Objective Vulnerability Assessment: Risks for Unauthorized Disclosure of Patient Information

Farrokh Alemi, PhD

Upload: brian-harper

Post on 25-Dec-2015


Page 1: Objective Vulnerability Assessment Risks for Unauthorized Disclosure of Patient Information Farrokh Alemi, PhD

Objective Vulnerability Assessment

Risks for Unauthorized Disclosure of Patient Information

Farrokh Alemi, PhD

Page 2

Confusion on What Works

Vulnerability assessment is a large and growing industry
Best practices are not clear
Consensus models perpetuate claims of vulnerability
Consensus models are static as opposed to dynamic and evolutionary

Objective data is needed

Page 3

Misleading Assessments

Without objective data we do not know if risk priorities are accurate
Like children fighting imaginary foes, organizations are asked to protect against vulnerabilities that may not exist

Objective data is needed

Page 4

Money Is Wasted

Can’t secure all operations, have to pick and choose
More security is not better
Security may reduce productivity
Business builds on trust not fear
No point to secure a process if the business fails

Objective data is needed

Page 5

Why Not Base Vulnerability Assessment on Data?

It can’t be done
Rare events
Risk is not quantifiable
Data is not available
Historical precedents are not relevant as terrorists and criminals innovate

Page 6

Accurate Probabilities for Rare Events

Time to event
$p(V_i) = 1 / (1 + t_i)$
Allows calculation of very small probabilities

| ISO 17799 word assignment | Frequency of event | Rating by ISO 17799 | Calculated probability |
|---|---|---|---|
| Negligible | Unlikely to occur* | 0 | 0.0003 |
| Very low | 2-3 times every 5 years | 1 | 0.0014 |
| Low | <= once per year | 2 | 0.0027 |
| Medium | <= once per 6 months | 3 | 0.0056 |
| High | <= once per month | 4 | 0.0333 |
| Very high | => once per month** | 5 | 0.1429 |
| Extreme | => one per day | 6 | 1 |

Page 7

It Can be done: Application to Unauthorized Disclosure

$p(U) = \sum_{i=1}^{n} p(U \mid V_i) \, p(V_i)$
$p(U \mid V_i) = p(V_i \mid U) \, p(U) / p(V_i)$

Where
$p(V_i)$ is probability of the vulnerability
$p(U)$ is probability of unauthorized disclosure
$p(V_i \mid U)$ is prevalence of vulnerability among reported unauthorized disclosures

Page 8

Sources of Data

Diagram (labels only): Incidence database; Prevalence of vulnerabilities among violations; List of vulnerabilities; Prevalence of violations; Assessment surveys; RiskScore

Page 9

Construction of Incidence Database

Legal case reviews
Office of Civil Rights database
Published reports
Private surveys

Page 10

Probability of Unauthorized Disclosure

| Databases Searched | Records found | Number of unauthorized disclosures | Dates | Probability of unauthorized disclosure |
|---|---|---|---|---|
| LexisNexis Academic | 47 | 2 | 01/01/03 - 12/31/03 | 0.005 |
| Health Reference Center-Academic Infotrac | 141 | 8 | 01/01/90 - 12/31/03 | 0.022 |
| DHHS reports | 22 | 16 | 01/01/03 - 12/31/03 | 0.044 |
|  | 3 | 3 | 01/01/03 - 12/31/03 | 0.008 |
| Total | 213 | 29 | 01/01/90 - 12/31/03 | 0.079 |

Page 11

Vulnerabilities Derived from the Database

Clinician using unsecured email environment
Clinician gathers information from patients’ family and friends after the visit
Discussion of patient care with co-workers not engaged in care
Medical reports or records with wrong recipient information
Caring for employees’ friends and family members
Benefit Organizations or employers request employee information
Employees engaged in whistle blowing to uncover illegal or unacceptable business or clinical practices
Patient records (paper documents) not kept in secure environment or sealed envelope; or documents displayed in plain view of others
Clinician discusses patient care in a setting where others can easily hear
Employee removes patient records from secure location or workplace without authorization
Employee views paper documents or manipulates computer passwords to view medical records of patients not under his/her care
External infection of computers / password / network Systems (e.g. computer hacker)
Theft of computers or hard drives
Sale of patient records
Blackmail/Extortion of organization or an employee
Patient using identity of another person to gain insurance benefits
Changes in custody or family relationships not revealed by the patient
Audit of business practices by outside firm without clinicians’ approval
Business Associate violates Chain of Trust Agreement
Legal System/Law Enforcement requests, subpoenas or seizes patient records
Error in patient identity during data transfer to third party insurers

Page 12

Prevalence of Vulnerabilities Among Unauthorized Disclosures

| Hazard Category | Description of the Hazard | $p(V_i \mid U)$ |
|---|---|---|
| Impermissible sharing of patient health information | Clinician using unsecured email environment | 0.01 |
| Impermissible sharing of patient health information | Clinician attempting to gather information from patients' family and friends | 0.14 |
| Impermissible sharing of patient health information | Discussion of patient with co-workers not engaged in care | 0.08 |
| Impermissible sharing of patient health information | Medical reports or records with wrong recipient information | 0.07 |
| Impermissible sharing of patient health information | Caring for clinicians’ friends and family members and discussing the care outside of the work environment | 0.03 |
| Impermissible sharing of patient health information | Benefit Organizations or employers request patient information | 0.04 |

Page 13

Prevalence of Vulnerabilities Among Unauthorized Disclosures

| Category | Hazard | $P(H \mid U)$ |
|---|---|---|
| Lack of Physical safeguards for PHI | Patient records (paper documents) not kept in secure environment or sealed envelope; or documents displayed in plain view of others | 0.14 |
| Lack of Physical safeguards for PHI | Patient records or information discussed in a setting where others can easily hear | 0.05 |
| Inappropriate access to patient health information | Employee removes patient records from secure location or workplace without proper authorization or just cause | 0.01 |
| Inappropriate access to patient health information | Employee views paper documents or manipulates computer passwords to view medical records of patients not under his/her care | 0.1 |
| Illegal Activities | External infection of Computers/Password/Network Systems (e.g. Computer Hacker) | 0.01 |
| Illegal Activities | Theft of computers or hard drives | 0.02 |
| Illegal Activities | Sale of patients records | 0.06 |
| Illegal Activities | Blackmail/Extortion of your organization or an employee | 0.02 |

Page 14

Prevalence of Vulnerabilities Among Unauthorized Disclosures

| Category | Hazard | $P(U \mid H)$ |
|---|---|---|
| Patient Causes | Patient using identity of another person to gain insurance benefits | 0.01 |
| Patient Causes | Changes in custody or family relationships not revealed by the patient | 0.01 |
| 3rd Party Causes | Audit of clinical practices by outside firm without clinician approval | 0.01 |
| 3rd Party Causes | Business Associate violates Chain of Trust Agreement | 0.02 |
| 3rd Party Causes | Legal System/Law Enforcement requests, subpoenas or seizes medical records | 0.12 |
| 3rd Party Causes | Error in patient identity during transfer of data to third party insurers | 0.01 |

Page 15

Best Practice Vulnerability Assessment Tool

Derived from incidence database
Relying on time between events
Asking questions like:

When were the last two times that you emailed a patient in an unsecured environment?
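The calculation behind such a tool, as an added example that is not part of the original slides: survey dates give $t_i$ and $p(V_i)$, the Bayes step gives $p(U \mid V_i)$, and the weighted sum gives the overall score. Assumptions: $t_i$ is in days (which reproduces the slide's 0.0027 for once per year), $p(U \mid V_i)$ is fixed from database-wide values and then weighted by the organization's own $p(V_i)$, and the database-wide $p(V_i)$ values and the survey dates are constructed.

```python
from datetime import date

P_U = 0.079  # p(U): "Total" row of the page's Probability of Unauthorized Disclosure table

# hazard: (p(V_i | U) from the page's prevalence tables,
#          database-wide p(V_i) -- CONSTRUCTED value, the page gives none)
HAZARDS = {
    "unsecured_email": (0.01, 0.05),
    "paper_records_not_secured": (0.14, 0.10),
    "theft_of_computers": (0.02, 0.004),
}

def p_from_dates(last, previous):
    """p(V_i) = 1 / (1 + t_i), with t_i in days between the last two events."""
    t = (last - previous).days
    if t < 0:
        raise ValueError("'last' must not precede 'previous'")
    return 1.0 / (1.0 + t)

def p_u_given_v(prevalence, p_u, p_v):
    """Bayes step: p(U | V_i) = p(V_i | U) p(U) / p(V_i)."""
    if not 0.0 < p_v <= 1.0:
        raise ValueError("p(V_i) must be in (0, 1]")
    posterior = prevalence * p_u / p_v
    if posterior > 1.0:
        # p(V_i) smaller than p(V_i | U) p(U) means the inputs contradict each other
        raise ValueError("inconsistent inputs: p(U | V_i) > 1")
    return posterior

def risk_score(survey):
    """Sum of p(U | V_i) p(V_i), with p(V_i) taken from the survey dates."""
    parts = {}
    for hazard, (last, previous) in survey.items():
        prevalence, p_v_database = HAZARDS[hazard]
        parts[hazard] = (p_u_given_v(prevalence, P_U, p_v_database)
                         * p_from_dates(last, previous))
    return sum(parts.values()), parts

# CONSTRUCTED survey answers: the last two dates each hazard occurred
SURVEY = {
    "unsecured_email": (date(2015, 3, 8), date(2015, 3, 1)),
    "paper_records_not_secured": (date(2015, 2, 9), date(2015, 1, 10)),
    "theft_of_computers": (date(2015, 6, 1), date(2013, 6, 1)),
}

if __name__ == "__main__":
    total, parts = risk_score(SURVEY)
    for hazard, value in sorted(parts.items(), key=lambda kv: -kv[1]):
        print(f"{hazard:28s} {value:.5f}")
    print(f"{'overall p(U)':28s} {total:.5f}")
```

The per-hazard contributions give the ranking used to prioritize controls; a `ValueError` from the Bayes step flags database inputs that cannot all be true at once.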

Page 16

Unprecedented Vulnerabilities

Assessed based on similarity to actual events

$p(U \mid V_n) = \left( \prod_{i=1}^{n} w_i \, p(U \mid V_i) \right)^{1/n}$

Where
$n$ is the number of vulnerabilities in the database.
$p(S \mid V_n)$ is the likelihood of security violation given the new vulnerability.
$p(S \mid V_i)$ is the likelihood of security violations given vulnerability “i”.
$w_i$ is the similarity of the new vulnerability to the ith extant vulnerability. These constants are normalized to add to one.

Page 17

Advantages

Applies to privacy as well as security violations
Produces a quantitative score for overall risk, useful for benchmarking
Based on objective data
Focuses attention on vulnerabilities that are real and likely to occur
Reduces unnecessary fear and security interference with business processes
Can be used to set fair insurance premiums

Page 18

Objective Vulnerability Assessment is Possible

It is Faster & More Accurate than Consensus-based Vulnerability Assessments