation Security Administration System of Records AGENCY: Privacy...

SecureMA: protecting participant privacy in genetic association meta-analysis.

PubMed

Xie, Wei; Kantarcioglu, Murat; Bush, William S; Crawford, Dana; Denny, Joshua C; Heatherly, Raymond; Malin, Bradley A

2014-12-01

Sharing genomic data is crucial to support scientific investigation such as genome-wide association studies. However, recent investigations suggest the privacy of the individual participants in these studies can be compromised, leading to serious concerns and consequences, such as overly restricted access to data. We introduce a novel cryptographic strategy to securely perform meta-analysis for genetic association studies in large consortia. Our methodology is useful for supporting joint studies among disparate data sites, where privacy or confidentiality is of concern. We validate our method using three multisite association studies. Our research shows that genetic associations can be analyzed efficiently and accurately across substudy sites, without leaking information on individual participants and site-level association summaries. Our software for secure meta-analysis of genetic association studies, SecureMA, is publicly available at http://github.com/XieConnect/SecureMA. Our customized secure computation framework is also publicly available at http://github.com/XieConnect/CircuitService. © The Author 2014. Published by Oxford University Press. All rights reserved. For Permissions, please e-mail: journals.permissions@oup.com.

Online Patron Records and Privacy: Service vs. Security.

ERIC Educational Resources Information Center

Fouty, Kathleen G.

1993-01-01

Examines issues regarding the privacy of information contained in patron databases that have resulted from online circulation systems. Topics discussed include library policies to protect information in patron records; ensuring compliance with policies; limiting the data collected; security authorizations; and creating and modifying patron…

Privacy and Security in Mobile Health: A Research Agenda

PubMed Central

Kotz, David; Gunter, Carl A.; Kumar, Santosh; Weiner, Jonathan P.

2017-01-01

Mobile health technology has great potential to increase healthcare quality, expand access to services, reduce costs, and improve personal wellness and public health. However, mHealth also raises significant privacy and security challenges. PMID:28344359

Observer success rates for identification of 3D surface reconstructed facial images and implications for patient privacy and security

NASA Astrophysics Data System (ADS)

Chen, Joseph J.; Siddiqui, Khan M.; Fort, Leslie; Moffitt, Ryan; Juluru, Krishna; Kim, Woojin; Safdar, Nabile; Siegel, Eliot L.

2007-03-01

3D and multi-planar reconstruction of CT images have become indispensable in the routine practice of diagnostic imaging. These tools cannot only enhance our ability to diagnose diseases, but can also assist in therapeutic planning as well. The technology utilized to create these can also render surface reconstructions, which may have the undesired potential of providing sufficient detail to allow recognition of facial features and consequently patient identity, leading to violation of patient privacy rights as described in the HIPAA (Health Insurance Portability and Accountability Act) legislation. The purpose of this study is to evaluate whether 3D reconstructed images of a patient's facial features can indeed be used to reliably or confidently identify that specific patient. Surface reconstructed images of the study participants were created used as candidates for matching with digital photographs of participants. Data analysis was performed to determine the ability of observers to successfully match 3D surface reconstructed images of the face with facial photographs. The amount of time required to perform the match was recorded as well. We also plan to investigate the ability of digital masks or physical drapes to conceal patient identity. The recently expressed concerns over the inability to truly "anonymize" CT (and MRI) studies of the head/face/brain are yet to be tested in a prospective study. We believe that it is important to establish whether these reconstructed images are a "threat" to patient privacy/security and if so, whether minimal interventions from a clinical perspective can substantially reduce this possibility.

Privacy and Security in Mobile Health (mHealth) Research.

PubMed

Arora, Shifali; Yttri, Jennifer; Nilse, Wendy

2014-01-01

Research on the use of mobile technologies for alcohol use problems is a developing field. Rapid technological advances in mobile health (or mHealth) research generate both opportunities and challenges, including how to create scalable systems capable of collecting unprecedented amounts of data and conducting interventions-some in real time-while at the same time protecting the privacy and safety of research participants. Although the research literature in this area is sparse, lessons can be borrowed from other communities, such as cybersecurity or Internet security, which offer many techniques to reduce the potential risk of data breaches or tampering in mHealth. More research into measures to minimize risk to privacy and security effectively in mHealth is needed. Even so, progress in mHealth research should not stop while the field waits for perfect solutions.

Privacy and Security in Mobile Health (mHealth) Research

PubMed Central

Arora, Shifali; Yttri, Jennifer; Nilsen, Wendy

2014-01-01

Research on the use of mobile technologies for alcohol use problems is a developing field. Rapid technological advances in mobile health (or mHealth) research generate both opportunities and challenges, including how to create scalable systems capable of collecting unprecedented amounts of data and conducting interventions—some in real time—while at the same time protecting the privacy and safety of research participants. Although the research literature in this area is sparse, lessons can be borrowed from other communities, such as cybersecurity or Internet security, which offer many techniques to reduce the potential risk of data breaches or tampering in mHealth. More research into measures to minimize risk to privacy and security effectively in mHealth is needed. Even so, progress in mHealth research should not stop while the field waits for perfect solutions. PMID:26259009

28 CFR 20.24 - State laws on privacy and security.

Code of Federal Regulations, 2010 CFR

2010-07-01

... Local Criminal History Record Information Systems § 20.24 State laws on privacy and security. Where a State originating criminal history record information provides for sealing or purging thereof, nothing...

28 CFR 20.24 - State laws on privacy and security.

Code of Federal Regulations, 2012 CFR

2012-07-01

... Local Criminal History Record Information Systems § 20.24 State laws on privacy and security. Where a State originating criminal history record information provides for sealing or purging thereof, nothing...

28 CFR 20.24 - State laws on privacy and security.

Code of Federal Regulations, 2011 CFR

2011-07-01

... Local Criminal History Record Information Systems § 20.24 State laws on privacy and security. Where a State originating criminal history record information provides for sealing or purging thereof, nothing...

28 CFR 20.24 - State laws on privacy and security.

Code of Federal Regulations, 2014 CFR

2014-07-01

... Local Criminal History Record Information Systems § 20.24 State laws on privacy and security. Where a State originating criminal history record information provides for sealing or purging thereof, nothing...

28 CFR 20.24 - State laws on privacy and security.

Code of Federal Regulations, 2013 CFR

2013-07-01

... Local Criminal History Record Information Systems § 20.24 State laws on privacy and security. Where a State originating criminal history record information provides for sealing or purging thereof, nothing...

Security and Privacy in a DACS.

PubMed

Delgado, Jaime; Llorente, Silvia; Pàmies, Martí; Vilalta, Josep

2016-01-01

The management of electronic health records (EHR), in general, and clinical documents, in particular, is becoming a key issue in the daily work of Healthcare Organizations (HO). The need for providing secure and private access to, and storage for, clinical documents together with the need for HO to interoperate, raises a number of issues difficult to solve. Many systems are in place to manage EHR and documents. Some of these Healthcare Information Systems (HIS) follow standards in their document structure and communications protocols, but many do not. In fact, they are mostly proprietary and do not interoperate. Our proposal to solve the current situation is the use of a DACS (Document Archiving and Communication System) for providing security, privacy and standardized access to clinical documents.

Security and privacy requirements for a multi-institutional cancer research data grid: an interview-based study

PubMed Central

2009-01-01

Background Data protection is important for all information systems that deal with human-subjects data. Grid-based systems – such as the cancer Biomedical Informatics Grid (caBIG) – seek to develop new mechanisms to facilitate real-time federation of cancer-relevant data sources, including sources protected under a variety of regulatory laws, such as HIPAA and 21CFR11. These systems embody new models for data sharing, and hence pose new challenges to the regulatory community, and to those who would develop or adopt them. These challenges must be understood by both systems developers and system adopters. In this paper, we describe our work collecting policy statements, expectations, and requirements from regulatory decision makers at academic cancer centers in the United States. We use these statements to examine fundamental assumptions regarding data sharing using data federations and grid computing. Methods An interview-based study of key stakeholders from a sample of US cancer centers. Interviews were structured, and used an instrument that was developed for the purpose of this study. The instrument included a set of problem scenarios – difficult policy situations that were derived during a full-day discussion of potentially problematic issues by a set of project participants with diverse expertise. Each problem scenario included a set of open-ended questions that were designed to elucidate stakeholder opinions and concerns. Interviews were transcribed verbatim and used for both qualitative and quantitative analysis. For quantitative analysis, data was aggregated at the individual or institutional unit of analysis, depending on the specific interview question. Results Thirty-one (31) individuals at six cancer centers were contacted to participate. Twenty-four out of thirty-one (24/31) individuals responded to our request- yielding a total response rate of 77%. Respondents included IRB directors and policy-makers, privacy and security officers, directors of

Security and privacy requirements for a multi-institutional cancer research data grid: an interview-based study.

PubMed

Manion, Frank J; Robbins, Robert J; Weems, William A; Crowley, Rebecca S

2009-06-15

Data protection is important for all information systems that deal with human-subjects data. Grid-based systems--such as the cancer Biomedical Informatics Grid (caBIG)--seek to develop new mechanisms to facilitate real-time federation of cancer-relevant data sources, including sources protected under a variety of regulatory laws, such as HIPAA and 21CFR11. These systems embody new models for data sharing, and hence pose new challenges to the regulatory community, and to those who would develop or adopt them. These challenges must be understood by both systems developers and system adopters. In this paper, we describe our work collecting policy statements, expectations, and requirements from regulatory decision makers at academic cancer centers in the United States. We use these statements to examine fundamental assumptions regarding data sharing using data federations and grid computing. An interview-based study of key stakeholders from a sample of US cancer centers. Interviews were structured, and used an instrument that was developed for the purpose of this study. The instrument included a set of problem scenarios--difficult policy situations that were derived during a full-day discussion of potentially problematic issues by a set of project participants with diverse expertise. Each problem scenario included a set of open-ended questions that were designed to elucidate stakeholder opinions and concerns. Interviews were transcribed verbatim and used for both qualitative and quantitative analysis. For quantitative analysis, data was aggregated at the individual or institutional unit of analysis, depending on the specific interview question. Thirty-one (31) individuals at six cancer centers were contacted to participate. Twenty-four out of thirty-one (24/31) individuals responded to our request- yielding a total response rate of 77%. Respondents included IRB directors and policy-makers, privacy and security officers, directors of offices of research, information

Consumer Attitudes and Perceptions on mHealth Privacy and Security: Findings From a Mixed-Methods Study.

PubMed

Atienza, Audie A; Zarcadoolas, Christina; Vaughon, Wendy; Hughes, Penelope; Patel, Vaishali; Chou, Wen-Ying Sylvia; Pritts, Joy

2015-01-01

This study examined consumers' attitudes and perceptions regarding mobile health (mHealth) technology use in health care. Twenty-four focus groups with 256 participants were conducted in 5 geographically diverse locations. Participants were also diverse in age, education, race/ethnicity, gender, and rural versus urban settings. Several key themes emerged from the focus groups. Findings suggest that consumer attitudes regarding mHealth privacy/security are highly contextualized, with concerns depending on the type of information being communicated, where and when the information is being accessed, who is accessing or seeing the information, and for what reasons. Consumers frequently considered the tradeoffs between the privacy/security of using mHealth technologies and the potential benefits. Having control over mHealth privacy/security features and trust in providers were important issues for consumers. Overall, this study found significant diversity in attitudes regarding mHealth privacy/security both within and between traditional demographic groups. Thus, to address consumers' concerns regarding mHealth privacy and security, a one-size-fits-all approach may not be adequate. Health care providers and technology developers should consider tailoring mHealth technology according to how various types of information are communicated in the health care setting, as well as according to the comfort, skills, and concerns individuals may have with mHealth technology.

Potential impact of HITECH security regulations on medical imaging.

PubMed

Prior, Fred; Ingeholm, Mary Lou; Levine, Betty A; Tarbox, Lawrence

2009-01-01

Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act (ARRA) of 2009 [1] include a provision commonly referred to as the "Health Information Technology for Economic and Clinical Health Act" or "HITECH Act" that is intended to promote the electronic exchange of health information to improve the quality of health care. Subtitle D of the HITECH Act includes key amendments to strengthen the privacy and security regulations issued under the Health Insurance Portability and Accountability Act (HIPAA). The HITECH act also states that "the National Coordinator" must consult with the National Institute of Standards and Technology (NIST) in determining what standards are to be applied and enforced for compliance with HIPAA. This has led to speculation that NIST will recommend that the government impose the Federal Information Security Management Act (FISMA) [2], which was created by NIST for application within the federal government, as requirements to the public Electronic Health Records (EHR) community in the USA. In this paper we will describe potential impacts of FISMA on medical image sharing strategies such as teleradiology and outline how a strict application of FISMA or FISMA-based regulations could have significant negative impacts on information sharing between care providers.

75 FR 50846 - Privacy Act of 1974: Implementation of Exemptions; Department of Homeland Security/ALL-001...

Federal Register 2010, 2011, 2012, 2013, 2014

2010-08-18

... INFORMATION CONTACT: For general questions and privacy issues please contact: Mary Ellen Callahan (703-235...] Privacy Act of 1974: Implementation of Exemptions; Department of Homeland Security/ALL--001 Freedom of Information Act and Privacy Act Records System of Records AGENCY: Privacy Office, DHS. ACTION: Final rule...

Security and privacy issues with health care information technology.

PubMed

Meingast, Marci; Roosta, Tanya; Sastry, Shankar

2006-01-01

The face of health care is changing as new technologies are being incorporated into the existing infrastructure. Electronic patient records and sensor networks for in-home patient monitoring are at the current forefront of new technologies. Paper-based patient records are being put in electronic format enabling patients to access their records via the Internet. Remote patient monitoring is becoming more feasible as specialized sensors can be placed inside homes. The combination of these technologies will improve the quality of health care by making it more personalized and reducing costs and medical errors. While there are benefits to technologies, associated privacy and security issues need to be analyzed to make these systems socially acceptable. In this paper we explore the privacy and security implications of these next-generation health care technologies. We describe existing methods for handling issues as well as discussing which issues need further consideration.

75 FR 69693 - Privacy Act of 1974; Department of Homeland Security National Protection and Programs Directorate...

Federal Register 2010, 2011, 2012, 2013, 2014

2010-11-15

... system will be included in the Department of Homeland Security's inventory of record systems. DATES... FURTHER INFORMATION CONTACT: For general questions please contact: Emily Andrew (703-235-2182), Privacy.... Background In accordance with the Privacy Act of 1974, 5 U.S.C. 552a, the Department of Homeland Security...

The Influence of Security Statement, Technical Protection, and Privacy on Satisfaction and Loyalty; A Structural Equation Modeling

NASA Astrophysics Data System (ADS)

Peikari, Hamid Reza

Customer satisfaction and loyalty have been cited as the e-commerce critical success factors and various studies have been conducted to find the antecedent determinants of these concepts in the online transactions. One of the variables suggested by some studies is perceived security. However, these studies have referred to security from a broad general perspective and no attempts have been made to study the specific security related variables. This paper intends to study the influence on security statement and technical protection on satisfaction, loyalty and privacy. The data was collected from 337 respondents and after the reliability and validity tests, path analysis was applied to examine the hypotheses. The results suggest that loyalty is influenced by satisfaction and security statement and no empirical support was found for the influence on technical protection and privacy on loyalty. Moreover, it was found that security statement and technical protection have a positive significant influence on satisfaction while no significant effect was found for privacy. Furthermore, the analysis indicated that security statement have a positive significant influence on technical protection while technical protection was found to have a significant negative impact on perceived privacy.

77 FR 44642 - Privacy Act of 1974; Department of Homeland Security U.S. Customs and Border Protection-DHS/CBP...

Federal Register 2010, 2011, 2012, 2013, 2014

2012-07-30

... 1974; Department of Homeland Security U.S. Customs and Border Protection-DHS/CBP-009 Electronic System for Travel Authorization (ESTA) System of Records AGENCY: Privacy Office, Department of Homeland Security. ACTION: Notice of Privacy Act system of records. SUMMARY: In accordance with the Privacy Act of...

An Analysis of Security and Privacy Issues in Smart Grid Software Architectures on Clouds

DOE Office of Scientific and Technical Information (OSTI.GOV)

Simmhan, Yogesh; Kumbhare, Alok; Cao, Baohua

2011-07-09

Power utilities globally are increasingly upgrading to Smart Grids that use bi-directional communication with the consumer to enable an information-driven approach to distributed energy management. Clouds offer features well suited for Smart Grid software platforms and applications, such as elastic resources and shared services. However, the security and privacy concerns inherent in an information rich Smart Grid environment are further exacerbated by their deployment on Clouds. Here, we present an analysis of security and privacy issues in a Smart Grids software architecture operating on different Cloud environments, in the form of a taxonomy. We use the Los Angeles Smart Gridmore » Project that is underway in the largest U.S. municipal utility to drive this analysis that will benefit both Cloud practitioners targeting Smart Grid applications, and Cloud researchers investigating security and privacy.« less

Creation of clinical research databases in the 21st century: a practical algorithm for HIPAA Compliance.

PubMed

Schell, Scott R

2006-02-01

Enforcement of the Health Insurance Portability and Accountability Act (HIPAA) began in April, 2003. Designed as a law mandating health insurance availability when coverage was lost, HIPAA imposed sweeping and broad-reaching protections of patient privacy. These changes dramatically altered clinical research by placing sizeable regulatory burdens upon investigators with threat of severe and costly federal and civil penalties. This report describes development of an algorithmic approach to clinical research database design based upon a central key-shared data (CK-SD) model allowing researchers to easily analyze, distribute, and publish clinical research without disclosure of HIPAA Protected Health Information (PHI). Three clinical database formats (small clinical trial, operating room performance, and genetic microchip array datasets) were modeled using standard structured query language (SQL)-compliant databases. The CK database was created to contain PHI data, whereas a shareable SD database was generated in real-time containing relevant clinical outcome information while protecting PHI items. Small (< 100 records), medium (< 50,000 records), and large (> 10(8) records) model databases were created, and the resultant data models were evaluated in consultation with an HIPAA compliance officer. The SD database models complied fully with HIPAA regulations, and resulting "shared" data could be distributed freely. Unique patient identifiers were not required for treatment or outcome analysis. Age data were resolved to single-integer years, grouping patients aged > 89 years. Admission, discharge, treatment, and follow-up dates were replaced with enrollment year, and follow-up/outcome intervals calculated eliminating original data. Two additional data fields identified as PHI (treating physician and facility) were replaced with integer values, and the original data corresponding to these values were stored in the CK database. Use of the algorithm at the time of database

76 FR 7818 - Announcing a Meeting of the Information Security and Privacy Advisory Board

Federal Register 2010, 2011, 2012, 2013, 2014

2011-02-11

... will be open to the public. The ISPAB was established by the Computer Security Act of 1987 (Pub. L. 100..., --Presentation on Science of Security relating to computer security research, --Presentation on Access of..., --A panel of Inspector Generals regarding privacy and security, and --Update on NIST Computer Security...

Secure and Privacy-Preserving Body Sensor Data Collection and Query Scheme.

PubMed

Zhu, Hui; Gao, Lijuan; Li, Hui

2016-02-01

With the development of body sensor networks and the pervasiveness of smart phones, different types of personal data can be collected in real time by body sensors, and the potential value of massive personal data has attracted considerable interest recently. However, the privacy issues of sensitive personal data are still challenging today. Aiming at these challenges, in this paper, we focus on the threats from telemetry interface and present a secure and privacy-preserving body sensor data collection and query scheme, named SPCQ, for outsourced computing. In the proposed SPCQ scheme, users' personal information is collected by body sensors in different types and converted into multi-dimension data, and each dimension is converted into the form of a number and uploaded to the cloud server, which provides a secure, efficient and accurate data query service, while the privacy of sensitive personal information and users' query data is guaranteed. Specifically, based on an improved homomorphic encryption technology over composite order group, we propose a special weighted Euclidean distance contrast algorithm (WEDC) for multi-dimension vectors over encrypted data. With the SPCQ scheme, the confidentiality of sensitive personal data, the privacy of data users' queries and accurate query service can be achieved in the cloud server. Detailed analysis shows that SPCQ can resist various security threats from telemetry interface. In addition, we also implement SPCQ on an embedded device, smart phone and laptop with a real medical database, and extensive simulation results demonstrate that our proposed SPCQ scheme is highly efficient in terms of computation and communication costs.

Secure and Privacy-Preserving Body Sensor Data Collection and Query Scheme

PubMed Central

Zhu, Hui; Gao, Lijuan; Li, Hui

2016-01-01

With the development of body sensor networks and the pervasiveness of smart phones, different types of personal data can be collected in real time by body sensors, and the potential value of massive personal data has attracted considerable interest recently. However, the privacy issues of sensitive personal data are still challenging today. Aiming at these challenges, in this paper, we focus on the threats from telemetry interface and present a secure and privacy-preserving body sensor data collection and query scheme, named SPCQ, for outsourced computing. In the proposed SPCQ scheme, users’ personal information is collected by body sensors in different types and converted into multi-dimension data, and each dimension is converted into the form of a number and uploaded to the cloud server, which provides a secure, efficient and accurate data query service, while the privacy of sensitive personal information and users’ query data is guaranteed. Specifically, based on an improved homomorphic encryption technology over composite order group, we propose a special weighted Euclidean distance contrast algorithm (WEDC) for multi-dimension vectors over encrypted data. With the SPCQ scheme, the confidentiality of sensitive personal data, the privacy of data users’ queries and accurate query service can be achieved in the cloud server. Detailed analysis shows that SPCQ can resist various security threats from telemetry interface. In addition, we also implement SPCQ on an embedded device, smart phone and laptop with a real medical database, and extensive simulation results demonstrate that our proposed SPCQ scheme is highly efficient in terms of computation and communication costs. PMID:26840319

Practical security and privacy attacks against biometric hashing using sparse recovery

NASA Astrophysics Data System (ADS)

Topcu, Berkay; Karabat, Cagatay; Azadmanesh, Matin; Erdogan, Hakan

2016-12-01

Biometric hashing is a cancelable biometric verification method that has received research interest recently. This method can be considered as a two-factor authentication method which combines a personal password (or secret key) with a biometric to obtain a secure binary template which is used for authentication. We present novel practical security and privacy attacks against biometric hashing when the attacker is assumed to know the user's password in order to quantify the additional protection due to biometrics when the password is compromised. We present four methods that can reconstruct a biometric feature and/or the image from a hash and one method which can find the closest biometric data (i.e., face image) from a database. Two of the reconstruction methods are based on 1-bit compressed sensing signal reconstruction for which the data acquisition scenario is very similar to biometric hashing. Previous literature introduced simple attack methods, but we show that we can achieve higher level of security threats using compressed sensing recovery techniques. In addition, we present privacy attacks which reconstruct a biometric image which resembles the original image. We quantify the performance of the attacks using detection error tradeoff curves and equal error rates under advanced attack scenarios. We show that conventional biometric hashing methods suffer from high security and privacy leaks under practical attacks, and we believe more advanced hash generation methods are necessary to avoid these attacks.

Federal Privacy Laws That Apply to Children and Education. Safeguarding Data

ERIC Educational Resources Information Center

Data Quality Campaign, 2014

2014-01-01

This table identifies and briefly describes the following federal policies that safeguard and protect the confidentiality of personal information: (1) Family Educational Rights and Privacy Act (FERPA); (2) Protection of Pupil Rights Amendment (PPRA); (3) Health Insurance Portability and Accountability Act (HIPAA); (4) Children's Online Privacy…

76 FR 49494 - Privacy Act of 1974; Department of Homeland Security United States Coast Guard DHS/USCG-027...

Federal Register 2010, 2011, 2012, 2013, 2014

2011-08-10

... DEPARTMENT OF HOMELAND SECURITY Office of the Secretary [Docket No. DHS-2011-0062] Privacy Act of 1974; Department of Homeland Security United States Coast Guard DHS/USCG-027 Recruiting Files System of... accordance with the Privacy Act of 1974 the Department of Homeland Security proposes to update and reissue an...

The Privacy and Security Implications of Open Data in Healthcare.

PubMed

Kobayashi, Shinji; Kane, Thomas B; Paton, Chris

2018-04-22

 The International Medical Informatics Association (IMIA) Open Source Working Group (OSWG) initiated a group discussion to discuss current privacy and security issues in the open data movement in the healthcare domain from the perspective of the OSWG membership.  Working group members independently reviewed the recent academic and grey literature and sampled a number of current large-scale open data projects to inform the working group discussion.  This paper presents an overview of open data repositories and a series of short case reports to highlight relevant issues present in the recent literature concerning the adoption of open approaches to sharing healthcare datasets. Important themes that emerged included data standardisation, the inter-connected nature of the open source and open data movements, and how publishing open data can impact on the ethics, security, and privacy of informatics projects.  The open data and open source movements in healthcare share many common philosophies and approaches including developing international collaborations across multiple organisations and domains of expertise. Both movements aim to reduce the costs of advancing scientific research and improving healthcare provision for people around the world by adopting open intellectual property licence agreements and codes of practice. Implications of the increased adoption of open data in healthcare include the need to balance the security and privacy challenges of opening data sources with the potential benefits of open data for improving research and healthcare delivery. Georg Thieme Verlag KG Stuttgart.

