Quickly made presentation in two hours Security Risk Management in Healthcare on Cloud using NIST guidelines
More details: (blog: http://sandyclassic.wordpress.com , linkedin: ie.linkedin.com/in/sandepsharma/)
SCENARIO: You are the Chief Information Security Officer for an organization that develops tools
for medical clinics and centers so that they can view medical records electronically.
Your organization is considering a move to the cloud so that patients (customers of the medical
clinics and centers) can also view their records online. You are tasked with conducting a risk
analysis that will include a risk assessment and risk management plan. Make any relevant
assumptions that will guide you in the balance of this work. Be thoughtful, but let your imagination
run wild. Design the scope of your analysis, making sure to consider its viability within the scope of a
2-week effort. Next, decide on the approach you will take – which risk methodology(ies) will you
use/follow? Who are the participants (roles and responsibilities) – members of the team, upper
management sponsors, the project manager, etc.?
Risk Identification: provisioning the software on the cloud comes with the following risks:
The software must meet the requirements of the various legislation governing the health and safety of patients and their records: PHR (patient health record), EMR (electronic medical record) and PHI (protected health information).
Legal liability for such software is of special concern for small EHR system makers. Some smaller companies may be forced to abandon markets based on the regional liability climate. Larger EHR providers (or government-sponsored providers of EHRs) are better able to withstand legal assaults.
Although only federal agencies are required to follow guidelines set by NIST, the guidelines represent the industry standard for good business practices with respect to standards for securing e-PHI.
Risks associated with the software are listed below:
Risk #1: electronic time stamps:
Many physicians are unaware that EHR systems produce an electronic time stamp every time the patient record is updated. If a malpractice claim goes to court, the plaintiff can request, through the process of discovery, a detailed record of all entries made in a patient's electronic record. Waiting to chart patient notes until the end of the day, or making addendums to records well after the patient visit, can be problematic: this practice can result in less accurate patient data, or can be read as evidence of intent to illegally alter the patient's record.
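As an added example (not part of the original presentation, and not the code of any particular EHR product), the following Python sketch shows the control that the time-stamp risk calls for: an append-only, hash-chained audit trail in which every record update carries both the documented encounter time and the system's own clock stamp, so that in-place alteration of an earlier entry is detectable and late charting can be flagged for review before discovery finds it. The 24-hour late-charting threshold, the user and patient identifiers, and the sample entries are all constructed assumptions.

```python
"""Hash-chained EHR audit trail with a late-charting check (added example)."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry


def entry_digest(entry: dict, prev_hash: str) -> str:
    """Commit to the entry's content AND its predecessor, so any edit or
    deletion of an earlier entry changes every hash that follows it."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")) + prev_hash
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only log of record updates; entries are never edited in place."""

    def __init__(self) -> None:
        self.entries: list[tuple[dict, str]] = []  # (entry, chained hash)

    def record(self, user: str, patient: str, action: str,
               encounter_time: datetime, system_time: datetime) -> str:
        # system_time is the EHR's own clock stamp; encounter_time is the clinical
        # time the clinician documents. Both are kept so the gap stays visible.
        entry = {
            "user": user,
            "patient": patient,
            "action": action,
            "encounter_time": encounter_time.isoformat(),
            "system_time": system_time.isoformat(),
        }
        prev = self.entries[-1][1] if self.entries else GENESIS
        digest = entry_digest(entry, prev)
        self.entries.append((entry, digest))
        return digest

    def verify(self) -> bool:
        """Recompute the chain from the genesis value; False on any tampering."""
        prev = GENESIS
        for entry, digest in self.entries:
            if entry_digest(entry, prev) != digest:
                return False
            prev = digest
        return True


def late_entries(trail: AuditTrail,
                 max_delay: timedelta = timedelta(hours=24)) -> list[dict]:
    """Entries whose system stamp lags the documented encounter time by more
    than max_delay (assumed 24 h): the addendums discovery will scrutinize."""
    late = []
    for entry, _ in trail.entries:
        enc = datetime.fromisoformat(entry["encounter_time"])
        sys_t = datetime.fromisoformat(entry["system_time"])
        if sys_t - enc > max_delay:
            late.append(entry)
    return late


def build_sample_trail() -> AuditTrail:
    """Constructed sample data: one timely note and one addendum three days late."""
    trail = AuditTrail()
    visit = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)
    trail.record("dr.smith", "MRN123456", "progress note", visit,
                 visit + timedelta(minutes=20))
    trail.record("dr.smith", "MRN123456", "addendum: medication list", visit,
                 visit + timedelta(days=3))
    return trail


if __name__ == "__main__":
    t = build_sample_trail()
    print("chain intact:", t.verify())
    print("late entries:", len(late_entries(t)))
    t.entries[0][0]["action"] = "progress note (edited)"  # simulate in-place tampering
    print("chain intact after edit:", t.verify())
```

Each hash commits to the entry and to the hash before it, so an edit to the first note invalidates every later hash; a production deployment would additionally anchor the latest hash somewhere the EHR operator cannot rewrite (a write-once store or an external timestamping service).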
In some communities, hospitals attempt to standardize EHR systems by providing discounted versions of the hospital's software to local healthcare providers. This practice has been challenged as a violation of the Stark rules, which prohibit hospitals from preferentially assisting community healthcare providers.
Risk #2: Under HIPAA (the Health Insurance Portability and Accountability Act) and its Privacy Rule:
PHR (patient health record) privacy and EMR (electronic medical record) safety and confidentiality, so that patient information is not disclosed to unauthorized persons.
Under HIPAA, PHI that can be linked to an individual through any of the following 18 identifiers must be treated with special care during transmission and electronic data interchange (EDI), and the client-side user interface must be secured against the OWASP Top 10 vulnerabilities:
1. Names
2. All geographical identifiers smaller than a state, except for the initial three digits of a ZIP code if, according to the current publicly available data from the Bureau of the Census: (a) the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and (b) the initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
3. Dates (other than year) directly related to an individual
4. Phone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health insurance beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Uniform Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger, retinal and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code, except the unique code assigned by the investigator to code the data
Risk #3: Patient Safety and Quality Improvement Act (PSQIA):
Under the Patient Safety and Quality Improvement Act, the software must enforce the privacy and confidentiality provisions for patient safety work product (PSWP, defined below): the data, reports, records, memoranda, analyses (such as root cause analyses), and written or oral statements that a provider assembles or develops for reporting to a Patient Safety Organization (PSO) and reports to a PSO.
Consideration under the Act: the Institute of Medicine report to Congress (1999).
The Report cited studies that found that at least 44,000 people and potentially as many as 98,000 people die in U.S. hospitals each year as a result of preventable medical errors. Based on these studies and others, the Report estimated the total national costs of preventable adverse events, including lost income, lost household productivity, permanent and temporary disability, and health care costs, to be between $17 billion and $29 billion, of which health care costs represent one-half.
One of the main conclusions was that the majority of medical errors do not result from individual recklessness or the actions of a particular group; rather, most errors are caused by faulty systems, processes, and conditions that lead people to make mistakes or fail to prevent adverse events. Thus, the Report recommended that mistakes can best be prevented by designing the health care system at all levels to improve safety, making it harder to do something wrong and easier to do
A Patient Safety Organization (PSO) must certify that it meets the requirements of the PSQIA and be listed on the Agency for Healthcare Research and Quality (AHRQ) web site.
The definition of Patient Safety Work Product (PSWP) is quite broad. Patient safety work product
includes any data, reports, records, memoranda, analyses (such as root cause analyses), or written
or oral statements (or copies of any of this material), which could improve patient safety, health care
quality, or health care outcomes, that are assembled or developed by a provider for reporting to a
PSO and are reported to a PSO. It also includes information that is documented as within a patient
safety evaluation system that will be sent to a PSO and information developed by a PSO for the
conduct of patient safety activities.
However, patient safety work product does not include a patient’s medical record, billing and
discharge information, or any other original patient or provider information; nor does it include
information that is collected, maintained, or developed separately, or exists separately, from a
patient safety evaluation system.
Privilege and confidentiality protections
Patient Safety Work Product must not be disclosed, except in very specific circumstances and
subject to very specific restrictions.
Note: the Patient Safety Activities Exception is the most common one that providers and PSOs
will be working with.
Risk #4: Integration with HIE (Health Information Exchange) and the provisions of HL7:
Health Level Seven (HL7) and its members provide a framework (and related standards) for the exchange, integration, sharing, and retrieval of electronic health information.
Interoperable systems with exposed web services can be consumed by components and application programming interfaces of other, disparate systems, which may lead to unidentified API misuse or to improper integration with the existing system.
The privacy threat posed by interoperability is a key concern.
Threat/Vulnerability/Control Analysis (important threat-vulnerability pairs have been identified along with a thoughtful control analysis):
1. Legal liability under the provisions of the health care regulations governing operations performed by the software: failure of, or damages caused during installation or utilization of, an EHR/PHI system has been feared as a threat in lawsuits.
Once the risks have been identified, we handle them following NIST guidance. The sample questions below, from NIST Special Publication (SP) 800-66, are examples organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:
- Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
- What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
- What are the human, natural, and environmental threats to information systems that contain e-PHI?
As covered above, accidental disclosure of patient information is also a threat: for example, disclosure of e-PHI through an accidentally or intentionally triggered exploit.
Threats categorized per NIST SP 800-30:
Natural threats: floods or earthquakes may cause machines to lose data, or lead to data breaches through physical access to the machines; hence a BCP (business continuity plan) and a DRP (disaster recovery plan) are needed.
Human threats: intentional (e.g., network and computer based attacks, malicious software upload, and unauthorized access to e-PHI) or unintentional (e.g., inadvertent data entry or deletion and inaccurate data entry) actions.
Environmental threats: power failures, pollution, chemicals, and liquid leakage.
Determine the Potential Impact of Threat Occurrence
Legal liabilities as discussed above can occur at any time. The Rule also requires consideration of the "criticality," or impact, of potential risks to the confidentiality, integrity, and availability of e-PHI.
Controls, such as anonymization, that support privacy protection:
Anonymization is a process in which PHI elements are eliminated or manipulated with the purpose of hindering the possibility of going back to the original data set. This involves removing all identifying data to create unlinkable data. De-identification under the HIPAA Privacy Rule occurs when data has been stripped of common identifiers by one of two methods:
1. The removal of the 18 specific identifiers (Safe Harbor method), among them:
All elements of dates (other than year)
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Vehicle identifiers and serial numbers including license plates
Device identifiers and serial numbers
Internet protocol addresses
Biometric identifiers (e.g. retinal scan, fingerprints)
Full face photos and comparable images
Any unique identifying number, characteristic or code
2. Obtaining the expertise of an experienced statistical expert to validate and document that the statistical risk of re-identification is very small (Statistical, or Expert Determination, method).
De-identified data may instead be coded, with a link to the original, fully identified data set kept by an honest broker. Because such links exist, coded de-identified data is considered indirectly identifiable and not anonymized. Coded de-identified data is not protected by the HIPAA Privacy Rule, but is protected under the Common Rule. The purpose of de-identification and anonymization is to make health care data usable in larger volumes for research purposes. Universities, government agencies, and private health care entities use such data for research, development and marketing purposes.
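The Safe Harbor de-identification and the honest-broker coding described above, and the 18-identifier list under Risk #2, are shown below as one added worked example; this is not code from the original presentation or from any EHR or HIE product. It takes the PID segment of an HL7 v2 ADT message, the kind of message that crosses the HIE boundary in Risk #4, strips or generalizes the Safe Harbor identifiers (name, SSN, phone, account number, date of birth to year with the 90+ bucket, ZIP to its first three digits or 000 for small-population areas), replaces the medical record number with a keyed pseudonym that only the honest broker can re-link, and then runs a residual check for direct identifiers that survived. The sample message, the small-population ZIP3 set, the broker key and the 2024 reference year are constructed assumptions; the real ZIP3 list comes from Census Bureau data.

```python
"""HIPAA Safe Harbor de-identification of an HL7 v2 PID segment (added example)."""
import hashlib
import hmac
import re

# Constructed sample ADT^A01 message; not real patient data. HL7 v2 separates
# fields with '|' and components with '^'; PID field numbering follows v2.x.
SAMPLE_ADT = "\r".join([
    "MSH|^~\\&|CLINICEHR|CLINIC1|HIE|STATE|202401151030||ADT^A01|MSG0001|P|2.5",
    "PID|1||MRN123456^^^CLINIC1^MR||DOE^JANE^A||19380704|F|||"
    "12 MAIN ST^^SPRINGFIELD^MA^03601||(617)555-0100|||||ACCT998877|123-45-6789",
])

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer must
# become "000". Placeholder set for the example; the real list is derived from
# Census Bureau data.
SMALL_ZIP3 = {"036", "059", "102"}

# Key held only by the honest broker who keeps the link to the identified data.
# Assumption for the example; in production it lives in a KMS/HSM, never with the data.
BROKER_KEY = b"honest-broker-secret-key"

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")


def pseudonym(mrn: str) -> str:
    """Coded identifier: a keyed hash, so re-linking needs the broker's key.
    An unkeyed SHA-256 of an MRN could be reversed by enumerating MRNs."""
    return hmac.new(BROKER_KEY, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def safe_harbor_zip(zipcode: str) -> str:
    """Keep the first three digits unless the zip3 area is a small population."""
    zip3 = zipcode[:3]
    return "000" if zip3 in SMALL_ZIP3 else zip3


def safe_harbor_dob(yyyymmdd: str, reference_year: int) -> str:
    """Dates keep only the year; ages over 89 collapse into a single 90+ bucket."""
    year = int(yyyymmdd[:4])
    return "90+" if reference_year - year > 89 else str(year)


def deidentify_pid(pid: str, reference_year: int = 2024) -> str:
    f = pid.split("|")
    f += [""] * (20 - len(f))              # pad short segments to PID-19
    f[3] = pseudonym(f[3].split("^")[0])   # PID-3 MRN -> coded link for the broker
    f[5] = ""                              # PID-5 patient name
    f[7] = safe_harbor_dob(f[7], reference_year)  # PID-7 date of birth
    addr = f[11].split("^")                # PID-11: keep state and zip3 only
    f[11] = "^^^" + addr[3] + "^" + safe_harbor_zip(addr[4])
    f[13] = ""                             # PID-13 home phone
    f[18] = ""                             # PID-18 account number
    f[19] = ""                             # PID-19 SSN
    return "|".join(f)


def deidentify_message(msg: str, reference_year: int = 2024) -> str:
    """Apply Safe Harbor to every PID segment; other segments pass through."""
    return "\r".join(
        deidentify_pid(s, reference_year) if s.startswith("PID|") else s
        for s in msg.split("\r"))


def leaked_identifiers(text: str) -> list[str]:
    """Residual check run on the output: direct identifiers that survived."""
    return [m.group(0) for rx in (SSN_RE, PHONE_RE, EMAIL_RE)
            for m in rx.finditer(text)]


if __name__ == "__main__":
    out = deidentify_message(SAMPLE_ADT)
    print(out.split("\r")[1])
    print("identifiers in input :", leaked_identifiers(SAMPLE_ADT))
    print("identifiers in output:", leaked_identifiers(out))
```

The keyed pseudonym is what makes this coded rather than anonymized data in the sense of the text above: the output alone cannot be linked back, but the broker holding BROKER_KEY can, so the data set stays indirectly identifiable and must be governed accordingly. The residual regex check is a sanity net, not proof of de-identification; free-text segments (NTE, OBX) would still need review.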
Risk Analysis: Matrix of Risks
Important risks have been identified along with reasonable impact and likelihood ratings, and the risks are prioritized on that basis. The matrix draws on the provisions covered above: the HIPAA and NIST guideline questions are used to categorize the severity of each risk, its priority ranking, and the rating of controls such as anonymization and the EHR safety provisions.
Risk Management (Steps 7-8): Disposition of Risks
All top risks have been identified along with a clear disposition (i.e., assume, avoid, limit, plan, or
transfer) for each one. A rationale should be provided to explain why each recommended course of
action was chosen
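The matrix and disposition step, worked through as an added example (not part of the original presentation): the four risks identified above are scored with the likelihood and impact weights of the NIST SP 800-30 (2002) 3x3 risk-level matrix, sorted by score, and given a disposition from the set the text names. The likelihood and impact ratings, the dispositions and the control notes in the register are assumptions made for the example; a real assessment would justify each from the threat-vulnerability analysis.

```python
"""Likelihood x impact risk matrix (NIST SP 800-30, 2002 edition) applied to the
risks identified in this analysis (added example with assumed ratings)."""

# SP 800-30 (2002) Table 3-6 weights: likelihood High/Medium/Low = 1.0/0.5/0.1,
# impact High/Medium/Low = 100/50/10. Risk level: >50 High, >10 Medium, else Low.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 3)


def risk_level(score: float) -> str:
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


# Constructed register: the four risks of this analysis with ASSUMED ratings and
# dispositions (assume / avoid / limit / plan / transfer).
REGISTER = [
    {"id": "R1", "risk": "Late charting exposed by EHR time stamps in discovery",
     "likelihood": "Medium", "impact": "High", "disposition": "limit",
     "control": "tamper-evident audit trail; flag late addendums for review"},
    {"id": "R2", "risk": "Unauthorized disclosure of e-PHI from the cloud service",
     "likelihood": "High", "impact": "High", "disposition": "limit",
     "control": "encryption, access control, OWASP Top 10 hardening of the client"},
    {"id": "R3", "risk": "Disclosure of patient safety work product outside PSQIA exceptions",
     "likelihood": "Low", "impact": "High", "disposition": "avoid",
     "control": "segregate PSWP; disclose only under the Patient Safety Activities exception"},
    {"id": "R4", "risk": "Misuse of HL7/HIE web services by a disparate system",
     "likelihood": "Medium", "impact": "High", "disposition": "limit",
     "control": "authenticated APIs; de-identify data leaving the trust boundary"},
]


def prioritize(register: list[dict]) -> list[dict]:
    """Score every risk and return the register ordered highest score first."""
    rated = []
    for r in register:
        score = risk_score(r["likelihood"], r["impact"])
        rated.append({**r, "score": score, "level": risk_level(score)})
    return sorted(rated, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f'{r["id"]} {r["level"]:6} {r["score"]:5.1f} {r["disposition"]:8} {r["risk"]}')
```

With these weights a Medium likelihood against a High impact scores exactly 50 and therefore lands in the Medium band, which is why R1 and R4 rank below R2 despite sharing its impact; if the team disagrees with that boundary the fix is to change the rating, not the thresholds, so the matrix stays comparable across assessments.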
Reduction (optimize – mitigate)
Meaningful Use: the main components of Meaningful Use are:
The use of a certified EHR in a meaningful manner, such as e-prescribing.
The use of certified EHR technology for electronic exchange of health information to improve
quality of health care.
The use of certified EHR technology to submit clinical quality and other measures.
In other words, providers need to show they're using certified EHR technology in ways that can be
measured significantly in quality and in quantity
The meaningful use of EHRs intended by the US government incentives is categorized as follows:
Improve care coordination
Reduce healthcare disparities
Engage patients and their families
Improve population and public health
Ensure adequate privacy and security
Avoidance (eliminate, withdraw from or not become involved)
Avoid the privacy risk through anonymization, a process in which PHI elements are eliminated or manipulated with the purpose of hindering the possibility of going back to the original data set. This involves removing all identifying data to create unlinkable data.
Risk avoidance through the Meaningful Use core requirements:
1. Use computerized order entry for medication orders.
2. Implement drug-drug, drug-allergy checks.
3. Generate and transmit permissible prescriptions electronically.
4. Record demographics.
5. Maintain an up-to-date problem list of current and active diagnoses.
6. Maintain active medication list.
7. Maintain active medication allergy list.
8. Record and chart changes in vital signs.
9. Record smoking status for patients 13 years old or older.
10.Implement one clinical decision support rule.
11.Report ambulatory quality measures to CMS or the States.
12.Provide patients with an electronic copy of their health information upon request.
13.Provide clinical summaries to patients for each office visit.
14.Capability to exchange key clinical information electronically among providers and patient
15.Protect electronic health information (privacy & security)
Menu requirements:
1. Implement drug-formulary checks.
2. Incorporate clinical lab-test results into certified EHR as structured data.
3. Generate lists of patients by specific conditions to use for quality improvement, reduction of
disparities, research, and outreach.
4. Send reminders to patients per patient preference for preventive/ follow-up care
5. Provide patients with timely electronic access to their health information (including lab
results, problem list, medication lists, allergies)
6. Use certified EHR to identify patient-specific education resources and provide to patient if
7. Perform medication reconciliation as relevant
8. Provide summary care record for transitions in care or referrals.
9. Capability to submit electronic data to immunization registries and actual submission.
10.Capability to provide electronic syndromic surveillance data to public health agencies and