Do I need to address all identified security risks?


Before conducting a meaningful use security risk analysis of ePHI, practitioners must clearly understand the terminology:

Risk is the level of exposure to threats, and the potential impact of those threats, on the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI).

Threats are all factors that can have a negative impact on ePHI.

Threats may be:

–  Intentional (e.g., an attacker acting with malicious intent); or

–  Unintentional (e.g., a misconfigured security role assignment in the EHR system, a data entry error).

Threat sources include:

–  Natural (e.g., floods, earthquakes, storms, tornadoes);

–  Human (e.g., intentional, such as identity thieves, hackers, spyware authors; unintentional, such as data entry errors, accidental deletions, improper disclosure); or

–  Environmental (e.g., power surges and spikes, hazardous-material contamination, pollution).

Vulnerabilities are flaws or weaknesses in an EHR or practice management (PMS) system's security procedures, design, implementation, or controls that could be intentionally or unintentionally exercised by a threat.

Impact is the negative quantitative and/or qualitative effect on the confidentiality, integrity, and availability of ePHI when a vulnerability is exercised by a threat.

How to identify security risks during your meaningful use security risk assessment is beyond the scope of this article; our focus is on strategizing how to address the risks once they are identified. As recent breach announcements from major retailers and healthcare providers demonstrate, identifying security risks in technology systems is only half the battle. Strategically addressing the risks identified in the risk analysis is the key to maintaining the upper hand. Most risk identification focuses on analyzing your various systems, including EHR programs, the network, wireless infrastructure, desktops and laptops, mobile devices, and other portable media such as USB thumb drives and backup tapes.

As for addressing all identified risks: it is effectively impossible, because, as security experts generally agree, threats are constantly evolving. For instance, by the time you have reasonably secured all desktops and laptops, your ePHI may also have moved onto mobile devices and to cloud service providers. It is said in the industry that you cannot run a business with zero risk, and that notion applies fully to information security risk.

Prioritization of risk should take into account all information gathered and the determinations made by analyzing the likelihood of each threat occurring and its resulting impact. The risk-level determination may be performed by assigning a risk level based on the average of the assigned likelihood and impact levels. A risk-level matrix, such as the sample depicted below, can be used to assist in determining risk levels.

Most organizations can address the identified risks using one or more of the following options:

  • By accepting the risks
  • By mitigating the risks
  • By transferring the risks

Not every recommended security control can always be implemented to reduce the identified risks. To determine which controls are most necessary and appropriate, conduct a cost-benefit analysis of each recommended control to demonstrate that the cost of implementing it is justified by the reduction in the level of risk. In addition to cost, organizations should consider the operational impact and the feasibility of introducing each recommended control into the operating environment.
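The risk-level determination described earlier (a level derived from the average of the assigned likelihood and impact levels, looked up in a likelihood-by-impact matrix) and the cost-benefit test for choosing between accepting, mitigating and transferring a risk can both be carried out mechanically over a small risk register. The Python below is an added example written for this page, not code from the original article or from EHR 2.0. The three-point Low/Medium/High scales, the mapping of likelihood to an annual occurrence rate, the dollar figures, the control names and every entry in the sample register are constructed assumptions, and the decision rule (accept Low-level risks; otherwise mitigate only when a control's risk reduction exceeds its cost; otherwise transfer if an insurance premium is cheaper than the expected annual loss; otherwise accept and document the residual risk) is one reasonable reading of the article's three options, not the only one.

```python
"""Risk prioritization and treatment for an ePHI risk register.

Added example, not code from the original article: rates each identified
risk by likelihood and impact, derives the risk level from the average of
the two, ranks the register, then chooses accept / mitigate / transfer
with a cost-benefit test. Scales, rates, dollar figures and the sample
register are all constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LEVELS = {"Low": 1, "Medium": 2, "High": 3}      # ordinal scale (assumed)
NAMES = {v: k for k, v in LEVELS.items()}
RATE = {"Low": 0.1, "Medium": 0.5, "High": 1.0}  # assumed occurrences per year


@dataclass
class Control:
    name: str
    annual_cost: float         # cost to implement and operate, per year
    residual_likelihood: str   # likelihood once the control is in place
    residual_loss: float       # loss per occurrence once the control is in place


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    loss_if_realized: float                    # estimated loss per occurrence
    controls: List[Control] = field(default_factory=list)
    transfer_premium: Optional[float] = None   # e.g. a quoted cyber-insurance premium


@dataclass
class Decision:
    option: str                  # "accept", "mitigate" or "transfer"
    control: Optional[str]
    residual_annual_cost: float  # expected yearly cost to the organization after treatment


def risk_score(likelihood: str, impact: str) -> float:
    """Average of the ordinal likelihood and impact levels, as the article describes."""
    return (LEVELS[likelihood] + LEVELS[impact]) / 2


def risk_level(likelihood: str, impact: str) -> str:
    """Map the averaged score back onto the scale; half-points round up (assumption)."""
    return NAMES[int(risk_score(likelihood, impact) + 0.5)]


def risk_matrix() -> Dict[Tuple[str, str], str]:
    """The full likelihood x impact lookup table, one cell per combination."""
    return {(lk, im): risk_level(lk, im) for lk in LEVELS for im in LEVELS}


def annual_loss_expectancy(likelihood: str, loss: float) -> float:
    """Expected loss per year = assumed occurrence rate x loss per occurrence."""
    return RATE[likelihood] * loss


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest risk level first; ties broken by expected annual loss."""
    return sorted(register, key=lambda r: (-risk_score(r.likelihood, r.impact),
                                           -annual_loss_expectancy(r.likelihood, r.loss_if_realized)))


def treat(risk: Risk) -> Decision:
    """Accept Low risks; else mitigate when a control's net benefit is positive;
    else transfer when a premium is cheaper than the expected loss; else accept."""
    ale = annual_loss_expectancy(risk.likelihood, risk.loss_if_realized)
    if risk_level(risk.likelihood, risk.impact) == "Low":
        return Decision("accept", None, ale)
    best: Optional[Tuple[float, Control, float]] = None
    for c in risk.controls:
        ale_after = annual_loss_expectancy(c.residual_likelihood, c.residual_loss)
        net_benefit = (ale - ale_after) - c.annual_cost   # the cost-benefit test
        if net_benefit > 0 and (best is None or net_benefit > best[0]):
            best = (net_benefit, c, ale_after)
    if best is not None:
        _, control, ale_after = best
        return Decision("mitigate", control.name, ale_after + control.annual_cost)
    if risk.transfer_premium is not None and risk.transfer_premium < ale:
        return Decision("transfer", None, risk.transfer_premium)
    return Decision("accept", None, ale)   # residual risk: must be documented and reviewed


# Constructed sample register (not real findings)
SAMPLE_REGISTER = [
    Risk("Clinic laptop", "theft", "no full-disk encryption", "High", "High", 500_000,
         [Control("Full-disk encryption", 5_000, "High", 5_000)]),
    Risk("EHR application", "misconfigured role assignment", "no periodic access review",
         "Medium", "Medium", 50_000, [Control("Quarterly access review", 8_000, "Low", 50_000)]),
    Risk("EHR database server", "flood", "server room below grade", "Low", "High", 200_000,
         [Control("Relocate data center", 300_000, "Low", 0)], transfer_premium=12_000),
    Risk("Front-desk workstation", "power surge", "no surge protection", "Low", "Low", 1_000),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        d = treat(r)
        print(f"{risk_level(r.likelihood, r.impact):6} {r.asset:22} -> {d.option:8} {d.control or ''}")
```

Running the block prints the register in priority order with the chosen treatment for each entry. The flood scenario is the instructive case: relocating the data center would remove the risk but costs far more than the expected loss, so the cost-benefit test rejects it and the risk is transferred instead; a risk that falls through to "accept" with no affordable control is the residual risk the article says must be managed within acceptable levels.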

Your overall objective in addressing any risk is to minimize the probability and consequences of adverse events to your organization, and to manage the remaining risks within acceptable levels.


Shasta Regional Medical Center Settles HIPAA Security Case for $275,000


Shasta Regional Medical Center (SRMC) has agreed to a comprehensive corrective action plan to settle an investigation by the U.S. Department of Health and Human Services (HHS) into potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, and will pay a $275,000 monetary settlement.

The HHS Office for Civil Rights (OCR) opened a compliance review of SRMC following a Los Angeles Times article that indicated two SRMC senior leaders had met with the media to discuss medical services provided to a patient. OCR's investigation indicated that SRMC failed to safeguard the patient's protected health information (PHI) from impermissible disclosure by intentionally disclosing PHI to multiple media outlets on at least three separate occasions, without a valid written authorization. OCR's review also indicated that senior management at SRMC impermissibly shared details about the patient's medical condition, diagnosis and treatment in an email to the entire workforce. Further, SRMC failed to sanction its workforce members for impermissibly disclosing the patient's records, as required by its internal sanctions policy.

In addition to the $275,000 monetary settlement, a corrective action plan (CAP) requires SRMC to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures and to train its workforce members. The CAP also requires fifteen other hospitals or medical centers under the same ownership or operational control as SRMC to attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media.
