Risk: Lack of proper mechanisms to authenticate ePHI
Explanation: It is essential that the integrity of ePHI is given high importance. Compromises to the integrity of ePHI occurs due to human errors that caused incorrect information to be stored into database, or due to system crashes the stored information gets altered/damaged. ePHI integrity can also be compromised if the back ups are not ensured to be accurate. Intentional unauthorized access to ePHI through hacking can also destroy the integrity of ePHI.
Major Mitigation: Controls to validate human data entries, and that check for errors must be employed. Also controls that ensure the accuracy of back-ups of data must be in place. Intrusion detection services can be used to detect intrusions or attempts to tamper data. Vulnerability scanning can also be employed which will scan the systems on a predetermined basis. Malware scanning tools must be used and configured to scan the systems in frequent intervals to ensure no malware is present. Patches for applications, OS etc must be tested and ensured to be latest.
Secondary Mitigation: Designing policies and procedures to ensure integrity of ePHI is maintained. The policies and procedures must include all the above mentioned mitigation steps, and additionally can include policy that ensures data integrity tests are conducted ion regular basis. All log-in attempts can be logged and checked to ensure the access controls are in place as intended.
Success Criteria: Audit of the logs from the different tools/services can help to know whether the risks have been mitigated. If data integrity tests are run, those logs can also be audited to know the exact status. Also the reports of the risk analysis/risk assessment can be used to understand whether the risk is mitigated and the current controls are effective or more controls are to be added.