Understanding Administrative Risks in Medical Practice

EXPLANATION OF THE MOST COMMON TYPES OF INFORMATION ASSURANCE RISKS

ADMINISTRATIVE RISKS

Risk: Lack of documentation to mitigate threats and vulnerabilities

Explanation: Not having a formal, documented program, which is always secondary to thorough risk analysis, might be the reason why you’re not able to implement effective safeguards to protect your ePHI against possible vulnerabilities and security threats. This may compromise your ePHI security in several ways:

• You may face medical identity theft due to unauthorized access, theft or disclosure of ePHI.
• Unauthorized access to your practice’s ePHI may leave it inaccessible, compromised and exposed.
• The ability of healthcare professionals to correctly diagnose and treat the patients may be severely compromised due to the corruption of your practice’s ePHI.

Mitigation: Conduct an annual risk analysis and document all possible threats and vulnerabilities to your practice’s ePHI. Based on the documented risks and vulnerabilities, implement appropriate security measures specifically targeted to mitigate the vulnerabilities to an appropriate level!

Success Criteria: Documentation of possible risks and implementation of safeguards leading to reduction in security breaches.

Risk: Lack of security awareness and training.

Explanation: The security of your practice’s ePHI might be at risk if your workforce members don’t comply with the standard security protocols, either due to the lack of awareness or due to the lack of training. Several factors that may contribute to such behavior may include:

• Workforce members not really knowing what security really is and why is it so important when it comes to ePHI.
• Lack of sanction policies and procedures that make it crystal clear to the workplace members their respective duties to uphold the integrity of ePHI or lack of compliance on the part of workers to the sanctioned policies and procedures.
• Security awareness and training programs being non-interactive and inappropriate.
• A person not having the right skills, qualities and knowledge running the process of security awareness and training.
• Not having enough metrics on whether all your arrangements are actually improving security awareness among your workplace members
• Unrealistic expectations.
• Conducting once a year training exercise only.

Mitigation: You can strengthen security awareness and training among your workplace members and thereby improve the security of your practice’s ePHI by taking following steps:

• Make the sanction policies and procedures as explanatory as possible.
• Apply appropriate sanctions against members who fail to comply with the security protocols and policies.
• Make security awareness and training programs more interactive and periodic.
• Appoint the right person with the perfect skill set, heading this process.
• Collect metrics on periodic basis to see the progress of your training activities.
• While it is important that you collect metrics to know if your efforts are actually producing enough results, but in the meantime, you’ve to be realistic. Promoting awareness is not a one day process, it takes time and patience.

Success Criteria: Improved awareness and better compliance on part of the workplace members leading to strengthened security.

Risk: Lack of roles delegation.

Explanation: Your business associates or workforce members can, knowingly or unknowingly, access the confidential ePHI if your practice doesn’t clearly define, along logical lines, the roles and responsibilities allocated to each member. This is important as this will ensure that no member has too much authority and makes decisions on his own that can access critical and confidential systems and information.

Let’s explain this by a simple example. Say one of your workplace members is responsible to review the access logs. Due to your practice’s poor role delegation, the same person is also responsible for updating patient records. In this scenario, that member is essentially left to monitor his own access to ePHI, facilities and systems. This can result in unauthorized access attempts by the same member to your practice’s ePHI.

Mitigation: Some important safeguards that may help solve this issue may include:

• Implementing procedures and policies ensuring that all the workforce members have appropriate access to ePHI and no member gets too much authority.
• Assigning a senior level manager who authorizes operations before commencing.
• Assigning different duties to the workforce members.
• Developing and distributing among your workplace members a work control policy that explains to the members things like their roles, degree of coordination between members, their responsibilities, compliance requirements and so on.

Success Criteria: Decrease in the incidence of security breaches from within the organization.

Risk: Lack of business associate agreements when it has a contractor creating, transmitting or storing ePHI

Explanation: The safeguard of your ePHI is incomplete until enough security safeguards are provided by the service providers, as per agreement. If your service provider fails to provide enough safeguards, it may result in:

• Unauthorized access or disclosure of your ePHI.
• Compromising the ability of your workplace members to efficiently serve the patients.
• Medical identity theft.

