Security Risk Assessment in Health Care
Security Risk Assessment in Care Settings are intended to protect and secure health information (electronic protected health information or ePHI) from a wide range of threats, whether in emergency situations or during a system failure that constitutes a risk compromising the confidentiality, integrity, and availability of ePHI.
Electronic Protected Health Information
ePHI is patient-related data which are created, sent, received, and/or stored electronically. Those data can concern a health condition, health provision, or care services payment information in the past, present or future. They can be connected to individuals through the following identifiers:
- General information: Name, address, dates (birth/death date, admission/discharge date ,..), phone numbers, fax numbers, email addresses;
- Care and insurance information: Social Security number, medical record number, health plan beneficiary number;
- Financial information: account number, credit or debit card number;
- Certificate/license number;
- Property information: car and devices identifiers or serial numbers;
- IT-related information: URLs, IP addresses;
- Personal identifiers such as finger or voice print and images;
- Any other unique identifying number, characteristic, or code.
Threats That Could Affect ePHI
Indeed, ePHI are subject to different threats that can be divided into three categories:
- Natural threats: Defined as disasters that cannot be avoided and that are hard to predict, especially in the context of data protection. Examples are earthquakes, tornadoes, and storms.
- Human threats: They are caused by individuals, whether deliberately, as with cyber-attacks, malware upload, computer and USBs theft, and medical ID theft; or not deliberately, including errors in data entry, unintended deletion, and so forth.
- Environmental threats: Related to exposure to both the external and internal environment. Examples are pollution, chemicals, outages, etc.
ePHI can be subject to threats in security during storage in IT material (computers, tablets, external portable hard drives, USB memory sticks, CDs, DVDs and other removable storage devices, Smartphones, scanners) and file and email transfer through wireless, Ethernet, modem, DSL, cable connections, or FAX.
Vulnerabilities That Could Affect ePHI
Threats exercise specific vulnerabilities, which are defined as the weaknesses in the organization’s security procedures, design, implementation, or internal controls, whether they are technical, such as a laptop without a password of an open wireless network that gives a free access to ePHI; or non-technical, such as weak or inexistent internal policy and procedures to protect patient’s information or simply users clicking on a malware.
Basic Protective Measures
In order to protect ePHI from being stolen, lost, or misused by an unauthorized person, organizations can take many basic measures:
- Secure access to computer and other IT materials using passwords or other user authentication;
- Secure the use of IT material by installing and enabling encryption, wiping and/or remote disabling, firewall, and security software, including its updates;
- Secure the internal network by disabling and not installing file-sharing applications, make sure that a public Wi-Fi network can allow secure data exchange when using it;
- Secure the mobile devices by checking the safety of mobile applications before downloading them, having a physical control on them, managing health information they contain, and deleting them if necessary.
However, even all those security measures are not enough to protect ePHI adequately, especially against hackers who are constantly seeking a way to counter the security barriers, making the organization subject to new threats and vulnerabilities. Those measures consequently do not avoid data loss to natural and environmental threats, for instance. This highlights the necessity for organizations to have a full security management process, where security risk analysis is the first step.
Security Risk Analysis or Security Risk Assessment
Security risk analysis is crucial and necessary to identify when and where a security risk exists and its potential impact on the three main health information security objectives behind the HIPAA security rule, which are the confidentiality, integrity, and availability of ePHI.
Security objective of HIPAA
Source: U.S. Department of Health and Human Services.
According to the Legal Information Institute, confidentiality is about who or which process has the authorization to access the ePHI and for whom/which process the data cannot be accessed; while integrity is about the data conservation in terms of quality (not altered) and quantity (not destroyed) from unauthorized events; and availability is about accessibility and usability of the ePHI by an authorized person requesting it.
The goals that security risk assessment seeks to achieve through its flexible and flowing process are first and foremost to anticipate the potential risks due to external and internal changes but also to track access to ePHI, to keep an eye open on new threats and vulnerabilities, and to quickly and systematically identify security adverse events when they happen.
