病历资讯安全课件.ppt (Medical Record Information Security lecture slides)

Uploaded by (seller): 晟晟文业   Document ID: 3826405   Uploaded: 2022-10-16   Format: PPT   Pages: 27   Size: 77.58KB

Medical Record Information Security
Da-Wei Wang (王大為), Institute of Information Science, Academia Sinica

Outline
- Introduction to information security
- CNS17799
- HIPAA Security Rule
- Privacy issues
- Common sense information security
- Conclusion

Information security
- Goal: protect the Availability, Integrity and Confidentiality of information assets

The information age
- Gigabytes are copied in the blink of an eye
- Gigabytes are sent thousands of miles in an instant
- Gigabytes are analyzed and processed in the time it takes to chat
- Little effort, large gain: there is an economic incentive

Information security management standard
- CNS17799: Code of practice for information security management
- Security policy
- Organization
- Asset management
- Risk assessment and management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information security incident management
- Business continuity management

HIPAA Security Rule
- Proposed security rule published Aug. 12, 1998
- 2350 public comments received
- Final rule published Feb. 20, 2003
- Standard for digital signatures not included in the final rule

Three basic concepts
- The standard should be coordinated to address all aspects of security
- It should be scalable so that it can be implemented by all covered entities
- It should not be linked to specific technologies

General
- General requirement: "reasonably anticipated"
- Flexibility of approach: find the security measures that fit you
- Standards
- Implementation Specifications
- Maintenance: security measures implemented must be reviewed and modified as needed

Standards
- Standards: 3 categories, 18 items
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards

Administrative Safeguards
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Evaluation
- Business Associate Contracts and Other Arrangements

Physical Safeguards
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls

Technical Safeguards
- Access Control
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security

Implementation Specifications
- Required
- Addressable
- Addressable implementation specification: if implementing it is not reasonable and appropriate, document why it is not reasonable and appropriate, and implement an equivalent alternative measure

Medical record information security
- Availability: the most important, but most healthcare institutions already have backups, and some already have redundancy
- Integrity: related to patient safety; I do not know the current state of affairs
- Confidentiality: the most contested, and the focus of this discussion

Privacy legislation in various countries
- Two forms: general privacy protection (such as our Personal Data Protection Act), or a privacy protection law written specifically for medical information
- Countries with laws specifically protecting the privacy of medical information: Czech Republic, Denmark, Hungary, Japan (under deliberation), Lithuania, Luxembourg, Netherlands, New Zealand, Switzerland, Turkey, United States, United Kingdom

Main concepts of the privacy rule in the US HIPAA (Health Insurance Portability and Accountability Act)
- For treatment, payment or health care operations, the individual's consent is required
- For purposes other than treatment, payment or health care operations, the individual's authorization is required
- Limited to the necessary scope (Minimum Necessary)
- Contractual restrictions on Business Associates
- A mechanism for de-identifying information
- Individual Rights

Comparison of consent and authorization
Consent
1. For treatment, payment or health care operations (exceptions: emergencies or other legal requirements)
2. May be given for fairly broad situations (general terms)
3. Providing the consent form may be made a condition of treatment or of eligibility to enroll in a health plan
Authorization
1. Applies to purposes other than treatment, payment or health care operations
2. Given for a specific situation (specific terms)
3. Providing the authorization form may not be made a condition of treatment, payment or eligibility to enroll in a health plan

Research purpose
- Only when the research protocol has been reviewed and approved by an IRB (Institutional Review Board) or a Privacy Board, and a waiver of the individual's authorization has been granted, may the covered entity disclose individual health information to the researchers on that protocol without the individual's authorization
- De-identification: the process of transforming data so that the individual's identity cannot be recognized

Use your common sense to deal with information security problems
- Why do you need information security?
- What are the valuables?
- How to do it?

Daily security decisions
- Don't talk to strangers
- Don't walk alone in a dark alley
- Don't hand your ATM card to anyone
- Do lock your door
- Put valuables in a safety box
- Buy insurance
- Don't put all your eggs in one basket

Why and what
- Information security goals: to maintain data Availability, Integrity, Confidentiality
- What are the valuable information assets?
- What are the threats?
- How much will security incidents cost you?
- What are the odds that an incident occurs?
- High cost, very low probability: insurance (fire insurance)
- High cost, high probability: do something to reduce the cost and/or the probability
- Low cost, high probability: do a cost-benefit analysis
- Low cost, low probability: what's the problem?

How
- How do you secure your home or office?
- How do you build a building?
- How do you know your lift is safe?
- How do you fight against bacteria/viruses?
- Work with the experts

Technical jargon
- If there is no common sense explanation, then either the person does not know it well enough or the technology is not mature
- Second opinions

Important clichés
- Information security is a process, not a product
- 70% of incidents are caused by insiders, if not 80%
- You won't get a medal for a good security job, and you don't want to be famous
- Security is about balance, not optimization: cost-benefit, risk-convenience

Summary
- Common sense can go a long way
- Diving into the ocean of technical jargon can be dangerous
- Ask professionals, and ask twice

Conclusion
- The information age is an exciting era, but one full of danger
- The turn from old to new will accelerate turnover
- At the same time it is full of new opportunities
- Combining information security with medical-records expertise should find a niche
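The slides name a "mechanism for de-identifying information" and define de-identification as transforming data so that the individual cannot be recognized, but show no concrete procedure. The following is an added example, written for this page and not taken from the slides or from any HIPAA text: it drops direct identifiers, replaces the patient ID with a keyed pseudonym so that one patient's records still link together inside a study, generalizes quasi-identifiers (date to year, postal code to its prefix), and then measures the smallest group of records sharing the same quasi-identifier values, the k of k-anonymity, to check how identifying the remaining fields still are. The field names, the generalization rules, the sample records and the key are all constructed assumptions for the example.

```python
"""Added illustration of de-identification (not from the slides): strip direct
identifiers, pseudonymize the patient ID with a keyed hash, generalize
quasi-identifiers, then measure the smallest quasi-identifier group (k).
Field classes, rules, key and sample records are constructed for this example."""
import hashlib
import hmac
from collections import Counter

# Constructed field classes (an assumption for this example, not a statutory list).
DIRECT_IDENTIFIERS = {"name", "phone", "email", "address"}
DATE_FIELDS = {"birth_date", "visit_date"}
QUASI_IDENTIFIERS = ("birth_date", "zip", "sex")

# Constructed sample records; P001 has two visits.
SAMPLE_RECORDS = [
    {"patient_id": "P001", "name": "Alice Chen", "phone": "02-1234-5678",
     "birth_date": "1980-05-17", "zip": "10041", "sex": "F",
     "visit_date": "2022-09-30", "diagnosis": "hypertension"},
    {"patient_id": "P001", "name": "Alice Chen", "phone": "02-1234-5678",
     "birth_date": "1980-05-17", "zip": "10041", "sex": "F",
     "visit_date": "2022-10-14", "diagnosis": "hypertension"},
    {"patient_id": "P002", "name": "Bob Lin", "phone": "02-8765-4321",
     "birth_date": "1980-11-02", "zip": "10052", "sex": "M",
     "visit_date": "2022-10-01", "diagnosis": "diabetes"},
]


def pseudonymize(patient_id: str, key: bytes) -> str:
    """Keyed hash: the same patient maps to the same token across records, but
    the original ID cannot be recovered without the key, which stays with the
    covered entity and is never handed to the researchers."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def generalize_date(date_str: str) -> str:
    """Keep only the year of a YYYY-MM-DD date."""
    return date_str[:4]


def truncate_zip(zip_code: str) -> str:
    """Keep the first three digits of a five-digit postal code."""
    return zip_code[:3] + "00"


def deidentify(record: dict, key: bytes) -> dict:
    """Return a copy of one record with identifiers removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # dropped outright
        if field == "patient_id":
            out["pseudonym"] = pseudonymize(value, key)
        elif field in DATE_FIELDS:
            out[field] = generalize_date(value)
        elif field == "zip":
            out[field] = truncate_zip(value)
        else:
            out[field] = value  # clinical content is kept as-is
    return out


def deidentify_all(records, key: bytes):
    return [deidentify(r, key) for r in records]


def min_group_size(records, quasi_ids=QUASI_IDENTIFIERS) -> int:
    """Smallest number of records sharing one combination of quasi-identifier
    values (the k in k-anonymity). A result of 1 means some record is unique on
    those fields and may still be re-identifiable by linking to other data."""
    counts = Counter(tuple(r.get(q) for q in quasi_ids) for r in records)
    return min(counts.values())


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed; a real key is generated and kept secret
    cleaned = deidentify_all(SAMPLE_RECORDS, demo_key)
    for rec in cleaned:
        print(rec)
    print("k =", min_group_size(cleaned))
```

The point of the last function is that dropping names is not the same as de-identifying: on these three records the remaining (birth year, postal prefix, sex) combination still singles out one record, so a release would need further generalization or suppression before the data can be treated as de-identified.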
