Health Information Conference Tbilisi, Georgia May 27 - PowerPoint PPT Presentation

About This Presentation
Title:

Health Information Conference Tbilisi, Georgia May 27

Description:

Health Information Conference. Tbilisi, Georgia. May 27 & 28 2003. Privacy and Confidentiality ... Limited sharing of data across the health sector high level ... – PowerPoint PPT presentation

Slides: 16
Provided by: HCEmp3

Transcript and Presenter's Notes



1
Health Information Conference, Tbilisi, Georgia, May 27 & 28 2003
Privacy and Confidentiality
Layton Engwer
2
Privacy and Confidentiality
  • Ensuring access to data by only authorized people
    for appropriate purposes
  • Personally identified data
  • Aggregated data

3
Privacy and Confidentiality
  • Who is authorized?
  • Providers
  • Researchers
  • Administrative staff
  • Local/regional/ministry staff
  • How are they authorized?
  • Governance
  • Compliance

4
Current Status?
  • Limited sharing of data across the health sector,
    high level of specialization
  • No means of consolidating personal information
    easily
  • Is paper considered secure?

5
Global Principles of Fair Information Practices
  • Anyone collecting personal information must
    explain the purpose of collecting it and obtain
    the individual's consent
  • Collect personal information that is reasonable
    and use it only for the purpose for which it was
    collected (a health issue).

6
Global Principles of Fair Information Practices
  • They cannot disclose this information to anyone
    else without consent (a health issue).
  • They must allow individuals to have access to
    their own personal information and ability to
    correct any inaccuracies.

7
Global Principles of Fair Information Practices
  • Health issues
  • Use information for its original purpose
  • Information affects family members/community?
  • HIV partner notification
  • Information affects the safety of others?
  • Surveillance
  • Disclosure
  • Patient referral process
  • Consider consistent purpose

8
Confidentiality, Privacy and Security
  • ISO standard 17799: a broad-based security
    standard
  • Describes info security
  • Why it is needed
  • How to assess requirements
  • How to assess risks

9
10 Key areas
  • Business continuity
  • Counteract interruptions in service
  • Lifecycle management (from creation to final
    destruction)
  • Access control
  • Control access to information
  • Prevent and detect unauthorized access to
    information and/or systems and networks
  • Ensure protection of networks
  • Ensure security in a wireless environment

10
10 Key areas
  • System development and maintenance
  • Ensure security built into systems and processes
  • To prevent unauthorized loss/modification of data
  • Develop adequate authenticity and integrity of data
  • IT support activities conducted in a secure
    manner
  • Maintain the security of the software and data
  • Physical and environmental security
  • Prevent unauthorized access to physical premises
  • Prevent loss or damage to assets
  • Protect against the theft of information or
    information processing assets

11
10 Key areas
  • Compliance
  • Avoid unauthorized access/release of personal
    information
  • Ensure compliance with policies, standards and
    procedures
  • Continuous monitoring
  • Personnel security
  • Minimize the risk of human error, theft, fraud
  • Awareness of privacy and security policies
  • Learn from problems and/or errors

12
10 Key areas
  • Security organization
  • Maintain security of information and assets when
    used by 3rd parties
  • Computer operations and management
  • Ensure correct and secure operations
  • Minimize risk of system failures
  • Protect integrity of software and information
  • Safeguard networks and infrastructure

13
10 Key areas
  • Asset classification and control
  • Ensure appropriate security level applied to
    information
  • Security policy
  • It exists
  • Provides management direction and support for
    privacy and security
  • Ethics of enforcement
  • Email and internet access monitoring

14
Privacy and Confidentiality Conclusion
  • An HIS will bring these sleeping issues to the
    fore
  • Governance and management processes have to be
    put in place
  • Unique opportunity to plan for what is coming
  • A standard exists

15
Privacy and Confidentiality Working groups
  • What confidentiality/privacy standards would you
    anticipate and does existing legislation support
    them?
  • How would you identify and manage the public's
    expectations around these issues?