The Role of Health Care Experience and Consumer Information Efficacy in Shaping Privacy and Security Perceptions of Medical Records: National Consumer Survey Results

PubMed Central

Beckjord, Ellen; Moser, Richard P; Hughes, Penelope; Hesse, Bradford W

2015-01-01

Background Providers’ adoption of electronic health records (EHRs) is increasing and consumers have expressed concerns about the potential effects of EHRs on privacy and security. Yet, we lack a comprehensive understanding regarding factors that affect individuals’ perceptions regarding the privacy and security of their medical information. Objective The aim of this study was to describe national perceptions regarding the privacy and security of medical records and identify a comprehensive set of factors associated with these perceptions. Methods Using a nationally representative 2011-2012 survey, we reported on adults’ perceptions regarding privacy and security of medical records and sharing of health information between providers, and whether adults withheld information from a health care provider due to privacy or security concerns. We used multivariable models to examine the association between these outcomes and sociodemographic characteristics, health and health care experience, information efficacy, and technology-related variables. Results Approximately one-quarter of American adults (weighted n=235,217,323; unweighted n=3959) indicated they were very confident (n=989) and approximately half indicated they were somewhat confident (n=1597) in the privacy of their medical records; we found similar results regarding adults’ confidence in the security of medical records (very confident: n=828; somewhat confident: n=1742). In all, 12.33% (520/3904) withheld information from a health care provider and 59.06% (2100/3459) expressed concerns about the security of both faxed and electronic health information. Adjusting for other characteristics, adults who reported higher quality of care had significantly greater confidence in the privacy and security of their medical records and were less likely to withhold information from their health care provider due to privacy or security concerns. Adults with higher information efficacy had significantly greater

The role of health care experience and consumer information efficacy in shaping privacy and security perceptions of medical records: national consumer survey results.

PubMed

Patel, Vaishali; Beckjord, Ellen; Moser, Richard P; Hughes, Penelope; Hesse, Bradford W

2015-04-02

Providers' adoption of electronic health records (EHRs) is increasing and consumers have expressed concerns about the potential effects of EHRs on privacy and security. Yet, we lack a comprehensive understanding regarding factors that affect individuals' perceptions regarding the privacy and security of their medical information. The aim of this study was to describe national perceptions regarding the privacy and security of medical records and identify a comprehensive set of factors associated with these perceptions. Using a nationally representative 2011-2012 survey, we reported on adults' perceptions regarding privacy and security of medical records and sharing of health information between providers, and whether adults withheld information from a health care provider due to privacy or security concerns. We used multivariable models to examine the association between these outcomes and sociodemographic characteristics, health and health care experience, information efficacy, and technology-related variables. Approximately one-quarter of American adults (weighted n=235,217,323; unweighted n=3959) indicated they were very confident (n=989) and approximately half indicated they were somewhat confident (n=1597) in the privacy of their medical records; we found similar results regarding adults' confidence in the security of medical records (very confident: n=828; somewhat confident: n=1742). In all, 12.33% (520/3904) withheld information from a health care provider and 59.06% (2100/3459) expressed concerns about the security of both faxed and electronic health information. Adjusting for other characteristics, adults who reported higher quality of care had significantly greater confidence in the privacy and security of their medical records and were less likely to withhold information from their health care provider due to privacy or security concerns. Adults with higher information efficacy had significantly greater confidence in the privacy and security of medical

Privacy Protection by Masking Moving Objects for Security Cameras

NASA Astrophysics Data System (ADS)

Yabuta, Kenichi; Kitazawa, Hitoshi; Tanaka, Toshihisa

Because of an increasing number of security cameras, it is crucial to establish a system that protects the privacy of objects in the recorded images. To this end, we propose a framework of image processing and data hiding for security monitoring and privacy protection. First, we state the requirements of the proposed monitoring systems and suggest possible implementation that satisfies those requirements. The underlying concept of our proposed framework is as follows: (1) in the recorded images, the objects whose privacy should be protected are deteriorated by appropriate image processing; (2) the original objects are encrypted and watermarked into the output image, which is encoded using an image compression standard; (3) real-time processing is performed such that no future frame is required to generate on output bitstream. It should be noted that in this framework, anyone can observe the decoded image that includes the deteriorated objects that are unrecognizable or invisible. On the other hand, for crime investigation, this system allows a limited number of users to observe the original objects by using a special viewer that decrypts and decodes the watermarked objects with a decoding password. Moreover, the special viewer allows us to select the objects to be decoded and displayed. We provide an implementation example, experimental results, and performance evaluations to support our proposed framework.

Driving toward guiding principles: a goal for privacy, confidentiality, and security of health information.

PubMed

Buckovich, S A; Rippen, H E; Rozen, M J

1999-01-01

As health care moves from paper to electronic data collection, providing easier access and dissemination of health information, the development of guiding privacy, confidentiality, and security principles is necessary to help balance the protection of patients' privacy interests against appropriate information access. A comparative review and analysis was done, based on a compilation of privacy, confidentiality, and security principles from many sources. Principles derived from ten identified sources were compared with each of the compiled principles to assess support level, uniformity, and inconsistencies. Of 28 compiled principles, 23 were supported by at least 50 percent of the sources. Technology could address at least 12 of the principles. Notable consistencies among the principles could provide a basis for consensus for further legislative and organizational work. It is imperative that all participants in our health care system work actively toward a viable resolution of this information privacy debate.

The Relationship of HIPAA to Special Education

ERIC Educational Resources Information Center

Benitz, Catherine, Comp.

2006-01-01

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes important, but limited, protections for millions of working Americans and their families around the ability to obtain and keep health coverage. Among its specific protections, HIPAA: (1) Limits the use of preexisting condition exclusions; (2) Prohibits group health…

Are participants concerned about privacy and security when using short message service to report product adherence in a rectal microbicide trial?

PubMed

Giguere, Rebecca; Brown, William; Balán, Ivan C; Dolezal, Curtis; Ho, Titcha; Sheinfil, Alan; Ibitoye, Mobolaji; Lama, Javier R; McGowan, Ian; Cranston, Ross D; Carballo-Diéguez, Alex

2018-04-01

During a Phase 2 rectal microbicide trial, men who have sex with men and transgender women (n = 187) in 4 countries (Peru, South Africa, Thailand, United States) reported product use daily via short message service (SMS). To prevent disclosure of study participation, the SMS system program included privacy and security features. We evaluated participants' perceptions of privacy while using the system and acceptability of privacy/security features. To protect privacy, the SMS system: (1) confirmed participant availability before sending the study questions, (2) required a password, and (3) did not reveal product name or study participation. To ensure security, the system reminded participants to lock phone/delete messages. A computer-assisted self-interview (CASI), administered at the final visit, measured burden of privacy and security features and SMS privacy concerns. A subsample of 33 participants underwent an in-depth interview (IDI). Based on CASI, 85% had no privacy concerns; only 5% were very concerned. Most were not bothered by the need for a password (73%) or instructions to delete messages (82%). Based on IDI, reasons for low privacy concerns included sending SMS in private or feeling that texting would not draw attention. A few IDI participants found the password unnecessary and more than half did not delete messages. Most participants were not concerned that the SMS system would compromise their confidentiality. SMS privacy and security features were effective and not burdensome. Short ID-related passwords, ambiguous language, and reminders to implement privacy and security-enhancing behaviors are recommended for SMS systems.

Privacy Practices of Health Social Networking Sites: Implications for Privacy and Data Security in Online Cancer Communities.

PubMed

Charbonneau, Deborah H

2016-08-01

While online communities for social support continue to grow, little is known about the state of privacy practices of health social networking sites. This article reports on a structured content analysis of privacy policies and disclosure practices for 25 online ovarian cancer communities. All of the health social networking sites in the study sample provided privacy statements to users, yet privacy practices varied considerably across the sites. The majority of sites informed users that personal information was collected about participants and shared with third parties (96%, n = 24). Furthermore, more than half of the sites (56%, n = 14) stated that cookies technology was used to track user behaviors. Despite these disclosures, only 36% (n = 9) offered opt-out choices for sharing data with third parties. In addition, very few of the sites (28%, n = 7) allowed individuals to delete their personal information. Discussions about specific security measures used to protect personal information were largely missing. Implications for privacy, confidentiality, consumer choice, and data safety in online environments are discussed. Overall, nurses and other health professionals can utilize these findings to encourage individuals seeking online support and participating in social networking sites to build awareness of privacy risks to better protect their personal health information in the digital age.

Privacy and Data Security under Cloud Computing Arrangements: The Legal Framework and Practical Do's and Don'ts

ERIC Educational Resources Information Center

Buckman, Joel; Gold, Stephanie

2012-01-01

This article outlines privacy and data security compliance issues facing postsecondary education institutions when they utilize cloud computing and concludes with a practical list of do's and dont's. Cloud computing does not change an institution's privacy and data security obligations. It does involve reliance on a third party, which requires an…

75 FR 50845 - Privacy Act of 1974: Implementation of Exemptions; Department of Homeland Security/ALL-027 The...

Federal Register 2010, 2011, 2012, 2013, 2014

2010-08-18

... Policy, Department of Homeland Security, Washington, DC 20528. For privacy issues please contact: Mary...;Prices of new books are listed in the first FEDERAL REGISTER issue of each #0;week. #0; #0; #0; #0;#0...] Privacy Act of 1974: Implementation of Exemptions; Department of Homeland Security/ALL--027 The History of...

Securing the data economy: translating privacy and enacting security in the development of DataSHIELD.

PubMed

Murtagh, M J; Demir, I; Jenkings, K N; Wallace, S E; Murtagh, B; Boniol, M; Bota, M; Laflamme, P; Boffetta, P; Ferretti, V; Burton, P R

2012-01-01

Contemporary bioscience is seeing the emergence of a new data economy: with data as its fundamental unit of exchange. While sharing data within this new 'economy' provides many potential advantages, the sharing of individual data raises important social and ethical concerns. We examine ongoing development of one technology, DataSHIELD, which appears to elide privacy concerns about sharing data by enabling shared analysis while not actually sharing any individual-level data. We combine presentation of the development of DataSHIELD with presentation of an ethnographic study of a workshop to test the technology. DataSHIELD produced an application of the norm of privacy that was practical, flexible and operationalizable in researchers' everyday activities, and one which fulfilled the requirements of ethics committees. We demonstrated that an analysis run via DataSHIELD could precisely replicate results produced by a standard analysis where all data are physically pooled and analyzed together. In developing DataSHIELD, the ethical concept of privacy was transformed into an issue of security. Development of DataSHIELD was based on social practices as well as scientific and ethical motivations. Therefore, the 'success' of DataSHIELD would, likewise, be dependent on more than just the mathematics and the security of the technology. Copyright © 2012 S. Karger AG, Basel.

Locking it down: The privacy and security of mobile medication apps.

PubMed

Grindrod, Kelly; Boersema, Jonathan; Waked, Khrystine; Smith, Vivian; Yang, Jilan; Gebotys, Catherine

2017-01-01

To explore the privacy and security of free medication applications (apps) available to Canadian consumers. The authors searched the Canadian iTunes store for iOS apps and the Canadian Google Play store for Android apps related to medication use and management. Using an Apple iPad Air 2 and a Google Nexus 7 tablet, 2 reviewers generated a list of apps that met the following inclusion criteria: free, available in English, intended for consumer use and related to medication management. Using a standard data collection form, 2 reviewers independently coded each app for the presence/absence of passwords, the storage of personal health information, a privacy statement, encryption, remote wipe and third-party sharing. A Cohen's Kappa statistic was used to measure interrater agreement. Of the 184 apps evaluated, 70.1% had no password protection or sign-in system. Personal information, including name, date of birth and gender, was requested by 41.8% (77/184) of apps. Contact information, such as address, phone number and email, was requested by 25% (46/184) of apps. Finally, personal health information, other than medication name, was requested by 89.1% (164/184) of apps. Only 34.2% (63/184) of apps had a privacy policy in place. Most free medication apps offer very limited authentication and privacy protocols. As a result, the onus currently falls on patients to input information in these apps selectively and to be aware of the potential privacy issues. Until more secure systems are built, health care practitioners cannot fully support patients wanting to use such apps.

Conceptual Privacy Framework for Health Information on Wearable Device

PubMed Central

Safavi, Seyedmostafa; Shukur, Zarina

2014-01-01

Wearable health tech provides doctors with the ability to remotely supervise their patients' wellness. It also makes it much easier to authorize someone else to take appropriate actions to ensure the person's wellness than ever before. Information Technology may soon change the way medicine is practiced, improving the performance, while reducing the price of healthcare. We analyzed the secrecy demands of wearable devices, including Smartphone, smart watch and their computing techniques, that can soon change the way healthcare is provided. However, before this is adopted in practice, all devices must be equipped with sufficient privacy capabilities related to healthcare service. In this paper, we formulated a new improved conceptual framework for wearable healthcare systems. This framework consists of ten principles and nine checklists, capable of providing complete privacy protection package to wearable device owners. We constructed this framework based on the analysis of existing mobile technology, the results of which are combined with the existing security standards. The approach also incorporates the market share percentage level of every app and its respective OS. This framework is evaluated based on the stringent CIA and HIPAA principles for information security. This evaluation is followed by testing the capability to revoke rights of subjects to access objects and ability to determine the set of available permissions for a particular subject for all models Finally, as the last step, we examine the complexity of the required initial setup. PMID:25478915

Conceptual privacy framework for health information on wearable device.

PubMed

Safavi, Seyedmostafa; Shukur, Zarina

2014-01-01

Wearable health tech provides doctors with the ability to remotely supervise their patients' wellness. It also makes it much easier to authorize someone else to take appropriate actions to ensure the person's wellness than ever before. Information Technology may soon change the way medicine is practiced, improving the performance, while reducing the price of healthcare. We analyzed the secrecy demands of wearable devices, including Smartphone, smart watch and their computing techniques, that can soon change the way healthcare is provided. However, before this is adopted in practice, all devices must be equipped with sufficient privacy capabilities related to healthcare service. In this paper, we formulated a new improved conceptual framework for wearable healthcare systems. This framework consists of ten principles and nine checklists, capable of providing complete privacy protection package to wearable device owners. We constructed this framework based on the analysis of existing mobile technology, the results of which are combined with the existing security standards. The approach also incorporates the market share percentage level of every app and its respective OS. This framework is evaluated based on the stringent CIA and HIPAA principles for information security. This evaluation is followed by testing the capability to revoke rights of subjects to access objects and ability to determine the set of available permissions for a particular subject for all models Finally, as the last step, we examine the complexity of the required initial setup.

Secure open cloud in data transmission using reference pattern and identity with enhanced remote privacy checking

NASA Astrophysics Data System (ADS)

Vijay Singh, Ran; Agilandeeswari, L.

2017-11-01

To handle the large amount of client’s data in open cloud lots of security issues need to be address. Client’s privacy should not be known to other group members without data owner’s valid permission. Sometime clients are fended to have accessing with open cloud servers due to some restrictions. To overcome the security issues and these restrictions related to storing, data sharing in an inter domain network and privacy checking, we propose a model in this paper which is based on an identity based cryptography in data transmission and intermediate entity which have client’s reference with identity that will take control handling of data transmission in an open cloud environment and an extended remote privacy checking technique which will work at admin side. On behalf of data owner’s authority this proposed model will give best options to have secure cryptography in data transmission and remote privacy checking either as private or public or instructed. The hardness of Computational Diffie-Hellman assumption algorithm for key exchange makes this proposed model more secure than existing models which are being used for public cloud environment.

Quantum Privacy Amplification and the Security of Quantum Cryptography over Noisy Channels

DOE Office of Scientific and Technical Information (OSTI.GOV)

Deutsch, D.; Ekert, A.; Jozsa, R.

1996-09-01

Existing quantum cryptographic schemes are not, as they stand, operable in the presence of noise on the quantum communication channel. Although they become operable if they are supplemented by classical privacy-amplification techniques, the resulting schemes are difficult to analyze and have not been proved secure. We introduce the concept of quantum privacy amplification and a cryptographic scheme incorporating it which is provably secure over a noisy channel. The scheme uses an {open_quote}{open_quote}entanglement purification{close_quote}{close_quote} procedure which, because it requires only a few quantum controlled-not and single-qubit operations, could be implemented using technology that is currently being developed. {copyright} {ital 1996 Themore » American Physical Society.}« less

HIPAA Business Associate Contracts: the value of contracts for case managers.

PubMed

Muller, Lynn S

2003-01-01

Case Managers are in the middle of the upcoming HIPAA regulation changes, with the issuance of the Final Privacy Rule. Every case obliges case managers to work with Individually Identifiable Health Information (IIHI) and Protected Health Information (PHI). The purpose of this article is to provide case managers in all practice settings with a clear understanding of a "Business Associate," of a "Covered Entity," and of the specifics of a Business Associate Contract. This information will demonstrate how case managers can benefit from the use of these contracts in their business life. As an essential component of an organization's compliance plan, Business Associate Contracts can become a sword or a shield. This article is particularly helpful to case managers in independent practice, as well as those who work for Covered Entities.

75 FR 5166 - Privacy Act of 1974, as Amended; Computer Matching Program (Social Security Administration...

Federal Register 2010, 2011, 2012, 2013, 2014

2010-02-01

... SOCIAL SECURITY ADMINISTRATION [Docket No. SSA 2009-0043] Privacy Act of 1974, as Amended; Computer Matching Program (Social Security Administration/Railroad Retirement Board (SSA/RRB))-- Match Number 1308 AGENCY: Social Security Administration (SSA). ACTION: Notice of renewal of an existing...

76 FR 81477 - Announcing an Open Meeting of the Information Security and Privacy Advisory Board

Federal Register 2010, 2011, 2012, 2013, 2014

2011-12-28

... sessions will be open to the public. The ISPAB was established by the Computer Security Act of 1987 (Pub. L... Secure Mobile Devices, --Panel Discussion on cyber R&D Strategy, and --Update of NIST Computer Security... of the Information Security and Privacy Advisory Board AGENCY: National Institute of Standards and...

Online Privacy, Security and Ethical Dilemma: A Recent Study.

ERIC Educational Resources Information Center

Karmakar, Nitya L.

The Internet remains as a wonder for the 21st century and its growth is phenomenon. According to a recent survey, the online population is now about 500 million globally and if this trend continues, it should reach 700 million by the end of 2002. This exponential growth of the Internet has given rise to several security, privacy and ethical…

Radio frequency identification (RFID) in health care: privacy and security concerns limiting adoption.

PubMed

Rosenbaum, Benjamin P

2014-03-01

Radio frequency identification (RFID) technology has been implemented in a wide variety of industries. Health care is no exception. This article explores implementations and limitations of RFID in several health care domains: authentication, medication safety, patient tracking, and blood transfusion medicine. Each domain has seen increasing utilization of unique applications of RFID technology. Given the importance of protecting patient and data privacy, potential privacy and security concerns in each domain are discussed. Such concerns, some of which are inherent to existing RFID hardware and software technology, may limit ubiquitous adoption. In addition, an apparent lack of security standards within the RFID domain and specifically health care may also hinder the growth and utility of RFID within health care for the foreseeable future. Safeguarding the privacy of patient data may be the most important obstacle to overcome to allow the health care industry to take advantage of the numerous benefits RFID technology affords.

75 FR 5487 - Privacy Act of 1974: Implementation of Exemptions; Department of Homeland Security/U.S. Customs...

Federal Register 2010, 2011, 2012, 2013, 2014

2010-02-03

...The Department of Homeland Security is issuing a final rule to amend its regulations to exempt portions of a Department of Homeland Security/U.S. Customs and Border Protection system of records entitled the, ``Department of Homeland Security/U.S. Customs and Border Protection--006 Automated Targeting System of Records'' from certain provisions of the Privacy Act. Specifically, the Department exempts portions of the Department of Homeland Security/U.S. Customs and Border Protection--006 Automated Targeting system of records from one or more provisions of the Privacy Act because of criminal, civil, and administrative enforcement requirements.

Governance Through Privacy, Fairness, and Respect for Individuals

PubMed Central

Baker, Dixie B.; Kaye, Jane; Terry, Sharon F.

2016-01-01

Introduction: Individuals have a moral claim to be involved in the governance of their personal data. Individuals’ rights include privacy, autonomy, and the ability to choose for themselves how they want to manage risk, consistent with their own personal values and life situations. The Fair Information Practices principles (FIPPs) offer a framework for governance. Privacy-enhancing technology that complies with applicable law and FIPPs offers a dynamic governance tool for enabling the fair and open use of individual’s personal data. Perceptions of Risk: Any governance model must protect against the risks posed by data misuse. Individual perceptions of risks are a subjective function involving individuals’ values toward self, family, and society, their perceptions of trust, and their cognitive decision-making skills. The HIPAA Privacy Rule Puts Some Governance in the Hands of Individuals: Individual privacy protections and individuals’ right to choose are codified in the HIPAA Privacy Rule, which attempts to strike a balance between the dual goals of information flow and privacy protection. The choices most commonly given individuals regarding the use of their health information are binary (“yes” or “no”) and immutable. Recent federal recommendations and law recognize the need for granular, dynamic choices. Building a Governance Framework Based in Trust: Avoiding Surprises: Individuals expect that they will govern the use of their own health and genomic data. Failure to build and maintain individuals’ trust increases the likelihood that they will refuse to grant permission to access or use their data. The “no surprises principle” asserts that an individual’s personal information should never be collected, used, transmitted, or disclosed in a way that would surprise the individual were she to learn about it. Fair Information Practices Principles: The FIPPs provide a powerful framework for enabling data sharing and use, while maintaining trust

75 FR 69603 - Privacy Act of 1974: Implementation of Exemptions; Department of Homeland Security National...

Federal Register 2010, 2011, 2012, 2013, 2014

2010-11-15

... FURTHER INFORMATION CONTACT: For general questions please contact: Emily Andrew (703-235-2182), Privacy...: Background In accordance with the Privacy Act of 1974, 5 U.S.C. 552a, the Department of Homeland Security... Nation's 18 critical infrastructures and key resources (CIKR) sectors during normal operations and...

Secure and Privacy Enhanced Gait Authentication on Smart Phone

PubMed Central

Choi, Deokjai

2014-01-01

Smart environments established by the development of mobile technology have brought vast benefits to human being. However, authentication mechanisms on portable smart devices, particularly conventional biometric based approaches, still remain security and privacy concerns. These traditional systems are mostly based on pattern recognition and machine learning algorithms, wherein original biometric templates or extracted features are stored under unconcealed form for performing matching with a new biometric sample in the authentication phase. In this paper, we propose a novel gait based authentication using biometric cryptosystem to enhance the system security and user privacy on the smart phone. Extracted gait features are merely used to biometrically encrypt a cryptographic key which is acted as the authentication factor. Gait signals are acquired by using an inertial sensor named accelerometer in the mobile device and error correcting codes are adopted to deal with the natural variation of gait measurements. We evaluate our proposed system on a dataset consisting of gait samples of 34 volunteers. We achieved the lowest false acceptance rate (FAR) and false rejection rate (FRR) of 3.92% and 11.76%, respectively, in terms of key length of 50 bits. PMID:24955403

HIPAA and the military health system: organizing technological and organizational reform in large enterprises

NASA Astrophysics Data System (ADS)

Collmann, Jeff R.

2001-08-01

The global scale, multiple units, diverse operating scenarios and complex authority structure of the Department of Defense Military Health System (MHS) create social boundaries that tend to reduce communication and collaboration about data security. Under auspices of the Defense Health Information Assurance Program (DHIAP), the Telemedicine and Advanced Technology Research Center (TATRC) is contributing to the MHS's efforts to prepare for and comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 through organizational and technological innovations that bridge such boundaries. Building interdisciplinary (clinical, administrative and information technology) medical information security readiness teams (MISRT) at each military treatment facility (MTF) constitutes the heart of this process. DHIAP is equipping and training MISRTs to use new tools including 'OCTAVE', a self-directed risk assessment instrument and 'RIMR', a web-enabled Risk Information Management Resource. DHIAP sponsors an interdisciplinary, triservice workgroup for review and revision of relevant DoD and service policies and participates in formal DoD health information assurance activities. These activities help promote a community of proponents across the MHS supportive of improved health information assurance. The MHS HIPAA-compliance effort teaches important general lessons about organizational reform in large civilian or military enterprises.

Security controls in an integrated Biobank to protect privacy in data sharing: rationale and study design.

PubMed

Takai-Igarashi, Takako; Kinoshita, Kengo; Nagasaki, Masao; Ogishima, Soichi; Nakamura, Naoki; Nagase, Sachiko; Nagaie, Satoshi; Saito, Tomo; Nagami, Fuji; Minegishi, Naoko; Suzuki, Yoichi; Suzuki, Kichiya; Hashizume, Hiroaki; Kuriyama, Shinichi; Hozawa, Atsushi; Yaegashi, Nobuo; Kure, Shigeo; Tamiya, Gen; Kawaguchi, Yoshio; Tanaka, Hiroshi; Yamamoto, Masayuki

2017-07-06

With the goal of realizing genome-based personalized healthcare, we have developed a biobank that integrates personal health, genome, and omics data along with biospecimens donated by volunteers of 150,000. Such a large-scale of data integration involves obvious risks of privacy violation. The research use of personal genome and health information is a topic of global discussion with regard to the protection of privacy while promoting scientific advancement. The present paper reports on our plans, current attempts, and accomplishments in addressing security problems involved in data sharing to ensure donor privacy while promoting scientific advancement. Biospecimens and data have been collected in prospective cohort studies with the comprehensive agreement. The sample size of 150,000 participants was required for multiple researches including genome-wide screening of gene by environment interactions, haplotype phasing, and parametric linkage analysis. We established the T ohoku M edical M egabank (TMM) data sharing policy: a privacy protection rule that requires physical, personnel, and technological safeguards against privacy violation regarding the use and sharing of data. The proposed policy refers to that of NCBI and that of the Sanger Institute. The proposed policy classifies shared data according to the strength of re-identification risks. Local committees organized by TMM evaluate re-identification risk and assign a security category to a dataset. Every dataset is stored in an assigned segment of a supercomputer in accordance with its security category. A security manager should be designated to handle all security problems at individual data use locations. The proposed policy requires closed networks and IP-VPN remote connections. The mission of the biobank is to distribute biological resources most productively. This mission motivated us to collect biospecimens and health data and simultaneously analyze genome/omics data in-house. The biobank also has the

Inter-organizational future proof EHR systems. A review of the security and privacy related issues.