Mitigation: Before getting into a contract with your service provider, make sure that your provider gives satisfactory assurances regarding the creation, transmission, storage and handling of ePHI. Such assurances may include:

• Limiting the use/access to ePHI as required by law.
• Employing enough safeguards to prevent unauthorized use or disclosure of ePHI.
• Following the same or substantially similar good practices followed by your own institution.

Success Criteria: Highest level of security services further strengthened by the service providers leading to improved experience and better security.

Risk: Not having a process for periodically reviewing risk analysis policies and procedures and making updates as necessary

Explanation: In something as dynamic as healthcare security, the nature of risks and threats changes with time. That’s why the efficacy of the safeguards you put to mitigate those risks declines with time. The security of your ePHI might be at risk if you fail to periodically assess the nature of risks, the validity of your policies and procedures and undermine the importance of making regular updates for improving the safeguards.

Primary Mitigation: Do a periodic risk analysis to determine the nature and severity of emerging risks to your ePHI. Keeping in mind the result of the analysis, make upgrades in your policies and procedures. Once you’re done with the paperwork, translate what you’ve learned from the risk analysis and the changes you’ve made in your policies into actually strengthening the safeguards of your ePHI.

Secondary Mitigation: Risk analysis and making changes in your policies and procedures is not a one time job. Make sure to repeat the same routine periodically – have daily, weekly, monthly, quarterly, and annual checklists to review different types of risks.

Success Criteria: Successive risk analysis reports will show that the changes made in the policies and subsequently in ePHI safeguards led to significant decrease in security breaches.

Risk: Not having a senior-level person whose job it is to develop and implement security policies and procedures or act as a security point of contact.

Explanation: Not having a senior level person who manages your security team can be jeopardizing the safety of your operations. Although security implementation and maintenance is a team effort, but having a capable person who leads that team is equally important. Moreover, the head of your security will act as a liaison between the security department and the policy makers. If that link is missing, you might not be able to influence the decisions of your higher ups when it comes to defining policies and procedures.

Primary Mitigation: Identify the security official who is responsible for heading the security team. Define her role as being an individual who actively takes part in policy making. Finally, she should be responsible for the implementation of the policies for strengthening ePHI security.

Success Criteria: Having a senior security officer who actually influences policy making, reviews documentation, runs scans, establishes a secure infrastructure, and strengthens ePHI security as a result.

Risk: Not having an emergency mode operations plan to ensure the continuation of critical business processes that must occur to protect the availability and security of ePHI immediately after a crisis situation.

Explanation: The functioning of healthcare processes, including ePHI, is always a tug of war between the security safeguards and security threats. The security can be compromised anytime, both by extrinsic or intrinsic threats, which might compromise the functioning of your entire business operations.

Having an emergency mode helps you carry out critical operations and assists you practice operation and secure the integrity of your ePHI in the event of an emergency. Emergency operation allows you to access controls, backup the data, access logging and allows encryption while other things go down. If your practice is not having an effective emergency mode, you might not be able to provide services to the end users in the event of an emergency. In addition, you not being able to carry out important business processes may compromise the security of your process and ePHI even further.

Primary Mitigation: Primary mitigation of this risk may include:

• Establish and implement the set of procedures that enable you to carry out important business processes, like the functioning and security of ePHI, when operating in an emergency mode.
• Employ audited and automated override of access control mechanism and implement Role Based Access Control (RBAC) for an emergency.
• Establish a plan that determines the activities and related requirements, for instance, process, roles and responsibilities for full system restoration.

Secondary Mitigation: Test the continuity of operations during an emergency mode, on regular intervals, so that the system can be promptly shifted to the emergency mode in case of need.

Success Criteria: Your ability to readily shift to the emergency mode in cases of system collapse, run critical operations and maintain ePHI security all mark the success of emergency mode establishment and implementation.

