SECURITY AND PRIVACY OF THE INTEGRATED CLINICAL ENVIRONMENT PART I

Jason Lee Williams, MSIT, JD, LLM, CIPP/US

Abstract


EDITOR'S NOTE:

On January 16, 2020 the National Institute of Standards and Technology (NIST) published its long-awaited Privacy Framework. The Privacy Framework enables healthcare organizations to address privacy risk systematically and complements the previously released NIST Cybersecurity Framework and Risk Management Framework. As the healthcare ecosystem becomes more interconnected and interoperable, healthcare organizations must be prepared to protect the security and privacy of electronic protected health information. When used as a part of an enterprise risk management strategy, the three NIST frameworks enable organizations to identify risks and build business processes that allow interoperability while managing security and privacy risk. Security and Privacy of the Integrated Clinical Environment discusses how the NIST frameworks and methodologies can be used to develop an enterprise architecture that ensures patient privacy and information security.


ARTICLE ABSTRACT: Integration without security and privacy is not interoperability. The integrated clinical environment cannot achieve the goals of improving patient safety, increasing treatment effectiveness, and improving operational efficiency without engineering both privacy and security into clinical systems, institutional health information systems, and health information exchanges.

The integrated clinical environment is the synthesis of health care providers, medical devices, health information networks and information technology working together to improve patient safety, increase treatment effectiveness, and improve efficiency. Although this is a laudable goal, current research has done little to address security and privacy concerns with the integrated clinical environment. Unfortunately, the concept was born with little focus on security and privacy. The potential for great harm, both physical and emotional, is ever-present in the health care context when information technology is used to assist in the treatment of patients. The basic tenets of information security should be followed when developing an integrated clinical environment: confidentiality, integrity, accessibility, and accountability.

Additionally, privacy concerns outlined in the Fair Information Practice Principles—access and amendment, accountability, authority, minimization, quality and integrity, individual participation, purpose specification and use limitation, security, and transparency—must also be addressed when creating an integrated clinical environment. Integration without security and privacy is not interoperability. A health care organization cannot operate an integrated clinical environment in today’s legal and regulatory environment without assurances of security and privacy engineered into the systems. However, frameworks currently exist that enable health care organizations to manage both security and privacy risk throughout the enterprise systematically. 

Security and Privacy of the Integrated Clinical Environment will be presented in a series of three articles. The first article, Part I, discusses the basic concepts of interoperability and the integrated clinical environment (ICE), the legal and regulatory framework impacting an interoperable ICE, and an overview of the risks associated with the deployment of an interoperable ICE. The second article, Part II, will discuss the concept of privacy engineering and the various National Institute of Standards and Technology (NIST) frameworks and methodologies, including the new NIST Privacy Framework, that can be utilized to address both privacy and security risk adequately. Finally, the third article, Part III, will discuss how the Sherwood Applied Business Security Architecture (SABSA) can be used to integrate the frameworks and methodologies presented in Part II into an enterprise architecture to ensure an organization deploying an interoperable ICE is compliant with its obligation to protect the privacy and security of a patient’s health information.




©Journal of Health Care Finance