Security Risk Assessment in Health Care
Introduction
Security Risk Assessment in Care Settings are intended to protect and secure health information (electronic protected health information or ePHI) from a wide range of threats, whether in emergency situations or during a system failure that constitutes a risk compromising the confidentiality, integrity, and availability of ePHI.
Electronic Protected Health Information
ePHI is patient-related data which are created, sent, received, and/or stored electronically. Those data can concern a health condition, health provision, or care services payment information in the past, present or future. They can be connected to individuals through the following identifiers:
Implementing HIPAA Controls
- General information: Name, address, dates (birth/death date, admission/discharge date ,..), phone numbers, fax numbers, email addresses;
- Care and insurance information: Social Security number, medical record number, health plan beneficiary number;
- Financial information: account number, credit or debit card number;
- Certificate/license number;
- Property information: car and devices identifiers or serial numbers;
- IT-related information: URLs, IP addresses;
- Personal identifiers such as finger or voice print and images;
- Any other unique identifying number, characteristic, or code.
Threats That Could Affect ePHI
Indeed, ePHI are subject to different threats that can be divided into three categories:
- Natural threats: Defined as disasters that cannot be avoided and that are hard to predict, especially in the context of data protection. Examples are earthquakes, tornadoes, and storms.
- Human threats: They are caused by individuals, whether deliberately, as with cyber-attacks, malware upload, computer and USBs theft, and medical ID theft; or not deliberately, including errors in data entry, unintended deletion, and so forth.
- Environmental threats: Related to exposure to both the external and internal environment. Examples are pollution, chemicals, outages, etc.
ePHI can be subject to threats in security during storage in IT material (computers, tablets, external portable hard drives, USB memory sticks, CDs, DVDs and other removable storage devices, Smartphones, scanners) and file and email transfer through wireless, Ethernet, modem, DSL, cable connections, or FAX.
Vulnerabilities That Could Affect ePHI
Threats exercise specific vulnerabilities, which are defined as the weaknesses in the organization’s security procedures, design, implementation, or internal controls, whether they are technical, such as a laptop without a password of an open wireless network that gives a free access to ePHI; or non-technical, such as weak or inexistent internal policy and procedures to protect patient’s information or simply users clicking on a malware.
Basic Protective Measures
In order to protect ePHI from being stolen, lost, or misused by an unauthorized person, organizations can take many basic measures:
- Secure access to computer and other IT materials using passwords or other user authentication;
- Secure the use of IT material by installing and enabling encryption, wiping and/or remote disabling, firewall, and security software, including its updates;
- Secure the internal network by disabling and not installing file-sharing applications, make sure that a public Wi-Fi network can allow secure data exchange when using it;
- Secure the mobile devices by checking the safety of mobile applications before downloading them, having a physical control on them, managing health information they contain, and deleting them if necessary.
However, even all those security measures are not enough to protect ePHI adequately, especially against hackers who are constantly seeking a way to counter the security barriers, making the organization subject to new threats and vulnerabilities. Those measures consequently do not avoid data loss to natural and environmental threats, for instance. This highlights the necessity for organizations to have a full security management process, where security risk analysis is the first step.
Security Risk Analysis or Security Risk Assessment
Security risk analysis is crucial and necessary to identify when and where a security risk exists and its potential impact on the three main health information security objectives behind the HIPAA security rule, which are the confidentiality, integrity, and availability of ePHI.
Security objective of HIPAA
According to the Legal Information Institute, confidentiality is about who or which process has the authorization to access the ePHI and for whom/which process the data cannot be accessed; while integrity is about the data conservation in terms of quality (not altered) and quantity (not destroyed) from unauthorized events; and availability is about accessibility and usability of the ePHI by an authorized person requesting it.
The goals that security risk assessment seeks to achieve through its flexible and flowing process are first and foremost to anticipate the potential risks due to external and internal changes but also to track access to ePHI, to keep an eye open on new threats and vulnerabilities, and to quickly and systematically identify security adverse events when they happen.
The Purpose of Security Risk Analysis
- To meet the requirements of the HIPAA Security rule, which came into force in 2005 and requires all healthcare organizations under it to run a comprehensive and accurate risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI;
- To help health care organizations identify threatened areas where ePHI could be at risk, evaluate the risk and vulnerabilities, and take adequate measures to reduce it to a reasonable level, which are all seen as good practices in business;
- To benefit from meaningful use program, thereby receiving Medicare and Medicaid EHR incentives after completion of the analysis and correcting security deficiencies and attesting it
The Security Risk Analysis Process
To make a security risk assessment, organizations should follow the steps below:
- Define the scope of the risk analysis, including all the ePHI created, stored, received, and transmitted by the organizations. It can include EHR system, 3rd party website, email, scan, data to work offline, etc.
- Reviewing and capitalizing on past risk analysis and projects;
- Running interviews and surveys in different departments including the IT staff;
- Reviewing the organization’s policies and procedures;
- Others: checking technical data, running vulnerability scan, network scan, etc.
- Administrative safeguards are all the policies and procedures meant to secure ePHI, including risk analysis and management, assigned security responsibility, workforce security, information access management, security awareness training, security incident procedures, contingency planning, evaluation, business associate contracts, and other arrangements.
