Objective Vulnerability Assessment
Risks for Unauthorized Disclosure of Patient Information
Farrokh Alemi, PhD

Confusion on What Works
- Vulnerability assessment is a large and growing industry
- Best practices are not clear
- Consensus models perpetuate claims of vulnerability
- Consensus models are static as opposed to dynamic and evolutionary
- Objective data is needed

Misleading Assessments
- Without objective data we do not know if risk priorities are accurate
- Like children fighting imaginary foes, organizations are asked to protect against vulnerabilities that may not exist
- Objective data is needed

Money Is Wasted
- Can’t secure all operations, have to pick and choose
- More security is not better
- Security may reduce productivity
- Business builds on trust not fear
- No point to secure a process if the business fails
- Objective data is needed

Why Not Base Vulnerability Assessment on Data?
- It can’t be done
- Rare events
- Risk is not quantifiable
- Data is not available
- Historical precedents are not relevant as terrorists and criminals innovate

Accurate Probabilities for Rare Events
- Time to event
- $p(V_i) = 1 / (1 + t_i)$
- Allows calculation of very small probabilities

| ISO 17799 word assignment | Frequency of event | Rating by ISO 17799 | Calculated probability |
|---|---|---|---|
| Negligible | Unlikely to occur* | 0 | 0.0003 |
| Very low | 2-3 times every 5 years | 1 | 0.0014 |
| Low | <= once per year | 2 | 0.0027 |
| Medium | <= once per 6 months | 3 | 0.0056 |
| High | <= once per month | 4 | 0.0333 |
| Very high | >= once per month** | 5 | 0.1429 |
| Extreme | >= one per day | 6 | 1 |

It Can Be Done: Application to Unauthorized Disclosure

$p(U) = \sum_{i=1}^{n} p(U \mid V_i)\, p(V_i)$

$p(U \mid V_i) = p(V_i \mid U)\, p(U) / p(V_i)$

Where
- $p(V_i)$ is probability of the vulnerability
- $p(U)$ is probability of unauthorized disclosure
- $p(V_i \mid U)$ is prevalence of vulnerability among reported unauthorized disclosures

Sources of Data
- Incidence database
- Prevalence of vulnerabilities among violations
- List of vulnerabilities
- Prevalence of violations
- Assessment surveys
- Risk score

Construction of Incidence Database
- Legal case reviews
- Office of Civil Rights database
- Published reports
- Private surveys

Probability of Unauthorized Disclosure

| Databases searched | Records found | Number of unauthorized disclosures | Dates | Probability of unauthorized disclosure |
|---|---|---|---|---|
| LexisNexis Academic | 47 | 2 | 01/01/03 - 12/31/03 | 0.005 |
| Health Reference Center-Academic Infotrac | 141 | 8 | 01/01/90 - 12/31/03 | 0.022 |
| DHHS reports | 22 | 16 | 01/01/03 - 12/31/03 | 0.044 |
| | 3 | 3 | 01/01/03 - 12/31/03 | 0.008 |
| Total | 213 | 29 | 01/01/90 - 12/31/03 | 0.079 |

Vulnerabilities Derived from the Database
- Clinician using unsecured email environment
- Clinician gathers information from patients’ family and friends after the visit
- Discussion of patient care with co-workers not engaged in care
- Medical reports or records with wrong recipient information
- Caring for employees’ friends and family members
- Benefit organizations or employers request employee information
- Employees engaged in whistle blowing to uncover illegal or unacceptable business or clinical practices
- Patient records (paper documents) not kept in secure environment or sealed envelope; or documents displayed in plain view of others
- Clinician discusses patient care in a setting where others can easily hear
- Employee removes patient records from secure location or workplace without authorization
- Employee views paper documents or manipulates computer passwords to view medical records of patients not under his/her care
- External infection of computers / password / network systems (e.g. computer hacker)
- Theft of computers or hard drives
- Sale of patient records
- Blackmail/extortion of organization or an employee
- Patient using identity of another person to gain insurance benefits
- Changes in custody or family relationships not revealed by the patient
- Audit of business practices by outside firm without clinicians’ approval
- Business Associate violates Chain of Trust Agreement
- Legal system/law enforcement requests, subpoenas or seizes patient records
- Error in patient identity during data transfer to third party insurers

Prevalence of Vulnerabilities Among Unauthorized Disclosures

| Hazard category | Description of the hazard | $p(V_i \mid U)$ |
|---|---|---|
| Impermissible sharing of patient health information | Clinician using unsecured email environment | 0.01 |
| Impermissible sharing of patient health information | Clinician attempting to gather information from patients' family and friends | 0.14 |
| Impermissible sharing of patient health information | Discussion of patient with co-workers not engaged in care | 0.08 |
| Impermissible sharing of patient health information | Medical reports or records with wrong recipient information | 0.07 |
| Impermissible sharing of patient health information | Caring for clinicians’ friends and family members and discussing the care outside of the work environment | 0.03 |
| Impermissible sharing of patient health information | Benefit organizations or employers request patient information | 0.04 |

| Category | Hazard | $P(H \mid U)$ |
|---|---|---|
| Lack of physical safeguards for PHI | Patient records (paper documents) not kept in secure environment or sealed envelope; or documents displayed in plain view of others | 0.14 |
| Lack of physical safeguards for PHI | Patient records or information discussed in a setting where others can easily hear | 0.05 |
| Inappropriate access to patient health information | Employee removes patient records from secure location or workplace without proper authorization or just cause | 0.01 |
| Inappropriate access to patient health information | Employee views paper documents or manipulates computer passwords to view medical records of patients not under his/her care | 0.1 |
| Illegal activities | External infection of computers/password/network systems (e.g. computer hacker) | 0.01 |
| Illegal activities | Theft of computers or hard drives | 0.02 |
| Illegal activities | Sale of patients records | 0.06 |
| Illegal activities | Blackmail/extortion of your organization or an employee | 0.02 |

Prevalence of Vulnerabilities Among Unauthorized Disclosures

| Category | Hazard | $P(U \mid H)$ |
|---|---|---|
| Patient causes | Patient using identity of another person to gain insurance benefits | 0.01 |
| Patient causes | Changes in custody or family relationships not revealed by the patient | 0.01 |
| 3rd party causes | Audit of clinical practices by outside firm without clinician approval | 0.01 |
| 3rd party causes | Business Associate violates Chain of Trust Agreement | 0.02 |
| 3rd party causes | Legal system/law enforcement requests, subpoenas or seizes medical records | 0.12 |
| 3rd party causes | Error in patient identity during transfer of data to third party insurers | 0.01 |

Best Practice Vulnerability Assessment Tool
- Derived from incidence database
- Relying on time between events
- Asking questions like: When were the last two times that you emailed a patient in an unsecured environment?
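
Added example (not part of the original slides): a Python sketch that turns "last two times" survey answers into $p(V_i) = 1/(1+t_i)$ and combines them with the Bayes step above into an overall risk score. $p(U)$ and $p(V_i \mid U)$ are taken from the tables on this page; the hazard keys, the population-level $p(V_i)$ values and the survey dates are constructed assumptions.

```python
from datetime import date

P_U = 0.079  # p(U): total from the page's incidence table

# name: (p(V_i | U) from the page's prevalence table,
#        population-level p(V_i) -- CONSTRUCTED, the page gives no such values)
HAZARDS = {
    "unsecured_email": (0.01, 0.0333),
    "wrong_recipient": (0.07, 0.0333),
}

def p_vulnerability(last: date, previous: date) -> float:
    """p(V_i) = 1 / (1 + t_i), with t_i the days between the last two events."""
    t = (last - previous).days
    if t < 0:
        raise ValueError("'last' must not precede 'previous'")
    return 1.0 / (1.0 + t)

def p_disclosure_given(p_v_given_u: float, p_u: float, p_v: float) -> float:
    """Bayes: p(U | V_i) = p(V_i | U) p(U) / p(V_i)."""
    if p_v <= 0.0:
        raise ValueError("p(V_i) must be positive")
    p = p_v_given_u * p_u / p_v
    if p > 1.0:  # inputs drawn from inconsistent sources
        raise ValueError(f"p(U | V_i) = {p:.3f} exceeds 1; check p(V_i)")
    return p

def risk_score(survey: dict) -> float:
    """p(U) = sum_i p(U | V_i) p(V_i), with p(V_i) taken from the survey dates."""
    score = 0.0
    for name, (last, previous) in survey.items():
        p_v_given_u, p_v_population = HAZARDS[name]
        score += (p_disclosure_given(p_v_given_u, P_U, p_v_population)
                  * p_vulnerability(last, previous))
    return score

# Constructed survey answers: dates of the last two occurrences per hazard.
SURVEY = {
    "unsecured_email": (date(2024, 3, 30), date(2024, 3, 1)),  # t = 29 days
    "wrong_recipient": (date(2024, 1, 1), date(2023, 1, 1)),   # t = 365 days
}

if __name__ == "__main__":
    for name, (last, previous) in SURVEY.items():
        print(f"{name}: p(V_i) = {p_vulnerability(last, previous):.4f}")
    print(f"risk score p(U) = {risk_score(SURVEY):.5f}")
```

With $t_i$ of 29 and 365 days, the first function reproduces the "High" (0.0333) and "Low" (0.0027) rows of the ISO 17799 table.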

Unprecedented Vulnerabilities
- Assessed based on similarity to actual events

$p(U \mid V_n) = \left( \prod_{i=1}^{n} w_i\, p(U \mid V_i) \right)^{1/n}$

Where
- $n$ is the number of vulnerabilities in the database.
- $p(S \mid V_n)$ is the likelihood of security violation given the new vulnerability.
- $p(S \mid V_i)$ is the likelihood of security violations given vulnerability “i”.
- $w_i$ is the similarity of the new vulnerability to the ith extant vulnerability. These constants are normalized to add to one.

Advantages
- Applies to privacy as well as security violations
- Produces a quantitative score for overall risk, useful for benchmarking
- Based on objective data
- Focuses attention on vulnerabilities that are real and likely to occur
- Reduces unnecessary fear and security interference with business processes
- Can be used to set fair insurance premiums

Objective Vulnerability Assessment is Possible
It is Faster & More Accurate than Consensus-based Vulnerability Assessments