WEEK 5 ANNOTATED BIBLIOGRAPHY


Chapter 13: Security Threats and Controls

Fundamentals of Law for Health Informatics and Information Management, Third Edition

© 2017 American Health Information Management Association


Overview

Healthcare organizations must address circumstances that threaten privacy and security of patient information.

The HIPAA Security Rule requires implementation of security safeguards to protect ePHI.

NIST and other standards are also covered in the chapter.


Types of Security Threats

Threats to health information can be categorized as:

Human

Natural

Environmental

Both human and natural/environmental threats can also be categorized as:

Internal threats

External threats


Human Security Threats

Human threats

Can be intentional

For example, theft, intentional alteration and destruction, virus attacks

May be due to disgruntled employees (internal)

May be due to external hackers or pranksters (cybersecurity, phishing, ransomware)

Can be unintentional

For example, employee error, unintentional alteration and destruction

Internal breaches caused by humans are more common than external breaches.


Figure 13.1 has an example of employee breach


Natural and Environmental Security Threats

Are generally unintentional

Examples of external threats:

Hurricanes, tornadoes, lightning

Examples of internal threats:

Fire, water damage from an internal source

Highlight the need for disaster recovery/business continuity planning to minimize downtime and restore data


Vulnerabilities

Weaknesses that impact security

It is something that can be exploited

Threat vector: The path taken to exploit the vulnerability


Identity Theft: A Security Threat

Identity theft

Made possible due to ease by which electronic information can be stolen

Identity Theft and Assumption Deterrence Act of 1998 makes it a federal crime to commit identity theft

Federal Trade Commission has oversight of identity theft regulations


Medical Identity Theft

Two main types

Use of name and other personal identifiers without knowledge or consent of the victim to obtain medical services

In some circumstances, victim’s consent may be obtained, but victim doesn’t realize the consequences

Example: Victim gives permission to another to use the victim’s insurance card to obtain medical services

Use of name and other personal identifiers to obtain money by falsifying claims for medical services


Medical Identity Theft

Medical identity theft can be internal or external

Internal (most common): Committed by organization insiders

Examples: Clinical or administrative staff with access to patient information, sophisticated crime rings infiltrating an organization by posing as staff

External: Committed by outsiders

Example: A patient who uses another’s medical insurance information (with or without permission)


Medical Identity Theft

If a patient’s information is altered but the patient’s identity is not abused, this is not medical identity theft.

If a patient’s financial information is used to purchase goods or services that are not medical in nature, this is not medical identity theft.


Implications of Medical Identity Theft

Financial consequences

Debt collection

Monetary losses

Damaged credit

Insurance denials

Medical consequences

Possibility of wrong care

Incorrect medical history


Detecting Theft of One’s Own Medical Identity

HIPAA

Accounting of disclosures (all covered entities) and accounting of payment disclosures for covered entities with EHRs

Weak; requires patient to make request

HITECH

Breach notification requirement

Application of HIPAA to personal health record vendors and third-party service providers


Reporting Medical Identity Theft

HIPAA breach notification requirement

Fair and Accurate Credit Transactions Act (FACTA)

Requires financial institutions and creditors to develop and implement written identity theft programs to identify, detect, and respond to red flags that may signal presence of identity theft (Red Flags Rule)

Red flag: Pattern, practice, or specific activity that could indicate identity theft


FACTA and the Red Flags Rule

FACTA and the Red Flags Rule do not specifically address medical identity theft, but many healthcare organizations must follow it because they meet the definition of creditor.

The Red Flags Rule went into effect December 31, 2010.


Examples are in Figure 13.2


Red Flags Rule

Five categories of red flags that trigger an alert of possible identity theft:

Alerts, notifications, or warnings from a consumer reporting agency

Suspicious documents

Suspicious personally identifying information such as a suspicious address

Unusual use of, or suspicious activity relating to, a covered account

Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with an account

Red flags should be incorporated into healthcare provider policies and procedures


Prevention, Detection, and Mitigation of Medical Identity Theft

Prevention challenges

Ensuring that preventive safeguards are in place to protect the privacy and security of patient information

Balancing patient privacy protections with disclosure of identity theft events to victims, law enforcement, and federal agencies

Identifying resources to assist healthcare organizations, providers, and patients who are victims of identity theft


Prevention of Medical Identity Theft

Ensure appropriate background checks of employees and business associates who may have access to business and patient protected health information (PHI).

Minimize the use of Social Security numbers for identification. Whenever possible, redact or replace some of the digits in the number. Avoid displaying the entire number on any document, screen, or data collection field.

Store patient information in a secure manner, ensuring that physical safeguards such as restricted access and locks are in place. Consider securing a release of liability from patients who refuse to use facility-provided lockboxes or other storage for personal items.


Prevention of Medical Identity Theft

Implement and comply with organizational policies for the appropriate disposal, destruction, and reuse of any media used to collect and store patient information.

Implement and comply with organizational policies and procedures that provide safeguards to ensure the security and privacy of patient information collected, maintained, and transmitted electronically.

Train staff on organizational policies and practices developed to provide protection and appropriate use and disclosure of patient information, as well as appropriate responses to identity theft events.

Develop a proactive identity theft response plan or policy that clearly outlines the response process and identifies the organization’s obligations to report or disclose to law enforcement or government agencies information related to such crimes.


Prevention of External Medical Identity Theft

When a patient presents for service or seeks to obtain benefits such as medical equipment:

Require a driver’s license to verify identity

Take photograph of patient

Biometric identifiers

Compare patient signature from previous encounters

All measures depend on valid baseline information

If baseline information is fraudulent, all subsequent encounters will be based on fraudulent information.


Prevention of Internal Medical Identity Theft

Background checks for employees and business associates

Minimize temporary hiring of individuals not licensed, certified, credentialed, or bound by professional codes of ethics

Avoid using or showing full Social Security numbers on data collection fields

Stringent access controls and systems controls


Mitigation of Medical Identity Theft

Address breach notification requirements

Separate intermingled health information of victim and perpetrator

Contact law enforcement


Security Access and Systems Controls

Access controls: Prevent unauthorized individuals from retrieving, using, or altering information

Only individuals with a “need to know” should have access to ePHI.


Security Access and Systems Controls

Access parameters:

Who has a right to information

How a user can access information


Access Controls

Types of access rights

User-based

Example: Specific access given to an individual

Role-based: Access based on roles that individuals have in an organization

Example: All nurses given same level of access

Context-based: Most stringent; additional layer beyond user-based or role-based access and considers context of transaction

Example: Nurses given access to only their units and only during their assigned shifts
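As an added example (not part of the chapter or the slide deck), the three access-right types above and the audit trail mentioned later in the deck modelled in Python. The users, units, shifts and the rights policy are constructed; the context-based layer enforces the "own unit, own shift" rule the slide describes, including a night shift that crosses midnight:

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Role-based rights: what each role may do with ePHI (constructed policy).
ROLE_RIGHTS = {"nurse": {"read", "update"}, "billing": {"read"}}

@dataclass
class User:
    user_id: str
    role: str
    unit: str      # home unit, used by the context-based check
    shift: tuple   # (start, end) as datetime.time; may cross midnight
    extra_rights: set = field(default_factory=set)  # user-based grants

@dataclass
class AccessRequest:
    user: User
    action: str        # "read", "update", "order", ...
    patient_unit: str  # unit the requested record belongs to
    when: datetime     # time of the request

AUDIT_TRAIL = []  # reactive control: every decision is recorded here

def in_shift(start: time, end: time, now: time) -> bool:
    """True if now falls inside the shift; handles shifts that cross midnight."""
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end  # e.g. a 19:00 to 07:00 night shift

def check_access(req: AccessRequest) -> bool:
    """Layered check: role/user rights first, then unit and shift context."""
    u = req.user
    rights = ROLE_RIGHTS.get(u.role, set()) | u.extra_rights
    if req.action not in rights:
        reason = "no right"       # role-based / user-based layer fails
    elif req.patient_unit != u.unit:
        reason = "outside unit"   # context layer: own unit only
    elif not in_shift(u.shift[0], u.shift[1], req.when.time()):
        reason = "outside shift"  # context layer: assigned shift only
    else:
        reason = "ok"
    AUDIT_TRAIL.append({"user": u.user_id, "action": req.action,
                        "unit": req.patient_unit, "at": req.when.isoformat(),
                        "result": reason})
    return reason == "ok"

def denied_reasons(user_id: str) -> list:
    """Audit-trail query: why a user was denied, for access review."""
    return [e["result"] for e in AUDIT_TRAIL
            if e["user"] == user_id and e["result"] != "ok"]

# Constructed users: a night-shift ICU nurse, an ED nurse with an individual
# (user-based) grant to place orders, and a day-shift billing clerk.
USERS = {
    "n_lopez": User("n_lopez", "nurse", "ICU", (time(19, 0), time(7, 0))),
    "n_amin": User("n_amin", "nurse", "ED", (time(7, 0), time(19, 0)), {"order"}),
    "b_chen": User("b_chen", "billing", "BILLING", (time(8, 0), time(17, 0))),
}

def decide(user_id: str, action: str, patient_unit: str, when_iso: str) -> bool:
    """Convenience wrapper: look up the user and evaluate one request."""
    req = AccessRequest(USERS[user_id], action, patient_unit,
                        datetime.fromisoformat(when_iso))
    return check_access(req)
```

A denied request never tells the caller which layer failed; that detail goes only to the audit trail, where the frequent access reviews the deck recommends can read it.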


Access Controls: Entity Authentication

Entity authentication: Determining an entity is the one claimed based on predetermined criteria

User ID (often logical and/or public)

Authentication methods:

Something you know (for example, password)

Something you are (for example, biometric identifier)

Something you have (for example, tokens and swipe cards)

Telephone call-back can also be used for remote access


Access Controls: Entity Authentication

Single-factor authentication

Combines user ID with one of the three authentication methods

Two-factor authentication

Combines user ID with any two of the three authentication methods


Access Controls: Passwords

Often 4–16 characters

Minimum of 8 characters is common

Easy to remember for the user

Difficult for others to determine

Organizations must develop password guidelines


Access Controls: Password Guidelines

Should

Be a combination of letters and numbers

Have at least 8 characters, mixing upper- and lower-case

Be changed frequently

Should not be

Easily guessed (for example, a pet’s name)

A word that is in the dictionary

A word that is newsworthy

Similar to one’s previous password

Shared with others or displayed


Figure 13.3 in text


Access Controls: Other Common Security Mechanisms

Automatic log-off

Termination of access

Prior to or at end of employment

When user roles change within organization

Audit trail

Reactive, but shows log-on attempts and successful computer access

Tokens

Biometric identification


Access Controls: Other Common Security Mechanisms

Employee nondisclosure agreements and training

Frequent review/modification of individual access

Security training should evolve with new technologies and policy changes


Remote Access Control

Create security policy and train workforce

Issue proper equipment for work purposes only

Deploy virtual private networks

Use two-factor authentication

Do not allow information to be stored locally

Monitor status of all computers

Check virus updates regularly

Require personal firewalls

Require shredders for printed information

Balance security with ease of access


Remote Network Access

SANS recommendations

Acceptable encryption policy

Acceptable use policy

Password policy

Third-party agreement

Hardware and software configuration standards for remote access


Access Controls: Mechanisms for Mobile Devices

Require that laptop always be carried

Use physical security device

Never leave laptop unattended

Never leave laptop visible

Install desktop firewall, antivirus, and intrusion software

Encrypt files on laptop

Do not store password on device


Systems Controls

Protect ePHI in addition to access controls discussed previously

Also addressed by the HIPAA Security Rule

Generally relate to systems hardware or software, and functions such as ePHI transmission (for example, fax and e-mail)


Cybersecurity

“Preventative methods used to protect information from being stolen, compromised or attacked. It requires an understanding of potential information threats, such as viruses and other malicious code. Cybersecurity strategies include identity management, risk management and incident management.”

One of the major causes of data breaches


Systems Controls

Workstation use and security

Screen savers

Screen shields

Screen positioning

Policies and procedures


Systems Controls

Data encryption

Codes or scrambles data being transferred from one location to another

Pretty good privacy

Used to encrypt e-mail messages

Wired equivalent privacy

Used to protect information on wireless networks


Systems Controls

Encryption

Public key: Uses two keys, one private and one public

Data encrypted with public key can be decrypted only by private key

Data encrypted with private key can be decrypted only by public key

Single key

Used more frequently for large files


Systems Controls

Firewall protection

A firewall is hardware or software that examines traffic entering and leaving a network

Most commonly used between a healthcare organization’s internal (trusted) network and the Internet (untrusted network)

Provides limits

Internal users are limited in accessing the internet.

Internet users are limited in accessing portions of internal network.


Systems Controls

Routers

Routers link different networks

Are responsible for sending network traffic to the correct destination

Not as robust as firewalls, but may filter certain network traffic


Systems Controls

Intrusion detection systems (IDS)

Alarm network for the system

Warn of possible inappropriate access attempts

Intrusion prevention systems (IPS)

Identify malicious network traffic

Apply rules to block its passage

Both IDS and IPS require significant human monitoring to check for false alarms.


Systems Controls

Antivirus programs

Common types of viruses

File infectors: Attach to program files

System or boot-record infectors: Infect areas of hard disks or diskettes

Macro viruses: Infect the Microsoft Word application, inserting unwanted words or phrases

Worm: Stores and replicates itself

Trojan horse: Destructive programming code that hides itself in another piece of programming code


Systems Controls

Antivirus programs

Virus checking is an important system security mechanism.

Antivirus software packages

Virus catalog must be updated frequently

Zero-day exploits may do considerable harm within one day.


Transmission of ePHI

Policies and procedures must be put into place to safeguard data transmitted via

Faxing

Internet

E-mail

Telehealth/telemedicine

Wireless communication devices

Social media


Faxing Health Records

AHIMA guidelines:

Generally: Only in urgent medical situations or for ongoing payer certification

Never prudent to fax highly sensitive information

Verify that recipient is authorized to receive, will be on stand-by to receive, will call to confirm receipt

Preprogram frequent fax numbers

Fax machines in secure locations

Confidentiality statement on cover page


Internet

Used more widely to transmit PHI with advent of integrated healthcare delivery systems

Uses:

Information source

Communication device

Extension of organizational network (functional)

Protection of data and system:

Policies and procedures

Systems protections (for example, firewalls)


E-mail

Prohibition against sending highly sensitive information

Issues

Potential for broader discovery

Possible interception (compromises privacy) during transmission or by erroneous recipient

Retention periods

May be difficult to determine true identity of sender

Group e-mails compromise confidentiality

Poor communication can trigger patient dissatisfaction/liability

E-mail attachments can contain computer viruses


Medical Device Security

Potential for security risks

FDA has published new guidance based on 2014 NIST voluntary Framework for Improving Critical Infrastructure Cybersecurity


Telehealth/Telemedicine

Telemedicine: Electronic exchange of medical information from one site to another to improve patients’ health

Telehealth: The use of digital technologies to deliver medical care, health education, and public health services by connecting multiple users in separate locations


Telehealth/Telemedicine

Issues include privacy during transmission

Videoconferencing

Transmission of still images

e-Health

Patient portals

Remote patient monitoring

Continuing medical education

Nursing call centers


Social Media

Texting

Video

Audio

Exponential risks to privacy and security of PHI

Organizations must have policies and procedures regarding what constitutes appropriate and inappropriate posting.


Contingency and Disaster Planning

Continuity plan: Ensures critical business functions can withstand emergencies

Contingency/disaster plan: Includes technical, procedural, and organizational components to follow after a loss. Includes

Risk assessment and analysis

Downtime and contingency planning

Data backup

Data recovery

Emergency mode of operations


Data Backup

Backup servers

Storage media such as backup tapes

Data “dump” onto tapes or other media

Removing it to another location outside the vicinity of the event


Data Recovery

Need is not extensive if data backup efforts are successful

If restoration is not possible, efforts should be made to reconstitute the record as much as possible

Upload documents from undamaged databases

Retranscribe documents from dictation system

Obtain copies from recipients of previously distributed copies


Emergency Mode of Operations

In a healthcare organization, may include recording clinical information:

How will the information be collected?

How will the information be secured?


Figure 13.5 includes a sample disaster plan and checklist

Figure 13.6 is a sample contingency plan


Emergency Mode of Operations

Determine other core operations (for example, MPI and transcription)

Identify contingency plan for each type of disaster and core process

Consider temporary and long-term effects of disasters

Anticipate operations both with and without electricity


Resources to Assist with Threats

Computer Security Resource Center of National Institute of Standards and Technology (NIST)

National Cyber Security Alliance (NCSA)

SANS Institute

AHIMA
