306 · C H A P T E R 9 : PRIVACY AND SECURITY

• Worms are software code that replicates itself and destroys files that are on the host computer, including the operating system.
• Ransomware is an advanced form of malware that hackers use to cripple the organization’s computer systems through malicious code, generally launched via an e-mail that is opened unwittingly by an employee, a method known as The malicious code then encrypts and locks folders and operating systems. The hacker demands money, generally in the form of bitcoins, a type of digital currency, to provide the decryption key to unlock the organization’s systems (Conn, 2016).

Some of the causes of unintentional health information breaches are lack of training in proper use of the health information system or human error. Users may unintentionally share patient information without proper autho­rization. Other examples include users sharing passwords or downloading information from nonsecure Internet sites, creating the potential for a breach in security. Some of the more common forms of internal breaches of security across all industries are the installation or use of unauthorized software, use of the organization’s computing resources for illegal or illicit communi­cations or activities (porn surfing, e-mail harassment, and so forth), and the use of the organization’s computing resources for personal profit. Losing or improperly disposing of electronic devices, including computers and porta­ble electronic devices, also constitute serious forms of unintentional health information exposure. In 2015, the OCR portal, which lists breach incidents potentially affecting five hundred or more individuals, reported more than seventy-five thousand individuals’ data were breached either because of loss or improper disposal of a device containing PHI (OCR, n.d.).

Threats from natural causes, such as fire or flood, are less common than human threats, but they must also be addressed in any comprehensive health care information security program. Loss of information because of environ­mental factors and technical malfunctions must be secured against by using appropriate safeguards.

THE HEALTH CARE ORGANIZATION’S SECURITY PROGRAM

The realization of any of the threats discussed in the previous section can cause significant damage to the organization. Resorting to manual operations if the computers are down for days, for example, can lead to organizational chaos. Theft or loss of organizational data can lead to litigation by the indi­viduals harmed by the disclosure of the data and HIPAA violations. Malware

THE HEALTH CARE O R G A N I Z AT I O N ’ S SECURITY PROGRAM · 307

can corrupt databases, corruption from which there may be no recovery. The function of the health care organization’s security program is to iden­tify potential threats and implement processes to remove these threats or mitigate their ability to cause damage. The primary challenge of developing an effective security program in a health care organization is balancing the need for security with the cost of security. An organization does not know how to calculate the likelihood that a hacker will cause serious damage or a backhoe will cut through network cables under the street. The organization may not fully understand the consequences of being without its network for four hours or four days. Hence, it may not be sure how much to spend to remove or reduce the risk.

Another challenge is maintaining a satisfactory balance between health care information system security and health care data and information avail­ability. As we saw in Chapter Two, the major purpose of maintaining health information and health records is to facilitate high-quality care for patients. On the one hand, if an organization’s security measures are so stringent that they prevent appropriate access to the health information needed to care for patients, this important purpose is undermined. On the other hand, if the orga­nization allows unrestricted access to all patient-identifiable information to all its employees, the patients’ rights to privacy and confidentiality would certainly be violated and the organization’s IT assets would be at considerable risk.

The ONC (2015) publication Guide to Privacy and Security of Electronic Health Information for health care providers includes a chapter describing a seven-step approach for implementing a security management process. The guidance is directed at physician practices or other small health care organizations, and it does not include specific technical solutions. Specific solutions for security protection will be driven by the organization’s overall plan and will be managed by the organizations IT team. Larger organizations must also develop comprehensive security programs and will follow the same basic steps, but it will likely have more internal resources for security than smaller practices.

Each step in the ONC security management process for health care pro­viders is listed in the following section.

Step 1: Lead Your Culture, Select Your Team, and Learn This step includes six actions:

1. Designate a security officer, who will be responsible for developing

and implementing the security practices to meet HIPAA requirements and ensure the security of PHI.

308 · C H A P T E R 9 : PRIVACY AND SECURITY

2. Discuss HIPAA security requirements with your EHR developer to ensure that your system can be implemented to meet the security requirements of HIPAA and Meaningful Use.
3. Consider using a qualified professional to assist with your security risk analysis. The security risk analysis is the opportunity to

discover as much as possible about risks and vulnerabilities to health information within the organization.

4. Use tools to preview your security risk analysis. Examples of available tools are listed within Step 3.
5. Refresh your knowledge base of the HIPAA rules.
6. Promote a culture of protecting patient privacy and securing patient information. Make sure to communicate that all members of the organization are responsible for protecting patient information.

