CHAPTER 6 - Privacy and Security
Encryption uses electronic private and public key sets. In other words, each piece of encrypted communication has its own private and public key set. This means that if a user encrypts a file on his or her computer, the user possesses what is known as the private key. To allow someone to be able to decrypt that communication requires providing them with the set's public key, since only those two keys are able to decrypt this specific piece of communication. All communication encrypted using a private key is protected, and only those in possession of the public key can read it.
Describe the way data encryption operates.
Risk analysis or assessment Database backup Database secure storage Data restore plan Disaster recovery plan Critical incident response plan Software inventory Hardware inventory Logs
Disaster Plans Should Be in Writing and Include Plans for:
Who gets access to ePHI data? What level of access is needed? Who is the agent authorizing the access? Is this authorization adequately documented? Is the access periodically reviewed? Is there a process for rescinding access once it's no longer needed?
Access Policies Should Address These Questions:
The electronic measures may be implemented at the network level through transmission security, at the operating system level through authentication and authorization controls, or at the patient record level through database authentication and data integrity control, or preferably a combination of all three.
At what levels should EHR software implement electronic controls?
Standard codes for health information help protect the privacy of that information and enable it to be transmitted readily and securely. Unique identifiers for users of health information also protect the privacy of that information and help ensure that the right users are accessing the right information. Although complex, it is possible to format health information in a way that maximizes both its privacy and security.
How do standard codes and unique identifiers help?
Macro viruses usually infect Microsoft Office files and install themselves when users click or give focus to Microsoft Office files. A macro is a small program, which is usually written in Visual Basic for Applications (VBA). In fact, all Microsoft Office files have the ability to have VBA code written inside of them, for functionality. VBA code in itself isn't harmful; it is the people who write programs for bad purposes who can cause harm.
How do viruses install themselves via Microsoft Office?
Maintaining an up-to-date hardware inventory not only helps you as you plan out hardware and software upgrades and other administrative tasks, but it also ensures your inventory is properly "locked down" and accounted for. This is essential from a security perspective.
How does maintaining an up-to-date hardware inventory help?
Off-site access of ePHI poses a particularly hazardous risk. In some instances, the use of off-site access can be disallowed completely; for many healthcare institutions, however, it is unacceptable to restrict access by other healthcare institutions or physicians who may be practicing off-site but have a valid need to access these records. In any case, off-site access should be strictly controlled, and any data being transmitted from your site to another off-site location should be adequately protected by the use of encryption and virtual private networks (VPN).
How risky is off-site ePHI?
whether an organization is actually putting into practice its security policy.
In general, what do security audits reveal?
Trojans can scan computer ports. Computer ports can be likened to telephone extensions on a phone system. A computer provides thousands of ports for communication purposes. Ports are used by browsers, installed applications, and the operating system for communication purposes. A Trojan can scan a communication port, look for information to pass through the port, and then send that information to an attacker.
In this context, what are trojans?
Risk analysis should be an ongoing process. Regular reviews should be performed to evaluate the effectiveness of the security measures put in place, and newly identified potential risks to ePHI should be addressed in an ongoing fashion.
Is risk analysis a one-time or ongoing process?
Disaster recovery and critical incident response plans are designed to address emergencies requiring immediate intervention to protect the network or restore the network to operational status after a catastrophic event.
What are disaster recovery and critical incident response plans designed to address?
Is all access of medical records being logged? Are backups being done regularly and stored according to the security policy? Do employees adhere to email policies?
What are important questions to consider during a security audit?
Physical safeguards are written to address issues regarding facility access control, workstation use, workstation security, and device and media controls. This includes limiting physical access to work facilities without impeding access to those requiring access.
What are physical safeguards developed to address?
Restrict the number of network or domain administrators; only people with the need to perform network administration should possess such privileges Make sure all servers and other devices have an uninterruptible power supply (UPS) and power-surge protection at all times to protect the integrity of the data Validate all data that is entered into any database Test data for expected and unexpected field entries to ensure data integrity Test data for non-character-based names to ensure integrity of the data
What are some Advisable Security Measures for a Domain-based Network Environment?
creating a security policy authenticating users using firewalls installing antivirus software on all devices using an intrusion protection system (IPS) device in the network encrypting communications auditing adherence to security policies.
What are some examples of mitigating threats?
when unusual or extreme situations occur, such as a highly publicized accident involving victims treated at your facility, an illness of an employee known to coworkers with access to systems containing the employee's PHI, or the involuntary termination of an employee.
What are some other instances where it is advisable to audit appropriate logs?
