Chapter 13Security Threats and ControlsFundamentals of Law

Chapter 13:
Security Threats and Controls
Fundamentals of Law for Health Informatics and Information
Management, Third Edition
© 2017 American Health Information Management Association
Overview
Healthcare organizations must address circumstances that
threaten privacy and security of patient information.
The HIPAA Security Rule requires implementation of security
safeguards to protect ePHI.
NIST and other standards are also covered in the chapter
Types of Security Threats
Threats to health information can be categorized as
Human
Natural
Environmental
Both human and natural/environmental threats can also be
categorized as:
Internal threats
External threats
Human Security Threats
Human threats

Can be intentional
For example, theft, intentional alteration and destruction, virus
attacks
May be due to disgruntled employees (internal)
May be due to external hackers or pranksters (cybersecurity,
phishing, ransomware)
Can be unintentional
For example, employee error, unintentional alteration and
destruction
Internal breaches caused by humans are more common than
external breaches.
Figure 13.1 has an example of employee breach
4
Natural and Environmental Security Threats
Are generally unintentional
Examples of external threats:
Hurricanes, tornadoes, lightning
Examples of internal threats:
Fire, water damage from an internal source
Highlight the need for disaster recovery/ business
continuity/planning to minimize downtime and restore data
Vulnerabilities
Weaknesses that impact security
It is something that can be exploited
Threat vector—The path taken to exploit the vulnerability

Identity Theft: A Security Threat
Identity theft
Made possible due to ease by which electronic information can
be stolen
Identity Theft and Assumption Deterrence Act of 1998 makes it
a federal crime to commit identity theft
Federal Trade Commission has oversight of identity theft
regulations
Medical Identity Theft
Two main types
Use of name and other personal identifiers without knowledge
or consent of the victim to obtain medical services
In some circumstances, victim’s consent may be obtained, but
victim doesn’t realize the consequences
Example: Victim gives permission to another to use the victim’s
insurance card to obtain medical services
Use of name and other personal identifiers to obtain money by
falsifying claims for medical services
Medical identity theft can be internal or external
Internal (most common): Committed by organization insiders
Examples: Clinical or administrative staff with access to patient
information, sophisticated crime rings infiltrating an
organization by posing as staff
External: Committed by outsiders
Example: A patient who uses another’s medical insurance
information (with or without permission)

If a patient’s information is altered but the patient’s identity is
not abused, this is not medical identity theft.
If a patient’s financial information is used to purchase goods or
services that are not medical in nature, this is not medical
identity theft.
Implications of Medical Identity Theft
Financial consequences
Debt collection
Monetary losses
Damaged credit
Insurance denials
Medical consequences
Possibility of wrong care
Incorrect medical history
Detecting Theft of One’s Own Medical Identity
HIPAA
Accounting of disclosures (all covered entities) and accounting
of payment disclosures for covered entities with EHRs
Weak; requires patient to make request
HITECH
Breach notification requirement
Application of HIPAA to personal health record vendors and
third-party service providers

Reporting Medical Identity Theft
HIPAA breach notification requirement
Fair and Accurate Credit Transactions Act (FACTA)
Requires financial institutions and creditors to develop and
implement written identity theft programs to identify, detect,
and respond to red flags that may signal presence of identity
theft (Red Flags Rule)
Red flag: Pattern, practice, or specific activity that could
indicate identity theft
13
FACTA and the Red Flags Rule
FACTA and the Red Flags Rule do not specifically address
medical identity theft, but many healthcare organizations must
follow it because they meet the definition of creditor.
The Red Flags Rule went into effect December 31, 2010.
Examples are in Figure 13.2
14
Red Flags Rule
Five categories of red flags that trigger an alert of possible
identity theft:
Alerts, notifications, or warnings from a consumer reporting
agency
Suspicious documents
Suspicious personally identifying information such as a
suspicious address
Unusual use of, or suspicious activity relating to, a covered