PubMed

van der Linden, Helma; Kalra, Dipak; Hasman, Arie; Talmon, Jan

2009-03-01

Identification and analysis of privacy and security related issues that occur when health information is exchanged between health care organizations. Based on a generic scenario questions were formulated to reveal the occurring issues. Possible answers were verified in literature. Ensuring secure health information exchange across organizations requires a standardization of security measures that goes beyond organizational boundaries, such as global definitions of professional roles, global standards for patient consent and semantic interoperable audit logs. As to be able to fully address the privacy and security issues in interoperable EHRs and the long-life virtual EHR it is necessary to realize a paradigm shift from storing all incoming information in a local system to retrieving information from external systems whenever that information is deemed necessary for the care of the patient.

Banking on privacy. Hospitals must protect patient information--and their own liability--as banks balk at HIPAA.

PubMed

Haugh, Richard

2004-02-01

Thanks to HIPAA, banks stand to earn billions of dollars in new business by processing electronic claims for health care providers and payers. And the health care industry could realize $35 billion a year in efficiency gains and cost savings. But overshadowing it all is the question of how protected patient information will be--and how liable hospitals will be for any breach of that information by their business partners.

77 FR 74913 - Privacy Act of 1974, as Amended; Computer Matching Program (Social Security Administration (SSA...

Federal Register 2010, 2011, 2012, 2013, 2014

2012-12-18

... SOCIAL SECURITY ADMINISTRATION [Docket No. SSA 2012-0055] Privacy Act of 1974, as Amended; Computer Matching Program (Social Security Administration (SSA)/Office of Personnel Management (OPM))--Match Number 1307 AGENCY: Social Security Administration. ACTION: Notice of a renewal of an existing...

Collaborative eHealth Meets Security: Privacy-Enhancing Patient Profile Management.

PubMed

Sanchez-Guerrero, Rosa; Mendoza, Florina Almenarez; Diaz-Sanchez, Daniel; Cabarcos, Patricia Arias; Lopez, Andres Marin

2017-11-01

Collaborative healthcare environments offer potential benefits, including enhancing the healthcare quality delivered to patients and reducing costs. As a direct consequence, sharing of electronic health records (EHRs) among healthcare providers has experienced a noteworthy growth in the last years, since it enables physicians to remotely monitor patients' health and enables individuals to manage their own health data more easily. However, these scenarios face significant challenges regarding security and privacy of the extremely sensitive information contained in EHRs. Thus, a flexible, efficient, and standards-based solution is indispensable to guarantee selective identity information disclosure and preserve patient's privacy. We propose a privacy-aware profile management approach that empowers the patient role, enabling him to bring together various healthcare providers as well as user-generated claims into an unique credential. User profiles are represented through an adaptive Merkle Tree, for which we formalize the underlying mathematical model. Furthermore, performance of the proposed solution is empirically validated through simulation experiments.

A Secure and Privacy-Preserving Navigation Scheme Using Spatial Crowdsourcing in Fog-Based VANETs

PubMed Central

Wang, Lingling; Liu, Guozhu; Sun, Lijun

2017-01-01

Fog-based VANETs (Vehicular ad hoc networks) is a new paradigm of vehicular ad hoc networks with the advantages of both vehicular cloud and fog computing. Real-time navigation schemes based on fog-based VANETs can promote the scheme performance efficiently. In this paper, we propose a secure and privacy-preserving navigation scheme by using vehicular spatial crowdsourcing based on fog-based VANETs. Fog nodes are used to generate and release the crowdsourcing tasks, and cooperatively find the optimal route according to the real-time traffic information collected by vehicles in their coverage areas. Meanwhile, the vehicle performing the crowdsourcing task can get a reasonable reward. The querying vehicle can retrieve the navigation results from each fog node successively when entering its coverage area, and follow the optimal route to the next fog node until it reaches the desired destination. Our scheme fulfills the security and privacy requirements of authentication, confidentiality and conditional privacy preservation. Some cryptographic primitives, including the Elgamal encryption algorithm, AES, randomized anonymous credentials and group signatures, are adopted to achieve this goal. Finally, we analyze the security and the efficiency of the proposed scheme. PMID:28338620

A Secure and Privacy-Preserving Navigation Scheme Using Spatial Crowdsourcing in Fog-Based VANETs.

PubMed

Wang, Lingling; Liu, Guozhu; Sun, Lijun

2017-03-24

Fog-based VANETs (Vehicular ad hoc networks) is a new paradigm of vehicular ad hoc networks with the advantages of both vehicular cloud and fog computing. Real-time navigation schemes based on fog-based VANETs can promote the scheme performance efficiently. In this paper, we propose a secure and privacy-preserving navigation scheme by using vehicular spatial crowdsourcing based on fog-based VANETs. Fog nodes are used to generate and release the crowdsourcing tasks, and cooperatively find the optimal route according to the real-time traffic information collected by vehicles in their coverage areas. Meanwhile, the vehicle performing the crowdsourcing task can get a reasonable reward. The querying vehicle can retrieve the navigation results from each fog node successively when entering its coverage area, and follow the optimal route to the next fog node until it reaches the desired destination. Our scheme fulfills the security and privacy requirements of authentication, confidentiality and conditional privacy preservation. Some cryptographic primitives, including the Elgamal encryption algorithm, AES, randomized anonymous credentials and group signatures, are adopted to achieve this goal. Finally, we analyze the security and the efficiency of the proposed scheme.

Exploring the Far Side of Mobile Health: Information Security and Privacy of Mobile Health Apps on iOS and Android.

PubMed

Dehling, Tobias; Gao, Fangjian; Schneider, Stephan; Sunyaev, Ali

2015-01-19

Mobile health (mHealth) apps aim at providing seamless access to tailored health information technology and have the potential to alleviate global health burdens. Yet, they bear risks to information security and privacy because users need to reveal private, sensitive medical information to redeem certain benefits. Due to the plethora and diversity of available mHealth apps, implications for information security and privacy are unclear and complex. The objective of this study was to establish an overview of mHealth apps offered on iOS and Android with a special focus on potential damage to users through information security and privacy infringements. We assessed apps available in English and offered in the categories "Medical" and "Health & Fitness" in the iOS and Android App Stores. Based on the information retrievable from the app stores, we established an overview of available mHealth apps, tagged apps to make offered information machine-readable, and clustered the discovered apps to identify and group similar apps. Subsequently, information security and privacy implications were assessed based on health specificity of information available to apps, potential damage through information leaks, potential damage through information manipulation, potential damage through information loss, and potential value of information to third parties. We discovered 24,405 health-related apps (iOS; 21,953; Android; 2452). Absence or scarceness of ratings for 81.36% (17,860/21,953) of iOS and 76.14% (1867/2452) of Android apps indicates that less than a quarter of mHealth apps are in more or less widespread use. Clustering resulted in 245 distinct clusters, which were consolidated into 12 app archetypes grouping clusters with similar assessments of potential damage through information security and privacy infringements. There were 6426 apps that were excluded during clustering. The majority of apps (95.63%, 17,193/17,979; of apps) pose at least some potential damage through

75 FR 23274 - Privacy Act of 1974; Department of Homeland Security United States Immigration Customs and...

Federal Register 2010, 2011, 2012, 2013, 2014

2010-05-03

... is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security... DEPARTMENT OF HOMELAND SECURITY Office of the Secretary [Docket No. DHS-2010-0031] Privacy Act of 1974; Department of Homeland Security United States Immigration Customs and Enforcement--011...

A Systematic Review of Research Studies Examining Telehealth Privacy and Security Practices used by Healthcare Providers.

PubMed

Watzlaf, Valerie J M; Zhou, Leming; Dealmeida, Dilhari R; Hartman, Linda M

2017-01-01

The objective of this systematic review was to systematically review papers in the United States that examine current practices in privacy and security when telehealth technologies are used by healthcare providers. A literature search was conducted using the Preferred Reporting Items for Systematic Reviews and Meta-Analyses Protocols (PRISMA-P). PubMed, CINAHL and INSPEC from 2003 - 2016 were searched and returned 25,404 papers (after duplications were removed). Inclusion and exclusion criteria were strictly followed to examine title, abstract, and full text for 21 published papers which reported on privacy and security practices used by healthcare providers using telehealth. Data on confidentiality, integrity, privacy, informed consent, access control, availability, retention, encryption, and authentication were all searched and retrieved from the papers examined. Papers were selected by two independent reviewers, first per inclusion/exclusion criteria and, where there was disagreement, a third reviewer was consulted. The percentage of agreement and Cohen's kappa was 99.04% and 0.7331 respectively. The papers reviewed ranged from 2004 to 2016 and included several types of telehealth specialties. Sixty-seven percent were policy type studies, and 14 percent were survey/interview studies. There were no randomized controlled trials. Based upon the results, we conclude that it is necessary to have more studies with specific information about the use of privacy and security practices when using telehealth technologies as well as studies that examine patient and provider preferences on how data is kept private and secure during and after telehealth sessions.

76 FR 67621 - Privacy Act of 1974: Implementation of Exemptions; Department of Homeland Security U.S. Customs...

Federal Register 2010, 2011, 2012, 2013, 2014

2011-11-02

...The Department of Homeland Security is giving concurrent notice of a newly established system of records pursuant to the Privacy Act of 1974 for the ``Department of Homeland Security/U.S. Customs and Border Protection-003 Credit/Debit Care Data System of Records'' and this proposed rulemaking. In this proposed rulemaking, the Department proposes to exempt portions of the system of records from one or more provisions of the Privacy Act because of criminal, civil, and administrative enforcement requirements.

45 CFR 155.260 - Privacy and security of personally identifiable information.

Code of Federal Regulations, 2012 CFR

2012-10-01

... AFFORDABLE CARE ACT General Functions of an Exchange § 155.260 Privacy and security of personally... information to the extent such information is necessary to carry out the functions described in § 155.200 of...: (1) Gain access to personally identifiable information submitted to an Exchange; or (2) Collect, use...

Personal computer security: part 1. Firewalls, antivirus software, and Internet security suites.

PubMed

Caruso, Ronald D

2003-01-01

Personal computer (PC) security in the era of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) involves two interrelated elements: safeguarding the basic computer system itself and protecting the information it contains and transmits, including personal files. HIPAA regulations have toughened the requirements for securing patient information, requiring every radiologist with such data to take further precautions. Security starts with physically securing the computer. Account passwords and a password-protected screen saver should also be set up. A modern antivirus program can easily be installed and configured. File scanning and updating of virus definitions are simple processes that can largely be automated and should be performed at least weekly. A software firewall is also essential for protection from outside intrusion, and an inexpensive hardware firewall can provide yet another layer of protection. An Internet security suite yields additional safety. Regular updating of the security features of installed programs is important. Obtaining a moderate degree of PC safety and security is somewhat inconvenient but is necessary and well worth the effort. Copyright RSNA, 2003

A privacy protection for an mHealth messaging system

NASA Astrophysics Data System (ADS)

Aaleswara, Lakshmipathi; Akopian, David; Chronopoulos, Anthony T.

2015-03-01

In this paper, we propose a new software system that employs features that help the organization to comply with USA HIPAA regulations. The system uses SMS as the primary way of communication to transfer information. Lack of knowledge about some diseases is still a major reason for some harmful diseases spreading. The developed system includes different features that may help to communicate amongst low income people who don't even have access to the internet. Since the software system deals with Personal Health Information (PHI) it is equipped with an access control authentication system mechanism to protect privacy. The system is analyzed for performance to identify how much overhead the privacy rules impose.

75 FR 7978 - Privacy Act of 1974: Implementation of Exemptions; Department of Homeland Security Transportation...

Federal Register 2010, 2011, 2012, 2013, 2014

2010-02-23

...; Department of Homeland Security Transportation Security Administration-023 Workplace Violence Prevention... Administration-023 Workplace Violence Prevention Program System of Records and this proposed rulemaking. In this... Privacy Act (5 U.S.C. 552a) titled, DHS/TSA-023 Workplace Violence Prevention Program System of Records...

Privacy-Preserving and Secure Sharing of PHR in the Cloud.

PubMed

Zhang, Leyou; Wu, Qing; Mu, Yi; Zhang, Jingxia

2016-12-01

As a new summarized record of an individual's medical data and information, Personal Health Record (PHR) can be accessible online. The owner can control fully his/her PHR files to be shared with different users such as doctors, clinic agents, and friends. However, in an open network environment like in the Cloud, these sensitive privacy information may be gotten by those unauthorized parties and users. In this paper, we consider how to achieve PHR data confidentiality and provide fine-grained access control of PHR files in the public Cloud based on Attribute Based Encryption(ABE). Differing from previous works, we also consider the privacy preserving of the receivers since the attributes of the receivers relate to their identity or medical information, which would make some sensitive data exposed to third services. Anonymous ABE(AABE) not only enforces the security of PHR of the owners but also preserves the privacy of the receivers. But a normal AABE with a single private key generation(PKG) center may not match a PHR system in the hierarchical architecture. Therefore, we discuss not only the construction of the PHR sharing system base on AABE but also how to construct the PHR sharing system based on the hierarchical AABE. The proposed schemes(especially based on hierarchical AABE) have many advantages over the available such as short public keys, constant-size private keys, which overcome the weaknesses in the existing works. In the standard model, the introduced schemes achieve compact security in the prime order groups.

Exploring the Far Side of Mobile Health: Information Security and Privacy of Mobile Health Apps on iOS and Android

PubMed Central

Dehling, Tobias; Gao, Fangjian; Schneider, Stephan

2015-01-01

Background Mobile health (mHealth) apps aim at providing seamless access to tailored health information technology and have the potential to alleviate global health burdens. Yet, they bear risks to information security and privacy because users need to reveal private, sensitive medical information to redeem certain benefits. Due to the plethora and diversity of available mHealth apps, implications for information security and privacy are unclear and complex. Objective The objective of this study was to establish an overview of mHealth apps offered on iOS and Android with a special focus on potential damage to users through information security and privacy infringements. Methods We assessed apps available in English and offered in the categories “Medical” and “Health & Fitness” in the iOS and Android App Stores. Based on the information retrievable from the app stores, we established an overview of available mHealth apps, tagged apps to make offered information machine-readable, and clustered the discovered apps to identify and group similar apps. Subsequently, information security and privacy implications were assessed based on health specificity of information available to apps, potential damage through information leaks, potential damage through information manipulation, potential damage through information loss, and potential value of information to third parties. Results We discovered 24,405 health-related apps (iOS; 21,953; Android; 2452). Absence or scarceness of ratings for 81.36% (17,860/21,953) of iOS and 76.14% (1867/2452) of Android apps indicates that less than a quarter of mHealth apps are in more or less widespread use. Clustering resulted in 245 distinct clusters, which were consolidated into 12 app archetypes grouping clusters with similar assessments of potential damage through information security and privacy infringements. There were 6426 apps that were excluded during clustering. The majority of apps (95.63%, 17,193/17,979; of apps) pose

Obfuscatable multi-recipient re-encryption for secure privacy-preserving personal health record services.

PubMed

Shi, Yang; Fan, Hongfei; Xiong, Guoyue

2015-01-01

With the rapid development of cloud computing techniques, it is attractive for personal health record (PHR) service providers to deploy their PHR applications and store the personal health data in the cloud. However, there could be a serious privacy leakage if the cloud-based system is intruded by attackers, which makes it necessary for the PHR service provider to encrypt all patients' health data on cloud servers. Existing techniques are insufficiently secure under circumstances where advanced threats are considered, or being inefficient when many recipients are involved. Therefore, the objectives of our solution are (1) providing a secure implementation of re-encryption in white-box attack contexts and (2) assuring the efficiency of the implementation even in multi-recipient cases. We designed the multi-recipient re-encryption functionality by randomness-reusing and protecting the implementation by obfuscation. The proposed solution is secure even in white-box attack contexts. Furthermore, a comparison with other related work shows that the computational cost of the proposed solution is lower. The proposed technique can serve as a building block for supporting secure, efficient and privacy-preserving personal health record service systems.

45 CFR 155.260 - Privacy and security of personally identifiable information.

Code of Federal Regulations, 2014 CFR

2014-10-01

... AFFORDABLE CARE ACT General Functions of an Exchange § 155.260 Privacy and security of personally... information to the extent such information is necessary: (i) For the Exchange to carry out the functions described in § 155.200; (ii) For the Exchange to carry out other functions not described in paragraph (a)(1...

Analysis of the Security and Privacy Requirements of Cloud-Based Electronic Health Records Systems

PubMed Central

Fernández, Gonzalo; López-Coronado, Miguel

2013-01-01

Background The Cloud Computing paradigm offers eHealth systems the opportunity to enhance the features and functionality that they offer. However, moving patients’ medical information to the Cloud implies several risks in terms of the security and privacy of sensitive health records. In this paper, the risks of hosting Electronic Health Records (EHRs) on the servers of third-party Cloud service providers are reviewed. To protect the confidentiality of patient information and facilitate the process, some suggestions for health care providers are made. Moreover, security issues that Cloud service providers should address in their platforms are considered. Objective To show that, before moving patient health records to the Cloud, security and privacy concerns must be considered by both health care providers and Cloud service providers. Security requirements of a generic Cloud service provider are analyzed. Methods To study the latest in Cloud-based computing solutions, bibliographic material was obtained mainly from Medline sources. Furthermore, direct contact was made with several Cloud service providers. Results Some of the security issues that should be considered by both Cloud service providers and their health care customers are role-based access, network security mechanisms, data encryption, digital signatures, and access monitoring. Furthermore, to guarantee the safety of the information and comply with privacy policies, the Cloud service provider must be compliant with various certifications and third-party requirements, such as SAS70 Type II, PCI DSS Level 1, ISO 27001, and the US Federal Information Security Management Act (FISMA). Conclusions Storing sensitive information such as EHRs in the Cloud means that precautions must be taken to ensure the safety and confidentiality of the data. A relationship built on trust with the Cloud service provider is essential to ensure a transparent process. Cloud service providers must make certain that all security

Analysis of the security and privacy requirements of cloud-based electronic health records systems.

PubMed

Rodrigues, Joel J P C; de la Torre, Isabel; Fernández, Gonzalo; López-Coronado, Miguel

2013-08-21

The Cloud Computing paradigm offers eHealth systems the opportunity to enhance the features and functionality that they offer. However, moving patients' medical information to the Cloud implies several risks in terms of the security and privacy of sensitive health records. In this paper, the risks of hosting Electronic Health Records (EHRs) on the servers of third-party Cloud service providers are reviewed. To protect the confidentiality of patient information and facilitate the process, some suggestions for health care providers are made. Moreover, security issues that Cloud service providers should address in their platforms are considered. To show that, before moving patient health records to the Cloud, security and privacy concerns must be considered by both health care providers and Cloud service providers. Security requirements of a generic Cloud service provider are analyzed. To study the latest in Cloud-based computing solutions, bibliographic material was obtained mainly from Medline sources. Furthermore, direct contact was made with several Cloud service providers. Some of the security issues that should be considered by both Cloud service providers and their health care customers are role-based access, network security mechanisms, data encryption, digital signatures, and access monitoring. Furthermore, to guarantee the safety of the information and comply with privacy policies, the Cloud service provider must be compliant with various certifications and third-party requirements, such as SAS70 Type II, PCI DSS Level 1, ISO 27001, and the US Federal Information Security Management Act (FISMA). Storing sensitive information such as EHRs in the Cloud means that precautions must be taken to ensure the safety and confidentiality of the data. A relationship built on trust with the Cloud service provider is essential to ensure a transparent process. Cloud service providers must make certain that all security mechanisms are in place to avoid unauthorized access

77 FR 32709 - Privacy Act of 1974, as Amended; Computer Matching Program (SSA/Department of Homeland Security...

Federal Register 2010, 2011, 2012, 2013, 2014

2012-06-01

... SOCIAL SECURITY ADMINISTRATION [Docket No. SSA 2011-0089] Privacy Act of 1974, as Amended; Computer Matching Program (SSA/ Department of Homeland Security (DHS))--Match Number 1010 AGENCY: Social Security Administration (SSA). ACTION: Notice of a renewal of an existing computer matching program that...

A Secure RFID Tag Authentication Protocol with Privacy Preserving in Telecare Medicine Information System.

PubMed

Li, Chun-Ta; Weng, Chi-Yao; Lee, Cheng-Chi

2015-08-01

Radio Frequency Identification (RFID) based solutions are widely used for providing many healthcare applications include patient monitoring, object traceability, drug administration system and telecare medicine information system (TMIS) etc. In order to reduce malpractices and ensure patient privacy, in 2015, Srivastava et al. proposed a hash based RFID tag authentication protocol in TMIS. Their protocol uses lightweight hash operation and synchronized secret value shared between back-end server and tag, which is more secure and efficient than other related RFID authentication protocols. Unfortunately, in this paper, we demonstrate that Srivastava et al.'s tag authentication protocol has a serious security problem in that an adversary may use the stolen/lost reader to connect to the medical back-end server that store information associated with tagged objects and this privacy damage causing the adversary could reveal medical data obtained from stolen/lost readers in a malicious way. Therefore, we propose a secure and efficient RFID tag authentication protocol to overcome security flaws and improve the system efficiency. Compared with Srivastava et al.'s protocol, the proposed protocol not only inherits the advantages of Srivastava et al.'s authentication protocol for TMIS but also provides better security with high system efficiency.

An analysis of the management and leadership roles of nurses relative to the health insurance portability and accountability act.

PubMed

Kiel, Joan M

2015-01-01

Nurses have a great deal of interaction with patients. Given this, nurses play a vital role in conveying to patients knowledge of their privacy, security, and confidentiality of patient health information rights under the Health Insurance Portability and Accountability Act (HIPAA). Nurses also can be "at the head of the table" in their own organization and professional organizations in regard to facilitating the implementation of the HIPAA and making access to patient information more "consumer friendly." This article discusses the role that nurses can develop into concerning HIPAA implementation in an ever-burgeoning arena of consumer advocacy and consumer information.

Privacy, security, and the public health researcher in the era of electronic health record research

PubMed Central

Sarwate, Anand D.

2016-01-01

Health data derived from electronic health records are increasingly utilized in large-scale population health analyses. Going hand in hand with this increase in data is an increasing number of data breaches. Ensuring privacy and security of these data is a shared responsibility between the public health researcher, collaborators, and their institutions. In this article, we review the requirements of data privacy and security and discuss epidemiologic implications of emerging technologies from the computer science community that can be used for health data. In order to ensure that our needs as researchers are captured in these technologies, we must engage in the dialogue surrounding the development of these tools. PMID:28210428

Privacy, security, and the public health researcher in the era of electronic health record research.

PubMed

Goldstein, Neal D; Sarwate, Anand D

2016-01-01

Health data derived from electronic health records are increasingly utilized in large-scale population health analyses. Going hand in hand with this increase in data is an increasing number of data breaches. Ensuring privacy and security of these data is a shared responsibility between the public health researcher, collaborators, and their institutions. In this article, we review the requirements of data privacy and security and discuss epidemiologic implications of emerging technologies from the computer science community that can be used for health data. In order to ensure that our needs as researchers are captured in these technologies, we must engage in the dialogue surrounding the development of these tools.

HIPAA Compliance with Mobile Devices Among ACGME Programs.

PubMed

McKnight, Randall; Franko, Orrin

2016-05-01

To analyze self-reported HIPAA compliance with mobile technologies among residents, fellows, and attendings at ACGME training programs. A digital survey was sent to 678 academic institutions over a 1-month period. 2427 responses were analyzed using Chi-squared tests for independence. Post-hoc Bonferroni correction was applied for all comparisons between training levels, clinical setting, and specialty. 58 % of all residents self-report violating HIPAA by sharing protected health information (PHI) via text messaging with 27 % reporting they do it "often" or "routinely" compared to 15-19 % of attendings. For all specialties, 35 % of residents use text messaging photo or video sharing with PHI. Overall, 5 % of respondents "often" or "routinely" used HIPAA compliant (HCApps) with no significant differences related to training level. 20 % of residents admitted to using non-encrypted email at some point. 53 % of attendings and 41 % of residents utilized encrypted email routinely. Physicians from surgical specialties compared to non-surgical specialties demonstrated higher rates of HIPAA violations with SMS use (35 % vs. 17.7 %), standard photo/video messages (16.3 % vs. 4.7 %), HCApps (10.9 % vs. 4.9 %), and non-HCApps (5.6 % vs 1.5 %). The most significant barriers to complying with HIPAA were inconvenience (58 %), lack of knowledge (37 %), unfamiliarity (34 %), inaccessible (29 %) and habit (24 %). Medical professionals must acknowledge that despite laws to protect patient confidentiality in the era of mobile technology, over 50 % of current medical trainees knowingly violate these rules regularly despite the threat of severe consequences. The medical community must further examine the reason for these inconsistencies and work towards possible solutions.

77 FR 47767 - Privacy Act of 1974: Implementation of Exemptions; Department of Homeland Security U.S. Customs...

Federal Register 2010, 2011, 2012, 2013, 2014

2012-08-10

... Protection, DHS/CBP--017 Analytical Framework for Intelligence (AFI) System of Records AGENCY: Privacy Office... Homeland Security/U.S. Customs and Border Protection, DHS/CBP--017 Analytical Framework for Intelligence... Analytical Framework for Intelligence (AFI) System of Records'' from one or more provisions of the Privacy...

A Systematic Review of Research Studies Examining Telehealth Privacy and Security Practices used by Healthcare Providers

PubMed Central

WATZLAF, VALERIE J. M.; ZHOU, LEMING; DEALMEIDA, DILHARI R.; HARTMAN, LINDA M.

