RESUMO
OBJECTIVES: Internet technologies provide an attractive infrastructure for efficient and low cost communications in regional health information networks. The advantages provided by the Internet come however with a significantly greater element of risk to the confidentiality and integrity of information. This is because the Internet has been designed primarily to optimize information sharing and interoperability, not security. The main objective of this paper is to propose the exploitation of public-key cryptography techniques to provide adequate security to enable secure healthcare Internet applications. METHODS: Public-key cryptography techniques can provide the needed security infrastructure in regional health networks. In the regional health-care security framework presented in this paper, we propose the use of state-of-art Public Key Infrastructure (PKI) technology. Such on e-Health PKI consists of regional certification authorities that are implemented within the central hospitals of each region and provide their services to the rest of the healthcare establishments of the same region. RESULTS: Significant experience in this area has been gained from the implementation of the PKI@AUTH project. CONCLUSIONS: The developed PKI infrastructure already successfully provides its security services to the AHEPA university hospital. The same infrastructure is designed to easily support a number of hospitals participating in a regional health information network.
Assuntos
Segurança Computacional/instrumentação , Sistemas de Informação Hospitalar/normas , Internet , Programas Médicos Regionais/normas , Telemedicina/normas , Grécia , Humanos , Sistemas Computadorizados de Registros Médicos , Programas Médicos Regionais/organização & administração , Medidas de SegurançaRESUMO
BACKGROUND: The Internet provides many advantages when used for interaction and data sharing among health care providers, patients, and researchers. However, the advantages provided by the Internet come with a significantly greater element of risk to the confidentiality, integrity, and availability of information. It is therefore essential that Health Care Establishments processing and exchanging medical data use an appropriate security policy. OBJECTIVE: To develop a High Level Security Policy for the processing of medical data and their transmission through the Internet, which is a set of high-level statements intended to guide Health Care Establishment personnel who process and manage sensitive health care information. METHODS: We developed the policy based on a detailed study of the existing framework in the EU countries, USA, and Canada, and on consultations with users in the context of the Intranet Health Clinic project. More specifically, this paper has taken into account the major directives, technical reports, law, and recommendations that are related to the protection of individuals with regard to the processing of personal data, and the protection of privacy and medical data on the Internet. RESULTS: We present a High Level Security Policy for Health Care Establishments, which includes a set of 7 principles and 45 guidelines detailed in this paper. The proposed principles and guidelines have been made as generic and open to specific implementations as possible, to provide for maximum flexibility and adaptability to local environments. The High Level Security Policy establishes the basic security requirements that must be addressed to use the Internet to safely transmit patient and other sensitive health care information. CONCLUSIONS: The High Level Security Policy is primarily intended for large Health Care Establishments in Europe, USA, and Canada. It is clear however that the general framework presented here can only serve as reference material for developing an appropriate High Level Security Policy in a specific implementation environment. When implemented in specific environments, these principles and guidelines must also be complemented by measures, which are more specific. Even when a High Level Security Policy already exists in an institution, it is advisable that the management of the Health Care Establishment periodically revisits it to see whether it should be modified or augmented.
Assuntos
Segurança Computacional/normas , Confidencialidade/normas , Guias como Assunto , Internet/normas , Computação em Informática Médica/normas , Sistemas Computadorizados de Registros Médicos/normas , Política Organizacional , Acesso à Informação/legislação & jurisprudência , Canadá , Segurança Computacional/legislação & jurisprudência , Bases de Dados como Assunto/classificação , Bases de Dados como Assunto/legislação & jurisprudência , Educação Profissionalizante/legislação & jurisprudência , Europa (Continente) , Humanos , Consentimento Livre e Esclarecido/legislação & jurisprudência , Computação em Informática Médica/legislação & jurisprudência , Direitos do Paciente/legislação & jurisprudência , Qualidade da Assistência à Saúde/legislação & jurisprudência , Estados UnidosRESUMO
The Internet provides unprecedented opportunities for interaction and data sharing among health care providers, patients and researchers. However, the advantages provided by the Internet come with a significantly greater element of risk to the confidentiality and integrity of information. This paper defines the basic security requirements that must be addressed in order to use the Internet to safely transmit patient and/or other sensitive Health Care information. It describes a suitable Internet Security Policy for Health Care Establishments and provides the set of technical measures that are needed for its implementation. The proposed security policy and technical approaches have been based on an extensive study of the related recommendations from the security and standard groups both in EU amid USA and our related work and experience. The results have been utilized in the framework of the Intranet Health Clinic project, where the use of the Internet for the transmission of sensitive Health Care information is of vital importance.
