@ShahidNShah
Physical Risks in Medical Practice and Their Mitigation
EXPLANATION OF THE MOST COMMON TYPES OF INFORMATION ASSURANCE RISKS
PHYSICAL RISKS
Risk: Lack of procedures and contingency plans in the event of an emergency
Explanation: In the event of an emergency, a well-defined contingency plan helps the team restore data in addition to providing physical security. A contingency plan is usually used when there is an emergency, for example when there is an outage. During the crisis it is important that the doctors still have access to ePHI so that the quality of care is not compromised.
Major Mitigation: Based on the size of the physician’s practice, the contingency plans in place may vary. For small doctors’ offices, the whole staff may need to be involved in restoration. In the case of large physician practices, authorized personnel may need to be accompanied into the buildings by guards.
A contingency plan should be in place that ensures the right people have access to where the PHI is physically housed. This means there need to be well-established procedures and processes so that, in the case of an emergency, authorized people who have access can retrieve the PHI or even make a backup copy of the PHI data. For example, this can mean bringing up the application in another data center if the primary data center housing the application becomes inaccessible. This should be done so that physicians have uninterrupted access to their patients’ PHI even in the event of an emergency.
Success criteria: Periodic third party audits of contingency plans and mock emergency drills can help ensure that this risk has been taken care of.
Risk: Lack of controls to prevent unauthorized physical access, tampering, and theft.
Explanation: The physician’s facility should be secure so that PHI and related equipment cannot be tampered with in any way. Securing PHI means that only staff who are authorized to access PHI may access it. This means securing equipment, workstations and in some cases entire facilities so that only authorized staff are allowed to enter these facilities.
Major Mitigation: Risk data needs to be reviewed for anyone requiring access to ePHI, whether they are staff, patients, visitors or business partners.
The following are some methods for mitigating this kind of risk as suggested by the Department of Health and Human Services in their HIPAA Security Series [9, 10 and 11]:
- Locked doors, signs warning of restricted areas, surveillance cameras, alarms.
- Property controls such as property control tags, engraving on equipment.
- Personnel controls such as identification badges, visitor badges and/or escorts for large offices.
- Private security service or patrol for the facility.
Secondary Mitigation: All persons accessing PHI must be well aware of their roles in maintaining security in the facility. Procedures and processes would also need to be kept up to date when there are changes in the information systems or the environment.
Success criteria: Periodic monitoring of facilities to ensure that policies and procedures are being followed. Third party audit of physician practices.
Risk: Lack of procedures defining the use of electronic devices.
Explanation: Different electronic devices are used to access ePHI. These devices include desktops, laptops, mobile devices and tablets. These electronic devices may be used within the practice building, or from homes and other places. If there is no defined procedure on how to use these devices to access ePHI, including what not to do with these devices, then there is a risk of ePHI being compromised.
Major Mitigation: Specific policies and procedures must be defined that spell out how ePHI needs to be accessed. In other words, there must be a clear description of what can and cannot be done on the devices that are used to access ePHI. For example, it can be defined that no other software program can be installed and used on the devices that access ePHI without prior permission. Or it can be defined that no personal emails or social media sites can be accessed through these devices. These policies can be defined to the level of detail deemed appropriate. For example, a policy can just define what can or cannot be done by device type. Or it can be very specific, detailing each electronic device by its ID and describing how it must be used. Separate policies must also exist for devices that are used to access ePHI remotely. The scenarios where staff bring their own devices to the workplace also need to be considered, and policies governing their use must be defined.
Secondary Mitigation: The environment surrounding the devices used to access ePHI is also to be considered. Policies and procedures describing the required environment that houses the devices when they are used to access ePHI must be written down. For example, a policy can be defined that privacy filters need to be installed on desktop monitors so that ePHI is not visible to others nearby. Another example is a policy stating that all ePHI access is done only on a particular floor of the building, where unauthorized persons will not have entry.
Success criteria: Regular audits and reports of these audits along with the risk assessment reports can be used to know whether there is risk of ePHI being compromised in this manner.
Risk: Lack of guidelines governing the physical protection of electronic devices
Explanation: The electronic devices used to access ePHI need to be physically protected from theft and unauthorized access. If this is not done, these devices will be accessed by unauthorized persons and ePHI will be compromised. Physical protection of devices is as important as other security mechanisms used to protect ePHI. Physical protection is often not taken into consideration, while other security measures like authorization, authentication, etc. are given more importance. But the loss of a mobile device, laptop or tablet poses the same degree of risk as any other unauthorized access.