2017-01-01

The objective of this systematic review was to systematically review papers in the United States that examine current practices in privacy and security when telehealth technologies are used by healthcare providers. A literature search was conducted using the Preferred Reporting Items for Systematic Reviews and Meta-Analyses Protocols (PRISMA-P). PubMed, CINAHL and INSPEC from 2003 – 2016 were searched and returned 25,404 papers (after duplications were removed). Inclusion and exclusion criteria were strictly followed to examine title, abstract, and full text for 21 published papers which reported on privacy and security practices used by healthcare providers using telehealth. Data on confidentiality, integrity, privacy, informed consent, access control, availability, retention, encryption, and authentication were all searched and retrieved from the papers examined. Papers were selected by two independent reviewers, first per inclusion/exclusion criteria and, where there was disagreement, a third reviewer was consulted. The percentage of agreement and Cohen’s kappa was 99.04% and 0.7331 respectively. The papers reviewed ranged from 2004 to 2016 and included several types of telehealth specialties. Sixty-seven percent were policy type studies, and 14 percent were survey/interview studies. There were no randomized controlled trials. Based upon the results, we conclude that it is necessary to have more studies with specific information about the use of privacy and security practices when using telehealth technologies as well as studies that examine patient and provider preferences on how data is kept private and secure during and after telehealth sessions. PMID:29238448

Privacy, Security, & Compliance: Strange Bedfellows or a Marriage Made in Heaven?

ERIC Educational Resources Information Center

Corn, Michael; Rosenthal, Jane

2013-01-01

Where does privacy belong in the college/university ecosystem, and what should its relationship be with security and compliance? Are the three areas best kept separate and distinct? Should there be some overlap? Or would a single office, officer, and/or reporting line enable a big picture of the whole? This article examines several of the campus…

Public Perspectives of Mobile Phones' Effects on Healthcare Quality and Medical Data Security and Privacy: A 2-Year Nationwide Survey.

PubMed

Richardson, Joshua E; Ancker, Jessica S

2015-01-01

Given growing interest in mobile phones for health management (mHealth), we surveyed consumer perceptions of mHealth in security, privacy, and healthcare quality using national random-digit-dial telephone surveys in 2013 and 2014. In 2013, 48% thought that using a mobile phone to communicate data with a physician's electronic health record (EHR) would improve the quality of health care. By 2014, the proportion rose to 57% (p < .001). There were no similar changes in privacy concerns yet nearly two-thirds expressed privacy concerns. In 2013 alone, respondents were more likely to express privacy concerns about medical data on mobile phones than they were to endorse similar concerns with EHRs or health information exchange (HIE). Consumers increasingly believe that mHealth improves healthcare quality, but security and privacy concerns need to be addressed for quality improvement to be fully realized.

Security and privacy in molecular communication and networking: opportunities and challenges.

PubMed

Loscrí, Valeria; Marchal, César; Mitton, Nathalie; Fortino, Giancarlo; Vasilakos, Athanasios V

2014-09-01

Molecular Communication (MC) is an emerging and promising communication paradigm for several multi-disciplinary domains like bio-medical, industry and military. Differently to the traditional communication paradigm, the information is encoded on the molecules, that are then used as carriers of information. Novel approaches related to this new communication paradigm have been proposed, mainly focusing on architectural aspects and categorization of potential applications. So far, security and privacy aspects related to the molecular communication systems have not been investigated at all and represent an open question that need to be addressed. The main motivation of this paper lies on providing some first insights about security and privacy aspects of MC systems, by highlighting the open issues and challenges and above all by outlining some specific directions of potential solutions. Existing cryptographic methods and security approaches are not suitable for MC systems since do not consider the pecific issues and challenges, that need ad-hoc solutions. We will discuss directions in terms of potential solutions by trying to highlight the main advantages and potential drawbacks for each direction considered. We will try to answer to the main questions: 1) why this solution can be exploited in the MC field to safeguard the system and its reliability? 2) which are the main issues related to the specific approach?

Privacy-preserving microbiome analysis using secure computation.

PubMed

Wagner, Justin; Paulson, Joseph N; Wang, Xiao; Bhattacharjee, Bobby; Corrada Bravo, Héctor

2016-06-15

Developing targeted therapeutics and identifying biomarkers relies on large amounts of research participant data. Beyond human DNA, scientists now investigate the DNA of micro-organisms inhabiting the human body. Recent work shows that an individual's collection of microbial DNA consistently identifies that person and could be used to link a real-world identity to a sensitive attribute in a research dataset. Unfortunately, the current suite of DNA-specific privacy-preserving analysis tools does not meet the requirements for microbiome sequencing studies. To address privacy concerns around microbiome sequencing, we implement metagenomic analyses using secure computation. Our implementation allows comparative analysis over combined data without revealing the feature counts for any individual sample. We focus on three analyses and perform an evaluation on datasets currently used by the microbiome research community. We use our implementation to simulate sharing data between four policy-domains. Additionally, we describe an application of our implementation for patients to combine data that allows drug developers to query against and compensate patients for the analysis. The software is freely available for download at: http://cbcb.umd.edu/∼hcorrada/projects/secureseq.html Supplementary data are available at Bioinformatics online. hcorrada@umiacs.umd.edu. © The Author 2016. Published by Oxford University Press.

Privacy and Security within Biobanking: The Role of Information Technology.

PubMed

Heatherly, Raymond

2016-03-01

Along with technical issues, biobanking frequently raises important privacy and security issues that must be resolved as biobanks continue to grow in scale and scope. Consent mechanisms currently in use range from fine-grained to very broad, and in some cases participants are offered very few privacy protections. However, developments in information technology are bringing improvements. New programs and systems are being developed to allow researchers to conduct analyses without distributing the data itself offsite, either by allowing the investigator to communicate with a central computer, or by having each site participate in meta-analysis that results in a shared statistic or final significance result. The implementation of security protocols into the research biobanking setting requires three key elements: authentication, authorization, and auditing. Authentication is the process of making sure individuals are who they claim to be, frequently through the use of a password, a key fob, or a physical (i.e., retinal or fingerprint) scan. Authorization involves ensuring that every individual who attempts an action has permission to do that action. Finally, auditing allows for actions to be logged so that inappropriate or unethical actions can later be traced back to their source. © 2016 American Society of Law, Medicine & Ethics.

75 FR 67909 - Privacy Act of 1974: Implementation of Exemptions; Department of Homeland Security Office of the...

Federal Register 2010, 2011, 2012, 2013, 2014

2010-11-04

... facsimile (202) 254-4299. For privacy issues please contact: Mary Ellen Callahan (703-235-0780), Chief...;Prices of new books are listed in the first FEDERAL REGISTER issue of each #0;week. #0; #0; #0; #0;#0...] Privacy Act of 1974: Implementation of Exemptions; Department of Homeland Security Office of the Inspector...

Advances and current state of the security and privacy in electronic health records: survey from a social perspective.

PubMed

Tejero, Antonio; de la Torre, Isabel

2012-10-01

E-Health systems are experiencing an impulse in these last years, when many medical agencies began to include digital solutions into their platforms. Electronic Health Records (EHRs) are one of the most important improvements, being in its most part a patient-oriented tool. To achieve a completely operational EHR platform, security and privacy problems have to be resolved, due to the importance of the data included within these records. But given all the different methods to address security and privacy, they still remain in most cases as an open issue. This paper studies existing and proposed solutions included in different scenarios, in order to offer an overview of the current state in EHR systems. Bibliographic material has been obtained mainly from MEDLINE and SCOPUS sources, and over 30 publications have been analyzed. Many EHR platforms are being developed, but most of them present weaknesses when they are opened to the public. These architectures gain significance when they cover all the requisites related to security and privacy.

Public Perspectives of Mobile Phones’ Effects on Healthcare Quality and Medical Data Security and Privacy: A 2-Year Nationwide Survey

PubMed Central

Richardson, Joshua E.; Ancker, Jessica S.

2015-01-01

Given growing interest in mobile phones for health management (mHealth), we surveyed consumer perceptions of mHealth in security, privacy, and healthcare quality using national random-digit-dial telephone surveys in 2013 and 2014. In 2013, 48% thought that using a mobile phone to communicate data with a physician’s electronic health record (EHR) would improve the quality of health care. By 2014, the proportion rose to 57% (p < .001). There were no similar changes in privacy concerns yet nearly two-thirds expressed privacy concerns. In 2013 alone, respondents were more likely to express privacy concerns about medical data on mobile phones than they were to endorse similar concerns with EHRs or health information exchange (HIE). Consumers increasingly believe that mHealth improves healthcare quality, but security and privacy concerns need to be addressed for quality improvement to be fully realized. PMID:26958246

Location Privacy in RFID Applications

NASA Astrophysics Data System (ADS)

Sadeghi, Ahmad-Reza; Visconti, Ivan; Wachsmann, Christian

RFID-enabled systems allow fully automatic wireless identification of objects and are rapidly becoming a pervasive technology with various applications. However, despite their benefits, RFID-based systems also pose challenging risks, in particular concerning user privacy. Indeed, improvident use of RFID can disclose sensitive information about users and their locations allowing detailed user profiles. Hence, it is crucial to identify and to enforce appropriate security and privacy requirements of RFID applications (that are also compliant to legislation). This chapter first discusses security and privacy requirements for RFID-enabled systems, focusing in particular on location privacy issues. Then it explores the advances in RFID applications, stressing the security and privacy shortcomings of existing proposals. Finally, it presents new promising directions for privacy-preserving RFID systems, where as a case study we focus electronic tickets (e-tickets) for public transportation.

Hacking Facebook Privacy and Security

DTIC Science & Technology

2012-08-28

that their information is somehow protected. However, practically this is not always the case and privacy on social networking sites has received...fraudsters target Facebook and other social networking sites to harvest information about you. Here’s how we recommend you set your Facebook privacy

Implementation of data security and data privacy provisions will bring sweeping changes to laboratory service providers.

PubMed

Boothe, J F

2000-01-01

The Health Insurance Portability and Accountability Act included substantial changes involving handling of health information by establishing national standards for electronic transactions, data privacy, and data security. The first final rule for electronic transaction standards was published August 17, 2000. The remaining final rules are expected to be published in Winter 2000. Providers, such as clinical laboratories, will have 26 months from the data of publication to comply. The civil monetary fines for noncompliance are substantial. This article will review the key provisions of the data security and data privacy proposed rules. These provisions will touch virtually every aspect of electronic claims submissions, electronic data transactions, and the electronic storage of medical information. The proposed rules will require a coordinated approach by providers to develop the policies and procedures, and the technical and physical infrastructure to protect health information. Moreover, providers will need to identify a privacy officer, to review existing privacy policies to compare the proposed rule with any existing state laws to determine which may be more stringent, and to develop new policies to address the particular requirements of the final rule.

Security and privacy issues in implantable medical devices: A comprehensive survey.

PubMed

Camara, Carmen; Peris-Lopez, Pedro; Tapiador, Juan E

2015-06-01

Bioengineering is a field in expansion. New technologies are appearing to provide a more efficient treatment of diseases or human deficiencies. Implantable Medical Devices (IMDs) constitute one example, these being devices with more computing, decision making and communication capabilities. Several research works in the computer security field have identified serious security and privacy risks in IMDs that could compromise the implant and even the health of the patient who carries it. This article surveys the main security goals for the next generation of IMDs and analyzes the most relevant protection mechanisms proposed so far. On the one hand, the security proposals must have into consideration the inherent constraints of these small and implanted devices: energy, storage and computing power. On the other hand, proposed solutions must achieve an adequate balance between the safety of the patient and the security level offered, with the battery lifetime being another critical parameter in the design phase. Copyright © 2015 Elsevier Inc. All rights reserved.

A Survey on Security and Privacy in Emerging Sensor Networks: From Viewpoint of Close-Loop.

PubMed

Zhang, Lifu; Zhang, Heng

2016-03-26

Nowadays, as the next generation sensor networks, Cyber-Physical Systems (CPSs) refer to the complex networked systems that have both physical subsystems and cyber components, and the information flow between different subsystems and components is across a communication network, which forms a closed-loop. New generation sensor networks are found in a growing number of applications and have received increasing attention from many inter-disciplines. Opportunities and challenges in the design, analysis, verification and validation of sensor networks co-exists, among which security and privacy are two important ingredients. This paper presents a survey on some recent results in the security and privacy aspects of emerging sensor networks from the viewpoint of the closed-loop. This paper also discusses several future research directions under these two umbrellas.

17 CFR 160.8 - Revised privacy notices.

Code of Federal Regulations, 2011 CFR

2011-04-01

... 17 Commodity and Securities Exchanges 1 2011-04-01 2011-04-01 false Revised privacy notices. 160.8 Section 160.8 Commodity and Securities Exchanges COMMODITY FUTURES TRADING COMMISSION PRIVACY OF CONSUMER FINANCIAL INFORMATION Privacy and Opt Out Notices § 160.8 Revised privacy notices. (a) General rule. Except...

17 CFR 160.8 - Revised privacy notices.

Code of Federal Regulations, 2010 CFR

2010-04-01

... 17 Commodity and Securities Exchanges 1 2010-04-01 2010-04-01 false Revised privacy notices. 160.8 Section 160.8 Commodity and Securities Exchanges COMMODITY FUTURES TRADING COMMISSION PRIVACY OF CONSUMER FINANCIAL INFORMATION Privacy and Opt Out Notices § 160.8 Revised privacy notices. (a) General rule. Except...

Developing genetic privacy legislation: the South Carolina experience.

PubMed

Edwards, J G; Young, S R; Brooks, K A; Aiken, J H; Patterson, E D; Pritchett, S T

1998-01-01

The availability of presymptomatic and predisposition genetic testing has spawned the need for legislation prohibiting health insurance discrimination on the basis of genetic information. The federal effort, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, falls short by protecting only those who access insurance through group plans. A committee of University of South Carolina professionals convened in 1996 to develop legislation in support of genetic privacy for the state of South Carolina. The legislation prevents health insurance companies from denying coverage or setting insurance rates on the basis of genetic information. It also protects the privacy of genetic information and prohibits performance of genetic tests without specific informed consent. In preparing the bill, genetic privacy laws from other states were reviewed, and a modified version of the Virginia law adopted. The South Carolina Committee for the Protection of Genetic Privacy version went a step further by including enforcement language and excluding Virginia's sunset clause. The definition of genetic information encompassed genetic test results, and importantly, includes family history of genetic disease. Our experience in navigating through the state legislature and working through opposition from the health insurance lobby is detailed herein.

77 FR 35336 - Privacy and Security of Information Stored on Mobile Communications Devices

Federal Register 2010, 2011, 2012, 2013, 2014

2012-06-13

.... ACTION: Proposed rule. SUMMARY: This document seeks comment on the privacy and data security practices of... Practice and Procedure and Part 0 Rules of Commission Organization, Notice of Proposed Rulemaking, 25 FCC... practices of mobile wireless service providers with respect to customer information stored on their users...

The role of privacy protection in healthcare information systems adoption.

PubMed

Hsu, Chien-Lung; Lee, Ming-Ren; Su, Chien-Hui

2013-10-01

Privacy protection is an important issue and challenge in healthcare information systems (HISs). Recently, some privacy-enhanced HISs are proposed. Users' privacy perception, intention, and attitude might affect the adoption of such systems. This paper aims to propose a privacy-enhanced HIS framework and investigate the role of privacy protection in HISs adoption. In the proposed framework, privacy protection, access control, and secure transmission modules are designed to enhance the privacy protection of a HIS. An experimental privacy-enhanced HIS is also implemented. Furthermore, we proposed a research model extending the unified theory of acceptance and use of technology by considering perceived security and information security literacy and then investigate user adoption of a privacy-enhanced HIS. The experimental results and analyses showed that user adoption of a privacy-enhanced HIS is directly affected by social influence, performance expectancy, facilitating conditions, and perceived security. Perceived security has a mediating effect between information security literacy and user adoption. This study proposes several implications for research and practice to improve designing, development, and promotion of a good healthcare information system with privacy protection.

75 FR 28051 - Public Workshop: Pieces of Privacy

Federal Register 2010, 2011, 2012, 2013, 2014

2010-05-19

... DEPARTMENT OF HOMELAND SECURITY Office of the Secretary Public Workshop: Pieces of Privacy AGENCY: Privacy Office, DHS. ACTION: Notice announcing public workshop. SUMMARY: The Department of Homeland Security Privacy Office will host a public workshop, ``Pieces of Privacy.'' DATES: The workshop will be...

Evaluating Common Privacy Vulnerabilities in Internet Service Providers

NASA Astrophysics Data System (ADS)

Kotzanikolaou, Panayiotis; Maniatis, Sotirios; Nikolouzou, Eugenia; Stathopoulos, Vassilios

Privacy in electronic communications receives increased attention in both research and industry forums, stemming from both the users' needs and from legal and regulatory requirements in national or international context. Privacy in internet-based communications heavily relies on the level of security of the Internet Service Providers (ISPs), as well as on the security awareness of the end users. This paper discusses the role of the ISP in the privacy of the communications. Based on real security audits performed in national-wide ISPs, we illustrate privacy-specific threats and vulnerabilities that many providers fail to address when implementing their security policies. We subsequently provide and discuss specific security measures that the ISPs can implement, in order to fine-tune their security policies in the context of privacy protection.

6 CFR 1002.3 - Privacy Act requests.

Code of Federal Regulations, 2014 CFR

2014-01-01

... 6 Domestic Security 1 2014-01-01 2014-01-01 false Privacy Act requests. 1002.3 Section 1002.3 Domestic Security PRIVACY AND CIVIL LIBERTIES OVERSIGHT BOARD IMPLEMENTATION OF THE PRIVACY ACT OF 1974 § 1002.3 Privacy Act requests. (a) Requests to determine if you are the subject of a record. You may...

Privacy, consent, and the electronic mental health record: The Person vs. the System.

PubMed

Clemens, Norman A

2012-01-01

As electronic health record systems become widely adopted and proposals are advanced to integrate mental health with general health systems, there is mounting pressure to include mental health information on the same basis as general health information without any requirement for active, individual patient consent to do so. A prime example is the current effort to change the Mental Health Information Act of the District of Columbia, which has, up till now, stood as a model for protection of the privacy of patients with mental illness, the requirement of informed consent for disclosure of health information, and delimitation of minimum necessary disclosure. Mental health information is exceptionally sensitive and potentially damaging if privacy is breached, which makes patients reluctant to seek treatment if they cannot be assured of confidentiality. In addition, there have been spectacular breaches of the security of large electronic health record databases. A subtle but more likely threat is the possibility that mental health information in networks could be fully accessible to all of the patient's providers in a network, not just those for whom it would be necessary to the patient's care. In the 1996 Supreme Court decision in Jaffee v. Redmond, the high court recognized that confidentiality is essential for patients to engage in effective psychotherapy, and HIPAA maintains that special status in the protection of psychotherapy notes as well as explicitly stating that it defers to state laws that are more protective of confidentiality than is HIPAA itself. Highly sensitive information also exists in mental health records aside from psychotherapy notes. Any change in the laws that govern informed consent for disclosure of mental health information must take these factors into account. Specifically, the author opposes any change that would assume tacit consent to release mental health information through an electronic health information exchange in the absence of a

A Survey on Security and Privacy in Emerging Sensor Networks: From Viewpoint of Close-Loop

PubMed Central

Zhang, Lifu; Zhang, Heng

2016-01-01

Nowadays, as the next generation sensor networks, Cyber-Physical Systems (CPSs) refer to the complex networked systems that have both physical subsystems and cyber components, and the information flow between different subsystems and components is across a communication network, which forms a closed-loop. New generation sensor networks are found in a growing number of applications and have received increasing attention from many inter-disciplines. Opportunities and challenges in the design, analysis, verification and validation of sensor networks co-exists, among which security and privacy are two important ingredients. This paper presents a survey on some recent results in the security and privacy aspects of emerging sensor networks from the viewpoint of the closed-loop. This paper also discusses several future research directions under these two umbrellas. PMID:27023559

Securing SIFT: Privacy-preserving Outsourcing Computation of Feature Extractions Over Encrypted Image Data.

PubMed

Hu, Shengshan; Wang, Qian; Wang, Jingjun; Qin, Zhan; Ren, Kui

2016-05-13

Advances in cloud computing have greatly motivated data owners to outsource their huge amount of personal multimedia data and/or computationally expensive tasks onto the cloud by leveraging its abundant resources for cost saving and flexibility. Despite the tremendous benefits, the outsourced multimedia data and its originated applications may reveal the data owner's private information, such as the personal identity, locations or even financial profiles. This observation has recently aroused new research interest on privacy-preserving computations over outsourced multimedia data. In this paper, we propose an effective and practical privacy-preserving computation outsourcing protocol for the prevailing scale-invariant feature transform (SIFT) over massive encrypted image data. We first show that previous solutions to this problem have either efficiency/security or practicality issues, and none can well preserve the important characteristics of the original SIFT in terms of distinctiveness and robustness. We then present a new scheme design that achieves efficiency and security requirements simultaneously with the preservation of its key characteristics, by randomly splitting the original image data, designing two novel efficient protocols for secure multiplication and comparison, and carefully distributing the feature extraction computations onto two independent cloud servers. We both carefully analyze and extensively evaluate the security and effectiveness of our design. The results show that our solution is practically secure, outperforms the state-of-theart, and performs comparably to the original SIFT in terms of various characteristics, including rotation invariance, image scale invariance, robust matching across affine distortion, addition of noise and change in 3D viewpoint and illumination.

HIPAA and talking with family caregivers: what does the law really say?

PubMed

Levine, Carol

2006-08-01

The Health Insurance Portability and Accountability Act of 1996 (PL 104-191), known as HIPAA, has confused and unnecessarily alarmed many conscientious health care providers. Nurses in particular are likely to be on the front line of family caregivers' inquiries, because physicians are often difficult to reach and because family caregivers look to nurses as sources of reliable information. A major retraining of health care providers at all levels is needed to dampen the "HIPAA scare" and clarify what HIPAA does and does not say about communication with family caregivers.

Electronic Health Records: An Enhanced Security Paradigm to Preserve Patient's Privacy

NASA Astrophysics Data System (ADS)

Slamanig, Daniel; Stingl, Christian

In recent years, demographic change and increasing treatment costs demand the adoption of more cost efficient, highly qualitative and integrated health care processes. The rapid growth and availability of the Internet facilitate the development of eHealth services and especially of electronic health records (EHRs) which are promising solutions to meet the aforementioned requirements. Considering actual web-based EHR systems, patient-centric and patient moderated approaches are widely deployed. Besides, there is an emerging market of so called personal health record platforms, e.g. Google Health. Both concepts provide a central and web-based access to highly sensitive medical data. Additionally, the fact that these systems may be hosted by not fully trustworthy providers necessitates to thoroughly consider privacy issues. In this paper we define security and privacy objectives that play an important role in context of web-based EHRs. Furthermore, we discuss deployed solutions as well as concepts proposed in the literature with respect to this objectives and point out several weaknesses. Finally, we introduce a system which overcomes the drawbacks of existing solutions by considering an holistic approach to preserve patient's privacy and discuss the applied methods.

Market Reactions to Publicly Announced Privacy and Security Breaches Suffered by Companies Listed on the United States Stock Exchanges: A Comparative Empirical Investigation

ERIC Educational Resources Information Center

Coronado, Adolfo S.

2012-01-01

Using a sample of security and privacy breaches the present research examines the comparative announcement impact between the two types of events. The first part of the dissertation analyzes the impact of publicly announced security and privacy breaches on abnormal stock returns, the change in firm risk, and abnormal trading volume are measured.…

A privacy preserving secure and efficient authentication scheme for telecare medical information systems.

PubMed

Mishra, Raghavendra; Barnwal, Amit Kumar

2015-05-01

The Telecare medical information system (TMIS) presents effective healthcare delivery services by employing information and communication technologies. The emerging privacy and security are always a matter of great concern in TMIS. Recently, Chen at al. presented a password based authentication schemes to address the privacy and security. Later on, it is proved insecure against various active and passive attacks. To erase the drawbacks of Chen et al.'s anonymous authentication scheme, several password based authentication schemes have been proposed using public key cryptosystem. However, most of them do not present pre-smart card authentication which leads to inefficient login and password change phases. To present an authentication scheme with pre-smart card authentication, we present an improved anonymous smart card based authentication scheme for TMIS. The proposed scheme protects user anonymity and satisfies all the desirable security attributes. Moreover, the proposed scheme presents efficient login and password change phases where incorrect input can be quickly detected and a user can freely change his password without server assistance. Moreover, we demonstrate the validity of the proposed scheme by utilizing the widely-accepted BAN (Burrows, Abadi, and Needham) logic. The proposed scheme is also comparable in terms of computational overheads with relevant schemes.

Protecting Privacy and Securing the Gathering of Location Proofs - The Secure Location Verification Proof Gathering Protocol

NASA Astrophysics Data System (ADS)

Graham, Michelle; Gray, David

As wireless networks become increasingly ubiquitous, the demand for a method of locating a device has increased dramatically. Location Based Services are now commonplace but there are few methods of verifying or guaranteeing a location provided by a user without some specialised hardware, especially in larger scale networks. We propose a system for the verification of location claims, using proof gathered from neighbouring devices. In this paper we introduce a protocol to protect this proof gathering process, protecting the privacy of all involved parties and securing it from intruders and malicious claiming devices. We present the protocol in stages, extending the security of this protocol to allow for flexibility within its application. The Secure Location Verification Proof Gathering Protocol (SLVPGP) has been designed to function within the area of Vehicular Networks, although its application could be extended to any device with wireless & cryptographic capabilities.

A security and privacy preserving e-prescription system based on smart cards.