Not reusing passwords from a previous login or system Using numbers, punctuation, symbols, and upper and lowercase letters, and not using common dictionary words or parts of a login Encrypting all storage media containing ePHI. The use of password protection instead of encryption is not an acceptable alternative to protecting ePHI. This is particularly true regarding wireless access of ePHI; offsite access of any sort; backup media, particularly media being transported off site, whether physically or digitally through the network. Whenever possible, the strongest methods for encryption should be used, preferably with 256-bit or higher encryption. Backup media should be kept locked away in a secured environment with tight access controls. Policies should be implemented prohibiting the storage of ePHI on workstations, laptops, or any other unapproved device. Measures should be taken to routinely examine these devices for compliance. When disposing of hard drives or other connected media from these devices, they should be rendered completely useless after being thoroughly wiped a minimum of 7 times in a manner consistent with DOD specifications. There are plenty of freeware tools available for this purpose; DBAN (Darik's Boot and Nuke) is popular.
What are some other restrictions to increase password strength?
Training can include newsletters, one-on-one consultation, media presentations, staff meetings, and the like. This training should be adequately documented for auditing purposes, including the time and date of the training, topics covered, and who attended. Training should encompass all users who may interface with ePHI in some manner, including upper management.
What are some ways in which security training can be accomplished?
confidentiality, integrity, availability, accountability, and nonrepudiation.
What are the five key concepts to understand when talking about information security?
Evaluate the likelihood and impact of potential risks to ePHI Implement appropriate security measures to address the risks identified in the risk analysis Document the chosen security measures and, where required, the rationale for adopting those measures Maintain continuous, reasonable, and appropriate security protection
What are the steps to risk analysis?
logical and physical
What are the two types of access control?
Proactive audits can sample from the entire log population or from areas known to be of higher risk. For example, when reviewing access logs to patient records, it may be appropriate to intentionally sample from the population of employee patients, as well as from the patient population as a whole.
What areas should proactive audits address?
Administrative safeguards address the process an organization has for administering the security of the electronic protected health information (ePHI) system. Each organization is required to identify and analyze potential risks to its ePHI, and it must implement security measures that reduce those risks and vulnerabilities to a reasonable and appropriate level. This is done using a risk analysis.
What do administrative safeguards address?
Technical safeguards address access controls, audit controls, integrity controls, and transmission security.
What do technical safeguards address?
AD allows administrators to assign policies, deploy software, and apply access roles, based on users or user groups, to an organization's network. It does this by storing information and settings about users and resources in a central database. Active directory networks are very scalable and are used by small organizations with a few computers, users, and printers, to large organizations with tens of thousands of users.
What does Active Directory (AD) allow for?
healthcare access, portability, and renewability. Title II addresses the prevention of healthcare fraud and abuse, administrative simplification, and medical liability reform. This section of the law also sets policies for privacy and security of all forms of health information and requires that national standards be set for electronic healthcare transactions and for dissemination of health information.
What does Title I of HIPAA address?
Title II of HIPAA contains five rules pertaining to administrative simplification: 1. Privacy Rule 2. Transactions and Code Sets Rule 3. Security Rule 4. Unique Identifiers Rule 5. Enforcement Rule
What does Title II of HIPAA contain?
The Security Rule requires a covered entity to implement policies and procedures for authorizing access to ePHI only when such access is appropriate based on the user or recipient's role within the organization. Written policies for granting access to ePHI should be created by the IT security team and then endorsed by management. This includes establishing, documenting, reviewing, and modifying a user's right of access, including termination of access.
What does a Security Rule require?
Implementing a domain-based network environment is another good security measure. In a domain-based world, a server manages users, devices, software, and domain policies. The server manages all objects that are part of its domain and enforces rules on network assets. Think of a domain as a gated community where the gate around the community represents a guarded geographical location. Therefore, a server guards its domain and doesn't allow any other object to enter without permission.
What does a domain-based network environment entail?
each piece of communication and then permits or denies that traffic based on its configured rules. For example, a user will not be able to connect to her brother's personal computer (PC) to copy shared photos unless her brother's firewall is configured to allow that communication
What does a firewall inspect?
An effective logging and monitoring strategy means understanding what to log and what to look for, and devising a method for effectively managing and monitoring vast amounts of data. This is critical for network security. Logs can quickly grow to hundreds of thousands of cryptic entries that, without some sort of strategy or management system in place, would surely overwhelm even the mightiest of IT gurus.
What does an effective logging and monitoring strategy look like?
relates to sharing information with a focus on sharing information on a "need to know" basis.
What does confidentiality refer to?
refers to the right of an individual to be left alone and to keep his or her personal information secret.
What does privacy refer to?
refers to the mechanisms to assure the safety of data and the systems in which the data reside.
What does security refer to?
The HIPAA Security Rule defines administrative, physical, and technical measures that covered entities must have in place to protect electronic health information. This rule does not require the use of any specific technology. The intent is that organizations should be free to keep up with the rapid changes in electronic communications and security technologies.
