Security Assessment

From OpenEMR Project Wiki

Now that the clinic is preparing to go electronic, the HIPAA Security Rule will apply. Compliance with these regulations and standard backup procedures will be essential.

Risk management

Health information is an asset that needs to be protected. A risk assessment is the first step in continuing to protect this asset. An analysis should be made identifying the information assets, then determining the threats and vulnerabilities along with existing controls. Probabilities of the threats occurring in spite of the controls weighed against the impact of the occurrence will lead to an educated effort to protect the information asset.<ref name="Herzig">Herzig TW. Information Security in Healthcare: Managing Risk. Chicago: Healthcare Information and Management Systems Society; 2010. [1]</ref>

A security risk assessment is a requirement for compliance with HIPAA and Meaningful Use. <ref name="HIMSS">Risk Assessment Toolkit, Healthcare Information and Management Systems Society, 2012 [2]</ref><ref>Health Insurance Portability and Accountability Act of 1996 [3]</ref><ref>Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act; Proposed Rule, 2010 [4]</ref> The National Institute of Standards and Technology (NIST) outlines a nine step risk process: <ref>National Institute of Standards and Technology, U.S. Department of Commerce, Guide for Conducting Risk Assessments, 2012 [5]</ref>

  • System characterization
  • Threat identification
  • Vulnerability identification
  • Control analysis
  • Likelihood determination
  • Impact analysis
  • Risk determination
  • Control recommendations
  • Results determination

The Healthcare Information and Management Systems Society (HIMSS) provides a Risk Assessment Toolkit for conducting a risk assessment and developing a compliant security plan. Available for download is the Security Risk Assessment Guide/Data Collection Matrix from the Risk Assessment Toolkit that can be tailored to the individual practice setting.

Physical

Physical security protects the providers, the patients, clinic assets, and the physical manifestation of the business, financial, and health information. Traditional security matters involve locks, points of entry, lighting and cameras, fire precautions, power outage procedures, and water protection, and disaster recovery. Only after these measures have been taken can further policies in IT security be developed. The equipment storing PHI and BI should be subject to: Physical access restrictions: Place the server in a protected, locked area and limit access. Environmental precautions:

  • Put equipment on a UPS to prevent data loss and downtime in a power outage, spike, or sag.
  • Place server away from water sprinklers and out from under plumbing.
  • Store physical backups on and off site in areas resistant to fire and water damage.
  • Control static electricity around equipment using antistatic surfaces or sprays.
  • Allow equipment to "breathe," placing away from walls or vents so heat may dissipate.

Anymore, not all of the equipment containing PHI remains within the walls of the clinic. Laptops, tablets, and smart phones all can bear PHI and these items are highly mobile. They should be assigned to responsible parties and loss or theft should be promptly reported and action to protect further security holes should be taken.

Backup and disaster recovery

The organization should have a disaster recovery plan in order to provide continued patient care in the event of an unlikely and catastrophic event. A large part of this plan is a data backup strategy. Not only should the data be backed up, but it should be retrievable. A documented plan should include: <ref name="Herzig">Herzig TW. Information Security in Healthcare: Managing Risk. Chicago: Healthcare Information and Management Systems Society; 2010. [6]</ref>

  • Backup frequency
  • Backup type
  • Media type
  • Labeling convention
  • Storage and transportation
  • Rotation of media
  • Retention
  • Encryption
  • Responsible parties
  • Testing

Backup strategies not only should be compliant with HIPAA Security Rule specifications but with other regulations that oversee financial data (credit cards.)

Access

Access controls ensure that users with a need to know the information in a system are able to access it, while unauthorized users cannot. A secure system has the ability to identify, then authenticate a user. In the most basic form, the identification is a username, and authentication is a password. The three basic authentication factors available for verification if identity are:

  • Something the user knows (password or PIN)
  • Something the user has (smart card or token)
  • Something the user is (biometric)

Two-factor authentication uses two of these methods. For e-prescribing and for CCHIT certification, EHR systems shall have the ability to support two-factor authentication. Even in the most secure systems, there can be a weak link. Human factors are often the cause of access breaches, by some of these mechanisms:

  • Weak passwords
    • Passwords should be held to a standard and be required to change at intervals. Weak policies allow users to set poor, breakable passwords. Stringent policies can frustrate users and lead to workarounds, like visible notes.
  • Password sharing
    • While this is against security policy, users may feel this practice is necessary to deliver optimal patient care. Identify the workflow issue propagating this behavior.
  • Phishing and social engineering
    • Phishing is a method of tricking users into entering or revealing credentials in an insecure location. Social engineering is a skillful manipulation of the user to reveal credentials. Staff must be educated on how to avoid these attacks.

References:

<references />