PubMed

Hsu, Chien-Lung; Lu, Chung-Fu

2012-12-01

In 2002, Ateniese and Medeiros proposed an e-prescription system, in which the patient can store e-prescription and related information using smart card. Latter, Yang et al. proposed a novel smart-card based e-prescription system based on Ateniese and Medeiros's system in 2004. Yang et al. considered the privacy issues of prescription data and adopted the concept of a group signature to provide patient's privacy protection. To make the e-prescription system more realistic, they further applied a proxy signature to allow a patient to delegate his signing capability to other people. This paper proposed a novel security and privacy preserving e-prescription system model based on smart cards. A new role, chemist, is included in the system model for settling the medicine dispute. We further presented a concrete identity-based (ID-based) group signature scheme and an ID-based proxy signature scheme to realize the proposed model. Main property of an ID-based system is that public key is simple user's identity and can be verified without extra public key certificates. Our ID-based group signature scheme can allow doctors to sign e-prescription anonymously. In a case of a medical dispute, identities of the doctors can be identified. The proposed ID-based proxy signature scheme can improve signing delegation and allows a delegation chain. The proposed e-prescription system based on our proposed two cryptographic schemes is more practical and efficient than Yang et al.'s system in terms of security, communication overheads, computational costs, practical considerations.

6 CFR 1002.4 - Responses to Privacy Act requests.

Code of Federal Regulations, 2014 CFR

2014-01-01

... 6 Domestic Security 1 2014-01-01 2014-01-01 false Responses to Privacy Act requests. 1002.4 Section 1002.4 Domestic Security PRIVACY AND CIVIL LIBERTIES OVERSIGHT BOARD IMPLEMENTATION OF THE PRIVACY ACT OF 1974 § 1002.4 Responses to Privacy Act requests. (a) Acknowledgement. The Privacy Act Officer...

Development of a privacy and security policy framework for a multistate comparative effectiveness research network.

PubMed

Kim, Katherine K; McGraw, Deven; Mamo, Laura; Ohno-Machado, Lucila

2013-08-01

Comparative effectiveness research (CER) conducted in distributed research networks (DRNs) is subject to different state laws and regulations as well as institution-specific policies intended to protect privacy and security of health information. The goal of the Scalable National Network for Effectiveness Research (SCANNER) project is to develop and demonstrate a scalable, flexible technical infrastructure for DRNs that enables near real-time CER consistent with privacy and security laws and best practices. This investigation began with an analysis of privacy and security laws and state health information exchange (HIE) guidelines applicable to SCANNER participants from California, Illinois, Massachusetts, and the Federal Veteran's Administration. A 7-member expert panel of policy and technical experts reviewed the analysis and gave input into the framework during 5 meetings held in 2011-2012. The state/federal guidelines were applied to 3 CER use cases: safety of new oral hematologic medications; medication therapy management for patients with diabetes and hypertension; and informational interventions for providers in the treatment of acute respiratory infections. The policy framework provides flexibility, beginning with a use-case approach rather than a one-size-fits-all approach. The policies may vary depending on the type of patient data shared (aggregate counts, deidentified, limited, and fully identified datasets) and the flow of data. The types of agreements necessary for a DRN may include a network-level and data use agreements. The need for flexibility in the development and implementation of policies must be balanced with responsibilities of data stewardship.

17 CFR 160.8 - Revised privacy notices.

Code of Federal Regulations, 2014 CFR

2014-04-01

... 17 Commodity and Securities Exchanges 2 2014-04-01 2014-04-01 false Revised privacy notices. 160.8 Section 160.8 Commodity and Securities Exchanges COMMODITY FUTURES TRADING COMMISSION (CONTINUED) PRIVACY OF CONSUMER FINANCIAL INFORMATION UNDER TITLE V OF THE GRAMM-LEACH-BLILEY ACT Privacy and Opt Out...

De-identification of unstructured paper-based health records for privacy-preserving secondary use.

PubMed

Fenz, Stefan; Heurix, Johannes; Neubauer, Thomas; Rella, Antonio

2014-07-01

Abstract Whenever personal data is processed, privacy is a serious issue. Especially in the document-centric e-health area, the patients' privacy must be preserved in order to prevent any negative repercussions for the patient. Clinical research, for example, demands structured health records to carry out efficient clinical trials, whereas legislation (e.g. HIPAA) regulates that only de-identified health records may be used for research. However, unstructured and often paper-based data dominates information technology, especially in the healthcare sector. Existing approaches are geared towards data in English-language documents only and have not been designed to handle the recognition of erroneous personal data which is the result of the OCR-based digitization of paper-based health records.

76 FR 3098 - Privacy Act of 1974; Systems of Records

Federal Register 2010, 2011, 2012, 2013, 2014

2011-01-19

...: National Security Agency/Central Security Service, Freedom of Information Act and Privacy Act Office, 9800..., Privacy Act and Mandatory Declassification Review Records. System Location: National Security Agency... Information Act; 5 U.S.C. 552a, The Privacy Act of 1974 (as amended); E.O. 13526, Classified National Security...

17 CFR 160.8 - Revised privacy notices.

Code of Federal Regulations, 2012 CFR

2012-04-01

... 17 Commodity and Securities Exchanges 1 2012-04-01 2012-04-01 false Revised privacy notices. 160.8 Section 160.8 Commodity and Securities Exchanges COMMODITY FUTURES TRADING COMMISSION PRIVACY OF CONSUMER FINANCIAL INFORMATION UNDER TITLE V OF THE GRAMM-LEACH-BLILEY ACT Privacy and Opt Out Notices § 160.8...

17 CFR 160.8 - Revised privacy notices.

Code of Federal Regulations, 2013 CFR

2013-04-01

... 17 Commodity and Securities Exchanges 1 2013-04-01 2013-04-01 false Revised privacy notices. 160.8 Section 160.8 Commodity and Securities Exchanges COMMODITY FUTURES TRADING COMMISSION PRIVACY OF CONSUMER FINANCIAL INFORMATION UNDER TITLE V OF THE GRAMM-LEACH-BLILEY ACT Privacy and Opt Out Notices § 160.8...

Query Monitoring and Analysis for Database Privacy - A Security Automata Model Approach.

PubMed

Kumar, Anand; Ligatti, Jay; Tu, Yi-Cheng

2015-11-01

Privacy and usage restriction issues are important when valuable data are exchanged or acquired by different organizations. Standard access control mechanisms either restrict or completely grant access to valuable data. On the other hand, data obfuscation limits the overall usability and may result in loss of total value. There are no standard policy enforcement mechanisms for data acquired through mutual and copyright agreements. In practice, many different types of policies can be enforced in protecting data privacy. Hence there is the need for an unified framework that encapsulates multiple suites of policies to protect the data. We present our vision of an architecture named security automata model (SAM) to enforce privacy-preserving policies and usage restrictions. SAM analyzes the input queries and their outputs to enforce various policies, liberating data owners from the burden of monitoring data access. SAM allows administrators to specify various policies and enforces them to monitor queries and control the data access. Our goal is to address the problems of data usage control and protection through privacy policies that can be defined, enforced, and integrated with the existing access control mechanisms using SAM. In this paper, we lay out the theoretical foundation of SAM, which is based on an automata named Mandatory Result Automata. We also discuss the major challenges of implementing SAM in a real-world database environment as well as ideas to meet such challenges.

75 FR 25904 - Privacy Act of 1974; as Amended; Proposed Alteration to an Existing Privacy Act System of Records...

Federal Register 2010, 2011, 2012, 2013, 2014

2010-05-10

... SOCIAL SECURITY ADMINISTRATION Privacy Act of 1974; as Amended; Proposed Alteration to an Existing Privacy Act System of Records, Housekeeping Changes, and New Routine Uses AGENCY: Social Security..., Social Security number (SSN), date of birth, address, and other relevant information about persons who...

76 FR 34616 - Privacy Act of 1974: Implementation of Exemptions; Department of Homeland Security/National...

Federal Register 2010, 2011, 2012, 2013, 2014

2011-06-14

... questions please contact: Emily Andrew (703-235-2182), Privacy Officer, National Protection and Programs... U.S.C. 552a, the Department of Homeland Security (DHS)/National Protection and Programs Directorate... Screening Database (TSDB). The TSDB is the Federal government's consolidated and integrated terrorist...

Privacy preservation and authentication on secure geographical routing in VANET

NASA Astrophysics Data System (ADS)

Punitha, A.; Manickam, J. Martin Leo

2017-05-01

Vehicular Ad hoc Networks (VANETs) play an important role in vehicle-to-vehicle communication as it offers a high level of safety and convenience to drivers. In order to increase the level of security and safety in VANETs, in this paper, we propose a Privacy Preservation and Authentication on Secure Geographical Routing Protocol (PPASGR) for VANET. It provides security by detecting and preventing malicious nodes through two directional antennas such as forward (f-antenna) and backward (b-antenna). The malicious nodes are detected by direction detection, consistency detection and conflict detection. The location of the trusted neighbour is identified using TNT-based location verification scheme after the implementation of the Vehicle Tamper Proof Device (VTPD), Trusted Authority (TA) is generated that produces the anonymous credentials. Finally, VTPD generates pseudo-identity using TA which retrieves the real identity of the sender. Through this approach, the authentication, integrity and confidentiality for routing packets can be achieved. The simulation results show that the proposed approach reduces the packet drop due to attack and improves the packet delivery ratio.

Business Model for the Security of a Large-Scale PACS, Compliance with ISO/27002:2013 Standard.

PubMed

Gutiérrez-Martínez, Josefina; Núñez-Gaona, Marco Antonio; Aguirre-Meneses, Heriberto

2015-08-01

Data security is a critical issue in an organization; a proper information security management (ISM) is an ongoing process that seeks to build and maintain programs, policies, and controls for protecting information. A hospital is one of the most complex organizations, where patient information has not only legal and economic implications but, more importantly, an impact on the patient's health. Imaging studies include medical images, patient identification data, and proprietary information of the study; these data are contained in the storage device of a PACS. This system must preserve the confidentiality, integrity, and availability of patient information. There are techniques such as firewalls, encryption, and data encapsulation that contribute to the protection of information. In addition, the Digital Imaging and Communications in Medicine (DICOM) standard and the requirements of the Health Insurance Portability and Accountability Act (HIPAA) regulations are also used to protect the patient clinical data. However, these techniques are not systematically applied to the picture and archiving and communication system (PACS) in most cases and are not sufficient to ensure the integrity of the images and associated data during transmission. The ISO/IEC 27001:2013 standard has been developed to improve the ISM. Currently, health institutions lack effective ISM processes that enable reliable interorganizational activities. In this paper, we present a business model that accomplishes the controls of ISO/IEC 27002:2013 standard and criteria of security and privacy from DICOM and HIPAA to improve the ISM of a large-scale PACS. The methodology associated with the model can monitor the flow of data in a PACS, facilitating the detection of unauthorized access to images and other abnormal activities.

76 FR 72428 - Privacy Act of 1974; Department of Homeland Security/ALL-017 General Legal Records System of Records

Federal Register 2010, 2011, 2012, 2013, 2014

2011-11-23

... 1974; Department of Homeland Security/ALL--017 General Legal Records System of Records AGENCY: Privacy... of records notice titled, ``Department of Homeland Security/ ALL--017 General Legal Records System of Records.'' This system will assist attorneys in providing legal advice to the Department of Homeland...

Secure and scalable deduplication of horizontally partitioned health data for privacy-preserving distributed statistical computation.

PubMed

Yigzaw, Kassaye Yitbarek; Michalas, Antonis; Bellika, Johan Gustav

2017-01-03

Techniques have been developed to compute statistics on distributed datasets without revealing private information except the statistical results. However, duplicate records in a distributed dataset may lead to incorrect statistical results. Therefore, to increase the accuracy of the statistical analysis of a distributed dataset, secure deduplication is an important preprocessing step. We designed a secure protocol for the deduplication of horizontally partitioned datasets with deterministic record linkage algorithms. We provided a formal security analysis of the protocol in the presence of semi-honest adversaries. The protocol was implemented and deployed across three microbiology laboratories located in Norway, and we ran experiments on the datasets in which the number of records for each laboratory varied. Experiments were also performed on simulated microbiology datasets and data custodians connected through a local area network. The security analysis demonstrated that the protocol protects the privacy of individuals and data custodians under a semi-honest adversarial model. More precisely, the protocol remains secure with the collusion of up to N - 2 corrupt data custodians. The total runtime for the protocol scales linearly with the addition of data custodians and records. One million simulated records distributed across 20 data custodians were deduplicated within 45 s. The experimental results showed that the protocol is more efficient and scalable than previous protocols for the same problem. The proposed deduplication protocol is efficient and scalable for practical uses while protecting the privacy of patients and data custodians.

Query Monitoring and Analysis for Database Privacy - A Security Automata Model Approach

PubMed Central

Kumar, Anand; Ligatti, Jay; Tu, Yi-Cheng

2015-01-01

Privacy and usage restriction issues are important when valuable data are exchanged or acquired by different organizations. Standard access control mechanisms either restrict or completely grant access to valuable data. On the other hand, data obfuscation limits the overall usability and may result in loss of total value. There are no standard policy enforcement mechanisms for data acquired through mutual and copyright agreements. In practice, many different types of policies can be enforced in protecting data privacy. Hence there is the need for an unified framework that encapsulates multiple suites of policies to protect the data. We present our vision of an architecture named security automata model (SAM) to enforce privacy-preserving policies and usage restrictions. SAM analyzes the input queries and their outputs to enforce various policies, liberating data owners from the burden of monitoring data access. SAM allows administrators to specify various policies and enforces them to monitor queries and control the data access. Our goal is to address the problems of data usage control and protection through privacy policies that can be defined, enforced, and integrated with the existing access control mechanisms using SAM. In this paper, we lay out the theoretical foundation of SAM, which is based on an automata named Mandatory Result Automata. We also discuss the major challenges of implementing SAM in a real-world database environment as well as ideas to meet such challenges. PMID:26997936

Privacy-enhanced electronic mail

NASA Astrophysics Data System (ADS)

Bishop, Matt

1990-06-01

The security of electronic mail sent through the Internet may be described in exactly three words: there is none. The Privacy and Security Research Group has recommended implementing mechanisms designed to provide security enhancements. The first set of mechanisms provides a protocol to provide privacy, integrity, and authentication for electronic mail; the second provides a certificate-based key management infrastructure to support key distribution throughout the internet, to support the first set of mechanisms. These mechanisms are described, as well as the reasons behind their selection and how these mechanisms can be used to provide some measure of security in the exchange of electronic mail.

From Hippocrates to HIPAA: privacy and confidentiality in emergency medicine--Part II: Challenges in the emergency department.

PubMed

Moskop, John C; Marco, Catherine A; Larkin, Gregory Luke; Geiderman, Joel M; Derse, Arthur R

2005-01-01

Part I of this article reviewed the concepts of privacy and confidentiality and described the moral and legal foundations and limits of these values in health care. Part II highlights specific privacy and confidentiality issues encountered in the emergency department (ED). Discussed first are physical privacy issues in the ED, including problems of ED design and crowding, issues of patient and staff safety, the presence of visitors, law enforcement officers, students, and other observers, and filming activities. The article then examines confidentiality issues in the ED, including protecting medical records, the duty to warn, reportable conditions, telephone inquiries, media requests, communication among health care professionals, habitual patient files, the use of patient images, electronic communication, and information about minor patients.

Impact of the Health Insurance Portability and Accountability Act on participant recruitment and retention.

PubMed

Wipke-Tevis, Deidre D; Pickett, Melissa A

2008-02-01

Recruiting and retaining an adequate sample is critical to the success of any research project involving humans. Recent reports indicate that the Health Insurance Portability and Accountability Act (HIPAA) privacy rule has adversely affected research. Few resources are available to help researchers navigate the challenges to recruitment and retention after HIPAA privacy rule implementation. This article addresses obstacles to recruitment in prospective clinical research studies related to the HIPAA privacy rule, as well as HIPAA-compliant strategies to enhance recruitment and retention. Recruitment challenges discussed include evolving interpretations of the HIPAA regulations, inability to directly contact potential participants, complexity of HIPAA-required documents, increased costs of recruitment, and an expanding administrative burden. Among the strategies addressed are preparatory research reviews, using clinical collaborators and staff liaisons, prescreening potential participants, minimizing participant burden during the consent process, enhancing participant follow-up, facilitating recruitment for future studies, and streamlining compliance training for staff.

A Secure and Privacy-Preserving Targeted Ad-System

NASA Astrophysics Data System (ADS)

Androulaki, Elli; Bellovin, Steven M.

Thanks to its low product-promotion cost and its efficiency, targeted online advertising has become very popular. Unfortunately, being profile-based, online advertising methods violate consumers' privacy, which has engendered resistance to the ads. However, protecting privacy through anonymity seems to encourage click-fraud. In this paper, we define consumer's privacy and present a privacy-preserving, targeted ad system (PPOAd) which is resistant towards click fraud. Our scheme is structured to provide financial incentives to all entities involved.

78 FR 57402 - Privacy Act of 1974; Department of Homeland Security/U.S. Customs and Border Protection-019 Air...

Federal Register 2010, 2011, 2012, 2013, 2014

2013-09-18

... forth in this system of records notice. AMOSS also has users from the Department of Defense (DOD... DEPARTMENT OF HOMELAND SECURITY Office of the Secretary [Docket No. DHS-2013-0021] Privacy Act of 1974; Department of Homeland Security/U.S. Customs and Border Protection--019 Air and Marine Operations...

76 FR 58786 - Privacy Act of 1974; Systems of Records

Federal Register 2010, 2011, 2012, 2013, 2014

2011-09-22

... National Security Agency/Central Security System systems of records notices subject to the Privacy Act of... inquiries to the National Security Agency/Central Security Service, Freedom of Information Act/Privacy Act...; Systems of Records AGENCY: National Security Agency/Central Security Service, Department of Defense (DoD...

78 FR 45913 - Privacy Act of 1974; Systems of Records

Federal Register 2010, 2011, 2012, 2013, 2014

2013-07-30

... National Security Agency/Central Security Service systems of records subject to the Privacy Act of 1974 (5... National Security Agency/Central Security Service, Freedom of Information Act/Privacy Act Office, 9800...; Systems of Records AGENCY: National Security Agency/Central Security Service, DoD. ACTION: Notice to alter...

Access and privacy rights using web security standards to increase patient empowerment.

PubMed

Falcão-Reis, Filipa; Costa-Pereira, Altamiro; Correia, Manuel E

2008-01-01

Electronic Health Record (EHR) systems are becoming more and more sophisticated and include nowadays numerous applications, which are not only accessed by medical professionals, but also by accounting and administrative personnel. This could represent a problem concerning basic rights such as privacy and confidentiality. The principles, guidelines and recommendations compiled by the OECD protection of privacy and trans-border flow of personal data are described and considered within health information system development. Granting access to an EHR should be dependent upon the owner of the record; the patient: he must be entitled to define who is allowed to access his EHRs, besides the access control scheme each health organization may have implemented. In this way, it's not only up to health professionals to decide who have access to what, but the patient himself. Implementing such a policy is walking towards patient empowerment which society should encourage and governments should promote. The paper then introduces a technical solution based on web security standards. This would give patients the ability to monitor and control which entities have access to their personal EHRs, thus empowering them with the knowledge of how much of his medical history is known and by whom. It is necessary to create standard data access protocols, mechanisms and policies to protect the privacy rights and furthermore, to enable patients, to automatically track the movement (flow) of their personal data and information in the context of health information systems. This solution must be functional and, above all, user-friendly and the interface should take in consideration some heuristics of usability in order to provide the user with the best tools. The current official standards on confidentiality and privacy in health care, currently being developed within the EU, are explained, in order to achieve a consensual idea of the guidelines that all member states should follow to transfer

Privacy and information security risks in a technology platform for home-based chronic disease rehabilitation and education.

PubMed

Henriksen, Eva; Burkow, Tatjana M; Johnsen, Elin; Vognild, Lars K

2013-08-09

Privacy and information security are important for all healthcare services, including home-based services. We have designed and implemented a prototype technology platform for providing home-based healthcare services. It supports a personal electronic health diary and enables secure and reliable communication and interaction with peers and healthcare personnel. The platform runs on a small computer with a dedicated remote control. It is connected to the patient's TV and to a broadband Internet. The platform has been tested with home-based rehabilitation and education programs for chronic obstructive pulmonary disease and diabetes. As part of our work, a risk assessment of privacy and security aspects has been performed, to reveal actual risks and to ensure adequate information security in this technical platform. Risk assessment was performed in an iterative manner during the development process. Thus, security solutions have been incorporated into the design from an early stage instead of being included as an add-on to a nearly completed system. We have adapted existing risk management methods to our own environment, thus creating our own method. Our method conforms to ISO's standard for information security risk management. A total of approximately 50 threats and possible unwanted incidents were identified and analysed. Among the threats to the four information security aspects: confidentiality, integrity, availability, and quality; confidentiality threats were identified as most serious, with one threat given an unacceptable level of High risk. This is because health-related personal information is regarded as sensitive. Availability threats were analysed as low risk, as the aim of the home programmes is to provide education and rehabilitation services; not for use in acute situations or for continuous health monitoring. Most of the identified threats are applicable for healthcare services intended for patients or citizens in their own homes. Confidentiality

Privacy and information security risks in a technology platform for home-based chronic disease rehabilitation and education

PubMed Central

2013-01-01

Background Privacy and information security are important for all healthcare services, including home-based services. We have designed and implemented a prototype technology platform for providing home-based healthcare services. It supports a personal electronic health diary and enables secure and reliable communication and interaction with peers and healthcare personnel. The platform runs on a small computer with a dedicated remote control. It is connected to the patient’s TV and to a broadband Internet. The platform has been tested with home-based rehabilitation and education programs for chronic obstructive pulmonary disease and diabetes. As part of our work, a risk assessment of privacy and security aspects has been performed, to reveal actual risks and to ensure adequate information security in this technical platform. Methods Risk assessment was performed in an iterative manner during the development process. Thus, security solutions have been incorporated into the design from an early stage instead of being included as an add-on to a nearly completed system. We have adapted existing risk management methods to our own environment, thus creating our own method. Our method conforms to ISO’s standard for information security risk management. Results A total of approximately 50 threats and possible unwanted incidents were identified and analysed. Among the threats to the four information security aspects: confidentiality, integrity, availability, and quality; confidentiality threats were identified as most serious, with one threat given an unacceptable level of High risk. This is because health-related personal information is regarded as sensitive. Availability threats were analysed as low risk, as the aim of the home programmes is to provide education and rehabilitation services; not for use in acute situations or for continuous health monitoring. Conclusions Most of the identified threats are applicable for healthcare services intended for patients or

Privacy preserving index for encrypted electronic medical records.

PubMed

Chen, Yu-Chi; Horng, Gwoboa; Lin, Yi-Jheng; Chen, Kuo-Chang

2013-12-01

With the development of electronic systems, privacy has become an important security issue in real-life. In medical systems, privacy of patients' electronic medical records (EMRs) must be fully protected. However, to combine the efficiency and privacy, privacy preserving index is introduced to preserve the privacy, where the EMR can be efficiently accessed by this patient or specific doctor. In the literature, Goh first proposed a secure index scheme with keyword search over encrypted data based on a well-known primitive, Bloom filter. In this paper, we propose a new privacy preserving index scheme, called position index (P-index), with keyword search over the encrypted data. The proposed index scheme is semantically secure against the adaptive chosen keyword attack, and it also provides flexible space, lower false positive rate, and search privacy. Moreover, it does not rely on pairing, a complicate computation, and thus can search over encrypted electronic medical records from the cloud server efficiently.

The Health Insurance Portability and Accountability Act Privacy Rule: a practical guide for researchers.

PubMed

Gunn, Patrick P; Fremont, Allen M; Bottrell, Melissa; Shugarman, Lisa R; Galegher, Jolene; Bikson, Tora

2004-04-01

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, intended to address potential threats to patient privacy posed by the computerization and standardization of medical records, provides a new floor level of federal protection for health information in all 50 states. In most cases, compliance with the Privacy Rule was required as of April 2003. Yet considerable confusion and concern remain about the Privacy Rule and the specific changes it requires in the way healthcare providers, health plans, and others use, maintain, and disclose health information. Researchers worry that the Privacy Rule could hinder their access to health information needed to conduct their research. In this article, we explain how the final version of the Privacy Rule governs disclosure of health information, assess implications of the Privacy Rule for research, and offer practical suggestions for researchers who require access to health information. The Privacy Rule is fundamentally changing the way that healthcare providers, health plans, and others use, maintain, and disclose health information and the steps that researchers must take to obtain health data. The Privacy Rule requires researchers who seek access to identifiable health information to obtain written authorization from subjects, or, alternatively, to demonstrate that their research protocols meet certain Privacy Rule requirements that permit access without written authorization. To ensure continued access to data, researchers will need to work more closely than before with healthcare providers, health plans, and other institutions that generate and maintain health information.

The secret to health information technology's success within the diabetes patient population: a comprehensive privacy and security framework.

PubMed

Pandya, Sheel M

2010-05-01

Congress made an unprecedented investment in health information technology (IT) when it passed the American Recovery and Reinvestment Act in February 2009. Health IT provides enormous opportunities to improve health care quality, reduce costs, and engage patients in their own care. But the potential payoff for use of health IT for diabetes care is magnified given the prevalence, cost, and complexity of the disease. However, without proper privacy and security protections in place, diabetes patient data are at risk of misuse, and patient trust in the system is undermined. We need a comprehensive privacy and security framework that articulates clear parameters for access, use, and disclosure of diabetes patient data for all entities storing and exchanging electronic data. (c) 2010 Diabetes Technology Society.

