
Chapter 11

Security for
Healthcare
Informatics

Introduction to Healthcare
Informatics

© 2013
Objectives
• Differentiate between addressable and
required implementation specifications
• Describe what a security risk analysis
entails
• Differentiate between the concepts of
vulnerabilities, risks, and threats
• Provide examples of administrative,
physical, and technical safeguards
• Appreciate the foundational importance
of confidentiality, integrity, and availability
in regard to the HIPAA Security Rule
Objectives
• Articulate the HIPAA Security Rule complaint
and enforcement process
• Identify the agencies responsible for HIPAA
Security Rule enforcement
• Describe civil and criminal penalties and the
tiered penalty approach
• Explain how HITECH modifies the HIPAA
Security Rule
• Define medical identity theft

Objectives
• Discuss the potential impacts of medical
identity theft on patients and other
stakeholders
• Describe the steps required for
conducting a business impact analysis
• Delineate the concerns, challenges, and
potential solutions involved in preparing a
full-fledged information and
organizational disaster preparedness plan

Types of Standards
• Flexible, scalable, technology-neutral
solutions and alternatives
• Implementation specifications
o Required—must be implemented as
described in the regulation
o Addressable—should be implemented
unless an organization determines the
specification is not reasonable and
appropriate. Organization must document
assessment and decision
Foundation
• ePHI—electronic protected health
information
• Security incident—the attempted or
successful unauthorized access, use,
disclosure, modification, or destruction
of information, or interference with
system operations in an information system

Security Risk Analysis
• Full evaluation of the methods,
operational practices, and policies by
the covered entity to secure ePHI
• Structural framework to build HIPAA
Security Plan
• Required for Meaningful Use

NIST Guidance on Risk Analysis
• Have you identified the ePHI within your
organization? This includes ePHI that you
create, receive, maintain or transmit.
• What are the external sources of ePHI?
For example, do vendors or consultants
create, receive, maintain, or transmit
ePHI?
• What are the human, natural, and
environmental threats to information
systems that contain ePHI? (NIST SP 800-66, 2008)

Vulnerabilities
• An inherent weakness or absence of a
safeguard that can be exploited by a
threat
• Inappropriate protective methods
o Technical
• Firewalls, virus blockers
o Nontechnical
• Policies and procedures

Threat
• The potential for exploitation of a
vulnerability or potential danger to a
computer, network, or data
• Natural—storms, earthquakes, etc.
• Human
o Intentional—hacking
o Unintentional—Forgetting to log off
• Environmental—power failure

Risks
• The probability of incurring injury or loss
• Compare the probability to the potential
impact

Mandated Risk Analysis Elements
• Scope of the Risk Analysis
• Data Collection
• Identify and Document Potential Threats
and Vulnerabilities
• Assess Current Security Measures
• Determine the Likelihood of Threat
Occurrence
• Determine the Potential Impact of Threat
Occurrence
• Determine the Level of Risk
• Finalize Documentation
• Periodic Review and Updates to the Risk
Assessment
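The elements above (document threat/vulnerability pairs, note current safeguards, rate likelihood and impact, derive a risk level, rank for the documentation step) are easiest to see as a small risk register. The following is an added example, not from the textbook: the asset names, the 1–3 rating scales and the level thresholds are assumptions chosen for illustration.

```python
"""Added example (not from the textbook): a minimal risk register that applies
the mandated risk-analysis elements. Ratings, thresholds and the sample
entries are assumptions for illustration."""
from dataclasses import dataclass, field

# Assumed three-point scales; a real analysis documents its own scale.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskItem:
    asset: str                       # ePHI system or data store in scope
    threat: str                      # natural, human or environmental threat
    vulnerability: str               # weakness or missing safeguard it exploits
    current_safeguards: list = field(default_factory=list)
    likelihood: str = "medium"       # likelihood of threat occurrence
    impact: str = "medium"           # potential impact if it occurs

    def score(self) -> int:
        """Likelihood compared against impact, here as a product (1..9)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def risk_level(score: int) -> str:
    """Map a score to a level; thresholds are an assumption."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def rank_risks(items):
    """Order the register highest risk first, attaching the level, so the
    documentation step records where mitigation effort should go."""
    ranked = sorted(items, key=lambda r: r.score(), reverse=True)
    return [(r.asset, r.threat, r.vulnerability, r.score(), risk_level(r.score()))
            for r in ranked]


# Constructed sample register (not real findings).
SAMPLE_REGISTER = [
    RiskItem("EHR database", "human (intentional)", "shared admin password",
             ["firewall"], likelihood="high", impact="high"),
    RiskItem("laptop fleet", "human (unintentional)", "unencrypted disks",
             [], likelihood="medium", impact="high"),
    RiskItem("data center", "environmental", "single power feed",
             ["UPS"], likelihood="low", impact="medium"),
    RiskItem("backup tapes", "natural (flood)", "stored at ground level",
             ["offsite copy"], likelihood="low", impact="low"),
]

if __name__ == "__main__":
    for row in rank_risks(SAMPLE_REGISTER):
        print(row)
```

The ranked output is the input to the periodic-review step: the register is re-scored whenever safeguards, systems or threats change, and the history of scores is kept as documentation.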
Administrative Safeguard
Standards
• Policies and procedures
o Manage the selection, development,
implementation and maintenance of
security measures to protect ePHI
o Manage the conduct of the covered
entity’s or business associate’s workforce
in relation to the protection of the
information

Security Management Process
Standard—Required
• Risk analysis
• Risk management element
o Communication of security processes
o Leadership involvement with risk
mitigation
• Sanctions policy—how noncompliance
will be addressed
• Information systems activity review—
procedures for monitoring system use

Security Officer
• The official who is responsible for the
development and implementation of
the required Security Rule policies and
procedures

Workforce Security Standard—
Addressable
• Authorization and supervision—
determining the level of access for each
workforce member
• Workforce clearance procedures—
determining that access to ePHI is
appropriate
• Termination procedures—removal of
access privileges when employment
ends
Information Access Management
Standard—Required and
Addressable
• Required—healthcare clearinghouses
must segregate their data from other
activities
• Addressable
o Access authorization—policies and
procedures for granting access
o Authorization and access establishment
and modification—policies and
procedures to establish, document, review
and modify a user’s right of access
Security Awareness and Training
Standard—Addressable
• All existing workforce members must
receive training and periodic training
on updates
o Security reminders—pop-up for log-off
o Protection from malicious software—
guidance for opening attachments
o Log-in monitoring—lockout after 3
unsuccessful log-in attempts
o Password protection—creation, changing
and safeguarding passwords
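Log-in monitoring with lockout after three unsuccessful attempts, as an added example that is not from the textbook. It keeps a per-user failure counter, locks the account at the threshold, refuses even a correct password while locked, and records every event for the information systems activity review. The 15-minute lockout window, the in-memory store, the PBKDF2 password check and the demo salt are assumptions.

```python
"""Added example (not from the textbook): log-in monitoring with lockout after
three failed attempts and an audit trail of every attempt. Lockout window,
storage and the constructed credential are assumptions."""
import hashlib
import hmac
import time

MAX_FAILED_ATTEMPTS = 3      # threshold named on the slide
LOCKOUT_SECONDS = 15 * 60    # assumed lockout window


def make_credential(password: str, salt: bytes) -> tuple:
    """Salted PBKDF2-SHA256 hash of a password (salt constructed for the demo)."""
    return (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))


class LoginMonitor:
    """Counts consecutive failures per user, locks at the threshold, and keeps
    an audit log so attempts can be reviewed later."""

    def __init__(self, credentials: dict, clock=time.time):
        self._creds = credentials        # user -> (salt, derived key)
        self._failed = {}                # user -> consecutive failures
        self._locked_until = {}          # user -> unix time the lock expires
        self.audit_log = []              # (time, user, event)
        self._clock = clock

    def _record(self, user: str, event: str) -> None:
        self.audit_log.append((self._clock(), user, event))

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self._clock() >= until:       # lock expired: reset the counters
            del self._locked_until[user]
            self._failed.pop(user, None)
            return False
        return True

    def _verify(self, user: str, password: str) -> bool:
        entry = self._creds.get(user)
        if entry is None:
            return False
        salt, derived = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, derived)

    def attempt(self, user: str, password: str) -> bool:
        if self.is_locked(user):
            self._record(user, "rejected: account locked")
            return False
        if self._verify(user, password):
            self._failed.pop(user, None)
            self._record(user, "login success")
            return True
        count = self._failed.get(user, 0) + 1
        self._failed[user] = count
        self._record(user, f"login failure #{count}")
        if count >= MAX_FAILED_ATTEMPTS:
            self._locked_until[user] = self._clock() + LOCKOUT_SECONDS
            self._record(user, "account locked")
        return False

    def admin_unlock(self, user: str, admin: str) -> None:
        """Manual reset by the security officer; also an audited event."""
        self._locked_until.pop(user, None)
        self._failed.pop(user, None)
        self._record(user, f"unlocked by {admin}")


def demo():
    """Constructed scenario: three wrong passwords lock the account, the right
    password is refused while locked and accepted once the window has passed."""
    now = [1_000_000.0]                  # controllable clock for the demo
    monitor = LoginMonitor({"nurse01": make_credential("correct horse", b"demo-salt")},
                           clock=lambda: now[0])
    failures = [monitor.attempt("nurse01", "wrong") for _ in range(3)]
    locked = monitor.is_locked("nurse01")
    refused = monitor.attempt("nurse01", "correct horse")
    now[0] += LOCKOUT_SECONDS + 1
    accepted = monitor.attempt("nurse01", "correct horse")
    return failures, locked, refused, accepted, [e for _, _, e in monitor.audit_log]


if __name__ == "__main__":
    print(demo())
```

The audit log is the part that matters for the activity-review procedure: a burst of failures followed by a lock is the signal a reviewer looks for, and an `admin_unlock` event shows who reset it.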
Security Incident Procedures
Standard—Addressable
• Response and reporting—identify and
respond to suspected or known
security incidents; mitigate the harmful
effects; document security incidents
and their outcomes

Contingency Plan Standards—
Required and Addressable
• Data back-up plan
o What data needs to be backed up from
which sources
• Disaster recovery plan
o Procedures for the restoration of any loss
of data
• Emergency mode operation plan
o Continuation of critical business processes
while operating in emergency mode
Contingency Plan Standards—
Required and Addressable
(continued)
• Addressable
o Testing and revision of required
contingency plans—scaled to organizational
size and resources
o Criticality analysis of applications and data
• Balance recovery and management with the
criticality of the system
• Update when new systems added or changes
made

Evaluation Standard—Required
• Perform periodic evaluations, in
response to environmental or
operational changes, to determine
whether security policies and
procedures meet the requirements of
the Security Rule

Business Associate Contracts and
Other Arrangements—Required
• Business associates must
o Follow the Security Rule for ePHI.
o Have business associate agreements with
their subcontractors, who must also follow
the Security Rule for ePHI. Covered entities
do not have business associate
agreements with these subcontractors.
o Obtain authorization prior to marketing

Physical Safeguard Standards
• Physical measures, policies, and
procedures to protect a covered
entity’s electronic information systems
and related buildings and equipment,
from natural and environmental
hazards, and unauthorized intrusion

Facility Access Control
Standard—Addressable
• Contingency operations—procedures
to restore lost data
• Security plan—safeguard the facility
and equipment from unauthorized
physical access, tampering, and theft
• Access control and validation
procedures—based on role
• Maintenance records—document
repairs and modifications related to
security
Workstation Use Standard
• Includes onsite and offsite workstations
• Policies and procedures for proper
function
• Surroundings of the workstation
• Allowed access—workstation must be
encrypted

Workstation Security Standard
• Physical safeguards for all workstations
that access ePHI to restrict access to
authorized users
• Policies and procedures for how
workstations are used and protected

Device and Media Controls
Standard—Addressable and
Required
• Disposal—must be unreadable and
unusable
• Media reuse—internal and external
• Accountability—movements of
hardware and electronic media
• Data back-up and storage—create
retrievable, exact copy
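A "retrievable, exact copy" is only known to be one if it is checked. The following is an added example, not from the textbook: it copies a directory, writes a SHA-256 manifest alongside the backup, restores the backup to a fresh location, and reports any file that is missing or whose digest differs. The temporary directories, file contents and the manifest layout are constructed for the demo.

```python
"""Added example (not from the textbook): back-up with a digest manifest and a
restore check that proves the copy is exact. Paths, contents and the manifest
format are constructed for the demo."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large media files are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(source: Path, dest: Path) -> Path:
    """Copy the source tree to dest and write a manifest of path -> digest."""
    shutil.copytree(source, dest, dirs_exist_ok=True)
    manifest = {p.relative_to(source).as_posix(): sha256_of(p)
                for p in source.rglob("*") if p.is_file()}
    manifest_path = dest.with_suffix(".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest_path


def verify_restore(restored: Path, manifest_path: Path) -> list:
    """Return (relative path, problem) for every file missing or altered."""
    manifest = json.loads(manifest_path.read_text())
    problems = []
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif sha256_of(p) != digest:
            problems.append((rel, "digest mismatch"))
    return problems


def demo():
    """Constructed run: a clean restore verifies, a corrupted one is reported."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "ephi"
        (src / "notes").mkdir(parents=True)
        (src / "patient_1001.txt").write_text("constructed sample record\n")
        (src / "notes" / "visit.txt").write_text("constructed visit note\n")

        manifest = backup(src, root / "backup")
        shutil.copytree(root / "backup", root / "restore")      # restore test
        clean = verify_restore(root / "restore", manifest)

        # Simulate media damage on the restored copy and re-check.
        (root / "restore" / "notes" / "visit.txt").write_text("altered\n")
        damaged = verify_restore(root / "restore", manifest)
        return clean, damaged


if __name__ == "__main__":
    print(demo())
```

The manifest should be stored with the backup and also off the backup media, so that a restore can be checked even if the media itself was tampered with.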

Technical Safeguards Standards
• Greater technological opportunity also
increases organizational risk
• Technology and the policy and
procedures for its use that protect
electronic protected health
information and control access to it

Access Control Standard—
Required and Addressable
• Allow access only to those persons or
software programs with granted access
rights
• Unique user identification
• Emergency access procedure
• Automatic logoff
• Encryption and decryption

Audit Control Standards
• Implement hardware, software, and/or
procedural mechanisms that record
and examine activity in information
systems that contain or use electronic
protected health information
• Track and record user activities to
monitor intentional and unintentional
actions
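An audit control is only useful if someone examines what it records. The following is an added example, not from the textbook: it parses constructed EHR audit-log lines and flags three patterns an activity review would look at (after-hours access, an unusually high number of distinct patient records opened by one user in a day, and access to a record for a patient not on the user's care team). The log format, the business-hours window, the volume threshold and the care-team table are assumptions.

```python
"""Added example (not from the textbook): activity review over constructed
audit-log lines. Log format, thresholds and the care-team table are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: timestamp|user|action|patient_id
SAMPLE_LOG = """\
2013-03-04T08:15:00|dr.lee|VIEW|P1001
2013-03-04T08:20:00|dr.lee|VIEW|P1002
2013-03-04T09:02:00|clerk7|VIEW|P1001
2013-03-04T09:03:00|clerk7|VIEW|P1003
2013-03-04T09:04:00|clerk7|VIEW|P1004
2013-03-04T09:05:00|clerk7|VIEW|P1005
2013-03-04T09:06:00|clerk7|VIEW|P1006
2013-03-04T23:40:00|nurse2|VIEW|P1002
2013-03-04T23:41:00|nurse2|UPDATE|P1002
"""

# Assumed treatment relationships: patient -> users allowed to see the record.
CARE_TEAM = {
    "P1001": {"dr.lee", "clerk7"},
    "P1002": {"dr.lee", "nurse2"},
    "P1003": {"clerk7"},
}
BUSINESS_HOURS = (7, 19)       # 07:00-19:00, assumed
MAX_DISTINCT_PATIENTS = 4      # per user per day, assumed


def parse_log(text: str) -> list:
    """Turn the pipe-delimited lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient})
    return events


def review(events: list) -> list:
    """Return (finding, user, detail) tuples for the reviewer to follow up."""
    findings = []
    per_user_day = defaultdict(set)
    for e in events:
        hour = e["time"].hour
        if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            findings.append(("after_hours", e["user"], e["patient"]))
        if e["user"] not in CARE_TEAM.get(e["patient"], set()):
            findings.append(("no_treatment_relationship", e["user"], e["patient"]))
        per_user_day[(e["user"], e["time"].date())].add(e["patient"])
    for (user, day), patients in per_user_day.items():
        if len(patients) > MAX_DISTINCT_PATIENTS:
            findings.append(("high_volume", user, f"{len(patients)} patients on {day}"))
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(finding)
```

Each finding is a lead, not a conclusion: the after-hours update may be a legitimate night-shift entry, which is why the review step ends with documentation of what was checked and what was found.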

Integrity Standard—Addressable
• Protect ePHI from improper alteration
or destruction
• The extent to which healthcare data
are complete, accurate, consistent, and
timely
• Ensure data are not improperly altered
or destroyed

Person or Entity Authentication
Standard
• Verify that a person or entity seeking
access to ePHI is the one claimed
o Are users who they claim to be?
o Methods
• Passwords
• Smart cards
• Tokens
• Fobs
• Biometrics

Transmission Security Standard—
Addressable
• ePHI being transmitted over an
electronic communications network
MUST be secured
• Integrity controls—electronically
transmitted ePHI cannot be improperly
modified
• Encryption—ePHI must be encrypted
whenever appropriate
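The integrity control on this slide, as an added example that is not from the textbook: the sender serialises the ePHI record canonically and appends an HMAC-SHA256 tag computed under a key shared with the receiver; the receiver recomputes the tag and rejects the message if any byte changed in transit or if the key differs. The shared key, the message framing and the sample record are assumptions, and the example covers only the integrity point; the encryption bullet would need an additional cipher layer that is not shown here.

```python
"""Added example (not from the textbook): HMAC-based integrity control for
ePHI in transit. Key, framing and the sample record are constructed."""
import hashlib
import hmac
import json
import secrets

SAMPLE_RECORD = {  # constructed sample, not real data
    "patient_id": "P1002",
    "allergies": ["penicillin"],
    "medication": "amoxicillin 500mg",
}


def make_key() -> bytes:
    """Shared key agreed out of band by sender and receiver (assumed)."""
    return secrets.token_bytes(32)


def protect(record: dict, key: bytes) -> bytes:
    """Serialise canonically (stable key order, no whitespace) and append the tag."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def verify(frame: bytes, key: bytes):
    """Return the record if the tag checks out, otherwise None."""
    body, sep, tag = frame.rpartition(b"\n")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return json.loads(body)


def demo():
    """Constructed exchange: intact message accepted; an allergy silently
    removed in transit and a message under the wrong key are both rejected."""
    key = make_key()
    frame = protect(SAMPLE_RECORD, key)
    intact = verify(frame, key)
    tampered = verify(frame.replace(b"penicillin", b"none"), key)
    wrong_key = verify(frame, make_key())
    return intact, tampered, wrong_key


if __name__ == "__main__":
    print(demo())
```

Canonical serialisation matters: if sender and receiver could serialise the same record differently, the tag would fail on legitimate traffic and the control would be switched off in practice.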

Confidentiality, Integrity and
Availability
• Confidentiality—ePHI is accessible only
by authorized people and processes
• Integrity—ePHI is not altered or
destroyed in an unauthorized manner
• Availability—ePHI can be accessed as
needed by authorized users

Enforcement
• Department of Health and Human
Services Office for Civil Rights (OCR)
• Must investigate all reported violations
and appropriately initiate investigations
for cause in absence of a reported
violation

Civil Penalties
• Fines or money damages to sanction
violators
• Prior to 2/18/2009
o Limit of $100 per violation
o Limit of $25,000 for identical violations
during a calendar year

Civil Penalties, continued
• No more than $1,500,000 for identical
violations each year in any situation
• Inadvertent violation despite reasonable
diligence
o Between $100 and $50,000 for each
violation
• Violation due to reasonable cause and
not to willful neglect
o Between $1,000 and $50,000 for each
violation
Civil Penalties, continued
• Violation due to willful neglect, corrected
within the 30-day period after the CE knew
or would have known of the violation
o Between $10,000 and $50,000 for each
violation
• Violation due to willful neglect and not
corrected within the 30-day period after the
CE knew or would have known of the violation
o $50,000 for each violation

Criminal Penalties
• OCR refers cases it determines to be of
a criminal nature to the Department of
Justice. OCR and DOJ cooperate to
pursue possible violators.
o Must knowingly commit a HIPAA violation
o There HAVE been criminal convictions
• Most complaints are found not to be
relevant

Breach Notification
• Finalized in 2013
• CEs and BAs MUST report breaches of
unsecured PHI
• Unsecured PHI—PHI that has not been
rendered unusable, unreadable, or
indecipherable to unauthorized
individuals through the use of a
technology or methodology

Breach Notification, continued
• Breach—the acquisition, access, use, or
disclosure of protected health
information in a manner not
permitted … which compromises the
security or privacy of the PHI
• Reporting requirement mandates
o Notification of the individual whose
information was breached
o If more than 500 individuals, notify the
media and the Secretary of HHS
Breach Notification, continued
• Breach notification exceptions
o A CE or BA workforce member unintentionally
acquires, uses, or discloses PHI while acting
under the authority of the CE or BA
o An authorized workforce member
inadvertently discloses PHI to another
authorized workforce member in the same CE
or BA setting
o The CE or BA that made the inadvertent
disclosure has reason to believe the PHI
recipient would not have been able to retain
the information

Risk Assessment
• Assess potential risks and areas of
vulnerability related to the security of
the ePHI

Medical Identity Theft
• The assumption of a person’s name
and/or other parts of his or her identity
without the victim’s knowledge or
consent to obtain medical services or
goods, or
• When someone uses the person’s identity
to obtain money by falsifying claims for
medical services and falsifying medical
records to support those claims

Medical Identity Theft Risks
• Financial loss
• Clinical risks if critical conditions,
procedures, medications, allergies and
other information are incorrectly
omitted or included

Cascading Effect of Medical
Identity Theft

Red Flag Rules
• Issued by the Federal Trade
Commission, Department of the
Treasury, Federal Reserve System,
Federal Deposit Insurance Corporation,
and the National Credit Union
Administration
• Requires creditors and financial
institutions to implement an Identity
Theft Prevention Program
Red Flag Rules, continued
• Federal Trade Commission enforces the
rules that apply to healthcare
organizations
• Red Flags:
o Suspicious documents—do they appear to
have been altered?
o Suspicious information—addresses do not
match between ID and insurance
o Suspicious behaviors—confused about
type of insurance
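The "suspicious information" red flag (ID and insurance data that do not agree) can be checked at registration. The following is an added example, not from the textbook: it compares the address, date of birth and name presented on a photo ID with what the insurer has on file, after normalising common formatting differences (case, punctuation, "Street" versus "St") so that only genuine discrepancies are raised for a human to follow up. The field names, the abbreviation table and the constructed records are assumptions.

```python
"""Added example (not from the textbook): registration-time red-flag check for
ID versus insurance mismatches. Field names, normalisation rules and sample
records are assumptions."""
import re

# Assumed abbreviation table; extend to the forms seen in local records.
ABBREV = {"street": "st", "avenue": "ave", "road": "rd",
          "apartment": "apt", "suite": "ste", "north": "n", "south": "s"}


def normalize_address(addr: str) -> str:
    """Lower-case, drop punctuation, collapse whitespace and abbreviate."""
    tokens = re.sub(r"[^\w\s]", " ", addr.lower()).split()
    return " ".join(ABBREV.get(t, t) for t in tokens)


def normalize_name(name: str) -> str:
    return " ".join(name.lower().split())


def red_flags(id_doc: dict, insurance: dict) -> list:
    """Return the list of red flags raised by comparing the two records."""
    flags = []
    if normalize_address(id_doc["address"]) != normalize_address(insurance["address"]):
        flags.append("address mismatch between ID and insurance")
    if id_doc["dob"] != insurance["dob"]:
        flags.append("date of birth mismatch between ID and insurance")
    if normalize_name(id_doc["name"]) != normalize_name(insurance["name"]):
        flags.append("name mismatch between ID and insurance")
    return flags


# Constructed sample records (not real people).
MATCHING_ID = {"name": "Jane Q. Patient", "dob": "1970-05-01",
               "address": "12 Main Street, Apt. 4"}
MATCHING_INSURANCE = {"name": "jane q. patient", "dob": "1970-05-01",
                      "address": "12 MAIN ST APT 4"}
SUSPICIOUS_ID = {"name": "Jane Q. Patient", "dob": "1971-05-01",
                 "address": "99 Elm Road"}

if __name__ == "__main__":
    print(red_flags(MATCHING_ID, MATCHING_INSURANCE))
    print(red_flags(SUSPICIOUS_ID, MATCHING_INSURANCE))
```

A raised flag triggers the "respond to red flags" step of the prevention program (verify with the patient, hold the account, or escalate), and the outcome is documented either way.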

Identity Theft Prevention Program
• Identify Covered Accounts
• Identify Relevant Red Flags
• Detect Red Flags
• Respond to Red Flags
• Oversee the Program
• Train Employees
• Oversee Service Provider Arrangements
• Approve the Identity Theft Prevention
Program
• Provide Reports and Periodic Updates
Identity Theft Operational
Recommendations
• Urge and educate consumers to
adopt preventive measures
o Exercise caution when sharing personal
information
o Monitor explanation of benefits (EOB)
statements received from insurers
o Maintain copies of healthcare records
o Monitor credit reports for unexpected
medical charges
o Protect all health insurance and financial
information
Identity Theft Operational
Recommendations (continued)
• Establish organizational methods to
prevent and detect medical identity
theft
o Annual security risk analysis
o Background checks when hiring
o Patient ID verification processes
o Minimize use of SSN
o Policies and procedures to safeguard info
o Create plan to handle suspicious activity
o Ongoing staff training
Identity Theft Operational
Recommendations (continued)
• Data in the patient record
o Policies and procedures to allow victims
access to their patient records
o Establish mechanisms to correct
inaccurate information
o Keep current with medical identity theft
legislation and regulations
o Provide victims with resources and tools
for easier recovery

Disaster Preparedness
• Ensure protection of organizational
information assets
• Ensure information functions can
continue when disasters occur

Protecting Information Assets
• NIST Special Publication 800-34, Rev. 1,
Contingency Planning Guide for Federal
Information Systems
• NIST Special Publication 800-30, Rev. 1,
Guide for Conducting Risk Assessments
• Business impact analysis—evaluate and
prioritize all potential risks

Business Impact Analysis
• Recovery Point Objective—length of
time the organization can operate
without an application
• Recovery Time Objective—maximum
amount of time tolerable for data loss
and capture

Business Impact Analysis
(continued)
1. What are the minimal resources for
operations?
2. What are the business recovery
objectives and assumptions?
3. What is the order for restoration of
services?
4. What would be the operational,
financial, and reputational impact of
loss of data?

Information Security Threat
Analysis

Backup Data Facilities
• Hot Site
• Warm Site
• Cold Site
Disaster Planning
• Organizations need to help their
employees be prepared
• Planning
• Preparedness
o Training
o Testing
• Response and Recovery

Summary
• Security Risk Analysis is essential
• Medical Identity Theft
• Disaster Planning
