Institute: ONC | Component: 2 | Unit: 9 | Lecture: b | Slide: 14
Institute: Office of National Coordinator (ONC) Workforce Training Curriculum
Component: The Culture of Health Care
Unit: Privacy, Confidentiality, and Security
Lecture: Tools for protecting privacy and confidentiality
Slide content: For the Record Best Practices (Committee on Maintaining Privacy and Security, 1997)

Organizational
- Information & security governance
- Confidentiality and security policies and committees
- Education and training programs
- Sanctions
- Patient access to audit trails
- Management dashboards
- Risk management and compliance

Technical
- Authentication of users
- Audit trails
- Physical security and disaster recovery
- Protection of remote access points and external communications
- Software discipline
- Ongoing system vulnerability assessment
- Infrastructure management
Slide notes: The For the Record report lists a number of best practices, divided into organizational and technical practices. In addition, other best practices for protecting information have emerged in the industry. This slide identifies just a few areas, divided into organizational and technical.

Organizational practices encompass overall information and security governance for the organization. This includes policies and procedures regarding security, privacy, and confidentiality; education and training programs; and the all-important sanctions, which ensure that when an individual is caught breaching security, he or she faces appropriate penalties. Patients also need to be given access to the audit trail so they can see who has accessed their record and then determine whether that access was appropriate. Management dashboards are tools for oversight of the organization's performance. Privacy and security must be included in the organization's risk management program, which includes overall compliance management of regulations and laws. Risk management is involved in ongoing risk (vulnerability) assessments, event disaster planning and recovery processes, as well as remediation and mitigation.

Technical best practices include securing information access, such as with user authentication, audit trails, identity management, and activity monitoring. Protecting the data assets encompasses cloud management; protection of third-party outsourced suppliers; security of data warehouses, repositories, databases, and storage; and end-point device protection, including all mobile devices. Infrastructure management includes physical security management, security analytics, and infrastructure protection.