The Effectiveness of Health Care Information Technologies: Evaluation of Trust, Security Beliefs, and Privacy as Determinants of Health Care Outcomes

PubMed Central

2018-01-01

Background The diffusion of health information technologies (HITs) within the health care sector continues to grow. However, there is no theory explaining how success of HITs influences patient care outcomes. With the increase in data breaches, HITs’ success now hinges on the effectiveness of data protection solutions. Still, empirical research has only addressed privacy concerns, with little regard for other factors of information assurance. Objective The objective of this study was to study the effectiveness of HITs using the DeLone and McLean Information Systems Success Model (DMISSM). We examined the role of information assurance constructs (ie, the role of information security beliefs, privacy concerns, and trust in health information) as measures of HIT effectiveness. We also investigated the relationships between information assurance and three aspects of system success: attitude toward health information exchange (HIE), patient access to health records, and perceived patient care quality. Methods Using structural equation modeling, we analyzed the data from a sample of 3677 cancer patients from a public dataset. We used R software (R Project for Statistical Computing) and the Lavaan package to test the hypothesized relationships. Results Our extension of the DMISSM to health care was supported. We found that increased privacy concerns reduce the frequency of patient access to health records use, positive attitudes toward HIE, and perceptions of patient care quality. Also, belief in the effectiveness of information security increases the frequency of patient access to health records and positive attitude toward HIE. Trust in health information had a positive association with attitudes toward HIE and perceived patient care quality. Trust in health information had no direct effect on patient access to health records; however, it had an indirect relationship through privacy concerns. Conclusions Trust in health information and belief in the effectiveness of

The Effectiveness of Health Care Information Technologies: Evaluation of Trust, Security Beliefs, and Privacy as Determinants of Health Care Outcomes.

PubMed

Kisekka, Victoria; Giboney, Justin Scott

2018-04-11

The diffusion of health information technologies (HITs) within the health care sector continues to grow. However, there is no theory explaining how success of HITs influences patient care outcomes. With the increase in data breaches, HITs' success now hinges on the effectiveness of data protection solutions. Still, empirical research has only addressed privacy concerns, with little regard for other factors of information assurance. The objective of this study was to study the effectiveness of HITs using the DeLone and McLean Information Systems Success Model (DMISSM). We examined the role of information assurance constructs (ie, the role of information security beliefs, privacy concerns, and trust in health information) as measures of HIT effectiveness. We also investigated the relationships between information assurance and three aspects of system success: attitude toward health information exchange (HIE), patient access to health records, and perceived patient care quality. Using structural equation modeling, we analyzed the data from a sample of 3677 cancer patients from a public dataset. We used R software (R Project for Statistical Computing) and the Lavaan package to test the hypothesized relationships. Our extension of the DMISSM to health care was supported. We found that increased privacy concerns reduce the frequency of patient access to health records use, positive attitudes toward HIE, and perceptions of patient care quality. Also, belief in the effectiveness of information security increases the frequency of patient access to health records and positive attitude toward HIE. Trust in health information had a positive association with attitudes toward HIE and perceived patient care quality. Trust in health information had no direct effect on patient access to health records; however, it had an indirect relationship through privacy concerns. Trust in health information and belief in the effectiveness of information security safeguards increases

A new concept of real-time security camera monitoring with privacy protection by masking moving objects

NASA Astrophysics Data System (ADS)

Yabuta, Kenichi; Kitazawa, Hitoshi; Tanaka, Toshihisa

2006-02-01

Recently, monitoring cameras for security have been extensively increasing. However, it is normally difficult to know when and where we are monitored by these cameras and how the recorded images are stored and/or used. Therefore, how to protect privacy in the recorded images is a crucial issue. In this paper, we address this problem and introduce a framework for security monitoring systems considering the privacy protection. We state requirements for monitoring systems in this framework. We propose a possible implementation that satisfies the requirements. To protect privacy of recorded objects, they are made invisible by appropriate image processing techniques. Moreover, the original objects are encrypted and watermarked into the image with the "invisible" objects, which is coded by the JPEG standard. Therefore, the image decoded by a normal JPEG viewer includes the objects that are unrecognized or invisible. We also introduce in this paper a so-called "special viewer" in order to decrypt and display the original objects. This special viewer can be used by limited users when necessary for crime investigation, etc. The special viewer allows us to choose objects to be decoded and displayed. Moreover, in this proposed system, real-time processing can be performed, since no future frame is needed to generate a bitstream.

75 FR 69604 - Privacy Act of 1974: Implementation of Exemptions; Department of Homeland Security Office of...

Federal Register 2010, 2011, 2012, 2013, 2014

2010-11-15

... System of Records AGENCY: Privacy Office, DHS. ACTION: Notice of proposed rulemaking. SUMMARY: The Department of Homeland Security is giving concurrent notice of a newly established system of records pursuant... System of Records and this proposed rulemaking. In this proposed rulemaking, the Department proposes to...

75 FR 43494 - Privacy Act of 1974; System of Records

Federal Register 2010, 2011, 2012, 2013, 2014

2010-07-26

... National Security Agency's record system notices for records systems subject to the Privacy Act of 1974 (5... National Security Agency/Central Security Service, Freedom of Information Act and Privacy Act Office, 9800...; System of Records AGENCY: National Security Agency/Central Security Service, DoD. ACTION: Notice to...

77 FR 15596 - Privacy Act; Implementation

Federal Register 2010, 2011, 2012, 2013, 2014

2012-03-16

... DEPARTMENT OF DEFENSE Office of the Secretary [Docket ID DoD-2012-OS-0032] 32 CFR Part 322 Privacy... levels of government. List of Subjects in 32 CFR Part 322 Privacy. Accordingly, 32 CFR part 322 is amended as follows: PART 322--NATIONAL SECURITY AGENCY/CENTRAL SECURITY SERVICE 0 1. The authority...

Assuring the privacy and security of transmitting sensitive electronic health information.

PubMed

Peng, Charlie; Kesarinath, Gautam; Brinks, Tom; Young, James; Groves, David

2009-11-14

The interchange of electronic health records between healthcare providers and public health organizations has become an increasingly desirable tool in reducing healthcare costs, improving healthcare quality, and protecting population health. Assuring privacy and security in nationwide sharing of Electronic Health Records (EHR) in an environment such as GRID has become a top challenge and concern. The Centers for Disease Control and Prevention's (CDC) and The Science Application International Corporation (SAIC) have jointly conducted a proof of concept study to find and build a common secure and reliable messaging platform (the SRM Platform) to handle this challenge. The SRM Platform is built on the open standards of OASIS, World Wide Web Consortium (W3C) web-services standards, and Web Services Interoperability (WS-I) specifications to provide the secure transport of sensitive EHR or electronic medical records (EMR). Transmitted data may be in any digital form including text, data, and binary files, such as images. This paper identifies the business use cases, architecture, test results, and new connectivity options for disparate health networks among PHIN, NHIN, Grid, and others.

75 FR 67697 - Privacy Act of 1974; Systems of Records

Federal Register 2010, 2011, 2012, 2013, 2014

2010-11-03

... National Security Agency's record system notices for records systems subject to the Privacy Act of 1974 (5... National Security Agency/Central Security Service, Freedom of Information Act (FOIA)/Privacy Act Office...; Systems of Records AGENCY: National Security Agency/Central Security Service, DoD. ACTION: Notice to add a...

RBAC-Matrix-based EMR right management system to improve HIPAA compliance.

PubMed

Lee, Hung-Chang; Chang, Shih-Hsin

2012-10-01

Security control of Electronic Medical Record (EMR) is a mechanism used to manage electronic medical records files and protect sensitive medical records document from information leakage. Researches proposed the Role-Based Access Control(RBAC). However, with the increasing scale of medical institutions, the access control behavior is difficult to have a detailed declaration among roles in RBAC. Furthermore, with the stringent specifications such as the U.S. HIPAA and Canada PIPEDA etc., patients are encouraged to have the right in regulating the access control of his EMR. In response to these problems, we propose an EMR digital rights management system, which is a RBAC-based extension to a matrix organization of medical institutions, known as RBAC-Matrix. With the aim of authorizing the EMR among roles in the organization, RBAC-Matrix also allow patients to be involved in defining access rights of his records. RBAC-Matrix authorizes access control declaration among matrix organizations of medical institutions by using XrML file in association with each EMR. It processes XrML rights declaration file-based authorization of behavior in the two-stage design, called master & servant stage, thus makes the associated EMR to be better protected. RBAC-Matrix will also make medical record file and its associated XrML declaration to two different EMRA(EMR Authorization)roles, namely, the medical records Document Creator (DC) and the medical records Document Right Setting (DRS). Access right setting, determined by the DRS, is cosigned by the patient, thus make the declaration of rights and the use of EMR to comply with HIPAA specifications.

Balancing access to health data and privacy: a review of the issues and approaches for the future.

PubMed

Lane, Julia; Schur, Claudia

2010-10-01

There has been a dramatic increase in the types of microdata, and this holds great promise for health services research. However, legislative efforts to protect individual privacy have reduced the flow of health care data for research purposes and increased costs and delays, affecting the quality of analysis. This paper provides an overview of the challenges raised by concerns about data confidentiality in the context of health services research, the current methodologies used to ensure data security, and a description of one successful approach to balancing access and privacy. Materials and Methods. We analyze the issues of access and privacy using a conceptual framework based on balancing the risk of reidentification with the utility associated with data analysis. The guiding principle should be to generate released data that are as close to the maximum acceptable risk as possible. HIPAA and other privacy measures can perhaps be seen as having had the effect of lowering the "maximum acceptable risk" level and rendering some data unreleasable. We discuss the levels of risk and utility associated with different types of data used in health services research and the ability to link data from multiple sources as well as current models of data sharing and their limitations. One particularly compelling approach is to establish a remote access "data enclave," where statistical protections are applied to the data, technical protections ensure compliance with data-sharing requirements, and operational controls limit researchers' access to the data they need for their specific research questions. We recommend reducing delays in access to data for research, increasing the use of remote access data enclaves, and disseminating knowledge and promulgating standards for best practices related to data protection. © Health Research and Educational Trust.

Backward Channel Protection Based on Randomized Tree-Walking Algorithm and Its Analysis for Securing RFID Tag Information and Privacy

NASA Astrophysics Data System (ADS)

Choi, Wonjoon; Yoon, Myungchul; Roh, Byeong-Hee

Eavesdropping on backward channels in RFID environments may cause severe privacy problems because it means the exposure of personal information related to tags that each person has. However, most existing RFID tag security schemes are focused on the forward channel protections. In this paper, we propose a simple but effective method to solve the backward channel eavesdropping problem based on Randomized-tree walking algorithm for securing tag ID information and privacy in RFID-based applications. In order to show the efficiency of the proposed scheme, we derive two performance models for the cases when CRC is used and not used. It is shown that the proposed method can lower the probability of eavesdropping on backward channels near to ‘0.’

76 FR 66933 - Privacy Act of 1974; Department of Homeland Security U.S. Coast Guard DHS/USCG-014 Military Pay...

Federal Register 2010, 2011, 2012, 2013, 2014

2011-10-28

... purpose of health and life insurance requests and eligibility and to the Department of Defense (DoD) for... DEPARTMENT OF HOMELAND SECURITY Office of the Secretary [Docket No. DHS-2011-0072] Privacy Act of 1974; Department of Homeland Security U.S. Coast Guard DHS/USCG--014 Military Pay and Personnel System...

78 FR 25414 - Privacy Act of 1974, System of Records

Federal Register 2010, 2011, 2012, 2013, 2014

2013-05-01

..., Chief Information Security Officer--Chief Privacy Officer. USAID-008 System name: Personnel Security and... inquires in writing to the USAID Chief Privacy Officer, 2733 Crystal Drive, 11th Floor, Arlington, VA 22202... alterations. ADDRESSES: You may submit comments: Paper Comments Fax: (703) 666-1466. Mail: Chief Privacy...

A Progress Report on Information Privacy and Data Security.

ERIC Educational Resources Information Center

Salton, Gerard

1980-01-01

Describes the role of information privacy in modern society, examines recent legal cases to illustrate how privacy cases are adjudicated and to identify the limits of available privacy protection, and raises issues regarding techniques for insuring data confidentiality. (FM)

Network security vulnerabilities and personal privacy issues in Healthcare Information Systems: a case study in a private hospital in Turkey.

PubMed

Namoğlu, Nihan; Ulgen, Yekta

2013-01-01

Healthcare industry has become widely dependent on information technology and internet as it moves from paper to electronic records. Healthcare Information System has to provide a high quality service to patients and a productive knowledge share between healthcare staff by means of patient data. With the internet being commonly used across hospitals, healthcare industry got its own share from cyber threats like other industries in the world. The challenge is allowing knowledge transfer to hospital staff while still ensuring compliance with security mandates. Working in collaboration with a private hospital in Turkey; this study aims to reveal the essential elements of a 21st century business continuity plan for hospitals while presenting the security vulnerabilities in the current hospital information systems and personal privacy auditing standards proposed by regulations and laws. We will survey the accreditation criteria in Turkey and counterparts in US and EU. We will also interview with medical staff in the hospital to understand the needs for personal privacy and the technical staff to perceive the technical requirements in terms of network security configuration and deployment. As hospitals are adopting electronic transactions, it should be considered a must to protect these electronic health records in terms of personal privacy aspects.

17 CFR 248.8 - Revised privacy notices.

Code of Federal Regulations, 2012 CFR

2012-04-01

... 17 Commodity and Securities Exchanges 3 2012-04-01 2012-04-01 false Revised privacy notices. 248.8...) REGULATIONS S-P AND S-AM Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information Privacy and Opt Out Notices § 248.8 Revised privacy notices. (a) General rule. Except as otherwise...

17 CFR 248.8 - Revised privacy notices.

Code of Federal Regulations, 2014 CFR

2014-04-01

... 17 Commodity and Securities Exchanges 4 2014-04-01 2014-04-01 false Revised privacy notices. 248.8...) REGULATIONS S-P, S-AM, AND S-ID Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information Privacy and Opt Out Notices § 248.8 Revised privacy notices. (a) General rule. Except...

17 CFR 248.8 - Revised privacy notices.

Code of Federal Regulations, 2013 CFR

2013-04-01

... 17 Commodity and Securities Exchanges 3 2013-04-01 2013-04-01 false Revised privacy notices. 248.8...) REGULATIONS S-P AND S-AM Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information Privacy and Opt Out Notices § 248.8 Revised privacy notices. (a) General rule. Except as otherwise...

17 CFR 248.8 - Revised privacy notices.

Code of Federal Regulations, 2011 CFR

2011-04-01

... 17 Commodity and Securities Exchanges 3 2011-04-01 2011-04-01 false Revised privacy notices. 248.8...) REGULATIONS S-P AND S-AM Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information Privacy and Opt Out Notices § 248.8 Revised privacy notices. (a) General rule. Except as otherwise...

17 CFR 248.8 - Revised privacy notices.

Code of Federal Regulations, 2010 CFR

2010-04-01

... 17 Commodity and Securities Exchanges 3 2010-04-01 2010-04-01 false Revised privacy notices. 248.8...) REGULATIONS S-P AND S-AM Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information Privacy and Opt Out Notices § 248.8 Revised privacy notices. (a) General rule. Except as otherwise...

Single Logon: balancing security and healthcare productivity.

PubMed

Sapp, Margaret J; Behrens, Terrence L

2004-01-01

Mayo Single Logon (MSL) has faced the traditional dilemma that is painful to all IT organizations because it forces the tradeoff between user productivity and security. Recent regulatory initiatives, such as HIPAA, have caused the issue of security to take on more importance, forcing organizations to revisit the balance of security and productivity. MSL is a security application that brokers user credentials and facilitates desktop security. The simple design, functionality and stability have allowed MSL to speed up user productivity, keep satisfaction high and help solve many security initiatives.

49 CFR 1560.103 - Privacy notice.

Code of Federal Regulations, 2012 CFR

2012-10-01

... 49 Transportation 9 2012-10-01 2012-10-01 false Privacy notice. 1560.103 Section 1560.103... Secure Flight Passenger Data for Watch List Matching § 1560.103 Privacy notice. (a) Electronic collection... with § 1560.101(a), a covered aircraft operator must make available the complete privacy notice set...

49 CFR 1560.103 - Privacy notice.

Code of Federal Regulations, 2013 CFR

2013-10-01

... 49 Transportation 9 2013-10-01 2013-10-01 false Privacy notice. 1560.103 Section 1560.103... Secure Flight Passenger Data for Watch List Matching § 1560.103 Privacy notice. (a) Electronic collection... with § 1560.101(a), a covered aircraft operator must make available the complete privacy notice set...

49 CFR 1560.103 - Privacy notice.

Code of Federal Regulations, 2014 CFR

2014-10-01

... 49 Transportation 9 2014-10-01 2014-10-01 false Privacy notice. 1560.103 Section 1560.103... Secure Flight Passenger Data for Watch List Matching § 1560.103 Privacy notice. (a) Electronic collection... with § 1560.101(a), a covered aircraft operator must make available the complete privacy notice set...

49 CFR 1560.103 - Privacy notice.

Code of Federal Regulations, 2011 CFR

2011-10-01

... 49 Transportation 9 2011-10-01 2011-10-01 false Privacy notice. 1560.103 Section 1560.103... Secure Flight Passenger Data for Watch List Matching § 1560.103 Privacy notice. (a) Electronic collection... with § 1560.101(a), a covered aircraft operator must make available the complete privacy notice set...

Automated Detection of Privacy Sensitive Conditions in C-CDAs: Security Labeling Services at the Department of Veterans Affairs

PubMed Central

Bouhaddou, Omar; Davis, Mike; Donahue, Margaret; Mallia, Anthony; Griffin, Stephania; Teal, Jennifer; Nebeker, Jonathan

2016-01-01

Care coordination across healthcare organizations depends upon health information exchange. Various policies and laws govern permissible exchange, particularly when the information includes privacy sensitive conditions. The Department of Veterans Affairs (VA) privacy policy has required either blanket consent or manual sensitivity review prior to exchanging any health information. The VA experience has been an expensive, administratively demanding burden on staffand Veterans alike, particularly for patients without privacy sensitive conditions. Until recently, automatic sensitivity determination has not been feasible. This paper proposes a policy-driven algorithmic approach (Security Labeling Service or SLS) to health information exchange that automatically detects the presence or absence of specific privacy sensitive conditions and then, to only require a Veteran signed consent for release when actually present. The SLS was applied successfully to a sample of real patient Consolidated-Clinical Document Architecture(C-CDA) documents. The SLS identified standard terminology codes by both parsing structured entries and analyzing textual information using Natural Language Processing (NLP). PMID:28269828

Automated Detection of Privacy Sensitive Conditions in C-CDAs: Security Labeling Services at the Department of Veterans Affairs.

PubMed

Bouhaddou, Omar; Davis, Mike; Donahue, Margaret; Mallia, Anthony; Griffin, Stephania; Teal, Jennifer; Nebeker, Jonathan

2016-01-01

Care coordination across healthcare organizations depends upon health information exchange. Various policies and laws govern permissible exchange, particularly when the information includes privacy sensitive conditions. The Department of Veterans Affairs (VA) privacy policy has required either blanket consent or manual sensitivity review prior to exchanging any health information. The VA experience has been an expensive, administratively demanding burden on staffand Veterans alike, particularly for patients without privacy sensitive conditions. Until recently, automatic sensitivity determination has not been feasible. This paper proposes a policy-driven algorithmic approach (Security Labeling Service or SLS) to health information exchange that automatically detects the presence or absence of specific privacy sensitive conditions and then, to only require a Veteran signed consent for release when actually present. The SLS was applied successfully to a sample of real patient Consolidated-Clinical Document Architecture(C-CDA) documents. The SLS identified standard terminology codes by both parsing structured entries and analyzing textual information using Natural Language Processing (NLP).

Privacy Act

EPA Pesticide Factsheets

Learn about the Privacy Act of 1974, the Electronic Government Act of 2002, the Federal Information Security Management Act, and other information about the Environmental Protection Agency maintains its records.

Privacy-preserving self-helped medical diagnosis scheme based on secure two-party computation in wireless sensor networks.

PubMed

Sun, Yi; Wen, Qiaoyan; Zhang, Yudong; Li, Wenmin

2014-01-01

With the continuing growth of wireless sensor networks in pervasive medical care, people pay more and more attention to privacy in medical monitoring, diagnosis, treatment, and patient care. On one hand, we expect the public health institutions to provide us with better service. On the other hand, we would not like to leak our personal health information to them. In order to balance this contradiction, in this paper we design a privacy-preserving self-helped medical diagnosis scheme based on secure two-party computation in wireless sensor networks so that patients can privately diagnose themselves by inputting a health card into a self-helped medical diagnosis ATM to obtain a diagnostic report just like drawing money from a bank ATM without revealing patients' health information and doctors' diagnostic skill. It makes secure self-helped disease diagnosis feasible and greatly benefits patients as well as relieving the heavy pressure of public health institutions.

Privacy-Preserving Self-Helped Medical Diagnosis Scheme Based on Secure Two-Party Computation in Wireless Sensor Networks

PubMed Central

Wen, Qiaoyan; Zhang, Yudong; Li, Wenmin

2014-01-01

With the continuing growth of wireless sensor networks in pervasive medical care, people pay more and more attention to privacy in medical monitoring, diagnosis, treatment, and patient care. On one hand, we expect the public health institutions to provide us with better service. On the other hand, we would not like to leak our personal health information to them. In order to balance this contradiction, in this paper we design a privacy-preserving self-helped medical diagnosis scheme based on secure two-party computation in wireless sensor networks so that patients can privately diagnose themselves by inputting a health card into a self-helped medical diagnosis ATM to obtain a diagnostic report just like drawing money from a bank ATM without revealing patients' health information and doctors' diagnostic skill. It makes secure self-helped disease diagnosis feasible and greatly benefits patients as well as relieving the heavy pressure of public health institutions. PMID:25126107

77 FR 32655 - DHS Data Privacy and Integrity Advisory Committee

Federal Register 2010, 2011, 2012, 2013, 2014

2012-06-01

... Officer, Data Privacy and Integrity Advisory Committee, Department of Homeland Security, 245 Murray Lane..., DHS Data Privacy and Integrity Advisory Committee, Department of Homeland Security, 245 Murray Lane SW... DEPARTMENT OF HOMELAND SECURITY Office of the Secretary [Docket No. DHS-2012-0029] DHS Data...

Security and privacy issues in wireless sensor networks for healthcare applications.

PubMed

Al Ameen, Moshaddique; Liu, Jingwei; Kwak, Kyungsup

2012-02-01

The use of wireless sensor networks (WSN) in healthcare applications is growing in a fast pace. Numerous applications such as heart rate monitor, blood pressure monitor and endoscopic capsule are already in use. To address the growing use of sensor technology in this area, a new field known as wireless body area networks (WBAN or simply BAN) has emerged. As most devices and their applications are wireless in nature, security and privacy concerns are among major areas of concern. Due to direct involvement of humans also increases the sensitivity. Whether the data gathered from patients or individuals are obtained with the consent of the person or without it due to the need by the system, misuse or privacy concerns may restrict people from taking advantage of the full benefits from the system. People may not see these devices safe for daily use. There may also possibility of serious social unrest due to the fear that such devices may be used for monitoring and tracking individuals by government agencies or other private organizations. In this paper we discuss these issues and analyze in detail the problems and their possible measures.

Quantifying the Correctness, Computational Complexity, and Security of Privacy-Preserving String Comparators for Record Linkage

PubMed Central

Durham, Elizabeth; Xue, Yuan; Kantarcioglu, Murat; Malin, Bradley

2011-01-01

Record linkage is the task of identifying records from disparate data sources that refer to the same entity. It is an integral component of data processing in distributed settings, where the integration of information from multiple sources can prevent duplication and enrich overall data quality, thus enabling more detailed and correct analysis. Privacy-preserving record linkage (PPRL) is a variant of the task in which data owners wish to perform linkage without revealing identifiers associated with the records. This task is desirable in various domains, including healthcare, where it may not be possible to reveal patient identity due to confidentiality requirements, and in business, where it could be disadvantageous to divulge customers' identities. To perform PPRL, it is necessary to apply string comparators that function in the privacy-preserving space. A number of privacy-preserving string comparators (PPSCs) have been proposed, but little research has compared them in the context of a real record linkage application. This paper performs a principled and comprehensive evaluation of six PPSCs in terms of three key properties: 1) correctness of record linkage predictions, 2) computational complexity, and 3) security. We utilize a real publicly-available dataset, derived from the North Carolina voter registration database, to evaluate the tradeoffs between the aforementioned properties. Among our results, we find that PPSCs that partition, encode, and compare strings yield highly accurate record linkage results. However, as a tradeoff, we observe that such PPSCs are less secure than those that map and compare strings in a reduced dimensional space. PMID:22904698

Quantifying the Correctness, Computational Complexity, and Security of Privacy-Preserving String Comparators for Record Linkage.

PubMed

Durham, Elizabeth; Xue, Yuan; Kantarcioglu, Murat; Malin, Bradley

2012-10-01

Record linkage is the task of identifying records from disparate data sources that refer to the same entity. It is an integral component of data processing in distributed settings, where the integration of information from multiple sources can prevent duplication and enrich overall data quality, thus enabling more detailed and correct analysis. Privacy-preserving record linkage (PPRL) is a variant of the task in which data owners wish to perform linkage without revealing identifiers associated with the records. This task is desirable in various domains, including healthcare, where it may not be possible to reveal patient identity due to confidentiality requirements, and in business, where it could be disadvantageous to divulge customers' identities. To perform PPRL, it is necessary to apply string comparators that function in the privacy-preserving space. A number of privacy-preserving string comparators (PPSCs) have been proposed, but little research has compared them in the context of a real record linkage application. This paper performs a principled and comprehensive evaluation of six PPSCs in terms of three key properties: 1) correctness of record linkage predictions, 2) computational complexity, and 3) security. We utilize a real publicly-available dataset, derived from the North Carolina voter registration database, to evaluate the tradeoffs between the aforementioned properties. Among our results, we find that PPSCs that partition, encode, and compare strings yield highly accurate record linkage results. However, as a tradeoff, we observe that such PPSCs are less secure than those that map and compare strings in a reduced dimensional space.