account
Notices from customers, victims of identity theft, law
enforcement authorities, or other businesses about possible
identity theft in connection with an account
Red slags should be incorporated into healthcare provider
policies and procedures
Prevention, Detection, and Mitigation of Medical Identity Theft
Prevention challenges
Ensuring that preventive safeguards are in place to protect the
privacy and security of patient information
Balancing patient privacy protections with disclosure of identity
theft events to victims, law enforcement, and federal agencies
Identifying resources to assist healthcare organizations,
providers, and patients who are victims of identity theft
16
Prevention of Medical Identity Theft
Ensure appropriate background checks of employees and
business associates who may have access to business and patient
protected health information (PHI).
Minimize the use of Social Security numbers for identification.
Whenever possible, redact or replace some of the digits in the
number. Avoid displaying the entire number on any document,
screen, or data collection field.
Store patient information in a secure manner, ensuring that
physical safeguards such as restricted access and locks are in
place. Consider securing a release of liability from patients who
refuse to use facility-provided lockboxes or other storage for
personal items.

Prevention of Medical Identity Theft
Implement and comply with organizational policies for the
appropriate disposal, destruction, and reuse of any media used
to collect and store patient information.
Implement and comply with organizational policies and
procedures that provide safeguards to ensure the security and
privacy of patient information collected, maintained, and
transmitted electronically.
Train staff on organizational policies and practices developed to
provide protection and appropriate use and disclosure of patient
information, as well as appropriate responses to identity theft
events.
Develop a proactive identity theft response plan or policy that
clearly outlines the response process and identifies the
organization’s obligations to report or disclose to law
enforcement or government agencies information related to such
crimes.
© 2017 American Health Information Manageme nt Association
Prevention of External Medical Identity Theft
When a patient presents for service or seeks to obtain benefits
such as medical equipment:
Require a driver’s license to verify identity
Take photograph of patient
Biometric identifiers
Compare patient signature from previous encounters
All measures depend on valid baseline information
If baseline information is fraudulent, all subsequent encounters
will be based on fraudulent information.

Prevention of Internal Medical Identity Theft
Background checks for employees and business associates
Minimize temporary hiring of individuals not licensed,
certified, credentialed, or bound by professional codes of ethics
Avoid using or showing full Social Security numbers on data
collection fields
Stringent access controls and systems controls
Mitigation of Medical Identity Theft
Address breach notification requirements
Separate intermingled health information of victim and
perpetrator
Contact law enforcement
Security Access and Systems Controls
Access controls: Prevent unauthorized individuals from
retrieving, using, or altering information rights
Only individuals with a “need to know” should have access to
ePHI.
Security Access and Systems Controls
Access parameters:
Who has a right to information
How a user can access information
Access Controls

Types of access rights
User-based
Example: Specific access given to an individual
Role-based: Access based on roles that individuals have in an
organization
Example: All nurses given same level of access
Context-based: Most stringent; additional layer beyond user-
based or role-based access and considers context of transaction
Example: Nurses given access to only their units and only
during their assigned shifts
Access Controls: Entity Authentication
Entity authentication: Determining an entity is the one claimed
based on predetermined criteria
User ID (is often logical and/or public)
Authentication methods:
Something you know (for example, password)
Something you are (for example, biometric identifier)
Something you have (for example, tokens and swipe cards)
Telephone call-back can also be used for remote access
25
Access Controls: Entity Authentication
Single-factor authentication
Combines user ID with one of the three authentication methods
Two-factor authentication
Combines user ID with any two of the three authentication

methods
Access Controls: Passwords
Often 4–16 characters
Minimum of 8 characters is common
Easy to remember for the user
Difficult for others to determine
Organizations must develop password guidelines
27
Access Controls: Password Guidelines
Should
Be a combination of letters and numbers
Have at least 8 characters, mixing upper- and lower-case
Be changed frequently
Should not be
Easily guessed (for example, a pet’s name)
A word that is in the dictionary
A word that is newsworthy
Similar to one’s previous password
Shared with others or displayed
Figure 13.3 in text
28
Access Controls: Other Common Security Mechanisms

