
MODULE: CLOUD COMPUTING AND HL7 IN HEALTHCARE SERVICES

(HIM750)

MODULE SESSION 8
CLOUD COMPUTING SECURITY ISSUES

COMPILED BY
SYEFIRA SALSABILA, S.GZ, MKM

UNIVERSITAS ESA UNGGUL

2020

Universitas Esa Unggul
http://esaunggul.ac.id 0/21
THEORY OF TRUST, SECURITY AND CONFIDENTIALITY IN HIE

A. Expected Learning Outcomes

After studying this module, students are expected to be able to:

1. Explain the theory of trust, security and confidentiality in HIE

B. Description and Examples

Information security is the preservation of the confidentiality, integrity and
availability of information.
"Information is an asset that, like other important business assets, has value to
an organization and consequently needs to be suitably protected." "... Whatever form
the information takes, or means by which it is shared or stored, it should always be
appropriately protected." ISO/IEC 27002:2007.
Privacy is the freedom to choose which information is shared, or not shared, with
other parties. For example, privacy is an individual's right not to disclose
information about themselves to others, such as not disclosing a genetic
predisposition to cancer on a job application. Legislatures may choose to enact
laws that prohibit compelled disclosure of information in order to protect
individual privacy.
Confidentiality is the obligation to keep secret the information entrusted to a
person. For example, a confidentiality obligation is imposed under the Health
Insurance Portability and Accountability Act (HIPAA), which prohibits covered-entity
healthcare providers from disclosing protected health information (PHI) to the
media without the patient's permission. Confidentiality obligations are often
mistaken for privacy obligations. For example, the HIPAA Privacy Rule would more
accurately be labelled a Confidentiality Rule, because it imposes on covered
entities an obligation not to disclose certain information (that is, to keep it
confidential).
Security is the combination of administrative, technical and physical safeguards
that ensures confidentiality and promotes privacy. Security consists of the
protections that prevent improper use and disclosure of information. For example,
strong passwords, encryption and door locks all represent security safeguards that
exist to keep information in the right hands.
Many states have enacted laws that are stricter than HIPAA with respect to several
categories of "sensitive data." Data considered sensitive under state law are often
mental and behavioural health data, communicable disease data, genetic information,
and sexually transmitted disease data.
HIPAA and federal law provide specific protections for psychotherapy notes (under
HIPAA) and for alcohol and drug addiction treatment data (under 42 CFR Part II).
Covered entities are (1) healthcare providers that conduct certain electronic
transactions (essentially, any healthcare provider that accepts insurance in any
form will be engaged in covered electronic transactions), (2) health plans, or (3)
healthcare clearinghouses (entities that convert health information into the
standard formats required by HIPAA).
A business associate is a person or entity (other than a member of the covered
entity's workforce) that creates, receives, maintains or transmits PHI for or on
behalf of a covered entity; essentially, a person or entity that performs a service
involving PHI for a covered entity. Examples of business associates include billing
companies, practice management companies, hosted EHR vendors and attorneys. Under
the HITECH Act, health information organizations (or HIEs) are specifically named as
business associates.
The Privacy Rule lists 18 specific identifiers that, when paired with some type of
health information, produce PHI. The identifiers are as follows:
a. Names (of the individual associated with the PHI; for treatment, payment or
healthcare operations; for public health activities)
b. All geographic subdivisions smaller than a state, including street address,
city, county, precinct, zip code and equivalent geocodes, except for the initial
three digits of a zip code if certain population requirements are met
c. All elements of dates (except year) for dates directly related to an individual,
including birth date, admission date, discharge date and date of death; and all
ages over 89 and all elements of dates (including year) indicative of such an age,
except that such ages and elements may be aggregated into a single category of age
90 or older
d. Telephone numbers
e. Fax numbers
f. Electronic mail addresses
g. Social security numbers
h. Medical record numbers
i. Health plan beneficiary numbers
j. Account numbers
k. Certificate/license numbers
l. Vehicle identifiers and serial numbers, including license plate numbers
m. Device identifiers and serial numbers
n. Web Universal Resource Locators (URLs)
o. Internet Protocol (IP) address numbers
p. Biometric identifiers, including fingerprints and voiceprints
q. Full-face photographic images and any comparable images
r. Any other unique identifying number, characteristic or code, except for certain
coding systems that allow the data to be re-identified
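The identifier list above is the basis of HIPAA's "Safe Harbor" de-identification, so the practical question for an engineer is what has to happen to a record before it may leave a covered entity without patient authorization. The Python below is an added example written for this module, not code from the page or from any HIPAA tooling; the record field names, the set of restricted three-digit zip prefixes and the sample record are constructed assumptions. It drops the direct identifiers (items a and d to q), generalizes geography (item b), dates and ages (item c), and scrubs identifier-shaped strings out of free-text notes, which is where PHI most often slips through a "structured" de-identification.

```python
import re
from datetime import date

# Field names holding direct identifiers (items a and d to q above).
# The names are an assumption for this constructed record layout.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric_id", "photo_ref",
}

# Three-digit zip prefixes that must be reported as 000 because the area's
# population is too small (item b). Placeholder set, not the census list.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Patterns for identifiers that leak into free text; applied in this order.
TEXT_PATTERNS = [
    ("[SSN]", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("[PHONE]", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
    ("[EMAIL]", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")),
    ("[IP]", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("[DATE]", re.compile(r"\b\d{4}-\d{2}-\d{2}\b")),
]


def generalize_zip(zip_code):
    """Item b: keep the first three digits, or 000 for restricted areas."""
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_date(iso_date):
    """Item c: keep only the year of a date tied to the individual."""
    return str(date.fromisoformat(iso_date).year)


def generalize_age(age):
    """Item c: ages of 90 and over collapse into one category."""
    return "90+" if age >= 90 else str(age)


def generalize_birth_date(iso_date, today_iso):
    """Item c: a birth year that reveals an age of 90 or more must go too."""
    born, today = date.fromisoformat(iso_date), date.fromisoformat(today_iso)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    return "90+" if age >= 90 else str(born.year)


def scrub_text(text):
    """Replace identifier-shaped substrings in free text with type labels."""
    for label, pattern in TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record, today_iso="2020-06-01"):
    """Return a Safe Harbor style copy of one patient record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # items a, d-q: remove outright
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "birth_date":
            out["birth_year"] = generalize_birth_date(value, today_iso)
        elif key.endswith("_date"):
            out[key[:-5] + "_year"] = generalize_date(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        elif key == "notes":
            out["notes"] = scrub_text(value)
        else:
            out[key] = value              # clinical content is kept as-is
    return out


# Constructed sample record; every value is made up for this example.
SAMPLE_RECORD = {
    "name": "Cathy Hess",
    "mrn": "MRN-0042",
    "ssn": "123-45-6789",
    "email": "cathy@example.org",
    "zip": "15201",
    "birth_date": "1928-03-14",
    "admission_date": "2020-05-03",
    "discharge_date": "2020-05-05",
    "diagnosis": "I25.10",
    "notes": "Call 555-123-4567 before 2020-05-10; sister-in-law at s.hess@example.org",
}

if __name__ == "__main__":
    for field, value in deidentify(SAMPLE_RECORD).items():
        print(f"{field}: {value}")
```

The free-text scrub is deliberately the weakest part: regular expressions catch formatted identifiers but not a name written in a sentence, which is why item r ("any other unique identifying characteristic") still needs a human or a trained model on clinical narrative.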

It is important to note the difference between "use" and "disclosure."
Use of PHI is the sharing, employment, application, utilization, examination or
analysis of such information within the entity that maintains the information.
Disclosure of PHI is the release, transfer, provision of access to, or divulging in
any manner of information outside the entity holding the information. Under the
Privacy Rule, the following are the main uses and disclosures of PHI permitted
without patient authorization: as required by law; and for certain research
activities for which a privacy board or institutional review board has waived the
authorization requirement.

Today no industry is free from obstacles, challenges, threats and disruptions (HTAG,
from the Indonesian hambatan, tantangan, ancaman, gangguan) to its computer network
systems. The use of ICT in healthcare improves the accessibility, quality and
continuity of healthcare services. Behind this, however, there are also threats to
the data that are exchanged and stored digitally. One of the biggest threats
concerns cybersecurity. Cybersecurity has become a crucial issue for many sectors,
including healthcare. Health data are among the most sensitive and critical
information, and their compromise can threaten the security and welfare of the
public.
Cyber threats in the healthcare industry are illustrated by leaks of patient EMR
data involving approximately 113 million patients in the United States; the most
common cause was hacking/skimming/phishing, and the number of incidents has risen
continuously since the beginning of 2013.
The healthcare industry is a primary target of cyber attacks. As the figure above
states, this is because health data have economic value, awareness is low, security
systems are adopted slowly, and regulation is limited.
There is also a global commitment to guarantee the security of health data: WHA
Resolution 58.28 of 2005 states that "all countries have integrated the use of
Information and Communication Technologies in their national health information
systems and health infrastructure". To realize this, WHO encourages every country
to, among other things, mobilize cross-sector cooperation in adopting e-health norms
and standards, evaluation, and cost-effectiveness principles in e-health, in order
to guarantee quality, ethics and security while upholding confidentiality, privacy,
equity and equality.

Cloud Computing Security
Nowadays, people are very conscious about their health; this is also the biggest
business in the world. People can pay a lot of money to doctors and hospitals to
save their lives. From the business point of view, this is a business whose demise
will never occur. Before the availability of technology, the hospital was the only
medium for provision of healthcare, but nowadays the scene has changed. Most
people have adopted these services as a business, and healthcare is now provided
online. This has become possible only because of cloud computing. With the help of
cloud computing, companies are changing their ways of providing services, e.g., by
offering online consultations with doctors or online clinics and pharmacies, with
impacts on the quality of service delivery and the cost of these services. To manage
these changes, two forces are applied: the first is to fulfill the business imperative to
cut costs, and the second is to improve the quality of healthcare services. Hospital
users have always been assured that their IT staff can promise a system uptime of
99.9%. However, with the increasing use of cloud services for data protection
purposes, IT must adjust to the new reality of cloud-based disaster recovery (DR)
options. For this, they use DRaaS (disaster-recovery-as-a-service).

The appearance of cloud computing technology with major advantages is one of the
present key challenges. This is a new prototyping technology based on "pay-on-demand"
for the use of information and communications technology (ICT). The National
Institute of Standards and Technology (NIST) in the USA has focused on three
models of cloud computing: SaaS, PaaS, and IaaS [19]. In healthcare cloud
computing for internal communications, an extensive number of computers and
servers are dedicated to meeting the requirements of the medical care business.
Healthcare services can be delivered to users (patients or physicians) through an
internet connection.
It is also important to note that the [US] Health Insurance Portability and
Accountability Act (HIPAA) compliance rule requires patient data to be well
protected, regardless of where they are stored. Organizations that work as
contractor firms, and that do not necessarily analyze the data on a regular basis,
must still adhere to HIPAA rules. Such a system records every access attempt by
username and includes the date, time, relationship to the patient, etc. Still, more
research work is required in this field to increase the security of patient data and
users' trust levels.

How to protect the data
Protection of critical patient information and medical records is one of the most
basic duties of the healthcare industry and one of the most firmly regulated. To
defend data as they move in and out of the cloud requires data encryption, which
makes the data unusable if they are compromised. It also demands safe communication
connections, which limit browser access and encrypt content as it is moved over the
network and throughout the cloud. However, data encryption based on the Advanced
Encryption Standard (AES) algorithm is very compute intensive.

This type of software-based encryption relies on compute-intensive algorithms that
can impact the performance of the computing network, particularly when used
pervasively to protect the massive volumes of information that pass to and from the
cloud. Traditional encryption solutions can create computing logjams due to high
performance overheads, making them less than optimal for protecting cloud data
traffic. Intel has worked to mitigate these performance penalties.

How to provide security against unauthorized access
Realizing cloud computing advantages while meeting stringent requirements for data
security and compliance requires hardening of the underlying platform, including the
hardware, software, and process methodologies. Better securing of both server and
client platforms helps safeguard cloud infrastructures, and better management of
identities and access control points at the network edges helps ensure that only
authorized users can enter the cloud. With malware attacks now moving beyond
software to target the platform, organizations face new risks from rootkits and
other low-level exploits that can infect system components such as hypervisors and
the BIOS to quickly spread throughout the cloud environment.

Protection of identity in the cloud
Protection of identity on a cloud platform begins with managing who has access to
it. Identity protection devices (such as Intel® IPT) provide a simple way for
healthcare organizations to validate that legitimate employees or approved users are
allowed in from a trusted device. IPT offers token generation incorporated into the
hardware, which removes the need for (and cost of) a separate physical token. It
also confirms transactions and protects against malware. Any user who wants to
access a cloud application first needs to enter his or her credentials (username and
password) on the identity protection system and then receives a one-time password
(OTP) on his or her registered cell phone or email address. Only if both are correct
will the identity protection system allow that user to access the cloud.
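The two-step flow just described (password first, then a one-time code delivered out of band, access only when both are correct) fits in a few dozen lines once the server-side rules are spelled out. The Python below is an added example for this module, not code from the page or from Intel IPT; the class name, the lockout after three failed password attempts (the figure this module later gives for log-in policies), the five-minute code lifetime and the in-memory outbox that stands in for SMS or email delivery are all assumptions. The points worth keeping are that the password is stored only as a salted PBKDF2 hash, that all comparisons are constant-time, and that the one-time code is itself hashed, time-limited and single-use.

```python
import hashlib
import hmac
import secrets
import time

LOCKOUT_THRESHOLD = 3      # failed password attempts before the account locks (assumption)
OTP_TTL_SECONDS = 300      # lifetime of a delivered one-time code (assumption)
PBKDF2_ROUNDS = 100_000    # work factor for password hashing (assumption)


class IdentityGate:
    """Hypothetical two-step identity check: password, then one-time password."""

    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so expiry can be tested
        self.users = {}           # username -> stored credential record
        self.pending = {}         # username -> hashed OTP awaiting step 2
        self.outbox = []          # (contact, otp) pairs; stands in for SMS/email

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username, password, contact):
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt, "hash": self._hash(password, salt),
            "contact": contact, "failures": 0, "locked": False,
        }

    def begin_login(self, username, password):
        """Step 1: check the password; on success send a one-time code."""
        user = self.users.get(username)
        if user is None:
            self._hash(password, bytes(16))   # same cost for unknown users
            return "denied"
        if user["locked"]:
            return "locked"
        if not hmac.compare_digest(self._hash(password, user["salt"]), user["hash"]):
            user["failures"] += 1
            if user["failures"] >= LOCKOUT_THRESHOLD:
                user["locked"] = True
                return "locked"
            return "denied"
        user["failures"] = 0
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[username] = {
            "otp_hash": hashlib.sha256(otp.encode()).digest(),
            "expires": self.clock() + OTP_TTL_SECONDS,
        }
        self.outbox.append((user["contact"], otp))   # delivery to the registered device
        return "otp_sent"

    def complete_login(self, username, otp):
        """Step 2: check the one-time code; it is single-use and time-limited."""
        pending = self.pending.pop(username, None)   # consumed even on failure
        if pending is None:
            return "denied"
        if self.clock() > pending["expires"]:
            return "expired"
        presented = hashlib.sha256(otp.encode()).digest()
        if not hmac.compare_digest(presented, pending["otp_hash"]):
            return "denied"
        return "granted"

    def unlock(self, username):
        """Administrative reset once the regain-access procedure has been followed."""
        user = self.users[username]
        user["failures"], user["locked"] = 0, False
```

A wrong one-time code discards the pending code, so the user has to pass the password step again; that keeps an attacker who holds a stolen password from cycling guesses at the six-digit code.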

Protection of API keys
Application programming interfaces (APIs) are the fundamental method used for
exposing cloud applications to third parties and mobile services. A hacker tries to
break these API keys for unauthorized access. Many researchers and scientists have
suggested algorithms to protect API keys.
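The page only says that API keys need protecting; what that means on the server side is shown in the added Python below, an example written for this module and not an algorithm from the researchers it mentions or from any cloud provider. The `key_id.secret` key format, the scope names and the lifetimes are assumptions. The server stores only a SHA-256 digest of the secret, so a copied key table yields nothing that can be presented to the API; lookups use a constant-time comparison and a dummy digest for unknown ids, and every key carries an expiry, a scope set and a revocation flag so that a leaked key is contained by rotation.

```python
import hashlib
import hmac
import secrets
import time


class ApiKeyStore:
    """Hypothetical server-side registry of API keys for a healthcare cloud API."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.records = {}    # key_id -> metadata; the secret itself is never kept

    def issue(self, owner, scopes, ttl_seconds):
        """Create a key and return it once as 'key_id.secret'; only its digest is stored."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self.records[key_id] = {
            "owner": owner,
            "digest": hashlib.sha256(secret.encode()).digest(),
            "scopes": frozenset(scopes),
            "expires": self.clock() + ttl_seconds,
            "revoked": False,
        }
        return f"{key_id}.{secret}"

    def authorize(self, presented_key, required_scope):
        """Return 'ok' or the reason the presented key was rejected."""
        key_id, _, secret = presented_key.partition(".")
        record = self.records.get(key_id)
        # Compare against a dummy digest when the id is unknown so that the
        # time taken does not reveal which ids exist.
        expected = record["digest"] if record else bytes(32)
        digest_ok = hmac.compare_digest(hashlib.sha256(secret.encode()).digest(), expected)
        if record is None or not digest_ok:
            return "invalid"
        if record["revoked"]:
            return "revoked"
        if self.clock() > record["expires"]:
            return "expired"
        if required_scope not in record["scopes"]:
            return "forbidden"
        return "ok"

    def revoke(self, key_id):
        self.records[key_id]["revoked"] = True

    def rotate(self, presented_key, ttl_seconds):
        """Issue a replacement with the same owner and scopes, then revoke the old key."""
        key_id = presented_key.partition(".")[0]
        old = self.records[key_id]
        new_key = self.issue(old["owner"], old["scopes"], ttl_seconds)
        self.revoke(key_id)
        return new_key


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue("billing-app", ["claims:read"], ttl_seconds=3600)
    print(store.authorize(key, "claims:read"), store.authorize(key, "claims:write"))
```

Because the plaintext secret exists only in the response to `issue`, the client must be told to store it in a secrets manager rather than in source or configuration files; the server can never hand it out again, which is the property that makes the digest-only storage worthwhile.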

Security Threats in the Healthcare Cloud


Healthcare organizations have always struggled with information security. Because
the healthcare industry stores massive volumes of critical data and is subject to
strict compliance rules, it must make security its primary concern. Therefore, the
industry has long been doubtful about new technologies that could put data at risk,
including cloud technologies. Cloud computing poses many risks to data security,
data confidentiality, and overheads because of the huge volumes of data involved.
Data processed in the cloud are highly confidential, such as business records,
patient records, military records, etc. Therefore, proper encryption standards and
architecture must be applied to secure sensitive data against tampering.
However, everything changes, and the healthcare industry is changing as well. In
January 2018, an important decision was made: the National Health Service (NHS),
the largest healthcare provider in the UK, officially approved the use of US-based
cloud providers to store patient data. According to the 2018 Netwrix Cloud Security
In-Depth Report, 84% of healthcare organizations already store data in the cloud,
but the NHS is the first state healthcare organization to give the go-ahead.
Here, we discuss some of the major security risks in the healthcare cloud.

Malware and viruses
Malware and viruses are being developed continuously, and ransomware (a type of
malware that, once it has taken over the computer, threatens harm) is one of the most
frequent sources of attack. According to one report, a company is targeted by
ransomware every 40 seconds. Malware, such as NotPetya, WannaCry, and Locky in
particular, has spread among healthcare providers. Even the NHS itself has been
targeted by WannaCry: the attack resulted in disruptions at 37% of NHS organizations
and cancellation of many appointments and surgeries. Although the NHS did not pay
the ransom, it did incur extra costs to cover cancelled appointments, hire IT
consultants, and restore data and systems after the attack, besides incurring damage
to its reputation. Unsurprisingly, nearly 61% of healthcare organizations are
reportedly worried about malware and the threat of unauthorized access.

Identity protection and access management
Unauthorized access is the biggest challenge in all types of cloud computing. This is
a major security issue throughout the world and a huge challenge in healthcare cloud
computing. Many researchers and IT industry developers are working to resolve this
issue. According to a Netwrix survey in January 2018, 68% of unauthorized access
security concerns are related to the healthcare cloud. This is the biggest security
issue. Existing organizational identification and authentication frameworks may not
extend into the cloud, and if they are based on unique username-password
combinations for individual applications, they can be a weak link in the security
chain. In the cloud, identity management helps to preserve security, visibility, and
manageability, and centralizing IT control of identities and access is useful.

Data encryption
Data saved in the cloud usually reside in a multitenant environment (a distributed,
virtualized server space) together with data from other clients of the cloud
provider. Healthcare entities that move critical and synchronized data into the
cloud must make sure the data are encrypted at rest and in transit. One of the main
risks of multitenancy and shared computing resources within cloud infrastructures
is a possible failure of the isolation mechanism that separates memory, storage, and
routing between tenants.

Data compliance regulations
Security laws and regulations vary at national, regional, and local levels, making
compliance a potentially complex issue for cloud computing. For example, some
countries in the European Union (EU) stipulate that some health data must never
cross those countries' own borders. Other authorities have detailed data compliance
regulations that stipulate special handling of certain kinds of health information
(medical treatment of minors, disease history, etc.), controlling transmission across
local or state borders. To comply with these strict data privacy laws, cloud
infrastructures must be auditable for such features as encryption, security
controls, and geographic location.

Illegal activities of IT staff
Although it seems strange, employees have been identified as a security threat. Only
21% of healthcare organizations have a complete picture of what their IT staff
members are doing in the cloud, and visibility of the actions of business users is
even rarer. In fact, the overall visibility of internal actors is the lowest among all
organizations surveyed. IT people are aware of this gap, but the majority of them do
not get essential support from the C-level to address it. Only 50% of respondents
say that they get top management support to implement cloud security projects; this
is the lowest result across all businesses surveyed.

Human error
This is also one of the biggest security threats; with just one small mistake, the
industry can lose billions of dollars within a second. According to Verizon's 2016
Breach Investigations Report, healthcare data breaches in 2015 were most likely to
be caused by human error or unintentional error in the form of stolen or lost
assets, insider and privilege misuse, and miscellaneous errors, such as improper
device disposal or mishandling.
Detailed above are some of the common threats that are spreading in the healthcare
cloud. The healthcare cloud also contains massive volumes of data. Thus, the
healthcare industry is worried about protecting these data. HIPAA and public health
authorities (PHAs) have issued regulations to secure data in the healthcare cloud.
In the next section we describe some methods by which the healthcare industry can
secure its data in the cloud.

THEORY OF PRIVACY AND SECURITY IN THE EXCHANGE OF HEALTH DATA AND
INFORMATION

C. Expected Learning Outcomes

After studying this module, students are expected to be able to:

1. Know the HIPAA privacy and security standards

D. Description and Examples

1. HIPAA security and confidentiality standards

The Health Insurance Portability and Accountability Act (HIPAA), which falls under
the Department of Health and Human Services (HHS) in the United States, has existed
since 1996. It is the body that develops the security and confidentiality standards
for patient data and information. Broadly speaking, it has issued a standard for
security and a standard for privacy.
The Privacy Rule governs standards for the protection of certain health
information. The Security Rule governs standards for the protection of certain
health information that is stored or transferred in electronic form. The Security
Rule operationalizes the Privacy Rule by addressing the technical and non-technical
safeguards that an organization called a "covered entity" must put in place to
secure "electronic protected health information" (electronic PHI). A covered entity
can be defined as a healthcare provider, a financial institution, or a health
insurance plan.
The main goal of the Security Rule is to protect the privacy of patients' and
individuals' health information while covered entities adopt new technologies to
improve the quality and efficiency of care for their patients. The technology may
be online patient registration, an EMR, or even the storage of imaging, laboratory
and billing data. The Security Rule is designed to be flexible and scalable, so that
a healthcare provider can apply it in a way suited to its staff size, organizational
structure, and the risks to patient data.

a. The HIPAA Privacy Rule

The HIPAA Privacy Rule was created to protect patients' medical data and other
health information. It covers patient data held in medical records and by insurers
and financial institutions that conduct electronic transactions on such patient
data. The rule covers appropriate safeguards for the confidentiality of health
information, and sets the limits and conditions under which such information may be
used or disclosed without the patient's authorization. The rule also gives patients
rights over their health information, including the right to examine and obtain a
copy of their health records and to request corrections.

Protected health information is any information that identifies a patient,
including the patient's name, DOB, address, email address and telephone number; the
patient's employer; the names of any relatives; the patient's Social Security number
and medical record number; account numbers tied to the patient's accounts; the
patient's fingerprints; photographs of the patient; and any characteristic of the
patient that would automatically reveal his or her identity (for example, "the
governor of the largest state in the United States").
In addition, PHI includes the medical information related to that person, including
diagnoses, test results, treatments and prognosis; documentation by care providers
and other health professionals; and billing information. HIPAA states (and HITECH
strengthens) that only people with a need to know may have access to a patient's
PHI. And, going a step further, they are entitled to access only the minimum
information necessary to do their job. An example is a covered entity such as a
health insurance company that is processing a claim for a patient who underwent a
coronary artery bypass three months ago. Unless the insurance company can prove
otherwise, the minimum necessary information is the supporting documentation
related to the bypass surgery. The fact that the patient gave birth to a child in
1980 has nothing to do with the bypass surgery, and therefore the company does not
need access to that record.
There are many ways in which facilities protect the privacy and confidentiality of
their patients. Privacy is the right to be left alone. In other words, no one may
intrude on a patient's personal time or space while he or she is being treated;
that is why admissions departments and registration areas have partitions or small
rooms, so that patients have privacy. Confidentiality is keeping secrets; in
healthcare, it means keeping information about a patient to oneself. Patients have
the right to expect that their medical information will be kept confidential.
Written policies and ongoing staff education are two very important aspects of
complying with the HIPAA and HITECH rules.

Privacy and confidentiality policies should address, at a minimum:


➢ Release (disclosure) of information to outside sources. PHI is released to
outside entities only upon written authorization of the patient/legal
representative (or as required by law) and release to inside sources (access)
is only on a need-to-know basis. The policy should also address exceptions.
Let’s first look at internal access as an example.
Cathy Hess was a patient on unit 3E of Memorial Hospital from May 3 to May
5. Suzanne Hess is a nurse who works at Memorial Hospital and is Cathy
Hess’ sister-in-law. She does not work on 3E and did not take care of
Cathy. She did not have, does not have, and will not have a need to
access Cathy’s health record. But, let’s say two months after Cathy’s
hospitalization, Suzanne is on a committee that is auditing records for a study
and Cathy’s record happens to be one of the records in the sample. Suzanne
could ask one of the other reviewers to audit that particular record, but if
Suzanne does review Cathy’s record, she is accessing the record within the
scope of her job, and she does have a need to know in that case. Internal
access does not require an authorization from the patient, if there is a need to
know.
➢ Outside access without the need for authorization of the patient/personal
representative. This includes access by an insurance company (for payment
of the bill), by public health officials in cases of mandatory reporting (infectious
diseases, for example), and by licensing and accrediting agencies.
➢ Release of directory information. Directory information includes the fact that
the patient is in the hospital (or is being treated at an ambulatory facility) and
his or her room number. However, if a patient does not want certain
individuals (or anyone) to know that he or she is in the hospital or the location
within the hospital, then the patient/legal representative would sign an
authorization stipulating who can and cannot have access to that information.
➢ Written guidelines and examples of what is considered minimum necessary
information by reason for the request
➢ Faxing of documentation—information that can and cannot be faxed and the
protocol to be followed, should information be faxed to the wrong location
➢ Computer access and lockdown. Policy requires staff to lock their computers
down (sign out) if they are going to be away from their desks for any length of
time.
➢ Password sharing—makes it a disciplinary offense to share one’s password
with another
➢ Computer screens—should be kept out of view of the public or anyone else
who might have access to areas with computers
➢ Shredding any hard-copy documents (where applicable) rather than just
discarding them in a waste paper basket.
➢ Signing by patients of a Notice of Privacy Practices so that patients are
aware of how their personal health information will be used. The Notice of
Privacy Practices must be in writing and be signed by the patient/legal
representative. It informs the patient how his or her health information will be
used and the reasons it may be released, notifies the patient that he or she
may view or have copies of the health record and may request amendments
to it, and states the procedure for filing a complaint with the Department of
Health and Human Services.
➢ Requirement that all staff (including care providers) sign a document
committing themselves to keeping private and confidential the information that
is written, spoken, or overheard about any and all patients

Once a paper record is converted to an electronic one, the paper copy is no longer
needed. It is best practice to destroy the paper copy, if the electronic version is
considered the legal document, and the one upon which healthcare decisions are
made. The paper record should be destroyed either by incineration or by shredding.
An example of a shredding policy statement in an office that no longer keeps hard-
copy records (a “paperless environment”) is
The electronic health record is the legal health record at Greensburg Medical
Center. Printed copies should only be made when there is a need to refer to
the printed document rather than the computerized image. Once the printed
document is no longer needed, it is to be placed in one of the marked shred
bins immediately. Shred bins are located in the business office and in the
secure area of the front office. The only exception to this policy is the printed
copies made for patients’ requests, or that are to be mailed by the Release of
Information Specialist.

In addition to the policies noted above, security-specific policies should address:


➢ Password protection. Every computer user must have a unique code, or
password, that is known (and used) only by the user. Passwords should not
be easily discerned; for instance, the user’s birthdate, spouse’s name, child’s
name, phone number, and the like would not be secure passwords. Instead,
the password should be a combination of numbers, letters, and special
characters (symbols), no less than six and no longer than eight characters in
length, and the system should be set up to prompt users to change their
password at least every 90 days. Individual offices and facilities will set
policies regarding their password configuration requirements. The software
system in use will dictate some of the password constraints as well.
➢ Appointment of a security and/or privacy officer. Someone in the facility must
be named as privacy and security officer, though these may be two different
individuals. The privacy/security officer is ultimately responsible for setting,
monitoring, updating, investigating, and enforcing all privacy and security
policies.
➢ Log-in attempts. The system set-up should include automatic lock-out when a
user attempts to log in a certain number of times (usually three) with the
wrong password. The policy and procedure should also address how to regain
access. No doubt you have already experienced this with online banking, a
credit card company, or the learning management system at your college.
➢ Protection from computer viruses and malware. This should include the
facility’s policy on downloading music or other attachments that may carry
viruses and malware. A virus is a “deviant program, stored on a computer
floppy disk, hard drive, or CD, that can cause unexpected and often
undesirable effects, such as destroying or corrupting data. Malware comes in
the form of worms, viruses, and Trojan horses, all of which attack computer
programs” (Williams and Sawyer). In early 2016 several hospitals were
plagued by computer malware. Though patient records were not accessed,
MedStar Health near Washington, DC, was affected and the system’s users
were not able to log in. This attack affected 250 outpatient locations and 10
hospitals. As a precaution, the health system sent patients to other facilities
until the problem was resolved and the FBI was involved in the investigation
(Cox, Turner, and Zapotsky).
➢ Security audits. A policy should be in place and carried out that requires
random security audits to monitor access to patients’ records. Often, this may
be done on a rotating basis so that all staff members (including providers) are
audited periodically, or it may be done based on a random selection of
patients in the database. Of course, the investigation of any rumored or
known breaches should include a security audit. It is important that internal
security audits be carried out, since the Office of Inspector General (OIG)
also carries out random audits of EHR system security vulnerabilities.
➢ Off-site access. With the use of current technology, many PMs and EHRs can
be accessed via the Internet. Policies must dictate who can access remotely
as well as what information can be viewed and/or edited remotely.
➢ Printing policies. The more information that is printed from the EHR or PM
software, the greater chance there is of unauthorized disclosure.
➢ Destruction policies. If paper copies of the electronic record are going to be
made, then the destruction of those copies also needs to be addressed. The
usual method of destruction is shredding, either externally by a destruction
company or internally through use of portable shredders. Regardless of which
is used, a policy must be in place that states when paper copies are
destroyed, how, and by whom.
➢ Detailed policies and procedures that address privacy or security incidents.
Disciplinary action should be addressed in this policy as well.
➢ Staff education—requirement that all staff (including care providers)
participate in continuing education opportunities to reinforce the laws
governing privacy and security.
➢ Email. It is a part of everyday life, not just in our personal lives but in our work
lives as well. Anything written in an email is protected information. However, it
is not a secure means of communication, and the facility should adopt policies
related to the sending and receiving of email messages, including what, if any,
patient-related information can be sent via email. Like faxes, emails can go to
the wrong individual, constituting a privacy breach. There must be a policy
regarding patient-related emails or emails to or from patients—are they a part
of the patient’s health record, and if so, how will the email become part of the
record? Emails should be encrypted, which means the words are scrambled
and can be read only if the receiver has a special code to decipher it, but
encrypting still does not ensure total security. Encryption applies to any
information that is electronically transmitted.
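The password constraints and the three-attempt lock-out described in the list above, as an added example that is not part of this module: a small Python policy check that keeps only a salted PBKDF2 digest, rejects passwords outside the stated 6-8 character, letters-plus-symbols rule, forces a change once the password is older than 90 days, and locks the account after three wrong attempts. The Account class, attempt_login, demo and the nurse01/nurse02 scenario are constructed for illustration and are not taken from any real system.

```python
import hashlib, hmac, os, re
from datetime import date, timedelta
# Policy parameters as this module states them: letters plus symbols, 6-8 characters,
# change at least every 90 days, automatic lock-out after three wrong passwords.
MIN_LEN, MAX_LEN, MAX_AGE_DAYS, MAX_FAILED = 6, 8, 90, 3

def password_violations(password):
    """List the policy rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be %d-%d characters" % (MIN_LEN, MAX_LEN))
    if not re.search(r"[A-Za-z]", password):
        problems.append("must contain a letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("must contain a symbol")
    return problems

def hash_password(password, salt):
    """Salted PBKDF2-SHA256: the system stores this digest, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Account:
    """State the policy needs; callers run password_violations before setting a password."""
    def __init__(self, username, password, last_changed):
        self.username, self.salt = username, os.urandom(16)
        self.digest = hash_password(password, self.salt)
        self.last_changed, self.failed, self.locked = last_changed, 0, False

def attempt_login(account, password, today):
    """Apply lock-out and rotation; returns 'ok', 'expired', 'denied' or 'locked'."""
    if account.locked:
        return "locked"  # stays locked until the regain-access procedure is followed
    if not hmac.compare_digest(hash_password(password, account.salt), account.digest):
        account.failed += 1  # constant-time compare above avoids a timing side channel
        if account.failed >= MAX_FAILED:
            account.locked = True
        return "locked" if account.locked else "denied"
    account.failed = 0  # a successful log-in resets the counter
    if today - account.last_changed > timedelta(days=MAX_AGE_DAYS):
        return "expired"  # right password, but the 90-day change is overdue: force a change
    return "ok"

def demo():
    """Constructed scenario: three wrong guesses lock nurse01; nurse02's password ages out."""
    a = Account("nurse01", "Ab#123", date(2020, 1, 1))
    guesses = [attempt_login(a, g, date(2020, 2, 1)) for g in ("bad!1", "bad!2", "bad!3")]
    after_lock = attempt_login(a, "Ab#123", date(2020, 2, 1))
    b = Account("nurse02", "Ab#123", date(2020, 1, 1))
    return (guesses, after_lock, attempt_login(b, "Ab#123", date(2020, 2, 1)),
            attempt_login(b, "Ab#123", date(2020, 5, 1)))
```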

Firewalls should also be used to deter access to the system by unauthorized
individuals. Williams and Sawyer define a firewall as “a system of hardware and/or
software that protects a computer or a network from intruders.”
Hardware also has to be protected, and policies must be written to govern the
security of hardware devices. Hardware includes desktop computers, laptop
computers, hand-held devices, and the like. These devices are always at risk for loss
or theft. But to protect the information on a device, follow these simple rules:
➢ Always lock down (sign out of) the device when it is unattended, and require a
password to log on.
➢ Never store the passwords to any of your hardware devices or sites on the
computer.
➢ Back up files onto a CD, external hard drive, or flash drive.
➢ Encrypt PHI if policy allows health records to be stored on the device.
➢ Use the portable devices in a secure area—using one in the cafeteria and
walking away to freshen your coffee is not secure.
➢ Wipe the hard drives of any computers that are taken out of use before
recycling them or placing them in the trash. This is typically a responsibility of
the IT department.

b. Security Rule

The Security Rule requires covered entities to maintain reasonable and
appropriate administrative, technical, and physical safeguards for protecting e-PHI.
Specifically, covered entities must:

1. Ensure the confidentiality, integrity, and availability of all e-PHI they create,
receive, maintain or transmit;
2. Identify and protect against reasonably anticipated threats to the security or
integrity of the information;
3. Protect against reasonably anticipated, impermissible uses or disclosures;
and
4. Ensure compliance by their workforce.

The Security Rule defines “confidentiality” to mean that e-PHI is not available
or disclosed to unauthorized persons. The Security Rule's confidentiality
requirements support the Privacy Rule's prohibitions against improper uses and
disclosures of PHI. The Security Rule also promotes the two additional goals of
maintaining the integrity and availability of e-PHI. Under the Security Rule, “integrity”
means that e-PHI is not altered or destroyed in an unauthorized manner.
“Availability” means that e-PHI is accessible and usable on demand by an authorized
person.

HHS recognizes that covered entities range from the smallest provider to the
largest, multi-state health plan. Therefore the Security Rule is flexible and scalable to
allow covered entities to analyze their own needs and implement solutions
appropriate for their specific environments. What is appropriate for a particular
covered entity will depend on the nature of the covered entity’s business, as well as
the covered entity’s size and resources.

Therefore, when a covered entity is deciding which security measures to use,
the Rule does not dictate those measures but requires the covered entity to
consider:

• Its size, complexity, and capabilities,
• Its technical, hardware, and software infrastructure,
• The costs of security measures, and
• The likelihood and possible impact of potential risks to e-PHI.

Technical Safeguards

• Access Control. A covered entity must implement technical policies and
procedures that allow only authorized persons to access electronic protected
health information (e-PHI).
• Audit Controls. A covered entity must implement hardware, software, and/or
procedural mechanisms to record and examine access and other activity in
information systems that contain or use e-PHI.
• Integrity Controls. A covered entity must implement policies and procedures
to ensure that e-PHI is not improperly altered or destroyed. Electronic
measures must be put in place to confirm that e-PHI has not been improperly
altered or destroyed.
• Transmission Security. A covered entity must implement technical security
measures that guard against unauthorized access to e-PHI that is being
transmitted over an electronic network.
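Added example, not from the module or from HHS: the random security audits described in the policy list earlier and the Audit Controls safeguard above, applied to a constructed e-PHI access log. Accesses with no documented care relationship, printed records and high-volume browsing are flagged for the privacy/security officer, and audit_sample picks the rotating staff selection and random patient sample for one review cycle. The log format, the care-team table, the user names and the three-patient threshold are all assumptions made for this illustration.

```python
import random
from collections import defaultdict

# Constructed e-PHI access log (timestamp|user|role|patient|action) and a constructed
# care-team table saying which staff currently treat which patient.
ACCESS_LOG = """\
2020-03-02T08:01|dr.adams|physician|P1001|view
2020-03-02T08:05|nurse.lee|nurse|P1001|edit
2020-03-02T08:20|nurse.lee|nurse|P1002|view
2020-03-02T09:10|clerk.ng|billing|P1003|view
2020-03-02T09:12|clerk.ng|billing|P1004|view
2020-03-02T09:13|clerk.ng|billing|P1005|view
2020-03-02T09:15|clerk.ng|billing|P1006|view
2020-03-02T12:30|dr.adams|physician|P1007|print
"""
CARE_TEAM = {"P1001": {"dr.adams", "nurse.lee"}, "P1002": {"nurse.lee"},
             "P1003": {"clerk.ng"}, "P1007": set()}

def parse_log(text):
    """One dict per non-blank log line."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, user, role, patient, action = line.split("|")
            rows.append({"ts": ts, "user": user, "role": role, "patient": patient, "action": action})
    return rows

def audit_findings(rows, care_team, max_patients_per_user=3):
    """Flag accesses with no care relationship, printed records, and high-volume browsing.
    The threshold is a facility policy choice (assumed here), not a HIPAA number."""
    findings, per_user = [], defaultdict(set)
    for r in rows:
        per_user[r["user"]].add(r["patient"])
        if r["user"] not in care_team.get(r["patient"], set()):
            findings.append(("no_care_relationship", r["user"], r["patient"]))
        if r["action"] == "print":  # printing raises the disclosure risk, so it is reviewed
            findings.append(("printed_record", r["user"], r["patient"]))
    for user, patients in per_user.items():
        if len(patients) > max_patients_per_user:
            findings.append(("high_volume", user, len(patients)))
    return findings

def audit_sample(staff, patients, cycle, per_cycle=2, seed=None):
    """Rotating staff selection (everyone is audited over successive cycles) plus a random
    sample of patients whose records are reviewed; seed is only for reproducibility."""
    start = (cycle * per_cycle) % len(staff)
    rotating = [staff[(start + i) % len(staff)] for i in range(per_cycle)]
    return rotating, sorted(random.Random(seed).sample(patients, per_cycle))
```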

Required and Addressable Implementation Specifications

• Covered entities are required to comply with every Security Rule "Standard."
However, the Security Rule categorizes certain implementation specifications
within those standards as "addressable," while others are "required." The
"required" implementation specifications must be implemented. The
"addressable" designation does not mean that an implementation
specification is optional. However, it permits covered entities to determine
whether the addressable implementation specification is reasonable and
appropriate for that covered entity. If it is not, the Security Rule allows the
covered entity to adopt an alternative measure that achieves the purpose of
the standard, if the alternative measure is reasonable and appropriate.

A. References

1. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
2. Mehmood, R., Katib, S. S. I., & Chlamtac, I. (2020). Smart Infrastructure and Applications. Springer International Publishing.