Safe teleradiology: information assurance as project planning methodology.

PubMed

Collmann, Jeff; Alaoui, Adil; Nguyen, Dan; Lindisch, David

2005-01-01

The Georgetown University Medical Center Department of Radiology used a tailored version of OCTAVE, a self-directed information security risk assessment method, to design a teleradiology system that complied with the regulation implementing the security provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The system addressed threats to and vulnerabilities in the privacy and security of protected health information. By using OCTAVE, Georgetown identified the teleradiology program's critical assets, described threats to the assurance of those assets, developed and ran vulnerability scans of a system pilot, evaluated the consequences of security breaches, and developed a risk management plan to mitigate threats to program assets, thereby implementing good information assurance practices. This case study illustrates the basic point that prospective, comprehensive planning to protect the privacy and security of an information system strategically benefits program management as well as system security.

78 FR 23872 - HIPAA Privacy Rule and the National Instant Criminal Background Check System (NICS)

Federal Register 2010, 2011, 2012, 2013, 2014

2013-04-23

... any unintended adverse consequences for individuals seeking needed mental health services that may be... Check System (NICS) to help enforce these prohibitions.\\4\\ The NICS Index, a database administered by... to the NICS. Such an amendment might produce clarity regarding the Privacy Rule and help make it as...

The study on privacy preserving data mining for information security

NASA Astrophysics Data System (ADS)

Li, Xiaohui

2012-04-01

Privacy preserving data mining have a rapid development in a short year. But it still faces many challenges in the future. Firstly, the level of privacy has different definitions in different filed. Therefore, the measure of privacy preserving data mining technology protecting private information is not the same. So, it's an urgent issue to present a unified privacy definition and measure. Secondly, the most of research in privacy preserving data mining is presently confined to the theory study.

Exemption of certain systems of records under the Privacy Act. Proposed rule.

PubMed

2007-05-25

This proposed rule would exempt the four system of records from subsections (c)(3), (d)(1) through (d)(4),(e)(4)(G) and (H), and (f) of the Privacy Act pursuant to 5 U.S.C. 552a (k)(2): The Automated Survey Processing Environment (ASPEN) Complaint/Incidents Tracking System ("ACTS"), HHS/CMS, System No. 09-70-0565; the Health Insurance Portability and Accountability Act (HIPAA) Information Tracking System ("HITS"), HHS/CMS, System No. 09-70-0544; the Organ Procurement Organizations System ("OPOS"), HHS/CMS, System No. 09-70-0575; and the Fraud Investigation Database ("FID"), HHS/CMS, System No. 09-70-0527.

Exemption of certain systems of records under the Privacy Act. Final rule.

PubMed

2008-09-26

This final rule exempts four systems of records (SORs) from subsections (c)(3), (d)(1) through (d)(4), (e)(4)(G) and (H), and (f) of the Privacy Act pursuant to 5 U.S.C. 552a(k)(2): The Automated Survey Processing Environment (ASPEN) Complaint/ Incidents Tracking System (ACTS), HHS/CMS, System No. 09-70-0565; the Health Insurance Portability and Accountability Act (HIPAA) Information Tracking System (HITS), HHS/CMS, System No. 09-70-0544; the Organ Procurement Organizations System (OPOS), HHS/CMS, System No. 09-70- 0575; and the Fraud Investigation Database (FID), HHS/CMS, System No. 09-70-0527.

Fourier domain asymmetric cryptosystem for privacy protected multimodal biometric security

NASA Astrophysics Data System (ADS)

Choudhury, Debesh

2016-04-01

We propose a Fourier domain asymmetric cryptosystem for multimodal biometric security. One modality of biometrics (such as face) is used as the plaintext, which is encrypted by another modality of biometrics (such as fingerprint). A private key is synthesized from the encrypted biometric signature by complex spatial Fourier processing. The encrypted biometric signature is further encrypted by other biometric modalities, and the corresponding private keys are synthesized. The resulting biometric signature is privacy protected since the encryption keys are provided by the human, and hence those are private keys. Moreover, the decryption keys are synthesized using those private encryption keys. The encrypted signatures are decrypted using the synthesized private keys and inverse complex spatial Fourier processing. Computer simulations demonstrate the feasibility of the technique proposed.

75 FR 44804 - Privacy Act of 1974; Notice of a New Privacy Act System of Records (SORN), Ginnie Mae Mortgage...

Federal Register 2010, 2011, 2012, 2013, 2014

2010-07-29

...The Department proposes to establish a new Privacy Act SORN subject to the Privacy Act of 1974 (5 U.S.C. 552a), as amended, entitled Ginnie Mae Mortgage-Backed Security Unclaimed Funds System. The new record system will be used to track unclaimed security holder payments. Such unclaimed payments are owed to certificate holders of Ginnie Mae-guaranteed mortgage-backed securities who cannot be located by the Ginnie Mae servicer. Ginnie Mae tracks this information to ensure that security holders are paid properly.

Development of a HIPAA-compliant environment for translational research data and analytics.

PubMed

Bradford, Wayne; Hurdle, John F; LaSalle, Bernie; Facelli, Julio C

2014-01-01

High-performance computing centers (HPC) traditionally have far less restrictive privacy management policies than those encountered in healthcare. We show how an HPC can be re-engineered to accommodate clinical data while retaining its utility in computationally intensive tasks such as data mining, machine learning, and statistics. We also discuss deploying protected virtual machines. A critical planning step was to engage the university's information security operations and the information security and privacy office. Access to the environment requires a double authentication mechanism. The first level of authentication requires access to the university's virtual private network and the second requires that the users be listed in the HPC network information service directory. The physical hardware resides in a data center with controlled room access. All employees of the HPC and its users take the university's local Health Insurance Portability and Accountability Act training series. In the first 3 years, researcher count has increased from 6 to 58.

Genomes in the cloud: balancing privacy rights and the public good.

PubMed

Ohno-Machado, Lucila; Farcas, Claudiu; Kim, Jihoon; Wang, Shuang; Jiang, Xiaoqian

2013-01-01

The NIH-funded iDASH1 National Center for Biomedical Computing was created in 2010 with the goal of developing infrastructure, algorithms, and tools to integrate Data for Analysis, 'anonymization,' and SHaring. iDASH is based on the premise that, while a strong case for not sharing information to preserve individual privacy can be made, an equally compelling case for sharing genome information for the public good (i.e., to support new discoveries that promote health or alleviate the burden of disease) should also be made. In fact, these cases do not need to be mutually exclusive: genome data sharing on a cloud does not necessarily have to compromise individual privacy, although current practices need significant improvement. So far, protection of subject data from re-identification and misuse has been relying primarily on regulations such as HIPAA, the Common Rule, and GINA. However, protection of biometrics such as a genome requires specialized infrastructure and tools.

17 CFR 160.2 - Model privacy form and examples.

Code of Federal Regulations, 2011 CFR

2011-04-01

... 17 Commodity and Securities Exchanges 1 2011-04-01 2011-04-01 false Model privacy form and... PRIVACY OF CONSUMER FINANCIAL INFORMATION § 160.2 Model privacy form and examples. (a) Model privacy form. Use of the model privacy form in appendix A of this part, consistent with the instructions in appendix...

17 CFR 160.2 - Model privacy form and examples.

Code of Federal Regulations, 2010 CFR

2010-04-01

... 17 Commodity and Securities Exchanges 1 2010-04-01 2010-04-01 false Model privacy form and... PRIVACY OF CONSUMER FINANCIAL INFORMATION § 160.2 Model privacy form and examples. (a) Model privacy form. Use of the model privacy form in appendix A of this part, consistent with the instructions in appendix...

Will you accept the government's friend request? Social networks and privacy concerns.

PubMed

Siegel, David A

2013-01-01

Participating in social network websites entails voluntarily sharing private information, and the explosive growth of social network websites over the last decade suggests shifting views on privacy. Concurrently, new anti-terrorism laws, such as the USA Patriot Act, ask citizens to surrender substantial claim to privacy in the name of greater security. I address two important questions regarding individuals' views on privacy raised by these trends. First, how does prompting individuals to consider security concerns affect their views on government actions that jeopardize privacy? Second, does the use of social network websites alter the effect of prompted security concerns? I posit that prompting individuals to consider security concerns does lead to an increased willingness to accept government actions that jeopardize privacy, but that frequent users of websites like Facebook are less likely to be swayed by prompted security concerns. An embedded survey experiment provides support for both parts of my claim.

Wireless local area network security.

PubMed

Bergeron, Bryan P

2004-01-01

Wireless local area networks (WLANs) are increasingly popular in clinical settings because they facilitate the use of wireless PDAs, laptops, and other pervasive computing devices at the point of care. However, because of the relative immaturity of wireless network technology and evolving standards, WLANs, if improperly configured, can present significant security risks. Understanding the security limitations of the technology and available fixes can help minimize the risks of clinical data loss and maintain compliance with HIPAA guidelines.

Data Security and Privacy in Apps for Dementia: An Analysis of Existing Privacy Policies.

PubMed

Rosenfeld, Lisa; Torous, John; Vahia, Ipsit V

2017-08-01

Despite tremendous growth in the number of health applications (apps), little is known about how well these apps protect their users' health-related data. This gap in knowledge is of particular concern for apps targeting people with dementia, whose cognitive impairment puts them at increased risk of privacy breaches. In this article, we determine how many dementia apps have privacy policies and how well they protect user data. Our analysis included all iPhone apps that matched the search terms "medical + dementia" or "health & fitness + dementia" and collected user-generated content. We evaluated all available privacy policies for these apps based on criteria that systematically measure how individual user data is handled. Seventy-two apps met the above search teams and collected user data. Of these, only 33 (46%) had an available privacy policy. Nineteen of the 33 with policies (58%) were specific to the app in question, and 25 (76%) specified how individual-user as opposed to aggregate data would be handled. Among these, there was a preponderance of missing information, the majority acknowledged collecting individual data for internal purposes, and most admitted to instances in which they would share user data with outside parties. At present, the majority of health apps focused on dementia lack a privacy policy, and those that do exist lack clarity. Bolstering safeguards and improving communication about privacy protections will help facilitate consumer trust in apps, thereby enabling more widespread and meaningful use by people with dementia and those involved in their care. Copyright © 2017. Published by Elsevier Inc.

Privacy Issues of a National Research and Education Network.

ERIC Educational Resources Information Center

Katz, James E.; Graveman, Richard F.

1991-01-01

Discussion of the right to privacy of communications focuses on privacy expectations within a National Research and Education Network (NREN). Highlights include privacy needs in scientific and education communications; academic and research networks; network security and privacy concerns; protection strategies; and consequences of privacy…

32 CFR 701.101 - Privacy program terms and definitions.

Code of Federal Regulations, 2014 CFR

2014-07-01

... or online collection that directly identifies an individual (e.g., name, address, social security... her (e.g., Social Security Number (SSN), age, military rank, civilian grade, marital status, race... from a project on privacy issues, identifying and resolving the privacy risks, and approval by a...

17 CFR 160.2 - Model privacy form and examples.

Code of Federal Regulations, 2013 CFR

2013-04-01

... 17 Commodity and Securities Exchanges 1 2013-04-01 2013-04-01 false Model privacy form and... PRIVACY OF CONSUMER FINANCIAL INFORMATION UNDER TITLE V OF THE GRAMM-LEACH-BLILEY ACT § 160.2 Model privacy form and examples. (a) Model privacy form. Use of the model privacy form in appendix A of this...

17 CFR 160.2 - Model privacy form and examples.

Code of Federal Regulations, 2012 CFR

2012-04-01

... 17 Commodity and Securities Exchanges 1 2012-04-01 2012-04-01 false Model privacy form and... PRIVACY OF CONSUMER FINANCIAL INFORMATION UNDER TITLE V OF THE GRAMM-LEACH-BLILEY ACT § 160.2 Model privacy form and examples. (a) Model privacy form. Use of the model privacy form in appendix A of this...

17 CFR 160.2 - Model privacy form and examples.

Code of Federal Regulations, 2014 CFR

2014-04-01

... 17 Commodity and Securities Exchanges 2 2014-04-01 2014-04-01 false Model privacy form and... (CONTINUED) PRIVACY OF CONSUMER FINANCIAL INFORMATION UNDER TITLE V OF THE GRAMM-LEACH-BLILEY ACT § 160.2 Model privacy form and examples. (a) Model privacy form. Use of the model privacy form in appendix A of...

Image feature extraction in encrypted domain with privacy-preserving SIFT.

PubMed

Hsu, Chao-Yung; Lu, Chun-Shien; Pei, Soo-Chang

2012-11-01

Privacy has received considerable attention but is still largely ignored in the multimedia community. Consider a cloud computing scenario where the server is resource-abundant, and is capable of finishing the designated tasks. It is envisioned that secure media applications with privacy preservation will be treated seriously. In view of the fact that scale-invariant feature transform (SIFT) has been widely adopted in various fields, this paper is the first to target the importance of privacy-preserving SIFT (PPSIFT) and to address the problem of secure SIFT feature extraction and representation in the encrypted domain. As all of the operations in SIFT must be moved to the encrypted domain, we propose a privacy-preserving realization of the SIFT method based on homomorphic encryption. We show through the security analysis based on the discrete logarithm problem and RSA that PPSIFT is secure against ciphertext only attack and known plaintext attack. Experimental results obtained from different case studies demonstrate that the proposed homomorphic encryption-based privacy-preserving SIFT performs comparably to the original SIFT and that our method is useful in SIFT-based privacy-preserving applications.

Protocols development for security and privacy of radio frequency identification systems

NASA Astrophysics Data System (ADS)

Sabbagha, Fatin

There are benefits to adopting radio frequency identification (RFID) technology, although there are methods of attack that can compromise the system. This research determined how that may happen and what possible solutions can keep that from happening. Protocols were developed to implement better security. In addition, new topologies were developed to handle the problems of the key management. Previously proposed protocols focused on providing mutual authentication and privacy between readers and tags. However, those protocols are still vulnerable to be attacked. These protocols were analyzed and the disadvantages shown for each one. Previous works assumed that the channels between readers and the servers were secure. In the proposed protocols, a compromised reader is considered along with how to prevent tags from being read by that reader. The new protocols provide mutual authentication between readers and tags and, at the same time, remove the compromised reader from the system. Three protocols are proposed. In the first protocol, a mutual authentication is achieved and a compromised reader is not allowed in the network. In the second protocol, the number of times a reader contacts the server is reduced. The third protocol provides authentication and privacy between tags and readers using a trusted third party. The developed topology is implemented using python language and simulates work to check the efficiency regarding the processing time. The three protocols are implemented by writing codes in C language and then compiling them in MSP430. IAR Embedded workbench is used, which is an integrated development environment with the C/C++ compiler to generate a faster code and to debug the microcontroller. In summary, the goal of this research is to find solutions for the problems on previously proposed protocols, handle a compromised reader, and solve key management problems.

Ethical considerations in internet use of electronic protected health information.

PubMed

Polito, Jacquelyn M

2012-03-01

Caregivers, patients, and their family members are increasingly reliant on social network websites for storing, communicating, and referencing medical information. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule seeks balance by protecting the privacy of patients' health information and assuring that this information is available to those who need it to provide health care. Though federal and state governments have created laws and policies to safeguard patient privacy and confidentiality, the laws are inadequate against the rapid and innovative use of electronic health websites. As Internet use broadens access to information, health professionals must be aware that this information is not always secure. We must identify and reflect on medical ethics issues and be accountable for maintaining privacy for the patient.

Will You Accept the Government's Friend Request? Social Networks and Privacy Concerns

PubMed Central

Siegel, David A.

2013-01-01

Participating in social network websites entails voluntarily sharing private information, and the explosive growth of social network websites over the last decade suggests shifting views on privacy. Concurrently, new anti-terrorism laws, such as the USA Patriot Act, ask citizens to surrender substantial claim to privacy in the name of greater security. I address two important questions regarding individuals' views on privacy raised by these trends. First, how does prompting individuals to consider security concerns affect their views on government actions that jeopardize privacy? Second, does the use of social network websites alter the effect of prompted security concerns? I posit that prompting individuals to consider security concerns does lead to an increased willingness to accept government actions that jeopardize privacy, but that frequent users of websites like Facebook are less likely to be swayed by prompted security concerns. An embedded survey experiment provides support for both parts of my claim. PMID:24312236

Security and privacy of EHR systems--ethical, social and legal requirements.

PubMed

Kluge, Eike-Henner W

2003-01-01

This paper addresses social, ethical and legal concerns about security and privacy that arise in the development of international interoperable health information systems. The paper deals with these concerns under four rubrics: the ethical status of electronic health records, the social and legal embedding of interoperable health information systems, the overall information-requirements healthcare as such, and the role of health information professionals as facilitators. It argues that the concerns that arise can be met if the development of interoperability protocols is guided by the seven basic principles of information ethics that have been enunciated in the IMIA Code of Ethics for Health Information Professionals and that are central to the ethical treatment of electronic health records.

A secure steganography for privacy protection in healthcare system.

PubMed

Liu, Jing; Tang, Guangming; Sun, Yifeng

2013-04-01

Private data in healthcare system require confidentiality protection while transmitting. Steganography is the art of concealing data into a cover media for conveying messages confidentially. In this paper, we propose a steganographic method which can provide private data in medical system with very secure protection. In our method, a cover image is first mapped into a 1D pixels sequence by Hilbert filling curve and then divided into non-overlapping embedding units with three consecutive pixels. We use adaptive pixel pair match (APPM) method to embed digits in the pixel value differences (PVD) of the three pixels and the base of embedded digits is dependent on the differences among the three pixels. By solving an optimization problem, minimal distortion of the pixel ternaries caused by data embedding can be obtained. The experimental results show our method is more suitable to privacy protection of healthcare system than prior steganographic works.

A linkable identity privacy algorithm for HealthGrid.

PubMed

Zhang, Ning; Rector, Alan; Buchan, Iain; Shi, Qi; Kalra, Dipak; Rogers, Jeremy; Goble, Carole; Walker, Steve; Ingram, David; Singleton, Peter

2005-01-01

The issues of confidentiality and privacy have become increasingly important as Grid technology is being adopted in public sectors such as healthcare. This paper discusses the importance of protecting the confidentiality and privacy of patient health/medical records, and the challenges exhibited in enforcing this protection in a Grid environment. It proposes a novel algorithm to allow traceable/linkable identity privacy in dealing with de-identified medical records. Using the algorithm, de-identified health records associated to the same patient but generated by different healthcare providers are given different pseudonyms. However, these pseudonymised records of the same patient can still be linked by a trusted entity such as the NHS trust or HealthGrid manager. The paper has also recommended a security architecture that integrates the proposed algorithm with other data security measures needed to achieve the desired security and privacy in the HealthGrid context.

45 CFR 150.207 - Procedure for determining that a State fails to substantially enforce HIPAA requirements.

Code of Federal Regulations, 2010 CFR

2010-10-01

... 45 Public Welfare 1 2010-10-01 2010-10-01 false Procedure for determining that a State fails to... MARKETS CMS Enforcement Processes for Determining Whether States Are Failing To Substantially Enforce HIPAA Requirements § 150.207 Procedure for determining that a State fails to substantially enforce HIPAA...

45 CFR 150.207 - Procedure for determining that a State fails to substantially enforce HIPAA requirements.

Code of Federal Regulations, 2011 CFR

2011-10-01

... 45 Public Welfare 1 2011-10-01 2011-10-01 false Procedure for determining that a State fails to... MARKETS CMS Enforcement Processes for Determining Whether States Are Failing To Substantially Enforce HIPAA Requirements § 150.207 Procedure for determining that a State fails to substantially enforce HIPAA...

45 CFR 150.207 - Procedure for determining that a State fails to substantially enforce HIPAA requirements.

Code of Federal Regulations, 2012 CFR

2012-10-01

... 45 Public Welfare 1 2012-10-01 2012-10-01 false Procedure for determining that a State fails to... MARKETS CMS Enforcement Processes for Determining Whether States Are Failing To Substantially Enforce HIPAA Requirements § 150.207 Procedure for determining that a State fails to substantially enforce HIPAA...

17 CFR 160.4 - Initial privacy notice to consumers required.

Code of Federal Regulations, 2011 CFR

2011-04-01

... 17 Commodity and Securities Exchanges 1 2011-04-01 2011-04-01 false Initial privacy notice to... COMMISSION PRIVACY OF CONSUMER FINANCIAL INFORMATION Privacy and Opt Out Notices § 160.4 Initial privacy... notice that accurately reflects your privacy policies and practices to: (1) Customer. An individual who...

17 CFR 160.5 - Annual privacy notice to customers required.

Code of Federal Regulations, 2011 CFR

2011-04-01

... 17 Commodity and Securities Exchanges 1 2011-04-01 2011-04-01 false Annual privacy notice to... COMMISSION PRIVACY OF CONSUMER FINANCIAL INFORMATION Privacy and Opt Out Notices § 160.5 Annual privacy... customers that accurately reflects your privacy policies and practices not less than annually during the...

76 FR 30048 - Privacy Act of 1974: Implementation and Amendment of Exemptions

Federal Register 2010, 2011, 2012, 2013, 2014

2011-05-24

... SECURITIES AND EXCHANGE COMMISSION 17 CFR Part 200 [Release No. PA-45; File No. S7-19-11] Privacy.... ACTION: Proposed rule. SUMMARY: Pursuant to the Privacy Act of 1974, as amended, the Securities and... from provisions of the Privacy Act to the extent that the records contain investigatory materials...

78 FR 15731 - Privacy Act of 1974; Computer Matching Program

Federal Register 2010, 2011, 2012, 2013, 2014

2013-03-12

... DEPARTMENT OF HOMELAND SECURITY Office of the Secretary [Docket No. DHS-2013-0011] Privacy Act of 1974; Computer Matching Program AGENCY: Department of Homeland Security/U.S. Citizenship and Immigration Services. ACTION: Notice. Overview Information: Privacy Act of 1974; Computer Matching Program...

78 FR 15732 - Privacy Act of 1974; Computer Matching Program

Federal Register 2010, 2011, 2012, 2013, 2014

2013-03-12

... DEPARTMENT OF HOMELAND SECURITY Office of the Secretary [Docket No. DHS-2013-0007] Privacy Act of 1974; Computer Matching Program AGENCY: Department of Homeland Security/U.S. Citizenship and Immigration Services. ACTION: Notice. Overview Information: Privacy Act of 1974; Computer Matching Program...

17 CFR 160.9 - Delivering privacy and opt out notices.

Code of Federal Regulations, 2011 CFR

2011-04-01

... 17 Commodity and Securities Exchanges 1 2011-04-01 2011-04-01 false Delivering privacy and opt out... PRIVACY OF CONSUMER FINANCIAL INFORMATION Privacy and Opt Out Notices § 160.9 Delivering privacy and opt out notices. (a) How to provide notices. You must provide any privacy notices and opt out notices...

32 CFR 806b.51 - Privacy and the Web.

Code of Federal Regulations, 2013 CFR

2013-07-01

... 32 National Defense 6 2013-07-01 2013-07-01 false Privacy and the Web. 806b.51 Section 806b.51 National Defense Department of Defense (Continued) DEPARTMENT OF THE AIR FORCE ADMINISTRATION PRIVACY ACT... security notices at major web site entry points and Privacy Act statements or Privacy Advisories when...

17 CFR 160.6 - Information to be included in privacy notices.

Code of Federal Regulations, 2011 CFR

2011-04-01

... privacy notices. 160.6 Section 160.6 Commodity and Securities Exchanges COMMODITY FUTURES TRADING COMMISSION PRIVACY OF CONSUMER FINANCIAL INFORMATION Privacy and Opt Out Notices § 160.6 Information to be included in privacy notices. (a) General rule. The initial, annual, and revised privacy notices that you...

Federal privacy regulations and the provision of Early Hearing Detection and Intervention programs.

PubMed

Houston, K Todd; Behl, Diane D; White, Karl R; Forsman, Irene

2010-08-01

To be successful, Early Hearing Detection and Intervention (EHDI) programs require individually identifiable information about children to be shared among people who are responsible for screening, diagnosis, early intervention, family support, and medical home services. Pediatricians and other stakeholders in the EHDI process often point to federal laws that were passed to ensure privacy and confidentiality in health care and educational programs as major obstacles to achieving efficient and effective EHDI programs. In this article we summarize the provisions of 3 federal laws (the Health Insurance Portability and Accountability Act [HIPAA], the Family Education Rights and Privacy Act [FERPA], and Part C privacy regulations of the Individuals With Disabilities Education Act [IDEA]) that most directly affect information-sharing in EHDI programs. We suggest strategies for sharing the information needed to operate successful EHDI programs while remaining in compliance with these laws, including obtaining signed parental consent to share information between providers, including an option on the individual family services plan for parents to permit sharing of the plan with pediatricians and other providers, and giving copies of all relevant test results to parents to share with providers as they wish.

Governance Through Privacy, Fairness, and Respect for Individuals.

