HIM 650 Security Risk Analysis
HIM 650 Security Risk Analysis
Privacy and security within data and health care records are essential aspects of health information technology for healthcare organizations and providers. The frequency of healthcare data breaches, level of exposed records and information, and resultant financial losses are rising exponentially (Abouelmehdi et al., 2018). Healthcare data is considered highly valuable and health organizations need risk management protocols to ensure that no breaches occur. Healthcare data security issues affect an organization’s full compliance to legal requirements based on the provisions of Health Insurance Portability and Accountability Act (HIPAA). Data security and privacy threats can be external and internal (Wager et al., 2017). The purpose of this paper is to offer an analysis of risk assessments and their impact within healthcare organizations like my current organization.
Top Three Internal and External Risks Threatening PHI Data within the Organization
Researchers assessing the Verizon’s 2018 protected health information data breach found that close to 60% of healthcare security incidents entailed internal breaches while the rest emanated from external sources (Verizon, 2018). Healthcare staff for different reasons violate HIPAA and cause data breaches that compromise protected health information (PHI). The implication is that healthcare is the only sector where internal risks to PHI data is highest with the internal breaches constituting the greatest threat to private and confidential information.
The top three internal risks that threaten PHI data within the organization include weak passwords by healthcare employees, poor disposal of PHI like inability to shred the information, and employees and business associates deliberately taking advantage of their access to the vital patient details for personal and selfish reasons (Jiang & Bai, 2019). Employees and vendors can also access information in the organization through lost and stolen mobile devices as they contain stored and old login credentials.
External data breaches in the organization emanate from outside sources who may have interest with the stored PHI. These include hackers using malware to access the system to steal vital PHI, and disgruntled former employees who may have knowledge on the working of the organization’s system. Hackers may also use phishing attempts that plan malicious scripts to steal login credentials to compromise the entire system. The third external threat include vendors working with the organization and have access to PHI because of the nature of their contractual engagements with the facility.
Risk Assessment within the Organization
Organizational risk management on PHI is essential as it identifies areas of weakness and vulnerability that individuals can use to access patient data. More than 50% of healthcare data breaches are attributed to malicious insiders (Freundlich et al., 2018). Therefore, having a risk assessment protocols within the organization is essential to improving security and protection of the critical health information. Risk assessment in the organization occurs through mapping out the flow of PHI and it allows the system to know the generation, transfer, and transmission of data. Through this approach, the organization can identify potential vulnerabilities. Further, knowledge on the procedures that patients undertake in filling information, its processes and storage is vital. Common storage places include computers, cloud-based servers and even dedicated cabinets which are all at risk of exposure and accessibility.
Click here to ORDER an A++ paper from our Verified MASTERS and DOCTORATE WRITERS: HIM 650 Security Risk Analysis
The second aspect entails identification of threats and risks as the possibility of threats depends on the workplace
environment and access protocols of PHI. Vulnerabilities consist of absence of policies, computing devices in open areas like reception and poorly-structured measures like lack of CCTVs. The third aspect is to analyze the level of risk (Jiang & Bai, 2019). Considering the possibility of a data breach occurring is a critical measure in the development of a risk plan since it shows the degree of susceptibility and potential effects. The potential impacts include losses that may be incurred if the breach occurs. Such risks can include leakage or exposure of confidential information to the public. Other risks can lead to the collapse of an organization and its reputation.
The next step in IT risk assessment and management to protect patient information is developing a plan. The plan entails how to conduct an analysis and implement security controls. It also entails development of measures to address the greatest vulnerabilities and testing if the security controls can mitigate their occurrence based on their effectiveness (Pussewalage & Oleshchuk, 2017). The final step is documentation of risk analysis for future use and reference as the standard measure and compliance to HIPAA and other HIT provisions.
Conducting the Assessment and Frequency
Assessing systems’ vulnerabilities and potential harm is essential to ascertaining the protection of PHI. HIPAA provisions mandate health care organizations to conduct an annual assessment of their IT systems to identify weak and vulnerable areas. However, frequent and programmed assessments are vital to the data security in the organization. In this case, the IT personnel and department are responsible for the assessment. These professionals also enlist vendors’ services to conduct the assessment based on set protocols and processes (Jiang & Bai, 2019). The assessment focuses on improving the system, reducing vulnerabilities, and training employees on emerging trends and potential threats and risks from both internal and external sources. The organization conducts these assessments after two months based on internal reports and any new information or requirements by regulatory bodies. The assessment can also happen when there is a large scale breach in the industry targeting multiple organizations. Therefore, the IT personnel conduct assessment based on the set protocols, compliance requirements, and on a needs-based model.
Assessments Mitigating Identified Risks
The assessments are critical in reducing and mitigating the identified risks since they allow the organization to prepare for any susceptibilities and place in measures to protect PHI. The assessments also identify new areas that require employees’ training on aspects like developing strong passwords, adherence and compliance to hospital policies and in disposing PHI wastes. The assessments evaluate the level of involvement and loyalty of different stakeholders that include vendors in following the set protocols to reduce risk exposure (Pussewalage & Oleshchuk, 2017). Engagement of all stakeholders, both internal and external, is important as it allows the organization to develop better security controls for long-term data protection.
Common breaches in health information systems occur mainly from internal breaches. Hospital systems can mitigate the occurrence of these breaches by having risk assessments and effective personnel to identify vulnerabilities and train employees. Risk assessments occur in the organization based on existing legal health provisions by HIPAA and organizational policy mandates to protect PHI. The implication is that assessments should occur more frequently to secure vital data to avoid both internal and external violations.
Abouelmehdi, K., Beni-Hessane, A., & Khaloufi, H. (2018). Big healthcare data: preserving
security and privacy. Journal of Big Data, 5(1), 1-18. DOI: https://doi.org/10.1186/s40537-017-0110-7
Bowman, M. A., & Maxwell, R. A. (2018). A beginner’s guide to avoiding protected health
information (PHI) issues in clinical research–with how-to’s in Redcap data management software. Journal of biomedical informatics, 85, 49-55. https://doi.org/10.1016/j.jbi.2018.07.008.
Freundlich, R. E., Freundlich, K. L., & Drolet, B. C. (2018). Pagers, smartphones, and HIPAA:
finding the best solution for electronic communication of protected health information. Journal of medical systems, 42(1), 1-3. https://doi.org/10.1007/s10916-017-0870-9.
Jiang, J. X., & Bai, G. (2019). Evaluation of causes of protected health information breaches. JAMA internal medicine, 179(2), 265-267. https://doi.org/10.1001/jamainternmed.2018.5295
Pussewalage, H. S. G., & Oleshchuk, V. A. (2017). Privacy preserving mechanisms for enforcing security and privacy requirements in E-health solutions. International Journal of Information Management, 36(6), 1161-1173. https://doi.org/10.1016/j.ijinfomgt.2016.07.006
Verizon (2018). Whiter Paper: Protected Health Information Data Breach Report.
Wager, K. A., Lee, F. W., & Glaser, J. P. (2022). Health care information systems: a practical
approach for health care management. John Wiley & Sons.