What does the HIPAA Security Rule define?
The access control technical requirement mandates that "a covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information."
What does the access control technical requirement mandate?
the system users and their habits, practices, and willingness to support the security goals of the organization.
What does user security ultimately depend upon?
A model of access control where it is completely up to the owner of the objects who has access to them, and what access they have.
What is Discretionary access control (DAC)?
TH E HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) a multipart act designed to help workers maintain health insurance when they move from one job to another, to protect group health insurance policyholders with preexisting conditions from being denied coverage, and to improve the overall effectiveness of the U.S. healthcare system. It establishes standards for the electronic submission of claims data and for protecting the privacy and security of health information.
What is HIPAA?
the encoding of data so it cannot be accessed without authorization. Wireless networks, private networks, virtual private networks (VPN), ports and services, firewalls, and network intrusion detection also fall under the umbrella of network security.
What is Network Security?
the protection of physical assets, such as computer systems, network hardware, and storage media. This type of security is not just protection from intruders; it also includes protection from natural causes, such as fire and floods.
What is Physical Security?
access based on the role a person plays in an organization. Access is given to a particular role inside of an organization, and then users are associated with those roles. They inherit the access from that role.
What is Role based access control (RBAC)?
A virtual local area network (VLAN) is an administrative division on network equipment to separate devices and data, such that the data cannot be intercepted by a device on a separate VLAN.
What is a VLAN?
software or hardware that blocks unauthorized communication to and from a computer or from one network to another network.
What is a firewall?
a periodic record of system parameters (like software versions and configuration details) that can be compared to determine if any vulnerabilities have been newly discovered. These lists should be updated periodically and compared against publicly known exploits and vulnerabilities.
What is a security baseline?
several different technologies are employed concurrently to protect the network instead of relying solely on one approach. That way, if an attacker finds his way through one layer, he still has to overcome additional obstacles before he is successful.
What is a security practice's layered approach?
keeping a reliable hardware inventory
What is also an important safeguard to preventing physical theft of a system?
a hardware device similar to a firewall but provides much more protection. The IPS monitors all network traffic in real time for malicious activity. It examines every packet passing through the network and then determines if that packet has bad intent. The purpose of the IPS is to stop intrusions and then alert network administrators to the threat.
What is an INTRUSION PROTECTION SYSTEM ( IPS)?
An IDS is a device or application that monitors the network (or the system it is installed on) for malicious activities. The monitoring is done based on predefined patterns or policies, and IDS reports the malicious activities to the network administrator.
What is an Intrusion detection system (IDS)?
a user might encrypt an email sent to a doctor by using a private key through the installation of a program in the email client. For example, a Microsoft Outlook private key encrypts outgoing email. The email sent to the doctor includes its public key so that the doctor can read the email.
What is an example of email encryption?
Application security requires an understanding of services, hardening, application permissions, input validation techniques, software patches and updates, and software logs. Security hardening, the configuring of components and developing applications in such a way as to prevent, block, or mitigate different forms of attack, makes systems more secure by removing unnecessary accounts, services, and features. Computer configuration settings, users' personal information and other sensitive data are stored in files. File security means keeping files safe and protected and is a crucial part of any computer security program.
What is application security?
software defects that may compromise security and to establish reasonable safeguards and policies to prevent abuse and security breaches.
What is important to look for before implementing new electronic health record (EHR) software?
Logical access control is managing access to data files, programs, and networks. Methods for controlling logical access include access control lists (ACLs), account restrictions, and authentication.
What is logical access control?
A model of access control where an owner or administrator cannot decide who has what access. Access is controlled by a numeric access level. This is used in the military. For example, if a document is classified as top secret, only those users with clearance to top-secret documents will be able to access the document.
What is mandatory access control (MAC)?
When security policies prove that a user or program performed an action beyond a reasonable doubt, this is known as nonrepudiation. Therefore, the user cannot deny having entered data in a database, removal of an item from inventory, or any other action.
What is nonrepudiation?
where a user enters credentials or username and password. This is the simplest authentication process.
What is one-factor authentication?
The purpose of a data backup policy is to set into motion a method for implementing a backup strategy and procedures that adequately addresses the needs of the institution and maintains compliance with regulations.
What is the purpose of a data backup policy?
With three-factor authentication, all three authentication types are required—a username and password combination, a smart card or badge, and some kind of a biometric reader, like a fingerprint reader.
What is three-factor authentication?
In addition to a username and password, two-factor authentication requires another authentication type such as a smart card or a fingerprint reader.
What is two-factor authentication?
involves the identification of system users and allowing access to the system by the appropriate users. Identity management relates to the controls and procedures needed for identification of legitimate users and system components.