Step 2: Document Your Process, Findings, and Actions

Documenting the processes for risk analysis and implementation of safe­guards is very important, not to mention a requirement of HIPAA. The fol­lowing are some examples cited by the ONC of records to retain:

• Policies and procedures
• Completed security checklists (ESET, n.d.)
• Training materials presented to staff members and volunteers and any associated certificates of completion
• Updated business associate (BA) agreements
• Security risk analysis report
• EHR audit logs that show utilization of security features and efforts to monitor users’ actions
• Risk management action plan or other documentation that shows appropriate safeguards are in place throughout your organization, implementation timetables, and implementation notes
• Security incident and breach information

Step 3: Review Existing Security of ePHI
(Perform Security Risk Analysis)

Risk analysis assesses potential threats and vulnerabilities to the “confiden­tiality, integrity and availability” (ONC, 2015, p. 41) of PHI. Several excellent

THE HEALTH CARE O R G A N I Z AT I O N ’ S SECURITY PROGRAM · 309 Table 9.3 Resources for conducting a comprehensive risk analysis

OCR’s Guidance on Risk                        http://www.hhs.gov/hipaa/for-professionals/security/

Analysis Requirements under                  guidance/final-guidance-risk-analysis/index.html the HIPAA Rule

OCR Security Rule Frequently               http://www.hhs.gov/hipaa/for-professionals/faq Asked Questions (FAQs)

ONC SRA (Security Risk                       https://www.healthit.gov/providers-professionals/

Assessment) Tool for small                     security-risk-assessment
practices

National Institute of Standards               https://scap.nist.gov/hipaa/

and Technology (NIST) HIPAA

Security Rule Toolkit

government-sponsored guides and toolsets available for conducting a compre­hensive risk analysis are listed in Table 9.3 with a corresponding web address. The three basic actions recommended for the organization’s first compre­hensive security risk analysis are as follows:

1. Identify where ePHI exists.
2. Identify potential threats and vulnerabilities to ePHI.
3. Identify risks and their associated levels.

Step 4: Develop an Action Plan

As discussed, the HIPAA Security Plan provides flexibility in how to achieve compliance, which allows an organization to take into account its specific needs. The action plan should include five components. Once in place, the plan should be reviewed regularly by the security team, led by the security officer.

1. Administrative safeguards
2. Physical safeguards
3. Technical safeguards
4. Organizational standards
5. Policies and procedures

Table 9.4 lists common examples of vulnerabilities and mitigation strat­egies that could be employed.

310 · C H A P T E R 9 : PRIVACY AND SECURITY

Table 9.4 Common examples of vulnerabilities and mitigation strategies

Security                                                                                 Examples of Security

Component            Examples of Vulnerabilities                Mitigation Strategies

No security officer is designated.

Workforce is not trained or is unaware of privacy and security issues.

Facility has insufficient locks and other barriers to patient data access.

Computer equipment is easily accessible by the public.

Portable devices are not tracked or not locked up when not in use.

Poor controls enable inappropriate access to EHR.

Audit logs are not used enough to monitor users and other HER activities.

No measures are in place to keep electronic patient data from improper changes.

No contingency plan exists.

Electronic exchanges of patient information are not encrypted or otherwise secured.

No breach notification and associated policies exist.

BA agreements have not been updated in several years.

Security officer is designated and publicized.

Workforce training begins at hire and is conducted on a regular and frequent basis.

Security risk analysis is performed periodically and when a change occurs in the practice or the technology.

Building alarm systems are
installed.

Offices are locked.

Screens are shielded from secondary viewers.

Secure user IDs, passwords, and appropriate role-based access are used.

Routine audits of access and changes to EHR are conducted.

Anti-hacking and anti-malware software is installed.

Contingency plans and data backup plans are in place.

Data are encrypted.

Regular reviews of agreements are conducted and updates made accordingly.

THE HEALTH CARE O R G A N I Z AT I O N ’ S SECURITY PROGRAM · 311

Security                                                                                 Examples of Security

Component            Examples of Vulnerabilities                Mitigation Strategies

Source: ONC (2015).

Step 5: Manage and Mitigate Risks

The security plan will reduce risk only if it is followed by all employees in the organization. This step has four actions associated with it.

1. Implement your plan.
2. Prevent breaches by educating and training your workforce.
3. Communicate with patients.
4. Update your BA contracts.

Step 6: Attest for Meaningful Use Security Related Objective

Organizations can attest to the EHR Incentive Program security-related objective after the security risk analysis and correction of any identified deficiencies.

Step 7: Monitor, Audit, and Update Security
on an Ongoing Basis

The security officer, IT administrator, and EHR developer should work together to ensure that the organization’s monitoring and auditing functions are active and configured appropriately. Auditing and monitoring are neces­sary to determine the adequacy and effectiveness of the security plan and infrastructure, as well as the “who, what, when, where and how” (ONC, 2015, p. 54) patients’ ePHI is accessed.