of 24

Clinical Information System Security Policy

Published on June 2016 | Categories: Documents | Downloads: 6 | Comments: 0



CSC 662 Computer Security

 The patient’s information is the most important data for

clinical affairs.
 ACH95 (Keeping Information Confidential)
 “Doctors and other clinical professionals are worried

that making personal health information more widely available may endanger patient confidentiality”

Scope of the policy
 Clinician
 Patient  System

 Clinician (licensed professional such as a doctor, nurse,

dentist physiotherapist or pharmacist) who has access in the line of duty to personal health information and is

bound by a professional obligation of confidentiality.
 Social workers, students, charity workers and receptionists

may access personal health information under the supervision of a healthcare professional (but the professional remains responsible for their conduct)

 Patient (the individual’s concerned or the individual’s

 The rules may depend on the wishes of the patient  If the patient is a child, parent or guardian of a child will be

acts on his behalf

 System(hardware, software, communications and manual

procedures which make up a connected information processing system)

Threats and Vulnerabilities
 The ethical basis of clinical confidentiality
 In GMC (General Medical Council) booklet,

“Confidentiality” state that doctors who record of

confidential information must ensure that it is
effectively protected against improper disclosure
 The basic ethical principle, state Confidentiality is the

privilege of the patient, so only he way waive it and the consent must be informed, voluntary and competent

Threats and Vulnerabilities
 The ethical basis of clinical confidentiality
 for example, patients must be made aware that

information may be shared between members of a care

team, such as a general practice or a hospital
 There is the issue of the patient's consent to have his

record kept on a computer system at all. It is unethical to discriminate against a patient who demands that his

records be kept on paper instead

Threats and Vulnerabilities
 Other security requirements for clinical information
 we also concerned with its integrity and availability  If information is corrupted, clinicians may take incorrect

decisions which harm or even kill patients.
 If information is unreliable, in the sense that it could

have been corrupted then its value as a basis for clinical
decisions is decrease

Threats and Vulnerabilities
 Threats to clinical confidentiality
 Experience shows that the main new threat comes from

 Eg : most of the big UK banks now let any teller access

any customer's account (private detectives bribe tellers to get account information)

Threats and Vulnerabilities
 Threats to clinical confidentiality
 security depends on the fragmentation and scattering

inherent in manual record systems, and these systems

are already vulnerable to private detectives ringing up
and pretending to be from another healthcare provider.

Threats and Vulnerabilities
 Other security threats to clinical information
 Hardware failures occasionally corrupt messages  Higher error rates could result from the spreading

practice of sending lab results as unstructured email
 Viruses have already destroyed clinical information, and

a virus could conceivably be written to make malicious alterations to records
 A malicious attacker might also manipulate messages

Security Policy
 Principle 1 : Access control
 Each identifiable clinical record shall be marked with an

access control list naming the people or groups of

people who may read it and append data to it
 The system shall prevent anyone not on the access

control list from accessing the record in any way

Security Policy
 Principle 2 : Record opening
 A clinician may open a record with herself and the

patient on the access control list
 Where a patient has been refer, she may open a record

with herself, the patient and the referring clinician on the access control list

Security Policy
 Principle 3 : Control
 One of the clinicians on the access control list must be

marked as being responsible.
 Only she may alter the access control list, and she may

only add other health care professionals to it

Security Policy
 Principle 4 : Consent and notification
 The responsible clinician must notify the patient of the

names on his record's access control list when it is

opened, of all subsequent additions, and whenever
responsibility is transferred.
 His consent must also be obtained, except in emergency


Security Policy
 Principle 5 : Persistence
 No-one shall have the ability to delete clinical

information until the appropriate time period has


Security Policy
 Principle 6 : Attribution
 All accesses to clinical records shall be marked on the

record with the subject's name, as well as the date and

 An audit trail must also be kept of all deletions

Security Policy
 Principle 7 : Information flow
 Information derived from record A may be appended to

record B if and only if B's access control list is contained

in A's

Security Policy
 Principle 8 : Aggregation control
 There shall be effective measures to prevent the

aggregation of personal health information

Security Policy
 Principle 9 : The Trusted Computing Base
 Computer systems that handle personal health

information shall have a subsystem that enforces the above principles in an effective way
 Its effectiveness shall be subject to evaluation by

independent experts

 Based on the experience, we can conclude that the threats

to the confidentiality, integrity and availability of personal health information enforced the medical sector to developed a Clinical Information System that can give the high level protection to patient’s data.
 Clinicians making decisions must be compliance with CISS


 Nowadays, there is a lot of Clinical Information System but

still have a weakness that can cause the data of patient’s spread
 So we need to enhance the already system so that we can

keep the data as confidentiality

 Reference:  Dr Rose, J. A., (1996). Security in Clinical Information System. Computer Laboratory University of Cambridge.


Sponsor Documents

Or use your account on DocShare.tips


Forgot your password?

Or register your new account on DocShare.tips


Lost your password? Please enter your email address. You will receive a link to create a new password.

Back to log-in