Modern healthcare providers using Electronic Health Records can be targets of security
breaches. MA Healthcare Inc. is a large regional healthcare provider that uses Electronic
Health Records (EHR). A recent audit of the EHR system discovered that multiple user
accounts had been created and, over the span of 2 weeks, these accounts were elevated to privileges that
would allow access to both clinical and financial records.
Approximately 37,000 to 50,000 records could have been accessed. No apparent damage was
done; an investigation is underway to ascertain the extent of the information breach. Audit logs are
lacking because they overwrite themselves every two weeks. Although the accounts were created
some time ago (6 months), it is a glaring coincidence that the audit logs which would assist the
investigation in determining the source of the account creation, as well as who was elevating these
accounts, are no longer available. This could imply that the breach was done from the inside.
According to the National Institute of Standards and Technology (NIST), the Health
Insurance Portability and Accountability Act (HIPAA) requires that all EHR records and systems be
maintained with security policies that are intended to protect against and deter cyber attacks both externally
and internally (NIST Special Publication 800-66 Revision 1). Stephen S. Wu, citing 42 U.S.C.
1320d-2 of HIPAA, indicates that “each Covered Entity that maintains or transmits health information maintain
reasonable, and appropriate administrative, technical and physical safeguards.” (Stephen S. Wu (2007))
There are three security principles that should be adhered to in order to provide safeguards against such breaches.
1. Administrative – a safeguard policy that provides stated and written standards, guidelines,
and procedures that permit only the most qualified personnel to grant, promote, and
prevent access to system resources. Procedures that indicate how personnel are permitted
access, educated, and made aware of security training policies must be granted by express
written consent from their management. Requests of this nature would need to specify
exactly what kind of account it would be, what permissions the person would be given, and the
systems that the user would need access to.
In the case of MA Healthcare Inc., adopting the Administrative policy would include a
review of all administrative accounts as well as the employees using these accounts. The review would
further include, but not be limited to, the review of the existing audit policies, and justification and approval
by senior administrative personnel upon account permission elevation. All administrators would be
required to attend cyber security and awareness training.
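As an added illustration of the approval review described above (not part of the original case study), the following Python check runs over constructed audit and approval records in an assumed log format: it flags privilege elevations that lack a prior senior approval and lists accounts that have been elevated to both clinical and financial roles, the pattern seen in the incident.

```python
"""Audit check for the administrative safeguard: every privilege elevation
must be backed by a documented approval. Log layout, approval records and
all values below are constructed for this example (assumed format)."""
from datetime import datetime, timedelta

# Constructed audit events: (timestamp, actor, action, target, detail)
AUDIT_EVENTS = [
    ("2014-09-01T08:00:00", "admin_jsmith", "CREATE_ACCOUNT", "u1023", ""),
    ("2014-09-03T09:15:00", "admin_jsmith", "ELEVATE", "u1023", "role=clinical"),
    ("2014-09-10T14:30:00", "admin_jsmith", "ELEVATE", "u1023", "role=financial"),
    ("2014-09-02T10:00:00", "admin_kdoe", "CREATE_ACCOUNT", "u1024", ""),
    ("2014-09-04T11:00:00", "admin_kdoe", "ELEVATE", "u1024", "role=clinical"),
]
# Constructed approval records: (account, role, approver, approved_at)
APPROVALS = [
    ("u1024", "clinical", "cio_mwhite", "2014-09-03T16:00:00"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def unapproved_elevations(events, approvals, max_age_days=30):
    """Return ELEVATE events with no approval in the preceding max_age_days."""
    findings = []
    for ts, actor, action, target, detail in events:
        if action != "ELEVATE":
            continue
        role = detail.split("=", 1)[1]
        when = parse_ts(ts)
        approved = any(
            acct == target and r == role
            and timedelta(0) <= when - parse_ts(at) <= timedelta(days=max_age_days)
            for acct, r, _, at in approvals
        )
        if not approved:
            findings.append((target, role, actor, ts))
    return findings

def dual_access_accounts(events):
    """Sorted ids of accounts elevated to both clinical and financial roles."""
    roles = {}
    for _, _, action, target, detail in events:
        if action == "ELEVATE":
            roles.setdefault(target, set()).add(detail.split("=", 1)[1])
    return sorted(a for a, r in roles.items() if {"clinical", "financial"} <= r)
```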
2. Technical – a safeguard policy that oversees authentication of its users and ensures that
protected information maintains its confidentiality, integrity, and authenticity (CIA). These
would be defined in (Matthew Scholl, Kevin Stine, Joan Hash, Pauline Bowen, Arnold
Johnson, Carla Dancy Smith, and Daniel I. Steinberg, U.S. Department of Commerce,
National Institute of Standards and Technology (2008)). Multiple methods of authentication
can be used; these include:
1. Biometric verification (example: retina or fingerprint scan)
2. Multi-factor key authentication (example: a key “FOB” that autogenerates a new PIN
for users to use along with their passwords)
3. Network and system group/role based access. (example: active directory or Novell
Lightweight directory services (LDAP))
The latter (#3) specifically addresses the access/authentication processes that authorized
personnel would be granted under their respective group or role. For MA Healthcare, all accounts
would be assigned to a group that corresponds to their respective roles. The application of these policies
would reinforce the Confidentiality, Authentication and Integrity of the Electronic Health Record
systems.
3. Physical – an important step in protecting electronic protected health information (EPHI) is to
implement reasonable and appropriate physical safeguards for information systems and related
equipment and facilities (U.S. Department of Health & Human Services (2005)). Software
or data backups of core systems like routers, firewalls, servers, etc. should be robust and
routine. Core systems should be configured to prevent unauthorized access (physical and logical)
from both internal and external threats. Traffic should be encrypted bidirectionally when it
needs to leave the core infrastructure. All users would be prohibited from using USB or
external storage devices of any kind, and ports such as Bluetooth, IR, etc. should be
disabled unless express permission from an Administrator has been granted.
MA Healthcare’s password policy would need the following revision. All passwords would
require a minimum 8-12 characters, non-dictionary or actual words, upper and lower case, 2-4 numbers
and a special character. No standard names or common key patterns (e.g. QWERTY) should be
used. Password recovery would require a manager or some kind of administrator to re-approve
account access. Passwords may not include similar patterns to the last ten previously used
passwords. All passwords would be required to change every 90 days or expire automatically; however,
advance notice would be provided to inform users of an upcoming expiration with an opportunity to
change their passwords.
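The revised password policy above, as an added example (not code from the case study) of how its rules could be checked at password-change time. The word list, key-pattern list, the 0.8 similarity threshold, the 14-day notice period and the reading of “minimum 8-12 characters” as a length of 8 to 12 are all assumptions made for the illustration.

```python
"""Checker for the revised password policy: length, character classes,
dictionary words, common key patterns, similarity to the last ten
passwords, and 90-day expiry with advance notice. Lists and thresholds
below are constructed for this example, not taken from the policy text."""
from datetime import date
from difflib import SequenceMatcher
import re

DICTIONARY = {"password", "welcome", "healthcare", "summer", "records"}
KEY_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "abcdef")
MAX_AGE_DAYS = 90       # policy: change every 90 days or expire
WARN_DAYS = 14          # assumed length of the advance-notice window
HISTORY_DEPTH = 10      # policy: no pattern similar to the last ten
SIMILARITY_LIMIT = 0.8  # assumed threshold for "similar pattern"

def policy_violations(pw, history=()):
    """Return the list of policy rules the candidate password breaks."""
    errors = []
    if not 8 <= len(pw) <= 12:
        errors.append("length must be 8-12 characters")
    if not re.search(r"[A-Z]", pw) or not re.search(r"[a-z]", pw):
        errors.append("needs upper and lower case letters")
    if not 2 <= len(re.findall(r"\d", pw)) <= 4:
        errors.append("needs 2-4 digits")
    if not re.search(r"[^A-Za-z0-9]", pw):
        errors.append("needs a special character")
    low = pw.lower()
    if any(w in low for w in DICTIONARY):
        errors.append("contains a dictionary word")
    if any(p in low for p in KEY_PATTERNS):
        errors.append("contains a common key pattern")
    for old in history[-HISTORY_DEPTH:]:
        if SequenceMatcher(None, low, old.lower()).ratio() >= SIMILARITY_LIMIT:
            errors.append("too similar to a recent password")
            break
    return errors

def expiry_status(changed_on, today):
    """'expired', 'warn' (inside the notice window) or 'ok'."""
    age = (today - changed_on).days
    if age >= MAX_AGE_DAYS:
        return "expired"
    return "warn" if age >= MAX_AGE_DAYS - WARN_DAYS else "ok"
```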
A well-known organization that focuses on information security, the SANS Institute, publishes
security guidance for password protection, complexity, and routine frequency of password change,
documented in its Password Requirements policy (SANS Institute (n.d.)). This is also
indicated in the ISO 27001:2005 standard. This guidance also provides password lockout policies geared to
prevent password guessing and cracking. The policy outlined provides a reasonable amount of
security without impeding the administrators or creating an administrative nightmare for them.
Updating the policies on both users and passwords can dramatically improve the security
posture against unauthorized access. Documenting both policies and providing training for both
new and existing users is essential to ensuring that the confidentiality and integrity of the data are protected.
The added security further ensures that users are accountable for how they work with and access the data
entrusted to them. Management signatures authorizing access also add an escalation of responsibility
for the overall new user authentication policy.
EHRs are protected under the guidelines set forth by HIPAA. The three safeguard policies
mentioned above enhance these protections while maintaining “CIA” as described by NIST. While
these policies will be continually updated to reflect best practices for current environmental
changes, their core intentions have a solid foundation as described by HIPAA.
References:
Matthew Scholl, Kevin Stine, Joan Hash, Pauline Bowen, Arnold Johnson, Carla Dancy Smith, and
Daniel I. Steinberg, U.S. Department of Commerce, National Institute of Standards and Technology
(2008). An Introductory Resource Guide for Implementing the Health Insurance Portability and
Accountability Act (HIPAA) Security Rule (NIST Special Publication 800-66 Revision 1).
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf
Stephen S. Wu, American Bar Association (2007). Guide to HIPAA Security and the Law.
U.S. Department of Health & Human Services (2006). HIPAA Security Guidance.
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf
SANS Institute (n.d.). Password Policy. Retrieved October 1, 2014, from
http://www.sans.org/security-resources/policies/general/pdf/password-protection-policy
U.S. Department of Health & Human Services (2005). HIPAA Security Series.
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf
Karen Scarfone, Murugiah Souppaya, National Institute of Standards and Technology (2009). Guide to
Enterprise Password Management (Draft). http://csrc.nist.gov/publications/drafts/800-118/draft-