EXPLANATION OF THE MOST COMMON TYPES OF INFORMATION ASSURANCE RISKS
Risk: Lack of unique user identification for every workforce member prior to obtaining access to ePHI.
Explanation: A user identifier is typically a name or a number or a combination of numbers and characters put together to form a string of characters that uniquely identify a user. This unique user identifier allows the information system to track the activities that a user makes in the information system. This is done so that every user of the system can be held accountable for his/her functions performed on the information systems that have ePHI in it.
Major Mitigation: Physician practices must determine a user identification strategy that best fits with the organization’s policies and processes. Some organizations use employee codes, variations of names or even identifiers that have been randomly generated by using a combination of characters and numbers. The advantage of using randomly generated identifiers is that it is difficult for an unauthorized user to guess it. On the flip side, it may be difficult for the actual user to remember it. Physician practices must consider all these factors while determining a user identifier. Whatever be the format, the important thing is that only the user of the identifier need to remember the identifier.
Secondary Mitigation: User activity in information systems containing PHI must be tracked and monitored on a regular basis to watch for unauthorized access.
Success criteria: Periodic audits need to be performed that prove that:
- Unauthorized access to ePHI has not taken place.
- Regular monitoring of user activity has been carried out religiously.
Risk: Lack of unique passwords for each member of the workforce. Sharing of passwords.
Access to ePHI is not based on the job function of the workforce.
Explanation: Passwords allow the team to gain access to information systems using ePHI. Each password has to be unique and assigned to individual users. A password given to a user, whether it is system generated or assigned should not be shared with anyone. Users in an organization may require more or less access to ePHI based on their job function and so all users will not need equal access to ePHI.
Major Mitigation: Access to systems containing ePHI should be given to only those individuals who require the access as part of their job function. Additionally the access given to the workforce should be only the minimum access needed for them to carry out their job function. Users should have the privilege to change the passwords and the passwords must be changed periodically so that the passwords are not compromised in any way. Each member of the workforce should be trained on the password protection policies and should be held accountable for slippage.
Secondary Mitigation: The workforce member’s access to ePHI must be periodically reviewed and updates made as their job functions change so as to ensure minimum access to ePHI. Access details must be documented and updated. Periodic audits must be carried out. A sanction policy must be implemented for sharing passwords.
Success criteria: Reports from the periodic audits will show how the defined policies are carried out and how they are periodically updated. User access logs also can be referred to verify users’ access to ePHI based on their job functions.
Risk: Lack of policies and procedures in place to provide appropriate access to ePHI in emergency situations.
Explanation: During an emergency situation, it is vital that doctors still have access to ePHI.There must be documented instructions along with practices and policies that need to be in place so that they are readily available for access in an emergency. The authorized personnel must be aware of how to get to these emergency procedures and operations in the event of an emergency. Physician practices must also determine the various types of emergency situations that would require access to ePHI.
Major Mitigation: Emergency procedures, processes and policies should be easily and readily accessible in the event of an emergency. The severity of emergencies may vary, for example, an emergency may result from an electrical power outage due to a natural or manmade disaster. Workforce members must be trained on the procedures and processes so that they are equipped to handle critical situations. With well trained workforce members, there is little chance of confusions in these kind of situations. They must also be aware of ways to gain access to ePHI in these conditions.
Success criteria: Emergency situations happen rarely and hence proof that the procedures and policies are in fact working can only be proved for sure when such an emergency occurs. However, every physician practice must be well equipped in all aspects to face such an emergency. Frequent audits and periodic emergency drills need to be carried out to mimic emergencies and test out the policies and procedures in place.
Risk: Lack of automatic logoff capability for applications or workstations accessing ePHI
Explanation: Sometimes users, working on workstations running applications that access ePHI, may forget to logoff or sometimes may not have the time to log off when they move away from their workstation. This may pose a threat since the workstation is left unattended and unauthorized users can easily access ePHI, tamper with it or even steal the data. An effective way to prevent this kind of unauthorized access is automatic logoff.
The mitigation can be carried out in 2 ways:
- Configure the applications that access ePHI to automatically logoff after a predetermined period of inactivity.
- For systems with limited capabilities, activate a password protected screen saver after a period of inactivity.
In either of the above 2 cases, unauthorized users do not have access to the workstation containing ePHI.
Secondary Mitigation: There needs to be a shorter log off period for computers in high traffic areas.
Success criteria: Applications that log logoff activities along with the time when the logoff had taken place, show if the automatic logoff has taken place after a specific period of inactivity. Random and periodic testing of automatic logoff by the system administrators on all workstations accessing ePHI can verify if this risk has been taken care off.
