病历资讯安全课件

按一下以編輯母片標題樣式,按一下以編輯母片文字樣式,第二層,第三層,第四層,第五層,*,*,病歷資訊安全,王大為,中研院資訊所,病歷資訊安全王大為,大綱,資訊安全簡介,CNS17799,HIPAA Security Rule,Privacy issues,Common sense information security,Conclusion,大綱資訊安全簡介,資訊安全,目標：保障資訊資產之,Availability,Integrity,Confidentiality,資訊安全目標：保障資訊資產之,資訊時代,Gigabytes,彈指間複製完成,Gigabytes,轉瞬間傳送千里,Gigabytes,談笑間分析處理完畢,付出少收益大-有經濟誘因,資訊時代Gigabytes 彈指間複製完成,資安管理標準,CNS17799:,資訊安全管理之作業要點,安全政策 組織,資產管理 風險評鑑管理,人力資源安全,實體與環境安全,通訊與作業管理,存取控制,資訊安全事故管理 營運持續管理,資安管理標準CNS17799:資訊安全管理之作業要點,HIPAA-Security rule,Proposed security rule published Aug.12 1998,2350 public comments received,Final rule published Feb 20 2003,Standard for digital signatures not included in the final rule,HIPAA-Security ruleProposed se,Three basic concepts,The standard should be coordinated to address all aspects of security,It should be scalable so that it can be implemented by all covered entities,It should not linked to specific technologies,Three basic conceptsThe standa,General,General requirement:“reasonably anticipated”,Flexibility of approach:find security measures fit you,Standards,Implementation Specifications,Maintenance:Security measures implemented must be reviewed and modified as needed,GeneralGeneral requirement:“r,Standards,Standards:3 categories 18 items,Administrative safeguards,Physical Safeguards,Technical Safeguards,StandardsStandards:3 categorie,Administrative Safeguards,Security Management Process,Assigned Security Responsibility,Workforce Security,Information Access Management,Security Awareness and Training,Security Incident Procedures,Contingency Plan,Evaluation,Business Associate Contracts and Other arrangement,Administrative SafeguardsSecur,Physical Safeguards,Facility Access Controls,Workstation Use,Workstation Security,Device and Media Controls,Physical SafeguardsFacility Ac,Technical Safeguards,Access Control,Audit Controls,Integrity,Person or Entity Authentication,Transmission Security,Technical SafeguardsAccess Con,Implementation Specification,Required,Addressable,Addressable implementation specification,If implement it is not reasonable and appropriate,Document why it is not reasonable and appropriate,Implement an equivalent alternative measure,病历资讯安全课件,病歷資訊安全,Availability,最重要，但大多數醫療院所已經有備份，有些也已經有備援,Integrity,與病患安全有關，現況我不瞭解,Confidentiality,爭議最大，討論重點,病歷資訊安全Availability 最重要，但大多數醫療院,隱私立法各國現況,兩種形式:一般性的隱私保護（如我國的個資法）為醫療資訊訂定隱私保護法,有法令特別為保護醫療資訊隱私的國家捷克,Czech Republic,丹麥 匈牙利 日本（審理中）立陶宛 盧森堡 荷蘭 紐西蘭 瑞士 土耳其 美國 英國,美國的HIPAA(Health Insurance Portability and Accountability Act),隱私立法各國現況兩種形式:一般性的隱私保護（如我國的個資法,隱私規範主要的概念：,治療、給付或醫療運作目的時，須有當事人的同意（,consent）,非治療、給付或醫療運作目的時，須有當事人的授權（,authorization）,限制在必要範圍（,Minimum Necessary）,內,合約限制業務伙伴（,Business Associates）,製作除去辨識欄位資訊的機制（,Mechanism for De-identifying information）,個人的權利（,Individual Rights）,隱私規範主要的概念：,同意與授權之比較,同意,1.有治療、給付或醫療運作,目的（例外情況：緊急或,其他法律要求）,2.可以就比較廣泛的情形給予同意（,general terms）,。,3.得以同意書之提供與否作,為治療或加入健康計劃資,格的條件。,授權,1.適用於非治療、給付或醫療目的的情形。,2.以針對特定狀況來給予授權（,specific terms）,。,3.不得以授權書之提供與否,作為治療、給付或加入健,康計劃資格的條件。,同意與授權之比較同意授權,學術研究目的（,Research Purpose）,研究計劃書經,IRB（Institutional Review Board）,或隱私權委員會（,Privacy Board）,審核通過准許免除當事人授權時，,covered entity,才能在不經當事人授權下，對該計劃的研究人員揭露個人醫療資訊。,De-identification:,處理資料使得個人身份無法被辨識出來的過程,學術研究目的（Research Purpose）,Use your common sense to deal with information security problem,Why do you need information security,What are the valuables,How to do it,Use your common sense to deal,Daily security decision,Dont talk to strangers,Dont walk alone in a dark alley,Dont hand your ATM card to anyone,Do lock your door,Put valuable to a safety box,Buy insurance,Dont put all eggs in one basket,Daily security decisionDont t,Why and What,Information security goals,to maintain data,Availability,Integrity,Confidentiality,What are the valuable information assets?,What are the threats?,How much will security incidents cost you?,Whats the odd an incident occurs?,Why and WhatInformation securi,High cost,very low probability:insurance.,Fire insurance,High cost,high probability:do something to reduce the cost and/or the probability,Low cost,high probability:do a cost-benefit analysis,Low cost,lost probability:whats the problem?,High cost,very low probabilit,How,How do you secure your home or office?,How do you build a building?,How do you know your lift is safe?,How do you fight against bacteria/virus?,。,Working with the experts,HowHow do you secure your home,Technical Jargons,If there is no common sense explanation,then either the person does not know it well enough or the technology is not mature.,Second opinions,Technical JargonsIf there is n,Important clich,Information security is a process not a product,70%of the incidents caused by insiders,if not 80%,You wont get a medal for a good security job,and you dont want to be famous,Security is about balance not optimization,Cost-benefit,risk-convenience,Important clich Information s,Summary,Common sense can go a long way,Diving into the ocean of technical jargons can be dangerous,Ask professionals,and ask twice,SummaryCommon sense can go a l,Conclusion,資訊時代是個刺激但又充滿了