Risk management in Healthcare on Cloud
Quickly made presentation in two hours
Security Risk Management in Healthcare on Cloud using NIST guidelines
  • 1. SCENARIO: You are the Chief Information Security Officer for an organization that develops tools for medical clinics and centers so that they can view medical records electronically. Your organization is considering a move to the cloud so that patients (customers of the medical clinics and centers) can also view their records online. You are tasked with conducting a risk analysis that will include a risk assessment and risk management plan. Make any relevant assumptions that will guide you in the balance of this work. Be thoughtful, but let your imagination run wild. Design the scope of your analysis, making sure to consider its viability within the scope of a 2-week effort. Next, decide on the approach you will take – which risk methodology(ies) will you use/follow? Who are the participants (roles and responsibilities) – members of the team, upper management sponsors, the project manager, etc.?

    Answer:

    Risk Identification: provisioning software on the cloud comes with the following risks. The software must meet the requirements of the various pieces of legislation governing the health and safety of patients and their PHR (patient health record), EMR (electronic medical record) and PHI (patient health information). This liability concern is of special concern for small EHR system makers: some smaller companies may be forced to abandon markets based on the regional liability climate, while larger EHR providers (or government-sponsored providers of EHRs) are better able to withstand legal assaults. Although only federal agencies are required to follow guidelines set by NIST, the guidelines represent the industry standard for good business practices with respect to securing e-PHI. The risks associated with the software are listed below.

    Risk #1: electronic time stamps. Many physicians are unaware that EHR systems produce an electronic time stamp every time the patient record is updated. If a malpractice claim goes to court, through the process of discovery, the prosecution can request a detailed record of all entries made in a patient's electronic record. Waiting to chart patient notes until the end of the day, and making addendums to records well after the patient visit, can be problematic, in that this practice could result in less than accurate patient data or indicate possible intent to illegally alter the patient's record. In some communities, hospitals attempt to standardize EHR systems by providing discounted versions of the hospital's software to local healthcare providers. A challenge to this practice has been raised as being a violation of Stark rules that prohibit hospitals from preferentially assisting community healthcare providers.
  • 2. Risk #2: Under HIPAA (the Health Insurance Portability and Accountability Act) and its Privacy Rule: PHR (patient health record) privacy, EMR (electronic medical record) safety, and confidentiality, so that patient information is not disclosed to unauthorized persons. Under HIPAA, PHI that is linked to any of the following 18 identifiers must be treated with special care during transmission, in EDI (electronic data interchange), and at the user-interface level, where the OWASP Top 10 vulnerabilities apply at the client end:

    1. Names
    2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
    3. Dates (other than year) directly related to an individual
    4. Phone numbers
    5. Fax numbers
    6. Email addresses
    7. Social Security numbers
    8. Medical record numbers
    9. Health insurance beneficiary numbers
    10. Account numbers
    11. Certificate/license numbers
    12. Vehicle identifiers and serial numbers, including license plate numbers
    13. Device identifiers and serial numbers
    14. Web Uniform Resource Locators (URLs)
    15. Internet Protocol (IP) address numbers
    16. Biometric identifiers, including finger, retinal and voice prints
    17. Full face photographic images and any comparable images
    18. Any other unique identifying number, characteristic, or code, except the unique code assigned by the investigator to code the data

    Risk #3: Under the Patient Safety and Quality Improvement Act (PSQIA), the software must uphold the following privacy and confidentiality provisions for patient safety work product, which includes any data, reports, records, memoranda, analyses (such as root cause analyses), or written or oral statements (or copies of any of this material), which could improve patient safety, health care quality, or health care outcomes, that are assembled or developed by a provider for reporting to a PSO and are reported to a PSO.
  • 3. Consideration under the Act: the Institute of Medicine Report to Congress (1999). The Report cited studies that found that at least 44,000 people, and potentially as many as 98,000 people, die in U.S. hospitals each year as a result of preventable medical errors. Based on these studies and others, the Report estimated the total national costs of preventable adverse events, including lost income, lost household productivity, permanent and temporary disability, and health care costs, to be between $17 billion and $29 billion, of which health care costs represent one-half. One of the main conclusions was that the majority of medical errors do not result from individual recklessness or the actions of a particular group; rather, most errors are caused by faulty systems, processes, and conditions that lead people to make mistakes or fail to prevent adverse events. Thus, the Report recommended that mistakes can best be prevented by designing the health care system at all levels to improve safety, making it harder to do something wrong and easier to do something right.

    A Patient Safety Organization (PSO) must certify that it meets the requirements in the PSQIA and be listed on the Agency for Healthcare Research and Quality (AHRQ) web site. The definition of Patient Safety Work Product (PSWP) is quite broad: it includes any data, reports, records, memoranda, analyses (such as root cause analyses), or written or oral statements (or copies of any of this material), which could improve patient safety, health care quality, or health care outcomes, that are assembled or developed by a provider for reporting to a PSO and are reported to a PSO. It also includes information that is documented as within a patient safety evaluation system that will be sent to a PSO, and information developed by a PSO for the conduct of patient safety activities. However, patient safety work product does not include a patient's medical record, billing and discharge information, or any other original patient or provider information; nor does it include information that is collected, maintained, or developed separately, or exists separately, from a patient safety evaluation system.

    Privilege and confidentiality protections: Patient Safety Work Product must not be disclosed, except in very specific circumstances and subject to very specific restrictions. Note: the Patient Safety Activities Exception is the most common one that providers and PSOs will be working with.

    Risk #3: Integration with an HIE (Health Information Exchange) and the provisions of HL7. Health Level Seven (HL7) and its members provide a framework (and related standards) for the exchange, integration, sharing, and retrieval of electronic health information. Interoperable systems with exposed web services can be consumed by the components and application programming interfaces of other disparate systems, which may lead to unidentified API misuse, or to APIs that are not properly integrated with the existing system.
  • 4. The privacy threat posed by the interoperability of a is a key concern.

    Threat/Vulnerability/Control Analysis (important threat-vulnerability pairs have been identified, along with a thoughtful control analysis):

    1. Legal liability under the provisions of health care regulation governing operations performed by software: failure or damage caused during installation or utilization of an EHR/PHI system has been feared as a threat in lawsuits.

    Once we have identified the risks, we have the following methods to handle them. The sample questions in NIST Special Publication (SP) 800-66 are examples organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:
    - (…) e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
    - (…) e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
    - (…) threats to information systems that contain e-PHI?

    Vulnerability: as covered above, as well as accidental disclosure of patient information, such as disclosure of e-PHI through an accidentally or intentionally triggered exploit.

    Threats (from NIST SP 800-30, threats are categorized as follows):
    - Natural threats: floods and earthquakes may cause a machine to lose data, or lead to data breaches through physical access to the machine; hence a BCP (Business Continuity Plan) and DRP (Disaster Recovery Plan) are needed.
    - Human threats: intentional (e.g., network and computer based attacks, malicious software upload, and unauthorized access to e-PHI) or unintentional (e.g., inadvertent data entry or deletion and inaccurate data entry) actions.
    - Environmental threats such as power failures, pollution, chemicals, and liquid leakage.

    Determine the Potential Impact of Threat Occurrence: legal liabilities as discussed above can occur at any time. The Rule also requires consideration of the "criticality," or impact, of potential risks to confidentiality, integrity, and availability of e-PHI.

    Controls: controls as defined by provisions such as anonymization, which helps with privacy protection:
  • 5. Anonymization is a process in which PHI elements are eliminated or manipulated with the purpose of hindering the possibility of going back to the original data set. This involves removing all identifying data to create unlinkable data. De-identification under the Health Insurance Portability and Accountability Act Privacy Rule occurs when data has been stripped of common identifiers by one of two methods:

    1. The removal of 18 specific identifiers (Safe Harbor Method):
    - Names
    - Geographic data
    - All elements of dates
    - Telephone numbers
    - FAX numbers
    - Email addresses
    - Social Security numbers
    - Medical record numbers
    - Health plan beneficiary numbers
    - Account numbers
    - Certificate/license numbers
    - Vehicle identifiers and serial numbers including license plates
    - Device identifiers and serial numbers
    - Web URLs
    - Internet protocol addresses
    - Biometric identifiers (i.e. retinal scan, fingerprints)
    - Full face photos and comparable images
    - Any unique identifying number, characteristic or code
    2. Obtaining the expertise of an experienced statistical expert to validate and document that the statistical risk of re-identification is very small (Statistical Method).[4][5]

    De-identified data is coded, with a link to the original, fully identified data set kept by an honest broker. Links exist in coded de-identified data, making the data considered indirectly identifiable and not anonymized. Coded de-identified data is not protected by the HIPAA Privacy Rule, but is protected under the Common Rule. The purpose of de-identification and anonymization is to use health care data in larger increments, for research purposes. Universities, government agencies, and private health care entities use such data for research, development and marketing purposes.
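As an added illustration of the Safe Harbor method above (example code written for this page, not part of the presentation), the function below drops the direct identifiers from a record, generalizes ZIP codes and dates per the rules in the 18-identifier list, and scrubs identifier patterns that leak into free-text notes; the field names, the restricted ZIP3 set and the sample values are constructed assumptions.

```python
import re
from datetime import date

# HIPAA Safe Harbor de-identification of a PHI record. Example code, not from
# the presentation; field names and RESTRICTED_ZIP3 are constructed assumptions.
DIRECT_IDENTIFIERS = {  # categories removed outright (names, contact data, ids, ...)
    "name", "phone", "fax", "email", "ssn", "mrn", "insurance_id", "account_no",
    "license_no", "vehicle_id", "device_id", "url", "ip", "biometric", "photo",
}
# ZIP3 units with 20,000 or fewer people become "000" (constructed set; the real
# one comes from Census Bureau data).
RESTRICTED_ZIP3 = {"036", "059", "102", "203"}
FREE_TEXT_PATTERNS = [  # identifiers that leak into free text (category 18)
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]

def generalize_zip(zip_code: str) -> str:
    """Keep the initial three digits unless that ZIP3 unit is restricted."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3

def generalize_age(dob: date, as_of: date) -> str:
    """Ages over 89 are aggregated into a single '90+' category."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(age)

def scrub_text(text: str) -> str:
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text

def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor de-identified copy of `record`."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                  # dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)       # geographic data
        elif key == "dob":
            out["age"] = generalize_age(value, as_of)
            if out["age"] != "90+":                   # birth year only if under 90
                out["birth_year"] = str(value.year)
        elif isinstance(value, date):
            out[key] = str(value.year)                # other dates: year only
        else:                                         # free text gets scrubbed
            out[key] = scrub_text(value) if isinstance(value, str) else value
    return out
```

Pattern scrubbing of free text is a best-effort safeguard, not a substitute for the statistical method when notes are rich enough to re-identify a patient.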
  • 6. Risk Analysis: Matrix of Risks. Important risks have been identified along with reasonable impact and likelihood ratings, and risks are prioritized based on this analysis. The matrix part is covered by the provisions above, such as HIPAA and the NIST guidelines; the questions help us categorize the severity of each risk and assign it a priority ranking and rating.
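The risk matrix described here, and the assume/avoid/limit/plan/transfer dispositions used in the risk management step that follows, as an added example (not code from the presentation): it applies the qualitative likelihood × impact risk-level matrix from NIST SP 800-30 to the threat/vulnerability pairs identified on the earlier slides. The ratings, dispositions and controls assigned to each pair are constructed for illustration.

```python
from dataclasses import dataclass

# Risk-level matrix from NIST SP 800-30 (2002): risk = likelihood x impact, banded as
# Low (<=10), Medium (>10 to 50) and High (>50). Example code, not from the presentation;
# the pairs come from the slides, but their ratings, dispositions and controls are constructed.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}
DISPOSITIONS = {"assume", "avoid", "limit", "plan", "transfer"}   # from slide 7

@dataclass
class Risk:
    rid: str
    threat: str          # NIST threat source: natural, human or environmental
    vulnerability: str
    likelihood: str
    impact: str          # "criticality" to confidentiality, integrity, availability
    disposition: str
    control: str

    def score(self) -> float:
        return round(LIKELIHOOD[self.likelihood] * IMPACT[self.impact], 2)

    def level(self) -> str:
        s = self.score()
        return "High" if s > 50 else "Medium" if s > 10 else "Low"

REGISTER = [  # constructed risk register built from the threat/vulnerability pairs above
    Risk("R1", "human/unintentional", "late charting skews EHR audit time stamps",
         "Medium", "Medium", "limit", "same-day charting policy; tamper-evident audit log"),
    Risk("R2", "human/intentional", "OWASP Top 10 flaw in patient portal exposes e-PHI",
         "High", "High", "limit", "secure SDLC and pre-release security testing"),
    Risk("R3", "human/unintentional", "PSWP disclosed outside a PSQIA exception",
         "Low", "High", "avoid", "keep PSWP in a separate patient safety evaluation system"),
    Risk("R4", "human/intentional", "exposed HL7/HIE web service consumed without authorization",
         "Medium", "High", "limit", "API gateway with per-partner credentials and logging"),
    Risk("R5", "natural", "flood destroys primary site", "Low", "High", "transfer",
         "cloud DR site under a tested BCP/DRP"),
    Risk("R6", "environmental", "power failure at clinic", "Medium", "Low", "assume", "UPS"),
]

def prioritize(register: list) -> list:
    """Rank risks highest score first; reject any disposition outside the five allowed."""
    for r in register:
        if r.disposition not in DISPOSITIONS:
            raise ValueError(f"{r.rid}: unknown disposition {r.disposition!r}")
    return sorted(register, key=lambda r: r.score(), reverse=True)

def risk_matrix(register: list) -> list:  # rows of (id, score, level, disposition)
    return [(r.rid, r.score(), r.level(), r.disposition) for r in prioritize(register)]
```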
  • 7. Controls: anonymization and the EHR safety provisions. Risk Management (Steps 7-8): Disposition of Risks. All top risks have been identified along with a clear disposition (i.e., assume, avoid, limit, plan, or transfer) for each one. A rationale should be provided to explain why each recommended course of action was chosen.

    Reduction (optimize, mitigate): Meaningful Use. The main components of Meaningful Use are:
    - The use of a certified EHR in a meaningful manner, such as e-prescribing.
    - The use of certified EHR technology for electronic exchange of health information to improve the quality of health care.
    - The use of certified EHR technology to submit clinical quality and other measures.

    In other words, providers need to show they're using certified EHR technology in ways that can be measured significantly in quality and in quantity. The meaningful use of EHRs intended by the US government incentives is categorized as follows:
  • 8.
    - Improve care coordination
    - Reduce healthcare disparities
    - Engage patients and their families
    - Improve population and public health
    - Ensure adequate privacy and security

    Avoidance (eliminate, withdraw from, or not become involved): avoid the risk to privacy by the scientific method of anonymization, a process in which PHI elements are eliminated or manipulated with the purpose of hindering the possibility of going back to the original data set. This involves removing all identifying data to create unlinkable data.

    Risk avoidance by Meaningful Use Core Requirements:
    1. Use computerized order entry for medication orders.
    2. Implement drug-drug, drug-allergy checks.
    3. Generate and transmit permissible prescriptions electronically.
    4. Record demographics.
    5. Maintain an up-to-date problem list of current and active diagnoses.
    6. Maintain active medication list.
    7. Maintain active medication allergy list.
    8. Record and chart changes in vital signs.
    9. Record smoking status for patients 13 years old or older.
    10. Implement one clinical decision support rule.
    11. Report ambulatory quality measures to CMS or the States.
    12. Provide patients with an electronic copy of their health information upon request.
    13. Provide clinical summaries to patients for each office visit.
    14. Capability to exchange key clinical information electronically among providers and patient-authorized entities.
    15. Protect electronic health information (privacy & security).

    Menu Requirements:
    1. Implement drug-formulary checks.
    2. Incorporate clinical lab-test results into certified EHR as structured data.
    3. Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research, and outreach.
    4. Send reminders to patients per patient preference for preventive/follow-up care.
  • 9.
    5. Provide patients with timely electronic access to their health information (including lab results, problem list, medication lists, allergies).
    6. Use certified EHR to identify patient-specific education resources and provide them to the patient if appropriate.
    7. Perform medication reconciliation as relevant.
    8. Provide summary care record for transitions in care or referrals.
    9. Capability to submit electronic data to immunization registries and actual submission.
    10. Capability to provide electronic syndromic surveillance data to public health agencies and actual transmission.