What is user security?
EHR software should support logging user access, logging data accessed, logging sign-on failures, and any changes to the data.
What logging should EHR software support?
VPN connections may use protocols such as L2TP/IPSec, Open- VPN, or Cisco's client implementations. However, Microsoft's PPTP VPN implementation has vulnerabilities that make it ill-suited for ePHI transmission.
What protocols may a VPN use?
what data will be backed up and how often, as well as how to ensure these archives will be secured but easily accessible if needed. The policy also outlines the hardware and software required to ensure reliable and efficient backup of these production databases.
What should a data backup policy include?
A security officer or person handling network security at a healthcare organization should have knowledge of both HIPAA guidelines and IT security standards. He or she should be willing to take proactive measures to ensure the safety of the ePHI system and be able to communicate effectively with and solicit support from upper management, as well as with staff at all levels of the organization.
What should a security officer's requirements/attributes be?
Disaster plans should include a plan for the off-site storage of data and the prompt return and restoration of the data from backup. It should also include plans for relocation of infrastructure resources, or the operation as a whole, until repairs can be affected.
What should disaster plans include?
Each potential security breach must be thoroughly investigated to determine if it is a breach, whether intentional or not, and the healthcare organization (HCO) must immediately work to mitigate the risk and/or implement the IT contingency plan to address the event. Attempted or successful breaches of patient data are usually detectable.
What should happen at each potential security breach?
A complex password is usually at least six characters in length, and includes at least one uppercase character, one lowercase character, one number, and one special character.
What would a typically complex password look like?
Proactive audits should be performed periodically, with the intent of sampling the data set to look for possible inappropriate use or activity. Log sampling does not have to be random.
When should proactive audits be performed?
In the event something catastrophic does occur, a business continuity plan (BCP) must be in place to ensure the network, along with its valuable data, can be returned to operating status with a minimal amount of downtime. This means ensuring data is reliably and securely backed up, along with a disaster recovery plan containing an emergency contact list of critical players and stakeholders in the organization who will be needed to make decisions and assist with the technical components of restoring the network.
Why must a business continuity plan (BCP) be in place?
This will provide additional insight needed to properly manage and mitigate security risks related to software vulnerabilities. It will also facilitate proper patching and issue mitigation.
Why should one keep a current application inventory?
Who accessed, or tried to access the server What data or databases were successfully accessed and any changes that were made
With regard to audit control, servers should use OS system logging tools to log:
Brute force attacks are just what they seem. An evildoer identifies a server on the net- work— perhaps by scanning for the remote desktop port—then attempts to break into the system using the administrator account and runs specialized utilities that will try an endless number of passwords until it cracks the password.
With regard to hacking, what is "Brute Force"?
An attacker can modify the data in the packet without the knowledge of the sender or receiver. This can lead to erasure or corrupted data.
With regard to hacking, what is "Data modification"?
Most networks and operating systems use the IP address of a computer to identify a valid entity. In certain cases, it is possible for an IP address to be falsely assumed. Try not to use IP addresses as a method of ensuring connectivity to a particular device. Ensure that the device MAC addresses are utilized for connecting to a domain.
With regard to hacking, what is "Identity Spoofing"
Social engineering is the process where someone is tricked into divulging information that allows an attacker to infiltrate a network. The most common attempt centers around pretending to be a network administrator needing the user's password to repair something in the system.
With regard to hacking, what is "Social Engineering"?
Failure to use strong passwords—whenever possible, using multi-factor identification requiring more than one method of identification to authenticate to a network—can lead to account compromises, potentially compromising data.
With regard to hacking, what is a "Password-based attack"?
This attack targets application servers by causing a fault in a server's operating system or applications. Once compromised, the attacker gains the ability to bypass normal access controls. The attacker takes advantage of this situation, gaining control of the application, system, or network, leaving data vulnerable.
With regard to hacking, what is an "Application-layer attack"?
The majority of network communications occur in an unsecured or "clear text" format. An attacker who has gained access to your network can "listen in" on the traffic. When an attacker is eavesdropping on your communications, it is referred to as sniffing or snooping. Eavesdropping is generally the biggest security problem that administrators face in an enterprise environment. Enabling strong encryption services on sensitive data as it traverses the network can mitigate this risk.
With regard to hacking, what is the "Eavesdropping"?
An overwhelming majority of network security issues center around the organization's own workforce. Not understanding policies, laziness, or disgruntlement among workers are always threats. Training employees on the hazards of mishandling sensitive data and the importance of following both legal regulations and your organization's policies will help mitigate this risk.
With regard to hacking, what is the "inside job"?
Lightweight Directory Access Protocol (LDAP) to allow connectivity and control access to a wide variety of management and query applications.
what protocol does Active Directory use?