WEEK 5 ANNOTATED BIBLIOGRAPHY

Chapter 13:
Security Threats and Controls
Fundamentals of Law for Health Informatics and Information Management, Third Edition

© 2017 American Health Information Management Association

Overview
Healthcare organizations must address circumstances that threaten privacy and security of patient information.
The HIPAA Security Rule requires implementation of security safeguards to protect ePHI.
NIST and other standards are also covered in the chapter.

Types of Security Threats
Threats to health information can be categorized as
Human
Natural
Environmental
Both human and natural/environmental threats can also be categorized as:
Internal threats
External threats

Human Security Threats
Human threats
Can be intentional
For example, theft, intentional alteration and destruction, virus attacks
May be due to disgruntled employees (internal)
May be due to external hackers or pranksters (for example, phishing and ransomware attacks)
Can be unintentional
For example, employee error, unintentional alteration and destruction
Internal breaches caused by humans are more common than external breaches.

Figure 13.1 has an example of employee breach
Natural and Environmental Security Threats
Are generally unintentional
Examples of external threats:
Hurricanes, tornadoes, lightning
Examples of internal threats:
Fire, water damage from an internal source
Highlight the need for disaster recovery and business continuity planning to minimize downtime and restore data

Vulnerabilities
Weaknesses in systems, processes, or people that reduce security
A vulnerability is something a threat can exploit
Threat vector: The path or means by which a threat exploits a vulnerability (for example, a phishing e-mail that delivers ransomware)

Identity Theft: A Security Threat
Identity theft
Made possible due to ease by which electronic information can be stolen
Identity Theft and Assumption Deterrence Act of 1998 makes it a federal crime to commit identity theft
Federal Trade Commission has oversight of identity theft regulations

Medical Identity Theft
Two main types
Use of name and other personal identifiers without knowledge or consent of the victim to obtain medical services
In some circumstances, victim’s consent may be obtained, but victim doesn’t realize the consequences
Example: Victim gives permission to another to use the victim’s insurance card to obtain medical services
Use of name and other personal identifiers to obtain money by falsifying claims for medical services

Medical Identity Theft
Medical identity theft can be internal or external
Internal (most common): Committed by organization insiders
Examples: Clinical or administrative staff with access to patient information, sophisticated crime rings infiltrating an organization by posing as staff
External: Committed by outsiders
Example: A patient who uses another’s medical insurance information (with or without permission)

Medical Identity Theft
If a patient’s information is altered but the patient’s identity is not abused, this is not medical identity theft.
If a patient’s financial information is used to purchase goods or services that are not medical in nature, this is not medical identity theft.

Implications of Medical Identity Theft
Financial consequences
Debt collection
Monetary losses
Damaged credit
Insurance denials
Medical consequences
Possibility of wrong care
Incorrect medical history

Detecting Theft of One’s Own Medical Identity
HIPAA
Accounting of disclosures (all covered entities) and accounting of payment disclosures for covered entities with EHRs
Weak; requires patient to make request
HITECH
Breach notification requirement
Application of HIPAA to personal health record vendors and third-party service providers

Reporting Medical Identity Theft
HIPAA breach notification requirement
Fair and Accurate Credit Transactions Act (FACTA)
Requires financial institutions and creditors to develop and implement written identity theft programs to identify, detect, and respond to red flags that may signal presence of identity theft (Red Flags Rule)
Red flag: Pattern, practice, or specific activity that could indicate identity theft

FACTA and the Red Flags Rule
FACTA and the Red Flags Rule do not specifically address medical identity theft, but many healthcare organizations must follow it because they meet the definition of creditor.
The Red Flags Rule went into effect December 31, 2010.

Examples are in Figure 13.2
Red Flags Rule
Five categories of red flags that trigger an alert of possible identity theft:
Alerts, notifications, or warnings from a consumer reporting agency
Suspicious documents
Suspicious personally identifying information such as a suspicious address
Unusual use of, or suspicious activity relating to, a covered account
Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with an account
Red flags should be incorporated into healthcare provider policies and procedures

Prevention, Detection, and Mitigation of Medical Identity Theft
Prevention challenges
Ensuring that preventive safeguards are in place to protect the privacy and security of patient information
Balancing patient privacy protections with disclosure of identity theft events to victims, law enforcement, and federal agencies
Identifying resources to assist healthcare organizations, providers, and patients who are victims of identity theft

Prevention of Medical Identity Theft
Ensure appropriate background checks of employees and business associates who may have access to business and patient protected health information (PHI).
Minimize the use of Social Security numbers for identification. Whenever possible, redact or replace some of the digits in the number. Avoid displaying the entire number on any document, screen, or data collection field.
Store patient information in a secure manner, ensuring that physical safeguards such as restricted access and locks are in place. Consider securing a release of liability from patients who refuse to use facility-provided lockboxes or other storage for personal items.

Prevention of Medical Identity Theft
Implement and comply with organizational policies for the appropriate disposal, destruction, and reuse of any media used to collect and store patient information.
Implement and comply with organizational policies and procedures that provide safeguards to ensure the security and privacy of patient information collected, maintained, and transmitted electronically.
Train staff on organizational policies and practices developed to provide protection and appropriate use and disclosure of patient information, as well as appropriate responses to identity theft events.
Develop a proactive identity theft response plan or policy that clearly outlines the response process and identifies the organization’s obligations to report or disclose to law enforcement or government agencies information related to such crimes.

Prevention of External Medical Identity Theft
When a patient presents for service or seeks to obtain benefits such as medical equipment:
Require a driver’s license to verify identity
Take photograph of patient
Biometric identifiers
Compare patient signature from previous encounters
All measures depend on valid baseline information
If baseline information is fraudulent, all subsequent encounters will be based on fraudulent information.

Prevention of Internal Medical Identity Theft
Background checks for employees and business associates
Minimize temporary hiring of individuals not licensed, certified, credentialed, or bound by professional codes of ethics
Avoid using or showing full Social Security numbers on data collection fields
Stringent access controls and systems controls
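Added example (not from the textbook): the two slides above tell organizations to avoid using or showing full Social Security numbers on documents, screens, and data collection fields. The Python below shows the three pieces a practitioner actually builds for that: a masked display form that keeps only the last four digits, a redaction pass over free text, and a keyed (HMAC) pseudonym that still lets records be matched on SSN without storing it. The key, the sample record, and the text are constructed for the example; in production the key lives in a KMS or HSM, not in source.

```python
import hashlib
import hmac
import re

# Constructed key for the keyed pseudonym (assumption: one organization-wide
# secret held in a KMS/HSM; it is hard-coded here only so the example runs).
PSEUDONYM_KEY = b"example-key-replace-with-256-random-bits"

# Nine digits, with or without the usual separators. Loose enough to catch
# "123456789", so run it only over fields/free text where SSNs are expected.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def mask_ssn(ssn: str) -> str:
    """Display form that keeps only the last four digits (screens, printouts, forms)."""
    m = SSN_RE.fullmatch(ssn.strip())
    if not m:
        raise ValueError("not a well-formed SSN")
    return f"XXX-XX-{m.group(3)}"


def redact_ssns(text: str) -> str:
    """Replace every SSN-shaped token in free text (notes, exports, logs) with its masked form."""
    return SSN_RE.sub(lambda m: f"XXX-XX-{m.group(3)}", text)


def ssn_pseudonym(ssn: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed one-way token: two records with the same SSN get the same token, so they
    can be linked without the SSN being stored. A plain SHA-256 would not do: only
    10**9 SSNs exist, so an unkeyed hash is reversed by brute force in minutes."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain nine digits")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:24]


def minimize_record(record: dict) -> dict:
    """Store the token and the last four digits instead of the raw SSN."""
    out = dict(record)
    raw = out.pop("ssn")
    out["ssn_token"] = ssn_pseudonym(raw)
    out["ssn_last4"] = mask_ssn(raw)[-4:]
    return out


if __name__ == "__main__":
    # Constructed intake record and note text.
    intake = {"mrn": "MRN1001", "name": "Example Patient", "ssn": "123-45-6789"}
    print(minimize_record(intake))
    print(redact_ssns("Pt states SSN is 123 45 6789; spouse SSN 987-65-4321."))
```

The pseudonym is only as strong as the secrecy of the key: if the key leaks, an attacker can enumerate all one billion SSNs and build a reverse table, so rotate it like any other credential and keep it out of application logs and backups of the database it protects.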

Mitigation of Medical Identity Theft
Address breach notification requirements
Separate intermingled health information of victim and perpetrator
Contact law enforcement

Security Access and Systems Controls
Access controls: Prevent unauthorized individuals from retrieving, using, or altering information
Only individuals with a “need to know” should have access to ePHI.

Security Access and Systems Controls
Access parameters:
Who has a right to information
How a user can access information

Access Controls
Types of access rights
User-based
Example: Specific access given to an individual
Role-based: Access based on roles that individuals have in an organization
Example: All nurses given same level of access
Context-based: Most stringent; additional layer beyond user-based or role-based access and considers context of transaction
Example: Nurses given access to only their units and only during their assigned shifts
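Added example (not from the textbook): a small Python model of the three types of access rights on this slide. Role names, permission strings, units, shift times, and the users are all constructed for the example. The point it makes is the layering the slide describes: a role-based or user-based grant is necessary but not sufficient, because the context-based check also requires that the patient be on one of the user's units and that the request fall inside the user's assigned shift.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed role table (assumption: what the EHR's identity store would hold).
ROLE_PERMISSIONS = {
    "nurse": {"chart:read", "vitals:write", "mar:write"},
    "registrar": {"demographics:read", "demographics:write"},
    "physician": {"chart:read", "chart:write", "orders:write"},
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    units: frozenset                      # units the user is assigned to
    shift: tuple                          # (start, end) as datetime.time
    user_grants: frozenset = frozenset()  # user-based exceptions for one individual


@dataclass(frozen=True)
class Request:
    user: User
    permission: str
    patient_unit: str
    at: datetime


def user_based(req: Request) -> bool:
    """User-based: a right given to this specific individual."""
    return req.permission in req.user.user_grants


def role_based(req: Request) -> bool:
    """Role-based: every user with the same role gets the same rights."""
    return req.permission in ROLE_PERMISSIONS.get(req.user.role, set())


def in_shift(shift: tuple, at: datetime) -> bool:
    start, end = shift
    t = at.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end  # night shift wrapping midnight


def context_based(req: Request) -> tuple:
    """Context-based: the most stringent. A role- or user-based grant is required,
    and then the unit and the time of the transaction are checked on top of it."""
    if not (role_based(req) or user_based(req)):
        return False, "no role- or user-based grant"
    if req.patient_unit not in req.user.units:
        return False, "patient not on an assigned unit"
    if not in_shift(req.user.shift, req.at):
        return False, "outside assigned shift"
    return True, "allowed"


def demo() -> dict:
    """Constructed requests that exercise each layer of the decision."""
    amy = User("nurse.amy", "nurse", frozenset({"3W"}), (time(7), time(19)))
    bob = User("reg.bob", "registrar", frozenset({"ED"}), (time(23), time(7)),
               user_grants=frozenset({"chart:read"}))  # user-based exception
    day = datetime(2024, 3, 4, 10, 0)
    night = datetime(2024, 3, 4, 23, 30)
    cases = {
        "nurse_own_unit_on_shift": Request(amy, "chart:read", "3W", day),
        "nurse_other_unit": Request(amy, "chart:read", "5E", day),
        "nurse_off_shift": Request(amy, "chart:read", "3W", night),
        "nurse_no_grant": Request(amy, "orders:write", "3W", day),
        "registrar_user_grant_on_shift": Request(bob, "chart:read", "ED", night),
        "registrar_user_grant_off_shift": Request(bob, "chart:read", "ED", day),
    }
    return {name: context_based(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:32s} {'ALLOW' if ok else 'DENY':5s} {why}")
```

Every denial returns a reason; in a real system that reason is what lands in the audit trail, which is how "nurse viewed a chart on another unit" becomes a reviewable event rather than a silent refusal.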

Access Controls: Entity Authentication
Entity authentication: Determining an entity is the one claimed based on predetermined criteria
User ID: Identifies the user; it is often predictable or public (for example, derived from the person's name), so it is not itself a secret and must be paired with an authentication method
Authentication methods:
Something you know (for example, password)
Something you are (for example, biometric identifier)
Something you have (for example, tokens and swipe cards)
Telephone call-back can also be used for remote access

Access Controls: Entity Authentication
Single-factor authentication
Combines user ID with one of the three authentication methods
Two-factor authentication
Combines user ID with any two of the three authentication methods
The two factors must come from different categories; a password plus a PIN is still single-factor, because both are something you know
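Added example (not from the textbook): a Python login check that combines "something you know" (a salted, iterated password hash) with "something you have" (a time-based one-time code per RFC 6238, the scheme used by authenticator apps). The user store, the enrolled user, and the iteration count are constructed for the example; real deployments use a higher PBKDF2 count (OWASP suggests 600,000 for PBKDF2-HMAC-SHA256) or a memory-hard hash such as Argon2id.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # kept low so the example runs fast; raise it in production
TOTP_STEP = 30               # seconds per code, the RFC 6238 default

# Constructed user store (assumption: the directory/EHR would hold these fields).
USERS = {}


def hash_password(password: str, salt: bytes = None) -> tuple:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code for a counter value (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP over the current 30-second time step (the 'something you have')."""
    return hotp(secret, unix_time // TOTP_STEP)


def enroll(user_id: str, password: str, totp_secret: bytes = None) -> bytes:
    salt, digest = hash_password(password)
    secret = totp_secret or os.urandom(20)  # shared with the user's authenticator app once
    USERS[user_id] = {"salt": salt, "pw": digest, "totp_secret": secret, "last_step": -1}
    return secret


def verify_login(user_id: str, password: str, code: str, unix_time: int) -> tuple:
    """Both factors must pass. Every failure returns the same message so a caller
    cannot learn which factor was wrong, and the password hash is always computed."""
    rec = USERS.get(user_id)
    if rec is None:
        hash_password(password)          # burn the same time for unknown users
        return False, "authentication failed"
    _, digest = hash_password(password, rec["salt"])
    pw_ok = hmac.compare_digest(digest, rec["pw"])
    step = unix_time // TOTP_STEP
    matched = None
    for candidate in (step - 1, step, step + 1):   # tolerate one step of clock drift
        if candidate > rec["last_step"] and hmac.compare_digest(hotp(rec["totp_secret"], candidate), code):
            matched = candidate
            break
    if not (pw_ok and matched is not None):
        return False, "authentication failed"
    rec["last_step"] = matched   # a code is single-use: a shoulder-surfed code cannot be replayed
    return True, "ok"


if __name__ == "__main__":
    secret = enroll("nurse.amy", "Quartz-Harbor-27")
    now = 1_700_000_000  # constructed clock value
    print(verify_login("nurse.amy", "Quartz-Harbor-27", totp(secret, now), now))
    print(verify_login("nurse.amy", "Quartz-Harbor-27", totp(secret, now), now))  # replayed code
```

The `last_step` bookkeeping is the detail most home-grown implementations miss: without it, a code that was observed over someone's shoulder remains valid for up to 90 seconds.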

Access Controls: Passwords
Often 4–16 characters
Minimum of 8 characters is common
Easy to remember for the user
Difficult for others to determine
Organizations must develop password guidelines

Access Controls: Password Guidelines
Should
Be a combination of letters and numbers
Have at least 8 characters, mixing upper- and lower-case
Be changed frequently
Should not be
Easily guessed (for example, a pet's name)
A word that is in the dictionary
A word that is newsworthy
Similar to one's previous password
Shared with others or displayed
Caveat: current NIST guidance (SP 800-63B, 2017) favors longer passwords screened against lists of known-breached passwords over composition rules and scheduled changes; passwords should be changed promptly whenever compromise is suspected.
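Added example (not from the textbook): a Python check that turns the guidelines above into code. The wordlist stands in for a real dictionary plus a breached-password list and is constructed for the example, as are the thresholds. Two details go beyond what the slide states: common substitutions are undone first, so "Passw0rd" is still recognized as "password", and similarity to a previous password is measured with a sequence ratio rather than exact equality, which is what catches "Winter2023!" becoming "Winter2024!".

```python
import difflib
import re

# Constructed wordlist standing in for a dictionary and a breached-password list.
COMMON_WORDS = {
    "password", "welcome", "letmein", "qwerty", "hospital", "nurse",
    "winter", "summer", "fluffy", "medical", "admin",
}
# Substitutions attackers try first, undone before the dictionary check.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
MIN_LENGTH = 8        # the slide's minimum; longer is better
MAX_SIMILARITY = 0.7  # above this the new password is "similar to the previous one"


def normalize(password: str) -> str:
    """Lower-case, undo leet substitutions, drop anything that is not a letter."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def check_password(password: str, user_id: str = "", previous: tuple = ()) -> list:
    """Return the list of guideline violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper- and lower-case letters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("needs both letters and numbers")
    if normalize(password) in COMMON_WORDS:
        problems.append("is a dictionary/common word (after undoing substitutions)")
    if user_id and user_id.lower().split(".")[-1] in password.lower():
        problems.append("contains the user ID")
    for old in previous:
        ratio = difflib.SequenceMatcher(None, password.lower(), old.lower()).ratio()
        if ratio > MAX_SIMILARITY:
            problems.append(f"too similar to a previous password ({ratio:.0%} match)")
            break
    return problems


if __name__ == "__main__":
    for candidate in ("Passw0rd", "fluffy", "Winter2024!", "Quartz-Harbor-27-lamp"):
        print(candidate, "->", check_password(candidate, "nurse.amy", previous=("Winter2023!",)) or "ok")
```

Run the same check against the organization's own vocabulary (facility names, unit codes, the EHR vendor's name) by adding them to the wordlist; those are the "newsworthy" words attackers targeting a specific hospital will try first.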

Figure 13.3 in text
Access Controls: Other Common Security Mechanisms
Automatic log-off
Termination of access
Prior to or at end of employment
When user roles change within organization
Audit trail
Reactive (it records what happened rather than preventing it), but shows log-on attempts and successful access, so it supports after-the-fact review and investigation
Tokens
Biometric identification
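Added example (not from the textbook): because an audit trail is reactive, its value comes from someone (or something) reading it. The Python below runs three detections over a constructed audit log in a simple key=value export format (real EHR audit formats vary by vendor, so the parser is an assumption): a burst of failed log-ons for one user, a successful log-on shortly after such a burst, and record views outside the user's assigned unit or shift. The log lines, user assignments, and thresholds are all made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, time

# Constructed audit log (assumption: the EHR can export its audit trail like this).
AUDIT_LOG = """\
2024-03-04T09:02:11 user=nurse.amy action=LOGIN result=OK src=10.4.2.18
2024-03-04T09:05:40 user=nurse.amy action=VIEW patient=MRN1001 unit=3W
2024-03-04T09:07:03 user=nurse.amy action=VIEW patient=MRN1002 unit=5E
2024-03-04T11:00:01 user=reg.bob action=LOGIN result=FAIL src=10.9.7.5
2024-03-04T11:00:09 user=reg.bob action=LOGIN result=FAIL src=10.9.7.5
2024-03-04T11:00:17 user=reg.bob action=LOGIN result=FAIL src=10.9.7.5
2024-03-04T11:00:26 user=reg.bob action=LOGIN result=FAIL src=10.9.7.5
2024-03-04T11:00:35 user=reg.bob action=LOGIN result=FAIL src=10.9.7.5
2024-03-04T11:00:44 user=reg.bob action=LOGIN result=OK src=10.9.7.5
2024-03-04T23:41:52 user=nurse.amy action=LOGIN result=OK src=10.4.2.18
2024-03-04T23:42:30 user=nurse.amy action=VIEW patient=MRN1003 unit=3W
"""

# Constructed assignments: units and (start, end) shift per user.
ASSIGNMENTS = {
    "nurse.amy": {"units": {"3W"}, "shift": (time(7), time(19))},
    "reg.bob": {"units": {"ED"}, "shift": (time(9), time(17))},
}
FAIL_THRESHOLD = 5        # this many failed log-ons ...
FAIL_WINDOW = 120         # ... within this many seconds is a burst
SUCCESS_AFTER_BURST = 300 # a success this soon after a burst is suspicious


def parse(line: str) -> dict:
    timestamp, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(timestamp)
    return event


def in_shift(shift: tuple, ts: datetime) -> bool:
    start, end = shift
    t = ts.time()
    return start <= t < end if start <= end else (t >= start or t < end)


def analyze(log_text: str) -> list:
    """Return (kind, user, timestamp) alerts, in log order."""
    alerts = []
    fails = defaultdict(deque)   # sliding window of failure times per user
    burst_at = {}
    for event in (parse(line) for line in log_text.splitlines() if line.strip()):
        user, ts = event["user"], event["ts"]
        if event["action"] == "LOGIN":
            if event["result"] == "FAIL":
                window = fails[user]
                window.append(ts)
                while (ts - window[0]).total_seconds() > FAIL_WINDOW:
                    window.popleft()
                if len(window) >= FAIL_THRESHOLD:
                    alerts.append(("failed_login_burst", user, ts))
                    burst_at[user] = ts
                    window.clear()
            elif user in burst_at and (ts - burst_at[user]).total_seconds() <= SUCCESS_AFTER_BURST:
                alerts.append(("login_after_burst", user, ts))  # did the guessing finally work?
                del burst_at[user]
        elif event["action"] == "VIEW":
            assignment = ASSIGNMENTS.get(user)
            if assignment is None:
                alerts.append(("unknown_user", user, ts))
                continue
            if event["unit"] not in assignment["units"]:
                alerts.append(("view_outside_unit", user, ts))
            if not in_shift(assignment["shift"], ts):
                alerts.append(("view_off_shift", user, ts))
    return alerts


if __name__ == "__main__":
    for kind, user, ts in analyze(AUDIT_LOG):
        print(f"{ts.isoformat()}  {kind:20s} {user}")
```

The out-of-unit and off-shift alerts only fire if the preventive context-based control did not already block the view; that overlap is deliberate, because the audit trail is how you find out the access control was misconfigured.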

Access Controls: Other Common Security Mechanisms
Employee nondisclosure agreements and training
Frequent review/modification of individual access
Security training should evolve with new technologies and policy changes

Remote Access Control
Create security policy and train workforce
Issue proper equipment for work purposes only
Deploy virtual private networks
Use two-factor authentication
Do not allow information to be stored locally
Monitor status of all computers
Check virus updates regularly
Require personal firewalls
Require shredders for printed information
Balance security with ease of access

Remote Network Access
SANS recommendations
Acceptable encryption policy
Acceptable use policy
Password policy
Third-party agreement
Hardware and software configuration standards for remote access

Access Controls: Mechanisms for Mobile Devices
Require that laptop always be carried
Use physical security device
Never leave laptop unattended
Never leave laptop visible
Install a host firewall, antivirus, and intrusion detection software
Encrypt files on laptop
Do not store password on device

Systems Controls
Protect ePHI in addition to access controls discussed previously
Also addressed by the HIPAA Security Rule
Generally relate to systems hardware or software, and functions such as ePHI transmission (for example, fax and e-mail)

Cybersecurity
“Preventative methods used to protect information from being stolen, compromised or attacked. It requires an understanding of potential information threats, such as viruses and other malicious code. Cybersecurity strategies include identity management, risk management and incident management.”
Cyberattacks are one of the major causes of data breaches

Systems Controls
Workstation use and security
Screen savers
Screen shields
Screen positioning
Policies and procedures

Systems Controls
Data encryption
Encodes (scrambles) data being transferred from one location to another so that it cannot be read without the key
Pretty Good Privacy (PGP)
Used to encrypt e-mail messages
Wired Equivalent Privacy (WEP)
An early standard for protecting information on wireless networks; it is cryptographically broken and has been deprecated since 2004, so wireless networks carrying ePHI should use WPA2 or WPA3 instead

Systems Controls
Encryption
Public key (asymmetric): Uses two mathematically linked keys, one private and one public
Data encrypted with the public key can be decrypted only with the private key (confidentiality)
Data encrypted with the private key can be decrypted only with the public key (the basis of digital signatures, which prove who sent the data)
Single key (symmetric): The same key both encrypts and decrypts
Much faster, so used more frequently for large files and bulk data; the key itself must be exchanged securely, often by encrypting it with the recipient's public key
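Added example (not from the textbook): Python that shows both key relationships on this slide and why the two kinds of encryption are used together. The RSA key is a toy built from two Mersenne primes so the example runs with the standard library alone; a ~150-bit modulus with no padding is for illustration only, and real systems use 2048-bit or larger RSA with OAEP/PSS, or elliptic-curve keys, through a vetted library such as pyca/cryptography. The symmetric cipher is likewise an illustrative HMAC-SHA256 keystream standing in for AES-GCM. The message and key values are constructed.

```python
import hashlib
import hmac
import os

# Toy RSA key from two Mersenne primes (2^61-1 and 2^89-1): illustration only.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent
PUBLIC_KEY, PRIVATE_KEY = (E, N), (D, N)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Illustrative single-key cipher: HMAC-SHA256 keystream in counter mode XORed with
    the data. The same call encrypts and decrypts. Same key + same counter gives the
    same keystream, so a key must never be reused for a second message; here every
    message gets a fresh session key. Use AES-GCM in practice."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def derive_keys(session_key: bytes) -> tuple:
    """Separate encryption and integrity keys from the one session key."""
    enc_key = hmac.new(session_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(session_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def hybrid_encrypt(plaintext: bytes, public_key=PUBLIC_KEY) -> tuple:
    """Symmetric key for the bulk data (fast, any size); the public key only wraps that key."""
    e, n = public_key
    session_key = os.urandom(16)
    enc_key, mac_key = derive_keys(session_key)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)   # only d can unwrap it
    ciphertext = stream_xor(enc_key, plaintext)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return wrapped_key, ciphertext, tag


def hybrid_decrypt(wrapped_key: int, ciphertext: bytes, tag: bytes, private_key=PRIVATE_KEY) -> bytes:
    d, n = private_key
    session_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    enc_key, mac_key = derive_keys(session_key)
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext or tag was altered")   # encryption alone does not detect tampering
    return stream_xor(enc_key, ciphertext)


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """The other direction: apply the private key to a hash; anyone with the public key can check it."""
    d, n = private_key
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big") % n, d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    e, n = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big") % n


if __name__ == "__main__":
    note = b"MRN1001 discharge summary (constructed sample text) " * 40
    wrapped, ct, tag = hybrid_encrypt(note)
    assert hybrid_decrypt(wrapped, ct, tag) == note
    sig = sign(note)
    print("signature verifies:", verify(note, sig), "| altered copy:", verify(note + b"x", sig))
```

Two things the slide's bullets imply but do not say are visible here: the asymmetric operation is applied only to 16 bytes no matter how large the file is, and the MAC is what makes an altered ciphertext fail loudly instead of decrypting to garbage that might be written into a record.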

Systems Controls
Firewall protection
A firewall is hardware or software that examines traffic entering and leaving a network
Most commonly used between healthcare organization’s internal (trusted) network and Internet (untrusted network)
Provides limits
Internal users are limited in accessing the internet.
Internet users are limited in accessing portions of internal network.

Systems Controls
Routers
Routers link different networks
Are responsible for sending network traffic to the correct destination
Not as robust as firewalls, but may filter certain network traffic

Systems Controls
Intrusion detection systems (IDS)
Act as an alarm system for the network
Warn of possible inappropriate access attempts but do not block them
Intrusion prevention systems (IPS)
Identify malicious network traffic
Apply rules to block its passage
Both IDS and IPS require significant human monitoring to check for false alarms.

Systems Controls
Antivirus programs
Common types of malicious code
File infectors: Attach to program files and run when the program runs
System or boot-record infectors: Infect the boot areas of hard disks or removable media
Macro viruses: Hide in document macros (for example, Microsoft Word or Excel files) and run when the document is opened
Worm: Self-replicating code that spreads across a network on its own, without attaching to another file
Trojan horse: Malicious code that hides inside, or disguises itself as, a legitimate program

Systems Controls
Antivirus programs
Virus checking is an important system security mechanism.
Antivirus software packages
Signature (virus definition) database must be updated frequently, and real-time scanning should be enabled
Zero-day exploits target flaws for which no patch or signature yet exists, so they can do considerable harm before defenses catch up.

Transmission of ePHI
Policies and procedures must be put into place to safeguard data transmitted via
Faxing
Internet
E-mail
Telehealth/telemedicine
Wireless communication devices
Social media

Faxing Health Records
AHIMA guidelines:
Generally: Only in urgent medical situations or for ongoing payer certification
Never prudent to fax highly sensitive information
Verify that recipient is authorized to receive, will be on stand-by to receive, will call to confirm receipt
Preprogram frequent fax numbers
Fax machines in secure locations
Confidentiality statement on cover page

Internet
Used more widely to transmit PHI with advent of integrated healthcare delivery systems
Uses:
Information source
Communication device
Extension of organizational network (functional)
Protection of data and system:
Policies and procedures
Systems protections (for example, firewalls)

E-mail
Prohibition against sending highly sensitive information
Issues
Potential for broader discovery
Possible interception (compromises privacy) during transmission or by erroneous recipient
Retention periods
May be difficult to determine true identity of sender
Group e-mails compromise confidentiality
Poor communication can trigger patient dissatisfaction/liability
E-mail attachments can contain computer viruses

Medical Device Security
Potential for security risks
FDA has published new guidance based on 2014 NIST voluntary Framework for Improving Critical Infrastructure Cybersecurity

Telehealth/Telemedicine
Telemedicine: Electronic exchange of medical information from one site to another to improve patients’ health
Telehealth: The digital use of technologies to deliver medical care, health education, and public health services by connecting multiple users in separate locations

Telehealth/Telemedicine
Issues include privacy during transmission
Videoconferencing
Transmission of still images
e-Health
Patient portals
Remote patient monitoring
Continuing medical education
Call centers

Social Media
Texting
Video
Audio
Substantial risks to privacy and security of PHI, because anything posted can be copied and spread beyond the organization's control
Organizations must have policies and procedures regarding what constitutes appropriate and inappropriate posting.

Contingency and Disaster Planning
Continuity plan: Ensures critical business functions can withstand emergencies
Contingency/disaster plan: Includes technical, procedural, and organizational components to follow after a loss. Includes
Risk assessment and analysis
Downtime and contingency planning
Data backup
Data recovery
Emergency mode of operations

Data Backup
Backup servers
Storage media such as backup tapes
Copy ("dump") data onto tapes or other media on a regular schedule
Move the copies to another location outside the area the event could affect
Encrypt backup media and test restores regularly: a lost unencrypted tape is a reportable breach, and a backup that has never been restored may not restore when needed

Data Recovery
Need is minimal if backups are complete and can be restored
If restoration is not possible, efforts should be made to reconstitute the record as much as possible
Upload documents from undamaged databases
Retranscribe documents from dictation system
Obtain copies from recipients of previously distributed copies

Emergency Mode of Operations
In a healthcare organization, may include recording clinical information:
How will the information be collected?
How will the information be secured?

Figure 13.5 includes a sample disaster plan and checklist
Figure 13.6 is a sample contingency plan
Emergency Mode of Operations
Determine other core operations (for example, MPI and transcription)
Identify contingency plan for each type of disaster and core process
Consider temporary and long-term effects of disasters
Anticipate operations both with and without electricity

Resources to Assist with Threats
Computer Security Resource Center of National Institute of Standards and Technology (NIST)
National Cyber Security Alliance (NCSA)
SANS Institute
AHIMA
