Friday, August 14, 2009


Soon, I will be working on a Medical Data Security Model.


In August 1998, the United States Department of Health and Human Services (HHS) published the Security and Electronic Signature Standards; Proposed Rule (Security Rule). The Security Rule covers all healthcare information that is electronically maintained or used in electronic transmissions. It is defined by HHS as a set of requirements with implementation features that providers, plans, and clearinghouses must include in their operations to assure that electronic health information remains secure[1].

The Security Rule is merely a set of common best practices that is intended to be comprehensive, technology neutral, and scalable for different-sized organizations. It is a high-level information security framework that documents what needs to be done to secure healthcare information systems. At the same time, and much to widespread chagrin, the Security Rule is not a set of how-to instructions outlining the exact steps for securing healthcare information systems[1].

To ensure the confidentiality, integrity and accessibility of healthcare information, the Security Rule outlines various technologies and policies that must be implemented[1].

The policies and procedures for technology-based systems include:

• Logical access controls
• Physical access controls
• User authentication controls
• Authorization controls
• Audit controls
• Data encryption mechanisms[1]

General medical security models fall short of what is needed. From the policies and from the environment where the information is kept, the requirements for the security model can be deduced:

1) Attribute- and credential-based authorization
2) Content-dependent authorization
3) Context-dependent access modes
4) Delegation of rights
5) Administration of security
6) Temporal restrictions
7) Need for coordinated authentication and encryption
8) Consideration of web standards
9) Consideration of different architectural levels
10) Compliance with laws protecting security and privacy of health care information
11) Explicit audit[3]

It is clear that no single model can satisfy all these requirements. Several related models at different abstraction levels are therefore needed to cover all the requirements.[3]


[1] Kevin Beaver, Healthcare Information System, Second Edition, United States of America: Auerbach, 2003, pp. 173-180.
[2] E. Supriyanto, S. C. Seow, “Java Based Automatic Curriculum Generator for Children Trisomy 21”, WASET, vol. 32, pp. 237-249, 2007.
[3] Eduardo B. Fernandez, María M. Larrondo Petrie, and Tami Sorgente, “Security Models for Medical and Genetic Information”, 2004.