Automatic log-off
Termination of access
Prior to or at end of employment
When user roles change within organization
Audit trail
Reactive, but shows log-on attempts and successful computer
access
Tokens
Biometric identification
29
Access Controls: Other Common Security Mechanisms
Employee nondisclosure agreements and training
Frequent review/modification of individual access
Security training should evolve with new technologies and
policy changes
Remote Access Control
Create security policy and train workforce
Issue proper equipment for work purposes only
Deploy virtual private networks
Use two-factor authentication
Do not allow information to be stored locally
Monitor status of all computers
Check virus updates regularly
Require personal firewalls
Require shredders for printed information

Balance security with ease of access
Remote Network Access
SANS recommendations
Acceptable encryption policy
Acceptable use policy
Password policy
Third-party agreement
Hardware and software configuration standards for remote
access
Access Controls: Mechanisms for Mobile Devices
Require that laptop always be carried
Use physical security device
Never leave laptop unattended
Never leave laptop visible
Install desktop firewall, antivirus, and intrusion software
Encrypt files on laptop
Do not store password on device
Systems Controls
Protect ePHI in addition to access controls discussed previously
Also addressed by the HIPAA Security Rule
Generally relate to systems hardware or software, and functions
such as ePHI transmission (for example, fax and e-mail)

Cybersecurity
“Preventative methods used to protect information from being
stolen, compromised or attacked. It requires an understanding of
potential information threats, such as viruses and other
malicious code. Cybersecurity strategies include identity
management, risk management and incident management.”
One of the major causes of data breaches
Systems Controls
Workstation use and security
Screen savers
Screen shields
Screen positioning
Policies and procedures
Systems Controls
Data encryption
Codes or scrambles data being transferred from one location to
another
Pretty good privacy
Used to encrypt e-mail messages
Wired equivalent privacy
Used to protect information on wireless networks
Systems Controls
Encryption
Public key: Uses two keys, one private and one public

Data encrypted with public key can be decrypted only by private
key
Data encrypted with private key can be decrypted only by public
key
Single key
Used more frequently for large files
Systems Controls
Firewall protection
A firewall is hardware or software that examines traffic entering
and leaving a network
Most commonly used between healthcare organization’s internal
(trusted) network and Internet (untrusted network)
Provides limits
Internal users are limited in accessing the internet.
Internet users are limited in accessing portions of internal
network.
Systems Controls
Routers
Routers link different networks
Are responsible for sending network traffic to correct
designation
Not as robust as firewalls, but may filter certain network traffic
Systems Controls
Intrusion detection systems (IDS)
Alarm network for the system

Warn of possible inappropriate access attempts
Intrusion prevention systems (IPS)
Identify malicious network traffic
Apply rules to block its passage
Both IDS and IPS require significant human monitoring to
check for false alarms.
Systems Controls
Antivirus programs
Common types of viruses
File infectors: Attach to program files
System or boot-record infectors: Infect areas of hard disks or
diskettes
Macro viruses: Infects Microsoft Word application, inserting
unwanted words or phrases
Worm: Stores and replicates itself
Trojan horse: Destructive programming code that hides itself in
another piece of programming code
Systems Controls
Antivirus programs
Virus checking is an important system security mechanism.
Antivirus software packages
Virus catalog must be updated frequently
Zero-day exploits may do considerable harm within one day.
Transmission of ePHI

Policies and procedures must be put into place to safeguard data
transmitted via
Faxing
Internet
E-mail
Telehealth/telemedicine
Wireless communication devices
Social media
Faxing Health Records
AHIMA guidelines:
Generally: Only in urgent medical situations or for ongoing
payer certification
Never prudent to fax highly sensitive information
Verify that recipient is authorized to receive, will be on stand-
by to receive, will call to confirm receipt
Preprogram frequent fax numbers
Fax machines in secure locations
Confidentiality statement on cover page
45
Internet
Used more widely to transmit PHI with advent of integrated
healthcare delivery systems
Uses:
Information source
Communication device
Extension of organizational network (functional)