Major Mitigation: Policies laying down the measures to be adopted for each electronic device, as appropriate, need to be defined. For example, if it seems appropriate to keep the desktops and other electronic devices in locked rooms to prevent unauthorized access, a policy to that effect should be in place. Policies must also consider portable electronic devices and, if needed, can define mechanisms for tracking their use and whether they are returned before the staff leave the workplace.
Success criteria: Regular audits and physical checks of the environment to see the protections in place can give a clear picture of whether the policy is being followed and whether additional measures are needed. The risk assessment reports can also be considered to know whether these risks are present.
Risk: Lack of mechanisms that keep an inventory of hardware and electronic media
Explanation: An inventory of all types of hardware and electronic media needs to be tracked and maintained. With the advancement of technology, use of portable devices is on the rise, and hence the movement of these devices needs to be tracked and accounted for. Without having this kind of inventory it is difficult to know when a device is lost and thereby accessed by unauthorized persons, exposing ePHI to unintended persons.
Major Mitigation: Policies and procedures must define the mechanisms to be adopted for maintaining the inventory of hardware and electronic media. The policy must define that there is a person who is accountable for this. For example, if a faulty hard disk is taken out to the service center, the necessary bookkeeping, along with the person accountable for it, must be logged.
Secondary Mitigation: The procedures can define the tools that are to be used to track and maintain the status of each of these media. Since there are many tools available in the market, they can be used to make this bookkeeping easy. The level and detail of bookkeeping needed depends on each organization’s needs.
Success criteria: Audit of the inventory logs or, if tools are used, the reports from these can provide the status. The risk assessment report can also give a clearer understanding of whether these types of risks are mitigated or not.
Risk: Lack of guidelines on how hardware or electronic media are to be disposed
Explanation: It is not just important to protect and secure the devices while they are in use. It is equally important to consider what will happen to ePHI stored on these devices when they are no longer in use and are being disposed of. If these media are not properly disposed of, they pose the same level of risk as when they are in use. This is often an overlooked scenario.
Major Mitigation: When each electronic medium reaches the stage when it is ready to be disposed of, there must be established policies and procedures that describe how ePHI can be completely erased before the media is disposed of. One of the methods used is degaussing (a magnetic field is used to erase the data) to clean up the media before disposal. Damaging the media beyond repair, so that it cannot be accessed any further, can also be done. The policies must also define the need for logs and bookkeeping of the disposed media and how the data was erased.
Secondary Mitigation: Organizations may also defer the disposal of these media for a period of time, maybe years, so that the data they contain becomes obsolete. Even so, the same policies for erasing this obsolete data before the media are disposed of need to be in place. The security of this ‘going to be’ disposed of data must also be considered.
Success criteria: Audit of the logs and bookkeeping records will provide the information on whether the policies are being followed. The risk assessment report will give a clearer picture of whether this risk has been mitigated or not.
Risk: Lack of guidelines on reuse of hardware or electronic media
Explanation: It is a common scenario that hardware and electronic media are reused instead of being simply disposed of. They can be reused either internally within the organization, or they can be resold or donated to other organizations or individuals. Whatever the nature of the reuse, it is important that all ePHI is completely erased using official government approved wiping methods before the media is given out for reuse. If this is not done, there are fairly high chances of the data being exposed, thereby compromising ePHI.
Major Mitigation: Specific policies and procedures need to be defined that clearly provide guidelines on the measures to be adopted when hardware or electronic media are reused. Often the risks associated with internal reuse of these media are overlooked, and as such there are no guidelines. Even with internal reuse, the same level of risk associated with unauthorized access exists.
Secondary Mitigation: Policies and procedures that advocate the use of logs and bookkeeping for such reuse would help to track these media in a better way.
Success criteria: Audit of the logs and bookkeeping records will provide the information on whether the policies are being followed. The risk assessment report will give a clearer picture of whether this risk has been mitigated or not.
ASSESSMENT
It is vital to understand the cyber-security risks associated with medical practice today.
CONCLUSION
This article illustrates some of the medical practice security risks to any small, medium or large physician’s office, or medical clinic, in order to highlight or even eliminate them by securing the environment, and in turn securing ePHI. However, it is not all-inclusive due to the fluid nature of contemporary cyber-security risks.