PubMed

Baker, Dixie B; Kaye, Jane; Terry, Sharon F

2016-01-01

Individuals have a moral claim to be involved in the governance of their personal data. Individuals' rights include privacy, autonomy, and the ability to choose for themselves how they want to manage risk, consistent with their own personal values and life situations. The Fair Information Practices principles (FIPPs) offer a framework for governance. Privacy-enhancing technology that complies with applicable law and FIPPs offers a dynamic governance tool for enabling the fair and open use of individual's personal data. Any governance model must protect against the risks posed by data misuse. Individual perceptions of risks are a subjective function involving individuals' values toward self, family, and society, their perceptions of trust, and their cognitive decision-making skills. Individual privacy protections and individuals' right to choose are codified in the HIPAA Privacy Rule, which attempts to strike a balance between the dual goals of information flow and privacy protection. The choices most commonly given individuals regarding the use of their health information are binary ("yes" or "no") and immutable. Recent federal recommendations and law recognize the need for granular, dynamic choices. Individuals expect that they will govern the use of their own health and genomic data. Failure to build and maintain individuals' trust increases the likelihood that they will refuse to grant permission to access or use their data. The "no surprises principle" asserts that an individual's personal information should never be collected, used, transmitted, or disclosed in a way that would surprise the individual were she to learn about it. The FIPPs provide a powerful framework for enabling data sharing and use, while maintaining trust. We introduce the eight FIPPs adopted by the Department of Health and Human Services, and provide examples of their interpretation and implementation. Privacy risk and health risk can be reduced by giving consumers control, autonomy, and

75 FR 54662 - Privacy Act of 1974: Systems of Records

Federal Register 2010, 2011, 2012, 2013, 2014

2010-09-08

..., Chief Privacy Officer, Office of Information Technology, 202-551-7209. In the Federal Register of August... SECURITIES AND EXCHANGE COMMISSION [Release No. PA-44A; File No. S7-17-10] Privacy Act of 1974: Systems of Records AGENCY: Securities and Exchange Commission. ACTION: Notice to establish systems of...

Preserving Patient Privacy When Sharing Same-Disease Data.

PubMed

Liu, Xiaoping; Li, Xiao-Bai; Motiwalla, Luvai; Li, Wenjun; Zheng, Hua; Franklin, Patricia D

2016-10-01

Medical and health data are often collected for studying a specific disease. For such same-disease microdata, a privacy disclosure occurs as long as an individual is known to be in the microdata. Individuals in same-disease microdata are thus subject to higher disclosure risk than those in microdata with different diseases. This important problem has been overlooked in data-privacy research and practice, and no prior study has addressed this problem. In this study, we analyze the disclosure risk for the individuals in same-disease microdata and propose a new metric that is appropriate for measuring disclosure risk in this situation. An efficient algorithm is designed and implemented for anonymizing same-disease data to minimize the disclosure risk while keeping data utility as good as possible. An experimental study was conducted on real patient and population data. Experimental results show that traditional reidentification risk measures underestimate the actual disclosure risk for the individuals in same-disease microdata and demonstrate that the proposed approach is very effective in reducing the actual risk for same-disease data. This study suggests that privacy protection policy and practice for sharing medical and health data should consider not only the individuals' identifying attributes but also the health and disease information contained in the data. It is recommended that data-sharing entities employ a statistical approach, instead of the HIPAA's Safe Harbor policy, when sharing same-disease microdata.

Preserving Patient Privacy When Sharing Same-Disease Data

PubMed Central

LIU, XIAOPING; LI, XIAO-BAI; MOTIWALLA, LUVAI; LI, WENJUN; ZHENG, HUA; FRANKLIN, PATRICIA D.

2016-01-01

Medical and health data are often collected for studying a specific disease. For such same-disease microdata, a privacy disclosure occurs as long as an individual is known to be in the microdata. Individuals in same-disease microdata are thus subject to higher disclosure risk than those in microdata with different diseases. This important problem has been overlooked in data-privacy research and practice, and no prior study has addressed this problem. In this study, we analyze the disclosure risk for the individuals in same-disease microdata and propose a new metric that is appropriate for measuring disclosure risk in this situation. An efficient algorithm is designed and implemented for anonymizing same-disease data to minimize the disclosure risk while keeping data utility as good as possible. An experimental study was conducted on real patient and population data. Experimental results show that traditional reidentification risk measures underestimate the actual disclosure risk for the individuals in same-disease microdata and demonstrate that the proposed approach is very effective in reducing the actual risk for same-disease data. This study suggests that privacy protection policy and practice for sharing medical and health data should consider not only the individuals’ identifying attributes but also the health and disease information contained in the data. It is recommended that data-sharing entities employ a statistical approach, instead of the HIPAA's Safe Harbor policy, when sharing same-disease microdata. PMID:27867450

A case study of the Secure Anonymous Information Linkage (SAIL) Gateway: A privacy-protecting remote access system for health-related research and evaluation☆

PubMed Central

Jones, Kerina H.; Ford, David V.; Jones, Chris; Dsilva, Rohan; Thompson, Simon; Brooks, Caroline J.; Heaven, Martin L.; Thayer, Daniel S.; McNerney, Cynthia L.; Lyons, Ronan A.

2014-01-01

With the current expansion of data linkage research, the challenge is to find the balance between preserving the privacy of person-level data whilst making these data accessible for use to their full potential. We describe a privacy-protecting safe haven and secure remote access system, referred to as the Secure Anonymised Information Linkage (SAIL) Gateway. The Gateway provides data users with a familiar Windows interface and their usual toolsets to access approved anonymously-linked datasets for research and evaluation. We outline the principles and operating model of the Gateway, the features provided to users within the secure environment, and how we are approaching the challenges of making data safely accessible to increasing numbers of research users. The Gateway represents a powerful analytical environment and has been designed to be scalable and adaptable to meet the needs of the rapidly growing data linkage community. PMID:24440148

17 CFR 160.4 - Initial privacy notice to consumers required.

Code of Federal Regulations, 2014 CFR

2014-04-01

... 17 Commodity and Securities Exchanges 2 2014-04-01 2014-04-01 false Initial privacy notice to... COMMISSION (CONTINUED) PRIVACY OF CONSUMER FINANCIAL INFORMATION UNDER TITLE V OF THE GRAMM-LEACH-BLILEY ACT Privacy and Opt Out Notices § 160.4 Initial privacy notice to consumers required. (a) Initial notice...

17 CFR 160.4 - Initial privacy notice to consumers required.

Code of Federal Regulations, 2012 CFR

2012-04-01

... 17 Commodity and Securities Exchanges 1 2012-04-01 2012-04-01 false Initial privacy notice to... COMMISSION PRIVACY OF CONSUMER FINANCIAL INFORMATION UNDER TITLE V OF THE GRAMM-LEACH-BLILEY ACT Privacy and Opt Out Notices § 160.4 Initial privacy notice to consumers required. (a) Initial notice requirement...

17 CFR 160.4 - Initial privacy notice to consumers required.

Code of Federal Regulations, 2013 CFR

2013-04-01

... 17 Commodity and Securities Exchanges 1 2013-04-01 2013-04-01 false Initial privacy notice to... COMMISSION PRIVACY OF CONSUMER FINANCIAL INFORMATION UNDER TITLE V OF THE GRAMM-LEACH-BLILEY ACT Privacy and Opt Out Notices § 160.4 Initial privacy notice to consumers required. (a) Initial notice requirement...

77 FR 38274 - Privacy Act of 1974; System of Records

Federal Register 2010, 2011, 2012, 2013, 2014

2012-06-27

.... SUPPLEMENTARY INFORMATION: The Defense Security Service systems of records notices subject to the Privacy Act of... DEPARTMENT OF DEFENSE Office of the Secretary [Docket ID DOD-2012-OS-0077] Privacy Act of 1974; System of Records AGENCY: Defense Security Service, DoD. ACTION: Notice to Delete Four Systems of Records...

17 CFR 160.5 - Annual privacy notice to customers required.

Code of Federal Regulations, 2014 CFR

2014-04-01

... 17 Commodity and Securities Exchanges 2 2014-04-01 2014-04-01 false Annual privacy notice to... COMMISSION (CONTINUED) PRIVACY OF CONSUMER FINANCIAL INFORMATION UNDER TITLE V OF THE GRAMM-LEACH-BLILEY ACT Privacy and Opt Out Notices § 160.5 Annual privacy notice to customers required. (a)(1) General rule. You...

17 CFR 160.5 - Annual privacy notice to customers required.

Code of Federal Regulations, 2012 CFR

2012-04-01

... 17 Commodity and Securities Exchanges 1 2012-04-01 2012-04-01 false Annual privacy notice to... COMMISSION PRIVACY OF CONSUMER FINANCIAL INFORMATION UNDER TITLE V OF THE GRAMM-LEACH-BLILEY ACT Privacy and Opt Out Notices § 160.5 Annual privacy notice to customers required. (a)(1) General rule. You must...

17 CFR 160.5 - Annual privacy notice to customers required.

Code of Federal Regulations, 2013 CFR

2013-04-01

... 17 Commodity and Securities Exchanges 1 2013-04-01 2013-04-01 false Annual privacy notice to... COMMISSION PRIVACY OF CONSUMER FINANCIAL INFORMATION UNDER TITLE V OF THE GRAMM-LEACH-BLILEY ACT Privacy and Opt Out Notices § 160.5 Annual privacy notice to customers required. (a)(1) General rule. You must...

17 CFR 248.2 - Model privacy form: rule of construction.

Code of Federal Regulations, 2010 CFR

2010-04-01

... 17 Commodity and Securities Exchanges 3 2010-04-01 2010-04-01 false Model privacy form: rule of... Safeguarding Personal Information § 248.2 Model privacy form: rule of construction. (a) Model privacy form. Use of the model privacy form in Appendix A to Subpart A of this part, consistent with the instructions...

Personal control of privacy and data: Estonian experience.

PubMed

Priisalu, Jaan; Ottis, Rain

2017-01-01

The Republic of Estonia leads Europe in the provision of public digital services. The national communications and transactions platform allows for twenty-first century governance by allowing for transparency, e-safety (inter alia privacy), e-security, entrepreneurship and, among other things, rising levels of prosperity, and well-being for all its Citizens. However, a series of Information Infrastructure attacks against the Estonian e-society infrastructure in 2007 became one of best known incidents and experiences that fundamentally changed both Estonian and international discussions about Cyber Security and Privacy. Estonian experience shows that an open and transparent attitude provides a good foundation for trust between the Citizen and the State, and gives more control to the real owner of the data - the Citizen. Another important lesson is that the Citizen needs to be confident in the government's ability to keep their data safe -- in terms of confidentiality, integrity and availability - establishing a strong link between privacy and information security. This paper discusses certain critical choices, context, and events connected to the birth and growth of the Estonian e-society in terms of Privacy.

17 CFR 160.9 - Delivering privacy and opt out notices.

Code of Federal Regulations, 2012 CFR

2012-04-01

... 17 Commodity and Securities Exchanges 1 2012-04-01 2012-04-01 false Delivering privacy and opt out... PRIVACY OF CONSUMER FINANCIAL INFORMATION UNDER TITLE V OF THE GRAMM-LEACH-BLILEY ACT Privacy and Opt Out Notices § 160.9 Delivering privacy and opt out notices. (a) How to provide notices. You must provide any...

17 CFR 160.9 - Delivering privacy and opt out notices.

Code of Federal Regulations, 2013 CFR

2013-04-01

... 17 Commodity and Securities Exchanges 1 2013-04-01 2013-04-01 false Delivering privacy and opt out... PRIVACY OF CONSUMER FINANCIAL INFORMATION UNDER TITLE V OF THE GRAMM-LEACH-BLILEY ACT Privacy and Opt Out Notices § 160.9 Delivering privacy and opt out notices. (a) How to provide notices. You must provide any...

17 CFR 160.9 - Delivering privacy and opt out notices.

Code of Federal Regulations, 2014 CFR

2014-04-01

... 17 Commodity and Securities Exchanges 2 2014-04-01 2014-04-01 false Delivering privacy and opt out... (CONTINUED) PRIVACY OF CONSUMER FINANCIAL INFORMATION UNDER TITLE V OF THE GRAMM-LEACH-BLILEY ACT Privacy and Opt Out Notices § 160.9 Delivering privacy and opt out notices. (a) How to provide notices. You must...

Secure count query on encrypted genomic data.

PubMed

Hasan, Mohammad Zahidul; Mahdi, Md Safiur Rahman; Sadat, Md Nazmus; Mohammed, Noman

2018-05-01

Human genomic information can yield more effective healthcare by guiding medical decisions. Therefore, genomics research is gaining popularity as it can identify potential correlations between a disease and a certain gene, which improves the safety and efficacy of drug treatment and can also develop more effective prevention strategies [1]. To reduce the sampling error and to increase the statistical accuracy of this type of research projects, data from different sources need to be brought together since a single organization does not necessarily possess required amount of data. In this case, data sharing among multiple organizations must satisfy strict policies (for instance, HIPAA and PIPEDA) that have been enforced to regulate privacy-sensitive data sharing. Storage and computation on the shared data can be outsourced to a third party cloud service provider, equipped with enormous storage and computation resources. However, outsourcing data to a third party is associated with a potential risk of privacy violation of the participants, whose genomic sequence or clinical profile is used in these studies. In this article, we propose a method for secure sharing and computation on genomic data in a semi-honest cloud server. In particular, there are two main contributions. Firstly, the proposed method can handle biomedical data containing both genotype and phenotype. Secondly, our proposed index tree scheme reduces the computational overhead significantly for executing secure count query operation. In our proposed method, the confidentiality of shared data is ensured through encryption, while making the entire computation process efficient and scalable for cutting-edge biomedical applications. We evaluated our proposed method in terms of efficiency on a database of Single-Nucleotide Polymorphism (SNP) sequences, and experimental results demonstrate that the execution time for a query of 50 SNPs in a database of 50,000 records is approximately 5 s, where each record

Privacy information management for video surveillance

NASA Astrophysics Data System (ADS)

Luo, Ying; Cheung, Sen-ching S.

2013-05-01

The widespread deployment of surveillance cameras has raised serious privacy concerns. Many privacy-enhancing schemes have been proposed to automatically redact images of trusted individuals in the surveillance video. To identify these individuals for protection, the most reliable approach is to use biometric signals such as iris patterns as they are immutable and highly discriminative. In this paper, we propose a privacy data management system to be used in a privacy-aware video surveillance system. The privacy status of a subject is anonymously determined based on her iris pattern. For a trusted subject, the surveillance video is redacted and the original imagery is considered to be the privacy information. Our proposed system allows a subject to access her privacy information via the same biometric signal for privacy status determination. Two secure protocols, one for privacy information encryption and the other for privacy information retrieval are proposed. Error control coding is used to cope with the variability in iris patterns and efficient implementation is achieved using surrogate data records. Experimental results on a public iris biometric database demonstrate the validity of our framework.

A case study of the Secure Anonymous Information Linkage (SAIL) Gateway: a privacy-protecting remote access system for health-related research and evaluation.

PubMed

Jones, Kerina H; Ford, David V; Jones, Chris; Dsilva, Rohan; Thompson, Simon; Brooks, Caroline J; Heaven, Martin L; Thayer, Daniel S; McNerney, Cynthia L; Lyons, Ronan A

2014-08-01

With the current expansion of data linkage research, the challenge is to find the balance between preserving the privacy of person-level data whilst making these data accessible for use to their full potential. We describe a privacy-protecting safe haven and secure remote access system, referred to as the Secure Anonymised Information Linkage (SAIL) Gateway. The Gateway provides data users with a familiar Windows interface and their usual toolsets to access approved anonymously-linked datasets for research and evaluation. We outline the principles and operating model of the Gateway, the features provided to users within the secure environment, and how we are approaching the challenges of making data safely accessible to increasing numbers of research users. The Gateway represents a powerful analytical environment and has been designed to be scalable and adaptable to meet the needs of the rapidly growing data linkage community. Copyright © 2014 The Aurthors. Published by Elsevier Inc. All rights reserved.

Efficient Privacy-Aware Record Integration.

PubMed

Kuzu, Mehmet; Kantarcioglu, Murat; Inan, Ali; Bertino, Elisa; Durham, Elizabeth; Malin, Bradley

2013-01-01

The integration of information dispersed among multiple repositories is a crucial step for accurate data analysis in various domains. In support of this goal, it is critical to devise procedures for identifying similar records across distinct data sources. At the same time, to adhere to privacy regulations and policies, such procedures should protect the confidentiality of the individuals to whom the information corresponds. Various private record linkage (PRL) protocols have been proposed to achieve this goal, involving secure multi-party computation (SMC) and similarity preserving data transformation techniques. SMC methods provide secure and accurate solutions to the PRL problem, but are prohibitively expensive in practice, mainly due to excessive computational requirements. Data transformation techniques offer more practical solutions, but incur the cost of information leakage and false matches. In this paper, we introduce a novel model for practical PRL, which 1) affords controlled and limited information leakage, 2) avoids false matches resulting from data transformation. Initially, we partition the data sources into blocks to eliminate comparisons for records that are unlikely to match. Then, to identify matches, we apply an efficient SMC technique between the candidate record pairs. To enable efficiency and privacy, our model leaks a controlled amount of obfuscated data prior to the secure computations. Applied obfuscation relies on differential privacy which provides strong privacy guarantees against adversaries with arbitrary background knowledge. In addition, we illustrate the practical nature of our approach through an empirical analysis with data derived from public voter records.

Patient and public views about the security and privacy of Electronic Health Records (EHRs) in the UK: results from a mixed methods study.

PubMed

Papoutsi, Chrysanthi; Reed, Julie E; Marston, Cicely; Lewis, Ruth; Majeed, Azeem; Bell, Derek

2015-10-14

Although policy discourses frame integrated Electronic Health Records (EHRs) as essential for contemporary healthcare systems, increased information sharing often raises concerns among patients and the public. This paper examines patient and public views about the security and privacy of EHRs used for health provision, research and policy in the UK. Sequential mixed methods study with a cross-sectional survey (in 2011) followed by focus group discussions (in 2012-2013). Survey participants (N = 5331) were recruited from primary and secondary care settings in West London (UK). Complete data for 2761 (51.8 %) participants were included in the final analysis for this paper. The survey results were discussed in 13 focus groups with people living with a range of different health conditions, and in 4 mixed focus groups with patients, health professionals and researchers (total N = 120). Qualitative data were analysed thematically. In the survey, 79 % of participants reported that they would worry about the security of their record if this was part of a national EHR system and 71 % thought the National Health Service (NHS) was unable to guarantee EHR safety at the time this work was carried out. Almost half (47 %) responded that EHRs would be less secure compared with the way their health record was held at the time of the survey. Of those who reported being worried about EHR security, many would nevertheless support their development (55 %), while 12 % would not support national EHRs and a sizeable proportion (33 %) were undecided. There were also variations by age, ethnicity and education. In focus group discussions participants weighed up perceived benefits against potential security and privacy threats from wider sharing of information, as well as discussing other perceived risks: commercial exploitation, lack of accountability, data inaccuracies, prejudice and inequalities in health provision. Patient and public worries about the security risks associated

A tracking and verification system implemented in a clinical environment for partial HIPAA compliance

NASA Astrophysics Data System (ADS)

Guo, Bing; Documet, Jorge; Liu, Brent; King, Nelson; Shrestha, Rasu; Wang, Kevin; Huang, H. K.; Grant, Edward G.

2006-03-01

The paper describes the methodology for the clinical design and implementation of a Location Tracking and Verification System (LTVS) that has distinct benefits for the Imaging Department at the Healthcare Consultation Center II (HCCII), an outpatient imaging facility located on the USC Health Science Campus. A novel system for tracking and verification of patients and staff in a clinical environment using wireless and facial biometric technology to monitor and automatically identify patients and staff was developed in order to streamline patient workflow, protect against erroneous examinations and create a security zone to prevent and audit unauthorized access to patient healthcare data under the HIPAA mandate. This paper describes the system design and integration methodology based on initial clinical workflow studies within a clinical environment. An outpatient center was chosen as an initial first step for the development and implementation of this system.

17 CFR 160.6 - Information to be included in privacy notices.

Code of Federal Regulations, 2012 CFR

2012-04-01

... privacy notices. 160.6 Section 160.6 Commodity and Securities Exchanges COMMODITY FUTURES TRADING COMMISSION PRIVACY OF CONSUMER FINANCIAL INFORMATION UNDER TITLE V OF THE GRAMM-LEACH-BLILEY ACT Privacy and Opt Out Notices § 160.6 Information to be included in privacy notices. (a) General rule. The initial...

17 CFR 160.6 - Information to be included in privacy notices.

Code of Federal Regulations, 2014 CFR

2014-04-01

... privacy notices. 160.6 Section 160.6 Commodity and Securities Exchanges COMMODITY FUTURES TRADING COMMISSION (CONTINUED) PRIVACY OF CONSUMER FINANCIAL INFORMATION UNDER TITLE V OF THE GRAMM-LEACH-BLILEY ACT Privacy and Opt Out Notices § 160.6 Information to be included in privacy notices. (a) General rule. The...

17 CFR 160.6 - Information to be included in privacy notices.

Code of Federal Regulations, 2013 CFR

2013-04-01

... privacy notices. 160.6 Section 160.6 Commodity and Securities Exchanges COMMODITY FUTURES TRADING COMMISSION PRIVACY OF CONSUMER FINANCIAL INFORMATION UNDER TITLE V OF THE GRAMM-LEACH-BLILEY ACT Privacy and Opt Out Notices § 160.6 Information to be included in privacy notices. (a) General rule. The initial...

47 CFR 0.506 - FOIA and Privacy Act requests.

Code of Federal Regulations, 2010 CFR

2010-10-01

... 47 Telecommunication 1 2010-10-01 2010-10-01 false FOIA and Privacy Act requests. 0.506 Section 0... Declassification of National Security Information § 0.506 FOIA and Privacy Act requests. Requests for....461), of the Privacy Act of 1974, (See § 0.554) shall be processed in accordance with the provisions...

47 CFR 0.506 - FOIA and Privacy Act requests.

Code of Federal Regulations, 2014 CFR

2014-10-01

... Declassification of National Security Information § 0.506 FOIA and Privacy Act requests. Requests for... 47 Telecommunication 1 2014-10-01 2014-10-01 false FOIA and Privacy Act requests. 0.506 Section 0....461), of the Privacy Act of 1974, (See § 0.554) shall be processed in accordance with the provisions...

47 CFR 0.506 - FOIA and Privacy Act requests.

Code of Federal Regulations, 2013 CFR

2013-10-01

... Declassification of National Security Information § 0.506 FOIA and Privacy Act requests. Requests for... 47 Telecommunication 1 2013-10-01 2013-10-01 false FOIA and Privacy Act requests. 0.506 Section 0....461), of the Privacy Act of 1974, (See § 0.554) shall be processed in accordance with the provisions...

47 CFR 0.506 - FOIA and Privacy Act requests.

Code of Federal Regulations, 2011 CFR

2011-10-01

... Declassification of National Security Information § 0.506 FOIA and Privacy Act requests. Requests for... 47 Telecommunication 1 2011-10-01 2011-10-01 false FOIA and Privacy Act requests. 0.506 Section 0....461), of the Privacy Act of 1974, (See § 0.554) shall be processed in accordance with the provisions...

47 CFR 0.506 - FOIA and Privacy Act requests.

Code of Federal Regulations, 2012 CFR

2012-10-01

... Declassification of National Security Information § 0.506 FOIA and Privacy Act requests. Requests for... 47 Telecommunication 1 2012-10-01 2012-10-01 false FOIA and Privacy Act requests. 0.506 Section 0....461), of the Privacy Act of 1974, (See § 0.554) shall be processed in accordance with the provisions...

6 CFR 5.34 - Standards of conduct for administration of the Privacy Act.

Code of Federal Regulations, 2010 CFR

2010-01-01

... 6 Domestic Security 1 2010-01-01 2010-01-01 false Standards of conduct for administration of the Privacy Act. 5.34 Section 5.34 Domestic Security DEPARTMENT OF HOMELAND SECURITY, OFFICE OF THE SECRETARY DISCLOSURE OF RECORDS AND INFORMATION Privacy Act § 5.34 Standards of conduct for administration of the...

Achieving Privacy in a Federated Identity Management System

NASA Astrophysics Data System (ADS)

Landau, Susan; Le van Gong, Hubert; Wilton, Robin

Federated identity management allows a user to efficiently authenticate and use identity information from data distributed across multiple domains. The sharing of data across domains blurs security boundaries and potentially creates privacy risks. We examine privacy risks and fundamental privacy protections of federated identity- management systems. The protections include minimal disclosure and providing PII only on a “need-to-know” basis. We then look at the Liberty Alliance system and analyze previous privacy critiques of that system. We show how law and policy provide privacy protections in federated identity-management systems, and that privacy threats are best handled using a combination of technology and law/policy tools.

45 CFR 164.520 - Notice of privacy practices for protected health information.

Code of Federal Regulations, 2014 CFR

2014-10-01

... DATA STANDARDS AND RELATED REQUIREMENTS SECURITY AND PRIVACY Privacy of Individually Identifiable Health Information § 164.520 Notice of privacy practices for protected health information. (a) Standard... 45 Public Welfare 1 2014-10-01 2014-10-01 false Notice of privacy practices for protected health...

46 CFR 14.105 - Disclosure and privacy.

Code of Federal Regulations, 2014 CFR

2014-10-01

... 46 Shipping 1 2014-10-01 2014-10-01 false Disclosure and privacy. 14.105 Section 14.105 Shipping COAST GUARD, DEPARTMENT OF HOMELAND SECURITY MERCHANT MARINE OFFICERS AND SEAMEN SHIPMENT AND DISCHARGE OF MERCHANT MARINERS General § 14.105 Disclosure and privacy. The Coast Guard makes information...

46 CFR 14.105 - Disclosure and privacy.

Code of Federal Regulations, 2013 CFR

2013-10-01

... 46 Shipping 1 2013-10-01 2013-10-01 false Disclosure and privacy. 14.105 Section 14.105 Shipping COAST GUARD, DEPARTMENT OF HOMELAND SECURITY MERCHANT MARINE OFFICERS AND SEAMEN SHIPMENT AND DISCHARGE OF MERCHANT MARINERS General § 14.105 Disclosure and privacy. The Coast Guard makes information...

46 CFR 14.105 - Disclosure and privacy.

Code of Federal Regulations, 2012 CFR