Protection of data and system:
Policies and procedures
Systems protections (for example, firewalls)
E-mail
Prohibition against sending highly sensitive information
Issues
Potential for broader discovery
Possible interception (compromises privacy) during
transmission or by erroneous recipient
Retention periods
May be difficult to determine true identity of sender
Group e-mails compromise confidentiality
Poor communication can trigger patient dissatisfaction/liability
E-mail attachments can contain computer viruses
Medical Device Security
Potential for security risks
FDA has published new guidance based on 2014 NIST voluntary
Framework for Improving Critical Infrastructure Cybersecurity
Telehealth/Telemedicine
Telemedicine: Electronic exchange of medical information from
one site to another to improve patients’ health
Telehealth: The digital use of technologies to deliver medical
care, health education, and public health services by connecting
multiple users in separate locations

Telehealth/Telemedicine
Issues include privacy during transmission
Videoconferencing
Transmission of still images
e-Health
Patient portals
Remote patient monitoring
Continuing medical education
Nursing call centers
Social Media
Texting
Video
Audio
Exponential risks to privacy and security of PHI
Organizations must have policies and procedures regarding what
constitutes appropriate and inappropriate posting.
Contingency and Disaster Planning
Continuity plan: Ensures critical business functions can
withstand emergencies
Contingency/disaster plan: Includes technical, procedural, and
organizational components to follow after a loss. Includes
Risk assessment and analysis
Downtime and contingency planning
Data backup
Data recovery
Emergency mode of operations

52
Data Backup
Backup servers
Storage media such as backup tapes
Data “dump” onto tapes or other media
Removing it to another location outside the vicinity of the event
Data Recovery
Need is not extensive if data backup efforts are successful
If restoration is not possible, efforts should be made to
reconstitute the record as much as possible
Upload documents from undamaged databases
Retranscribe documents from dictation system
Obtain copies from recipients of previously distributed copies
Emergency Mode of Operations
In a healthcare organization, may include recording clinical
information:
How will the information be collected?
How will the information be secured?
Figure 13.5 includes a sample disaster plan and checklist
Figure 13.6 is a sample contingency plan
55

Emergency Mode of Operations
Determine other core operations (for example, MPI and
transcription)
Identify contingency plan for each type of disaster and core
process
Consider temporary and long-term effects of disasters
Anticipate operations both with and without electricity
Resources to Assist with Threats
Computer Security Resource Center of National Institute of
Standards and Technology (NIST)
National Cyber Security Alliance (NCSA)
SANS Institute
AHIMA
Annotated Bibliography Worksheet
Student Name:
A. Bibliographical Information:
Author(s) Name:
Title of Article:
Date of Article:

Journal Name:
B. Summary of Article:
C. Evaluation of Article:
D. Reflection on Application to Practice:
Annotated Bibliography Rubric
50 Pts
Exemplary
Developing
Needs Improvement
Written Criteria
10 Points
7 Points
4 Points
Faculty Comments
Bibliographical Information
Bibliographical information is accurately stated and formatted.
Bibliographical information contains 2-3 errors.
Bibliographical information contains more than 3 errors.
Summary of Article

Article is concisely summarized in one paragraph with no more
than one error
Article is more than one paragraph with one error
Article exceeds one paragraph and has more than 2 errors.
Evaluation of Article
Article is evaluated in light of its purpose and credibility
Evaluation is loosely based on evidence but well organized
Evaluation does not relate to purpose of article and is not
evidence-based.
Reflection on Application to Practice
Reflection contains reference to application to current of future
practice merits or lack of merit.
Reflection is vague and only loosely related to current or future
practice.
Reflection does not connect merit or lack of merit to practice.
Grammar, Syntax, APA Format
APA format, grammar, spelling, and/or punctuation are
accurate, or with zero to three errors.
Four to six errors in APA format, grammar, spelling, and syntax
noted.
Paper contains greater than six errors in APA format, grammar,
spelling, and/or punctuation or repeatedly makes the same
errors after faculty feedback.

Chapter 13Security Threats and ControlsFundamentals of Law

Recommended

Recommended

More Related Content

Similar to Chapter 13Security Threats and ControlsFundamentals of Law

Similar to Chapter 13Security Threats and ControlsFundamentals of Law (20)

More from EstelaJeffery653

More from EstelaJeffery653 (20)

Recently uploaded

Recently uploaded (20)

Chapter 13Security Threats and ControlsFundamentals of Law