The Purpose of Security Risk Analysis
- To meet the requirements of the HIPAA Security rule, which came into force in 2005 and requires all healthcare organizations under it to run a comprehensive and accurate risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI;
- To help health care organizations identify threatened areas where ePHI could be at risk, evaluate the risk and vulnerabilities, and take adequate measures to reduce it to a reasonable level, which are all seen as good practices in business;
- To benefit from meaningful use program, thereby receiving Medicare and Medicaid EHR incentives after completion of the analysis and correcting security deficiencies and attesting it
The Security Risk Analysis Process
To make a security risk assessment, organizations should follow the steps below:
- Define the scope of the risk analysis, including all the ePHI created, stored, received, and transmitted by the organizations. It can include EHR system, 3rd party website, email, scan, data to work offline, etc.
- Collect data, starting from where and how the ePHI are stored, received, maintained and transmitted. Data can be collected from various sources using various means:
- Reviewing and capitalizing on past risk analysis and projects;
- Running interviews and surveys in different departments including the IT staff;
- Reviewing the organization’s policies and procedures;
- Others: checking technical data, running vulnerability scan, network scan, etc.
- Identify and document potential threats and vulnerabilities to ePHI
- Assess current security measures to safeguard ePHI and their effectiveness. This consists of reviewing the administrative, technical, and physical safeguards used in the organizations and assessing how effective they are.
- Administrative safeguards are all the policies and procedures meant to secure ePHI, including risk analysis and management, assigned security responsibility, workforce security, information access management, security awareness training, security incident procedures, contingency planning, evaluation, business associate contracts, and other arrangements.
- Physical safeguards are all the hard measures, policies, and procedures that aims to protect the organization’s information systems gathered in buildings as well as related equipment from natural threats, environmental hazards, and unauthorized access, including facility access controls, workstation use and security and device and media controls.
- Technical safeguards are the non-specific requirements regarding the type of technology required to be in adherence with the HIPAA security rules, taking into account access control, audit controls, integrity controls, person or entity authentication, and transmission security.
- This step can be accomplished by vulnerability testing, penetration testing, social engineering, reviewing/updating documents, etc.
- Determining the likelihood that the identified threat will take advantage of a vulnerability. It helps to know what threats the HIPAA security rules require you to protect against.
- Determining the potential impact when the threat actually occurs. This step is the most important to know exactly what is affected from confidentiality, integrity and availability of ePHI. Indeed, when a security adverse event occurs, it can make ePHI accessible to external individuals, such as hackers compromising their confidentiality; it can lead to partial or complete loss of data (after an earthquake, for instance) it can change and threaten their integrity; and, finally, it can make them inaccessible to the care givers, for instance, which make their availability compromised.
- Determining the level of risk. By combining the likelihood and impact of threats and vulnerabilities that helps classify risk as high, medium or low and prioritize how risk will be addressed.
Risk level matrix example
8. Creating a document about corrective measures to lower the risk (new policy, training staff).
9. Reviewing and updating the risk analysis at least annually, as well as when there are changes in the practice or electronic systems. Other reviews may also be required (every EHR reporting period under meaningful use programs).
What Security Risk Analysis Is NOT:
- Security risk analysis is not facultative for small organizations but all the care providers under the HIPAA security rule and who want to benefit from the meaningful use program.
- Security risk analysis is more than just installing a certified EHR, with only a checklist, by only looking at the EHR of the organization, or performed only once. It should be a full analysis (not only what is in EHR), should follow a systematic and documented process, should consider EHR hardware and software as well as other devices that can access the ePHI, and, finally, should be an ongoing and continuous process that adapts to the organization’s changes.
- Security risk analysis should not be outsourced if external help is not needed. It is valuable especially for small providers who are able to run their own analysis and only outsource expertise to check their compliance to the HIPAA security rule.
To perform a security risk assessment, there are many tools, methods, and best practices tips to help organizations reach compliance with HIPAA security rules. The guidance on risk analysis requirements of the security rule issued by OCR is a good reference for organizations about the best and most effective ways to protect ePHI.