Risk Assessment, Contingency Planning, & Data Recovery Procedures
In the health sector, the precedence of cases reported for the use of vulnerable portable devices and instances of security challenges lead to the development of security standards termed as electronic Protected Health Information (ePHI), to protect health information. The scenario attracts much compliance of Health and Human Services (HHS) and the “Health insurance Portability and Accountability Act of 1996 (HIPAA)” to address ePHI security protocol, basing principle in information protection (Moatty and Vinet, 2016). The security rule allows the provision of protocols as health information technology advances due to the emergence of new security challenges. In this case, the entities withholding electronic data must implement technical safeguards to reduce the risks associated with ePHI (Kammouh et al., 2017). Further, the security rule upholds the conceptualization of scalability, flexibility and technology neutrality (Kammouh et al., 2017). EPHI covered entities, such as clinics, hospitals and nursing homes, utilizes generalized security measures to expansively and appropriately implement standards and specifications to focus on data security compliance. EPHI data set rules to enable policies and procedures implementation for electronic information systems to sustain access to people or software programs granted the rights to access security measures.
Types of Safeguards
Administrative
The HIPAA security rules undertake an administrative protocol set on policies and procedures to enable the selection, development, implementation and maintenance of security methods not only in healthcare practices but also in activities of other organizations affected by the security rules. Such a concern on HIPAA security enables its enactment to protect electronic health information and help in safeguarding the conduct of the covered organizations under the security rule (Moatty and Vinet, 2016). To maximize on its significance in administrative safeguards, HIPAA upholds its documentation privacy rules. Such a case involves the diverse form of documentation ranging from policies, complaints, procedures and notices reported.
The administrative safeguard ensures the provision of a trained workforce regarding its security procedures and policies, which must be applied through appropriate sanctions against the entity workforce that tries to violate the set policies and procedures (Coffey et al., 2017). Therefore, for a covered entity to implement a periodic assessment of its security measures, it needs to meet the requirements of the security rule.
Physical
Physical safeguards are the “physical, policies, procedures, and measures of protecting the electronic information systems of a covered entity along with related buildings, as well as equipment from environmental and natural hazards, and unauthorized intrusion.” The covered entities are mandated to limit and watch on those accessing information systems and users must be authorized by the relevant authorities to access the systems (Kammouh et al., 2017). The physical aspects also extend to reinforce the implementation of policies that enhance proper usage and access to electronic media and the workstations.
Technical
In Centers for Medicare and Medicaid Services (CMS), technological advancements have increasingly created vulnerabilities in the new challenges facing security systems such as abuse of access to information privileges by insiders. Challenges in health electronic protected information, such as electronic health records, form different external and internal risks. The protocol demands that the protected information is recorded and examined rocedurally to ensure security and avoidance of data alteration or data destruction (Coffey et al., 2017). Such a technical safeguard implementation procedure upholds the standards to represent efficient business operations for technological and technical policies and procedures.
Technological and technical policies, as well as procedures, uphold and safeguard access control, audit control and integrity of stored information. Access control offers the rights and privileges to perform and access functions in utilizing the information systems, programs, applications, or files (Moatty and Vinet, 2016).
Access control restricts user rights and initializes granting privileges to authorizing users based on the management standard rule under the administrative safeguards section of the jurisdiction (Kammouh et al., 2017). An entity enables appropriate access controls to functional workforce members using unique user identifications, emergency access procedures, automatic log-off, encryption and decryption measures (Fernández-Alemán et al. 2013).
Audit control enables hardware implementation, software and procedural mechanisms to examine and record operations in electronic information systems that utilize ePHI. The procession of data in audit reports points to the importance of considering risks in the security rule of an organization to engage organizational factors, technical infrastructure, software and hardware security securities (Coffey et al., 2017). Various audit control protocols authenticate on procession for information structures that contain or utilized ePHI. Therefore, the policy and procedures enacted by audit control enable compliance with the necessitated implementation specifications.
Insincerity exploits the property of information that has not been destroyed or altered in any unauthorized manner. Any instance of improperly destroyed or altered results of clinical information leads to challenges in a covered organization, including issues involving a patient’s safety. The value of a stored data is intimidated by cases where data is compromised in both non-technical and technical data sources. Organization workforce might intentionally or accidentally destroy or alter ePHI, which renders the resultant health intervention as a failure (Kammouh et al., 2017). Authenticity and integrity of electronically protected health information create the value to the covered entities by ensuring the relevant health data are protected.
Risk/Vulnerability | Likelihood of occurrence (low, med, high) | Existing controls in place | Proposed mitigation Measures | Contingency Plan: Which implementation specifications could apply to risk (use # from below, can be one or more) |
EXAMPLE: Staff visiting an unsecured web site and pop-ups getting downloaded, a virus attack leading to a system crash | HIGH | Anti-virus applications installed on all desktops | Review Internet usage policy and mandate review by employees -Pop blockers in place and Software in place to segregate data being erroneously downloaded | 1,4,5 |
Modification of Data transmission | Medium | Private protected networks provided. | Prohibiting data transmission via open networks; | 5 |
Data left on other devices (accidental or intentional) | Medium | Use of flash disks, USB | Avoid downloads of ePHI on portable/remote devices | 1,2 |
The use of external devices to access corporate information leads to uncertainty in data access and security. | Low | Encryption of Data | Controlling access on the devices with only the relevant individuals allowed to access the data, hence avoiding interference. | 1,2,5 |
Theft of the e-PHI devices | Low | Security; CCTV | Installing trackers on the devices to enhance locating a device in case it is stolen. The CCTV camera would also provide images of the potential theft suspects for easier identification and limit the possibility of theft. | 1,2,3 |
References
Coffey, M., Cohen, R., Faulkner, A., Hannigan, B., Simpson, A., & Barlow, S. (2017). Ordinary risks and accepted fictions: how contrasting and competing priorities work in risk assessment and mental health care planning. Health Expectations, 20(3), 471-483.
Fernández-Alemán, J. L., Señor, I. C., Lozoya, P. Á. O., & Toval, A. (2013). Security and privacy in electronic health records: A systematic literature review. Journal of biomedical informatics, 46(3), 541-562.
Kammouh, O., Dervishaj, G., & Cimellaro, G. P. (2017). Quantitative framework to assess resilience and risk at the country level. ASCE-ASME Journal of risk and uncertainty in engineering systems, part A: civil engineering, 4(1), 04017033.
Moatty, A., & Vinet, F. (2016). Post-disaster recovery: the challenge of anticipation. In E3S Web of Conferences (Vol. 7, p. 17003). EDP Sciences.