- Physical safeguards are all the hard measures, policies, and procedures that aims to protect the organization’s information systems gathered in buildings as well as related equipment from natural threats, environmental hazards, and unauthorized access, including facility access controls, workstation use and security and device and media controls.
- Technical safeguards are the non-specific requirements regarding the type of technology required to be in adherence with the HIPAA security rules, taking into account access control, audit controls, integrity controls, person or entity authentication, and transmission security.
- This step can be accomplished by vulnerability testing, penetration testing, social engineering, reviewing/updating documents, etc.
Risk level matrix example
Source: HealthIT.gov
8. Creating a document about corrective measures to lower the risk (new policy, training staff).
9. Reviewing and updating the risk analysis at least annually, as well as when there are changes in the practice or electronic systems. Other reviews may also be required (every EHR reporting period under meaningful use programs).
What Security Risk Analysis Is NOT:
- Security risk analysis is not facultative for small organizations but all the care providers under the HIPAA security rule and who want to benefit from the meaningful use program.
- Security risk analysis is more than just installing a certified EHR, with only a checklist, by only looking at the EHR of the organization, or performed only once. It should be a full analysis (not only what is in EHR), should follow a systematic and documented process, should consider EHR hardware and software as well as other devices that can access the ePHI, and, finally, should be an ongoing and continuous process that adapts to the organization’s changes.
- Security risk analysis should not be outsourced if external help is not needed. It is valuable especially for small providers who are able to run their own analysis and only outsource expertise to check their compliance to the HIPAA security rule.
Conclusion
To perform a security risk assessment, there are many tools, methods, and best practices tips to help organizations reach compliance with HIPAA security rules. The guidance on risk analysis requirements of the security rule issued by OCR is a good reference for organizations about the best and most effective ways to protect ePHI.
Sources
https://www.healthit.gov/sites/default/files/onc_srat_webeventtoolsresourcesdeck.pdf
http://www.eprotex.com/3threats/
https://www.healthit.gov/sites/default/files/risk_assessment_user_guide_final_3_26_2014.pdf
https://www.healthit.gov/providers-professionals/security-risk-assessment
https://www.healthit.gov/providers-professionals/video/security-risk-analysis
https://www.healthit.gov/providers-professionals/top-10-myths-security-risk-analysis
http://www.hhshipaasagtraining.com/documents/Module%203%20HIPAA%20Security%20Fundamentals.pdf
https://www.law.cornell.edu/cfr/text/45/164.304
Implementing HIPAA Controls
http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
Implementing Controls for HIPAA
Learn how to maintain the confidentiality, integrity and availability of PHI and ePHI. What you'll learn:- HIPAA models and protocols
- Best practices for controls
- Privacy rule standards
- HIPAA compliance plans
- And more
In this Series
- Security Risk Assessment in Health Care
- Genetic testing "hottest" new form of health insurance fraud, FBI warns
- Healthcare data security issues: Best security practices for virtual healthcare sessions
- Analysis of ransomware used in recent cyberattacks on health care institutions
- Top cyber security risks in healthcare [updated 2020]
- How to satisfy HIPAA awareness and training requirements
- What Is Protected Health Information (PHI)?
- The Most Vulnerable and Hackable Medical Devices
- How to Comply with HIPAA Regulations – 10 Steps
- 5 Security Awareness Tips for HIPAA Compliance
- How WannaCry Ransomware Crippled Healthcare
- Breach Notification Requirements for Healthcare Providers
- Top 10 Threats to Healthcare Security
- Top 10 Ways Your Healthcare Organization May be Violating HIPAA and Not Know It
- NDG Pt. 3: The Impact of new data security standards and opt-out model on the IG Toolkit
- NDG Pt. 2: Government Views On Opting Out - Health Data and Security in The UK
- NDG Pt. 1: Data security standards and opt-out models in health and social care
- Patient Privacy in Healthcare: A Security Practitioner's Approach
- How Healthy is Security Across Healthcare?
- HIPAA Security Rule
- Regulatory Compliance for HIPAA Security Officers
- HIPAA and IT Security
- A Detailed Look Into the World of Clinical Decision Support Systems
- Top Clinical Application Systems
- Who is Hacking Healthcare?
- Types of hospital information systems
- HIS/HMIS
- The Healthcare IT Stack
- Medical Device Regulation
- Risk Management in Healthcare
- Security Technologies in Healthcare
- Medical Data Protection
- Healthcare Attack Statistics and Case Studies
- Security Leaders in Healthcare
- The Internet of Things in Healthcare
- Top 5 Emerging Security Technologies in Healthcare
- Emerging Technologies in Healthcare
- 10 Best Practices for Healthcare Security
- IS Best Practices for Healthcare
- Hospital Security
- Security Awareness for Healthcare Facilities
- Hospital security policies & procedures
- What Does Security Awareness Mean for Doctors, Nurses and Hospital Staff?
- Security Awareness for Healthcare Professionals
- Hackable Medical Devices
- Other Healthcare IT Regulations
- HITECH Act and IT Security
- HIPAA Security Checklist
- Healthcare HITECH Act
- HIPAA Overview and Resources
- Overview of Regulations and Compliance
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Healthcare information security
Genetic testing "hottest" new form of health insurance fraud, FBI warns
Healthcare information security
Healthcare data security issues: Best security practices for virtual healthcare sessions
Healthcare information security
Analysis of ransomware used in recent cyberattacks on health care institutions
Healthcare information security