Risk: Lack of audit control mechanisms to record and examine activity in information systems that contain or use ePHI.
Explanation: It is necessary that information systems be equipped with audit controls that track and record system activity. This is important especially for detecting security violations. Most audit controls also provide audit reports of the system activity.
- Evaluate and understand the current technical infrastructure, hardware and software security capabilities
- Perform a risk analysis, determine the risks and possible mitigation/avoidance strategies.
- Decide on the audit controls that work for information systems in the physician’s practice containing ePHI
Secondary Mitigation: The organization must have more than one person to conduct the audit process and report the results. It may also be a good idea to have IT vendors explain how audits are conducted and have the process documented.
Success criteria: Data gathered from audit controls and periodic review of data can help verify if the audit control mechanisms are tracking activity in information systems. Auditing the audit control system by outside third party organizations can verify the proper working of the audit controls in the organization.
Risk: Lack of proper mechanisms to authenticate ePHI.
Explanation: It is essential that the integrity of ePHI is given high importance. Compromises to the integrity of ePHI occurs due to human errors that caused incorrect information to be stored into database, or due to system crashes the stored information gets altered/damaged. ePHI integrity can also be compromised if the back ups are not ensured to be accurate. Intentional unauthorized access to ePHI through hacking can also destroy the integrity of ePHI.
Major Mitigation: Controls to validate human data entries, and that check for errors must be employed. Also controls that ensure the accuracy of back-ups of data must be in place. Intrusion detection services can be used to detect intrusions or attempts to tamper data. Vulnerability scanning can also be employed which will scan the systems on a predetermined basis. Malware scanning tools must be used and configured to scan the systems in frequent intervals to ensure no malware is present. Patches for applications, OS etc must be tested and ensured to be latest.
Secondary Mitigation: Designing policies and procedures to ensure integrity of ePHI is maintained. The policies and procedures must include all the above mentioned mitigation steps, and additionally can include policy that ensures data integrity tests are conducted ion regular basis. All log-in attempts can be logged and checked to ensure the access controls are in place as intended.
Success criteria: Audit of the logs from the different tools/services can help to know whether the risks have been mitigated. If data integrity tests are run, those logs can also be audited to know the exact status. Also the reports of the risk analysis/risk assessment can be used to understand whether the risk is mitigated and the current controls are effective or more controls are to be added.
Risk: Lack of proper authentication.
Explanation: The first step to gain access to ePHI must be authentication, which is verifying whether the entity trying to access ePHI is really the one it claims to be. If persons or entities (can be other software programs) are not authenticated, this can lead to the risk of ePHI being compromised. Proper authentication also needs to be done, before ePHI is shared with anyone in any manner. Without doing so, ePHI may end up in wrong hands.
Major Mitigation: In the simplest form, authentication mechanism includes a user name and password, which has to be used to gain access. This authentication mechanism can be either at the workstation level or at the application or both, depending on the level of security that is needed. There must defined policies and procedures which lays out the authentication mechanisms to be followed. These policies and procedures must include the mechanism to be adopted when sharing ePHI with another person/entity.
Secondary Mitigation: A combination of authentication mechanisms can be used for a more advanced level of authentication, a multifactor authentication.
Success criteria: Each and every access to the systems need to be logged. An audit of these logs can give a clear picture. Also the risk analysis/assessment reports will give a clear indication whether any risks exists, and whether the controls are effective or not.
Risk: Lack of encryption of ePHI in transmission and at rest.
Explanation: ePHI is vulnerable to be compromised in all the states it is in. Whether it is at rest (in databases and files), or in motion (being transmitted through networks), or in use (being updated, or read), or is disposed (discarded paper files or electronic storage media). Using encryption puts an extra layer of security to ePHI because even if someone gains access or reads ePHI, if it is encrypted then the chances of ePHI getting compromised diminishes. It makes the data unreadable and unusable by unauthorized persons. When ePHI is transmitted through networks, it is possible that it will be accessed by unauthorized persons, thus compromising ePHI. These type of unauthorized access hacking may not be immediately known, but can cause many damages.
Major Mitigation: ePHI should be encrypted and there must also be reasonable and appropriate mechanisms in place to prevent access to ePHI so that it is not accessed by persons or software programs that have not been granted access rights.
There are many different encryption methods and technologies to encrypt data in motion (SSL, VPN) or at rest. Choose the methods and technologies that best meet the physician’s office requirements.
Success criteria: The risk analysis/assessment reports will provide a clear indication of whether these type of risks exists or has been mitigated with appropriate controls.
Auditing logs that track access to ePHI can be verified periodically to check if there has been unauthorized access by persons or software programs that have not been granted access rights.