Abstract
The shift to a networked world, made possible by the explosive growth of broadband services available not only to organizations but also to individuals, allows much better use to be made of health information, but it also exposes that same information to a variety of threats that would not otherwise exist. If not appropriately countered, these threats may seriously affect the security of health information and the privacy of the individuals it describes. Security and privacy technologies have grown tremendously over the past twenty years and remain a field of intensive research, yielding an extensive arsenal of technological solutions to a variety of security problems. Nevertheless, healthcare organizations regularly suffer information security breaches, because security is more than erecting physical and electronic barriers: those barriers are practically useless without an information security management system in place. This chapter presents a manager's roadmap for securing the electronic medical record.
© 2013 Springer Science+Business Media New York
Katsikas, S.K. (2013). Security of the Electronic Medical Record. In: Furht, B., Agarwal, A. (eds) Handbook of Medical and Healthcare Technologies. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-8495-0_18
DOI: https://doi.org/10.1007/978-1-4614-8495-0_18
Publisher Name: Springer, New York, NY
Print ISBN: 978-1-4614-8494-3
Online ISBN: 978-1-4614-8495-0
eBook Packages: Computer Science