Probabilistic Risk Analysis. Farrokh Alemi, Ph.D. April 12, 2004
TRANSCRIPT
Why Assess Risks?
Based on incidents experienced across the industry
Not an imagined risk
Allows benchmarks against peer organizations
If repeated over time, measures progress in reducing risks
Can be used to set premiums for HIPAA insurance
How to Assess Risks for Unauthorized Disclosures?
$p(U) = \sum_{i=1}^{n} p(U \mid H_i)\, p(H_i)$
$p(H_i) = \dfrac{1}{1 + t_i}$
$p(U \mid H_i) = \dfrac{p(H_i \mid U)\, p(U)}{p(H_i)}$
Assessment of Probability of Unauthorized Disclosure
Database searched | Records found | Number of unauthorized disclosures | Dates | Probability of unauthorized disclosure
LexisNexis Academic | 47 | 2 | 01/01/03-12/31/03 | 0.005
Health Reference Center-Academic Infotrac | 141 | 8 | 01/01/90-12/31/03 | 0.022
DHHS reports | 22 | 16 | 01/01/03-12/31/03 | 0.044
(not named on slide) | 3 | 3 | 01/01/03-12/31/03 | 0.008
Total | 213 | 29 | 01/01/90-12/31/03 | 0.079
List of Hazards
Clinician using unsecured email environment
Clinician gathers information from patients' family and friends after the visit
Discussion of patient care with co-workers not engaged in care
Medical reports or records with wrong recipient information
Caring for employees' friends and family members
Benefit organizations or employers request employee information
Employees engaged in whistle blowing to uncover illegal or unacceptable business or clinical practices
Patient records (paper documents) not kept in secure environment or sealed envelope; or documents displayed in plain view of others
Clinician discusses patient care in a setting where others can easily hear
Employee removes patient records from secure location or workplace without authorization
Employee views paper documents or manipulates computer passwords to view medical records of patients not under his/her care
External infection of computers / password / network systems (e.g. computer hacker)
Theft of computers or hard drives
Sale of patient records
Blackmail/Extortion of organization or an employee
Patient using identity of another person to gain insurance benefits
Changes in custody or family relationships not revealed by the patient
Audit of business practices by outside firm without clinicians' approval
Business Associate violates Chain of Trust Agreement
Legal System/Law Enforcement requests, subpoenas or seizes patient records
Error in patient identity during data transfer to third party insurers
Prevalence of Hazards Among Unauthorized Disclosures
Hazard category | Description of the hazard | p(Hi | U)
Impermissible sharing of patient health information | Clinician using unsecured email environment | 0.01
Impermissible sharing of patient health information | Clinician attempting to gather information from patients' family and friends | 0.14
Impermissible sharing of patient health information | Discussion of patient with co-workers not engaged in care | 0.08
Impermissible sharing of patient health information | Medical reports or records with wrong recipient information | 0.07
Impermissible sharing of patient health information | Caring for clinicians' friends and family members and discussing the care outside of the work environment | 0.03
Impermissible sharing of patient health information | Benefit organizations or employers request patient information | 0.04
Lack of physical safeguards for PHI | Patient records (paper documents) not kept in secure environment or sealed envelope; or documents displayed in plain view of others | 0.14
Lack of physical safeguards for PHI | Patient records or information discussed in a setting where others can easily hear | 0.05
Inappropriate access to patient health information | Employee removes patient records from secure location or workplace without proper authorization or just cause | 0.01
Inappropriate access to patient health information | Employee views paper documents or manipulates computer passwords to view medical records of patients not under his/her care | 0.10
Illegal activities | External infection of computers/password/network systems (e.g. computer hacker) | 0.01
Illegal activities | Theft of computers or hard drives | 0.02
Illegal activities | Sale of patients' records | 0.06
Illegal activities | Blackmail/Extortion of your organization or an employee | 0.02
Patient causes | Patient using identity of another person to gain insurance benefits | 0.01
Patient causes | Changes in custody or family relationships not revealed by the patient | 0.01
3rd party causes | Audit of clinical practices by outside firm without clinician approval | 0.01
3rd party causes | Business Associate violates Chain of Trust Agreement | 0.02
3rd party causes | Legal System/Law Enforcement requests, subpoenas or seizes medical records | 0.12
3rd party causes | Error in patient identity during transfer of data to third party insurers | 0.01
Assessment of Hazards at Health Care Organizations
How often does a clinician in your organization email a message in an unsecured environment?
Frequency | Rating
Unlikely | Negligible
2-3 times / 5 years | Very Low
<= once / year | Low
<= once / 6 months | Medium
<= once / month | High
>= once / month | Very High
>= once / day | Extreme
Indicate the two most recent times (enter number of days, weeks, months or years prior to today) when a clinician emailed a message in an unsecured environment:
Please indicate the last two times when a clinician emailed a message in an unsecured environment. Enter date in the format DD/MM/YY.
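The three formulas at the top of the lecture, carried through on survey answers of the kind the slide above collects, as an added worked example (not the author's code): the organization's p(Hi) comes from the time since each hazard was last observed, p(U | Hi) from Bayes' rule with the prevalence table and the 0.079 industry base rate, and p(U) from the total-probability sum. It assumes the p(Hi) in the Bayes denominator is an industry-wide rate, which the slides do not supply, so those values, the hazard subset and the survey dates are constructed placeholders.

```python
from datetime import date

# Industry base rate p(U): the "Total" row of the database search (29 disclosures in 213 records).
P_U_INDUSTRY = 0.079

# Per hazard: (p(Hi | U) from the prevalence tables, industry-wide p(Hi) for the Bayes denominator).
# The second value is a CONSTRUCTED placeholder; the slides give p(Hi | U) but not an industry p(Hi).
HAZARDS = {
    "unsecured_email": (0.01, 0.20),
    "records_in_plain_view": (0.14, 0.30),
    "viewing_records_not_under_care": (0.10, 0.15),
    "law_enforcement_request": (0.12, 0.25),
}


def time_to_event_prior(last_seen: str, today: str) -> float:
    """p(Hi) = 1 / (1 + ti), ti = days since this organization last observed the hazard (ISO dates)."""
    t = (date.fromisoformat(today) - date.fromisoformat(last_seen)).days
    if t < 0:
        raise ValueError("occurrence date lies in the future")
    return 1.0 / (1.0 + t)


def p_u_given_h(hazard: str) -> float:
    """Bayes' rule as on the slide: p(U | Hi) = p(Hi | U) p(U) / p(Hi)."""
    p_h_given_u, p_h_industry = HAZARDS[hazard]
    value = p_h_given_u * P_U_INDUSTRY / p_h_industry
    if value > 1.0:  # inconsistent inputs: industry p(Hi) cannot be smaller than p(Hi | U) p(U)
        raise ValueError(f"inconsistent inputs for {hazard}: p(U | H) = {value:.3f} > 1")
    return value


def p_unauthorized_disclosure(last_seen_by_hazard: dict, today: str) -> float:
    """Total probability p(U) = sum_i p(U | Hi) p(Hi), using the organization's own p(Hi) from survey dates."""
    return sum(p_u_given_h(h) * time_to_event_prior(seen, today)
               for h, seen in last_seen_by_hazard.items())


def example_assessment() -> float:
    # CONSTRUCTED survey answers: most recent date each hazard was observed, assessed on 2004-04-12.
    answers = {
        "unsecured_email": "2004-04-11",                 # t = 1 day    -> p(Hi) = 1/2
        "records_in_plain_view": "2004-04-02",           # t = 10 days  -> 1/11
        "viewing_records_not_under_care": "2004-01-12",  # t = 91 days  -> 1/92
        "law_enforcement_request": "2003-04-12",         # t = 366 days -> 1/367
    }
    return p_unauthorized_disclosure(answers, "2004-04-12")


if __name__ == "__main__":
    print(f"p(U) for this organization = {example_assessment():.4f}")
```

The sum treats the hazards as mutually exclusive, as the total-probability formula requires; a hazard whose Bayes step yields a value above 1 signals inconsistent inputs and is rejected rather than silently capped.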
Assignment
Answer the online survey for an imaginary health care organization
Analyze responses to calculate probability of unauthorized disclosure
Discuss the assessment procedure
Security Management Process
Process: Analyzing and managing risk; developing a sanction policy for violations; reviewing information systems activities
Events: None

Assigned Security Responsibility
Process: Assigning a person at the facility to oversee and implement the HIPAA security plan
Events: Security official is not available during an incident

Workforce Security
Process: Authorizing or supervising employees' access to ePHI; implementing a clearance policy and adjusting access if employment is terminated or changed
Events: Employee performs a job not appropriate for his/her access level; conducting insufficient background checks; employee termination incorrectly recorded; checklist not used to verify access termination

Information Access Management
Process: Isolating clearinghouse functions; determining criteria for establishing access; determining who should access ePHI and evaluating existing security measures
Events: Employee exceeds the "greater than minimum" access necessary for his/her job role

Security Awareness and Training
Process: Conduct a training needs assessment; develop a training strategy; develop appropriate awareness training content and best delivery methods; implement the training; monitor the training plan
Events: Traveling employee has an unsecured machine; failure to apply security patches to systems

Security Incident Procedures
Process: Determine goals of incident response; develop and deploy an incident response team; develop incident response procedures; post-incident analysis procedures
Events: Incident response team is not available during an incident

Contingency Plan
Process: Developing a plan; conducting impact and data criticality analyses; identifying preventive measures; developing a recovery strategy
Events: No call list of emergency responders during an incident

Evaluation
Process: Performing periodic technical and non-technical evaluations in response to environmental and operational changes affecting the security of ePHI
Events: None

Business Associate Agreements
Process: Identifying business associates; executing new agreements or updating current ones; measuring contract performance and violations
Events: Business Associate violates security policies; new vendors are not listed on contracts; audit log does not contain a complete record of Business Associate activities

Facility Access Controls
Process: Analyze existing physical vulnerabilities; identify corrective measures; develop a facility security plan; develop access control procedures; establish contingency operations procedures
Events: Employee bypassed physical security control; physical environment around facility contains risk to security controls; emergency personnel cannot access facility during an emergency; natural disasters

Workstation Use
Process: Identify workstation types and functions; identify expected performance of each workstation; analyze physical surroundings for physical attributes
Events: Workstations with different functions kept in the same area

Workstation Security
Process: Identify all methods of physical access to workstations; analyze the risk associated with each type of access; identify physical safeguards
Events: Workstations are kept in public areas; unauthorized viewing of workstations

Access Controls
Process: Analyze workloads and operations to identify the access needs of all users; identify data and systems where access control is required; assign a unique identifier; develop an access control policy; implement access control procedures; review and update user access; establish an emergency access procedure; terminate access if no longer needed
Events: Sharing of user ID or password; access not changed in conjunction with change in employment status; machine fails to auto-log off

Audit Controls
Process: Determine the systems or activities that will be tracked or audited; select auditing tools; develop a system/activity review policy; develop appropriate standard operating procedures; implement the audit/system review process
Events: Audit logs do not accurately or completely track users' actions

Integrity
Process: Identify all users who have been authorized to access ePHI; identify any possible unauthorized sources that may be able to intercept the information and modify it; develop an integrity policy; implement procedures; establish a monitoring process
Events: Foreign entity intercepts and modifies data

Person or Entity Authentication
Process: Determine authentication applicability to current systems/applications; evaluate authentication options available; select and implement an authentication option
Events: Identity of information source is not verified

Transmission Security
Process: Identify any possible unauthorized sources that may be able to intercept and/or modify the information; develop a transmission security policy; implement procedures for transmitting ePHI
Events: Sending unencrypted messages

Device and Media Controls
Process: Evaluate methods for final disposal of ePHI; develop procedures for reuse of electronic media; maintain records of hardware, media and personnel; develop backup procedures to ensure data integrity during equipment relocation
Events: Electronic media is re-used or discarded without modification