Patient Information Security


Patient Information Security: An overview of practice and procedure
UK CAB Meeting, 13th April 2012
Nathan Lea, Senior Research Associate, CHIME, UCL

Overview - Questions that have been asked
- What happens to information collected about me, who has access to it and how is it used?
- How is it protected?
- Further information

Background: What happens to information collected about me, who has access to it and how is it used?
- Information is collected about you to provide care services and support care decisions; this includes demographic information, lab results and co-morbidities.
- De-identified clinical information is valuable for research.
- It also informs population health surveillance (including condition prevalence), healthcare policy and strategy, and the commissioning of services.

How is information protected?
A core principle across both clinical care and secondary use environments. This involves:
- Development of an Information Security Policy
- Risk Assessment and Analyses
- Applying protection mechanisms in practice

Information Security Policy
- Defines management and user responsibilities
- Guidelines on how to handle information securely (based upon mitigation strategies)
- The most highly regarded international standards are the ISO 27000 Series
- Several guideline documents offer additional guidance within the NHS
- Information Commissioner's Office - data sharing agreements

What do policies contain?
1. Introduction and Background: details of the organisation handling the information
2. Organisations, Members, Service Providers and Resources involved with the project (plus details of any data sharing agreements)
3. Risk Assessment and Analysis
4. Activities and Stipulations for Securing Asset Use

3. Risk Assessment and Analysis
- Identification of information assets (records, databases, servers, disks etc.)
- Vulnerabilities: weaknesses of the assets exposed when they are used (portability, accessibility, value...)
- Threats: aspects that can exploit a vulnerability to attack an asset
- Risk assessment: the likelihood that a threat exploits a vulnerability, weighed against the potential impact...
- Defines a mitigation strategy to protect resources

Assets, Threats, Vulnerabilities and Mitigation (diagram; only the labels survive)
- Contexts: Public Health / Health Protection Agency; NHS Care Provision; Research
- Assets: Records, databases, servers; Backup
- Threats: Theft of hardware/storage media; Credentials from privileged users; Worms/viruses; Accidental disclosure; External attackers (hacker, privacy advocate, media)
- Mitigations: De-identification; Encryption; Authentication; Antivirus; Firewall; Training; Trust; Authorisation
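The risk assessment method and the asset/threat/mitigation mapping above, worked through as a small risk register. This is an added example, not material from the presentation: likelihood and impact are scored 1 to 5, risk is their product, and each mitigation from the diagram is assumed to reduce likelihood, impact or both by an illustrative amount so that inherent and residual risk can be compared.

```python
"""Constructed risk register for the presentation's assets and threats.

Scores and mitigation effects are illustrative assumptions; a real
organisation would take them from its own risk assessment.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    mitigations: list = field(default_factory=list)


# Mitigation -> (likelihood reduction, impact reduction). Assumed values:
# encryption and de-identification limit what a loss reveals (impact),
# the others make the event less likely to happen.
MITIGATION_EFFECT = {
    "Encryption": (0, 3),
    "De-identification": (0, 2),
    "Authentication": (2, 0),
    "Authorisation": (1, 1),
    "Antivirus": (2, 0),
    "Firewall": (1, 0),
    "Training": (2, 0),
}


def inherent_score(r: Risk) -> int:
    """Risk before any mitigation: likelihood x impact."""
    return r.likelihood * r.impact


def residual_score(r: Risk) -> int:
    """Risk after the listed mitigations; neither factor drops below 1."""
    dl = sum(MITIGATION_EFFECT[m][0] for m in r.mitigations)
    di = sum(MITIGATION_EFFECT[m][1] for m in r.mitigations)
    return max(1, r.likelihood - dl) * max(1, r.impact - di)


def prioritise(register):
    """(asset, threat, inherent, residual) rows, highest residual risk first."""
    rows = [(r.asset, r.threat, inherent_score(r), residual_score(r)) for r in register]
    return sorted(rows, key=lambda row: row[3], reverse=True)


REGISTER = [  # constructed entries using the assets and threats from the diagram
    Risk("Backup media", "Theft of hardware/storage media", "portability", 3, 5, ["Encryption"]),
    Risk("Records database", "External attackers", "accessibility", 3, 5, ["Firewall", "Authentication"]),
    Risk("Records database", "Credentials from privileged users", "value", 2, 5, ["Authorisation", "Training"]),
    Risk("Research extract", "Accidental disclosure", "value, copies circulate", 4, 4, ["De-identification", "Training"]),
    Risk("Clinical workstation", "Worms/viruses", "accessibility", 4, 3, ["Antivirus", "Firewall"]),
]
```

Note how the ranking changes: the research extract carries the highest inherent risk (16) but drops to 4 once de-identification and training are applied, while the backup media stays at the top because encryption reduces the impact of theft but does nothing to its likelihood.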

Other policy details and security management
- It is important to use forums within an organisation to develop policy (Information Security Management Forum)
- User engagement: ensuring that users know what is in a policy and are engaged
- Management is committed
- Making sure good training is available
- Reducing the chance that information assets are compromised is key
- Frequently reviewed and updated security procedures and policy management help make it far less likely that information is compromised

Further thoughts - the nature of Security...
- Requirements change and evolve: new technology, more detailed information, more readily available
- Other bodies decide whether information should be shared: Ethics Committees, National Information Governance Board (NIGB)

Further Information
- NHS Connecting for Health (CfH) - http://www.connectingforhealth.nhs.uk/
- Care Record Guarantee - http://www.nigb.nhs.uk/pubs/nhscrg.pdf
- NRES - http://www.nres.nhs.uk/
- NIGB - http://www.nigb.nhs.uk/
- ICO - http://www.ico.gov.uk/
- ISO 27000 Series - Introduction - http://www.27000.org/index.htm and Wikipedia link http://en.wikipedia.org/wiki/iso/iec_27000

Thank you!
Nathan Lea, n.lea@ucl.ac.uk, www.ucl.ac.uk/chime/people/lean