Institute: ONC | Component: 2 | Unit: 9 | Lecture: a | Slide: 13
Institute:Office of National Coordinator (ONC) Workforce Training Curriculum
Component:The Culture of Health Care
Unit:Privacy, Confidentiality, and Security
Lecture:Definitions of privacy, confidentiality, and security
Slide content:Some Technologies Can Worsen the Problem
- USB (thumb) drives run programs when plugged into USB port; can be modified to extract data from computer (Wright & Sittig, 2007a, 2007b)
- Personal health records, other systems, may lack encryption and be easily compromised
- 10% of hard drives sold by a second-hand retailer in Canada had remnants of personal health information (El Emam, Neri, & Jonker, 2007)
- Peer-to-peer (P2P) file sharing: 0.5% of all U.S. IP addresses have PHI (El Emam et al., 2010)
- Digital photocopiers store all copies made (Keteyian, 2010); scanners may also store copies
- Restrict physical access where possible, always encrypt!
Slide notes:And, of course, technology itself can worsen the problem. A widely cited study by Wright looked at the USB drives (sometimes called thumb drives) commonly plugged into computers. These drives run a program that enables their use when they are plugged in, and that program can be modified to extract data from the computer. So if that computer has personal health information on it, the thumb drive can basically copy it from the computer. Some personal health record systems and other consumer-targeted health applications may or may not have encryption functionality and could be easily compromised. Another interesting analysis found that ten percent of hard drives sold by second-hand retailers in Canada had remnants of personal health information on them. Often, when computers are disposed of, the hard drives are not completely wiped clean, potentially providing access to personal information for the next user if that user knows how to extract it. This applies to both patient and consumer mobile devices and computers, as well as equipment owned by health care organizations. Also of note is that PHI can be discovered in files available from peer-to-peer (P2P, pee-two-pee) file-sharing networks. One analysis found that half of one percent of all IP addresses on the Internet in the United States have discoverable PHI. Finally, another technology that can store PHI is the digital photocopier, which stores all copies on an internal hard disk. If this information is compromised, PHI can potentially be leaked. Fax machines and scanners may also store data that can include PHI. A rule of thumb is to restrict physical access when possible and always encrypt. Physical access includes access to hardware devices but also to the physical area where computers, servers, and network equipment are housed.