Physical Security Risk Assessment

Executive summary

This organized submission presents a moderately detailed analysis of various security models as they apply to Happy Health Systems and the healthcare industry at large. Security Risk Assessment in Care Settings are intended to protect and secure health information (electronic protected health information or ePHI) from a wide range of threats, whether in emergency situations or during a system failure that constitutes a risk compromising the confidentiality, integrity, and availability of ePHI.

1. Identify Risk. Your first step is to know your risks
2. Assess Threats and Vulnerability
3. Review Current Site and Facility Security
4. Review Facility Operating Procedures
5. Review Physical Security Systems.

Introduction

A physical security risk assessment takes an in-depth look at the vulnerabilities your business faces. By carefully assessing risks based on these three factors, professional assessors determine which physical security hazards pose the greatest threat, as well as what actions should be taken to mitigate the problem.

Overview of Happy Health Systems

Happy Health Systems (HHS) is an integrated health care entity, comprising a wide range of outlets that facilitate specialized services. Extant literature indicates that HHS operates in four states and comprises four hospitals, one research center, ten clinics and a physician outlet. Research further suggests that HHS users are nearly 2000 in each hospital, 100 in each clinic and 35 in the research center. Moreover, it has 45 practitioners, 300 residents and 200 medical students. Two virtual desktop infrastructures were proposed for HHS to assure confidentiality through access control and information integrity: internal VDI connectivity and Internet Service Provider (ISP). Research suggests that ISP facilitates access from branch offices: research, physician offices and clinics. On the contrary, internal VDI connectivity serves to facilitate authentication of user information for internal access. The two infrastructures use common ESX hosts and vCenter for session (In Bosworth et al., 2014).

Electronic Protected Health Information

ePHI is patient-related data which are created, sent, received, and/or stored electronically. Those data can concern a health condition, health provision, or care services payment information in the past, present or future. They can be connected to individuals through the following identifiers:

1. General information: Name, address, dates (birth/death date, admission/discharge date,), phone numbers, fax numbers, email addresses;
2. Care and insurance information: Social Security number, medical record number, health plan beneficiary number;
3. Financial information: account number, credit or debit card number;
4. Certificate/license number;
5. Property information: car and devices identifiers or serial numbers;
6. IT-related information: URLs, IP addresses;
7. Personal identifiers such as finger or voice print and images;
8. Any other unique identifying number, characteristic, or code.

Threats That Could Affect ePHI

Indeed, ePHI are subject to different threats that can be divided into three categories:

• Natural threats: Defined as disasters that cannot be avoided and that are hard to predict, especially in the context of data protection. Examples are earthquakes, tornadoes, and storms.
• Human threats: They are caused by individuals, whether deliberately, as with cyber-attacks, malware upload, computer and USBs theft, and medical ID theft; or not deliberately, including errors in data entry, unintended deletion, and so forth.
• Environmental threats: Related to exposure to both the external and internal environment. Examples are pollution, chemicals, outages, etc.
• ePHI can be subject to threats in security during storage in IT material (computers, tablets, external portable hard drives, USB memory sticks, CDs, DVDs and other removable storage devices, Smartphones, scanners) and file and email transfer through wireless, Ethernet, modem, DSL, cable connections, or FAX.

Security Risk Analysis or Security Risk Assessment

Security risk analysis is crucial and necessary to identify when and where a security risk exists and its potential impact on the three main health information security objectives behind the HIPAA security rule, which are the confidentiality, integrity, and availability of ePHI.

Security objective of HIPAA

Source: U.S. Department of Health and Human Services.

According to the Legal Information Institute, confidentiality is about who or which process has the authorization to access the ePHI and for whom/which process the data cannot be accessed; while integrity is about the data conservation in terms of quality (not altered) and quantity (not destroyed) from unauthorized events; and availability is about accessibility and usability of the ePHI by an authorized person requesting it.

The Purpose of Security Risk Analysis

1. To meet the requirements of the HIPAA Security rule, which came into force in 2005 and requires all healthcare organizations under it to run a comprehensive and accurate risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI;
2. To help health care organizations identify threatened areas where ePHI could be at risk, evaluate the risk and vulnerabilities, and take adequate measures to reduce it to a reasonable level, which are all seen as good practices in business;
3. To benefit from meaningful use program, thereby receiving Medicare and Medicaid EHR incentives after completion of the analysis and correcting security deficiencies and attesting it

.What Security Risk Analysis Is NOT:

• Security risk analysis is not facultative for small organizations but all the care providers under the HIPAA security rule and who want to benefit from the meaningful use program.
• Security risk analysis is more than just installing a certified EHR, with only a checklist, by only looking at the EHR of the organization, or performed only once. It should be a full analysis (not only what is in EHR), should follow a systematic and documented process, should consider EHR hardware and software as well as other devices that can access the ePHI, and, finally, should be an ongoing and continuous process that adapts to the organization’s changes.
• Security risk analysis should not be outsourced if external help is not needed. It is valuable especially for small providers who are able to run their own analysis and only outsource expertise to check their compliance to the HIPAA security rule.

Conclusion

In conclusion, therefore, Happy Health Systems (HHS) is an integrated health care entity, comprising a wide range of outlets that facilitate specialized services. It operates in four states and comprises four hospitals, one research center, ten clinics and a physician outlet. Objective consideration of the advantages and disadvantages of the four security models discussed above compels the conclusion

To perform a security risk assessment, there are many tools, methods, and best practices tips to help organizations reach compliance with HIPAA security rules. The guidance on risk analysis requirements of the security rule issued by OCR is a good reference for organizations about the best and most effective ways to protect ePHI.

References

1. https://www.google.com/search?safe=active&rlz=1C1CHBF_enPK881PK881&ei=rRc7XtBO4YLV8A_osaLADQ&q=physical+security+risk+assessment+definition&oq=physical+security+risk+assessment+de&gs_l=psy-ab.3.0.0i22i30.168045.175101..176096…0.2..0.274.1777.2-7……0….1..gws-wiz…….0i71j0j0i67.Xb-yVFB7FUk
2. https://www.researchgate.net/publication/300010891_The_Security_Risk_Assessment_Report