Risk: The practice of not having policies and procedures for the creation and secure storage of an electronic copy of ePHI that would be used in the case of system breakdown or disaster.

Explanation: Like any other form of data, ePHI may be lost in case of system breakdown or disaster, if a proper backup in not kept and maintained. Backup of an ePHI is important as it allows you to create and maintain the retrievable copies of ePHI in case of emergency. The exact retrievable copies of ePHI can be established and maintained in media like physical, removable media (e.g. CDs, USBs) or virtual media (e.g. cloud storage).

Primary Mitigation: Establish and implement policies and procedures for making copies of ePHI on either physical or virtual media that can be retrieved when there is a breakdown of system.

Secondary Mitigation: Make sure that the retrievable copies of ePHI are safe and protected against unauthorized use and disclosure.

Success Criteria: Being able to retrieve ePHI from the backup sources when the main source breaks or faces a disaster.

Risk: Not having policies and procedures for the review of information system activity

Explanation: Reviewing the activity of information system enables one to identify and investigate irregular use of system, which might be due to some breach in your security protocols or maybe a violation of your security policies. Reviewing the activity of information system includes:

• Analyzing the audit reviews.
• Analyzing system activities and incident reports.
• Analyzing the audit logs.
• Reviewing the exception reports.

If you don’t have defined procedures or policies to analyze these activities, you might not be able to detect and analyze security violations, unauthorized disclosure or use of ePHI.

Mitigation: Establish a system for reviewing the records of activity of information security system. This includes reviewing incident tracking reports, audit logs, access reports and so on.

Success Criteria: Being able to detect and analyze any anomalies after reviewing information security system activity records.

Risk: A practice that doesn’t identify members of its incident response team and assure workforce members are trained and that incident response plans are tested

Explanation: An incident response consists of defining, clearly, what constitutes a security incident and a step by step approach to how to deal with the situation afterwards. Without an effective incident response and training of the workforce involved, the security of ePHI will always be a far cry. In the absence of incident response and workforce training, the security of your system will be compromised. Not to mention, it will also increase the cost, time of recovery and will exacerbate the damage done to your critical processes.

Primary Mitigation: An effective incident response plan would consist of following components:

• Identifying the roles that will participate in incident reporting and response.
• Providing role based training to the workforce involved.
• Incident response testing.
• Making observations and recommendations on how to improve incident response.
• Identifying who will speak to the law enforcement, business associates, the media and the patients in the event of an incident.
• Carefully training the members of the incident response team.

Secondary Mitigation: Training and increasing awareness regarding incident in other workforce members too.

Success criteria: Successfully identifying which situations qualify to be labeled as an incident and successfully handling those uneventful events without compromising the security and mitigating the cost and time of recovery.

Risk: Not implementing the information system’s security protection tools to protect against malware.

Explanation: It is important that you complete regular and real time scans of your servers, workstations (including laptops and other electronic devices), and information systems so that you’re able to identify and respond to the known or suspected cases of security incidents. If you’re not implementing these protocols, the security of your ePHI and other critical business operations may get compromised.

Mitigation: Mitigation steps may include:

• Identifying the known or suspected cases of security incidents.
• Decreasing, as much as possible, the harmful effects of these incidents.
• Documenting these incidents and their potential outcomes.
• Employing automated mechanisms and tools to assist you in keeping a track of the incidents and collection and analysis of the information gathered as the result.

Success Criteria: Improved protection against malware, decrease in the incidence of malware attacks and mitigation in the compromise of the sensitive business components as the result of malware attacks.

Risk: Not regularly reviewing information system activity

Explanation: Reviewing the activity of your business operations and system activity is a periodic process that you have to do on day to day basis. If you’re not doing that then perhaps you’re overlooking some very crucial threats to your system security.

Mitigation: Establish a system for reviewing the records of activity of information security system on day to day basis. This includes reviewing incident tracking reports, audit logs, access reports and so on.

Success Criteria: Being able to detect and analyze any anomalies after reviewing information security system activity records on daily basis.