HIM 615 security risk analysis
Protected Health Information (PHI) refers to any form of data or information on health status. PHI may also be defined as the medical histories, demographic information, laboratory outcomes, personal health information, and insurance information collected by healthcare professionals to establish an individual’s identity and provide appropriate care. PHI is essential to research and clinical scientists studying health and healthcare trends, and it can also be used to develop value-based care programs for the delivery of quality care. Patient information treated as protected under PHI includes the health plan beneficiary number, medical record number, and social security number (Chernyshev et al., 2019). Because this information is sensitive, PHI faces many threats that arise both internally and externally. The purpose of this paper is to discuss the top three external and internal risks currently threatening PHI data within Arnold Palmer Hospital for Children.
Top Three Internal and Top Three External Risks Currently Threatening PHI Data
Unauthorized access to PHI data is one of the internal threats that Arnold Palmer Hospital for Children currently faces. Employees may gain unauthorized access to PHI data for varied reasons. PHI data acquired without authorization can be used for retaliation by discontented workers, or for financial gain; other motives for unauthorized access include curiosity, criminal intent, and ransom demands. The use of unauthorized devices is also among the top three internal threats to PHI data: portable devices such as USB drives and mobile devices can easily be used to transfer data out of a company or healthcare institution (Yeng et al., 2019). Arnold Palmer Hospital for Children has recorded incidents in which employees transferred data from the organization to outside sources. Finally, shadow IT is among the top three internal threats to PHI data; the practice involves the use of unauthorized third-party software.
The top three external threats to PHI data in Arnold Palmer Hospital for Children are social engineering, which is used to deceive employees or other stakeholders into giving out information; sabotage by individuals; and hacking by individuals. The most common form of social engineering in the hospital is the phishing email, in which an email is sent to an individual employee with the sole objective of obtaining information. Individual sabotage often includes activities such as distribution of malware, compromise of networks, and denial of service attacks. Finally, hacking often involves the exploitation of vulnerabilities such as improperly configured software and a lack of system security.
How Risk Assessments Are Conducted In Arnold Palmer Hospital for Children
The risk assessment involves five major stages that have to be followed to ensure proper outcomes. The first step is to determine what PHI the organization has access to and where the e-PHI is stored in the organization; this stage also determines the different approaches or devices used to transmit the data (Jiang & Bai, 2019). The second step is the assessment of current security measures, including the software and general programs that may be prone to attack. The third step identifies where the organization is vulnerable and the probability of threats occurring, together with an analysis of possible gaps that could be exploited within the organization’s system. The fourth step determines the level of each risk by evaluating the likelihood of every threat and its impact on the system. The final step is the documentation of all the processes and procedures above.
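The five steps above expressed as a small scored risk register, added here as an illustration and not part of the original paper: the assets, threats, controls, ratings and level thresholds are constructed assumptions, not findings from the hospital.

```python
"""Five-step PHI risk assessment as a scored risk register (illustrative)."""
from dataclasses import dataclass

# Step 4: risk = likelihood x impact on an assumed 1..5 scale; level
# thresholds on the product are an assumption for this example.
LEVELS = ((15, "High"), (8, "Medium"), (0, "Low"))


@dataclass
class Finding:
    asset: str       # step 1: where the e-PHI is stored or transmitted
    threat: str      # step 3: threat identified against that asset
    control: str     # step 2: current safeguard reviewed
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)


def risk_score(likelihood: int, impact: int) -> int:
    """Reject out-of-scale ratings rather than silently mis-ranking a risk."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be rated 1..5")
    return likelihood * impact


def risk_level(score: int) -> str:
    for floor, label in LEVELS:
        if score >= floor:
            return label
    return "Low"


def assess(findings):
    """Steps 4-5: score every finding and document it, highest risk first."""
    rows = []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        rows.append({"asset": f.asset, "threat": f.threat, "control": f.control,
                     "score": score, "level": risk_level(score)})
    return sorted(rows, key=lambda r: (-r["score"], r["asset"]))


# Constructed sample register covering the threats named in the text.
SAMPLE = [
    Finding("EHR database", "unauthorized employee access", "role-based access, audit log", 3, 5),
    Finding("Workstation USB ports", "PHI copied to portable device", "none (ports enabled)", 4, 4),
    Finding("Staff email", "phishing for credentials", "spam filter, annual training", 4, 4),
    Finding("Clinician laptops", "shadow IT (unapproved cloud app)", "software allowlist", 2, 3),
    Finding("Patient portal web server", "exploit of misconfigured software", "monthly patching", 2, 5),
    Finding("Hospital network", "denial of service", "upstream DDoS filtering", 1, 3),
]

if __name__ == "__main__":
    for row in assess(SAMPLE):  # step 5: the documented, ranked register
        print(f"{row['level']:6} {row['score']:>2}  {row['asset']}: {row['threat']} [{row['control']}]")
```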
Discuss Who Conducts These Assessments and With What Frequency
Assessing system security requires experts in information and communication technology. At Arnold Palmer Hospital for Children, the assessments are carried out by system analysts in collaboration with data managers, computer experts, program developers, and expert security analysts, whose main work is to constantly identify and avert possible vulnerabilities in the system. The security assessment may also be done in collaboration with the system vendors. At Arnold Palmer Hospital for Children, the security assessment is done frequently due to constant internal and external threats. Automated security tools also constantly analyze possible vulnerabilities and any form of attack on the system.
How Assessments Mitigate the Risks Identified
The assessment is necessary for revealing the risks and possible vulnerabilities in the systems. Through these assessments, system analysts are able to identify the gaps that hackers, both internal and external, could exploit to gain access to the system and compromise information. Risk assessments also make it possible to detect unauthorized devices linked to the system, so that appropriate measures can be taken to reduce or mitigate the gaps these devices create. Finally, through security assessment, system analysts are able to identify possible threats arising from unauthorized access to PHI data or information.
Conclusion
Protected Health Information (PHI) refers to any form of data or information on health status. PHI may also be defined as the medical histories, demographic information, laboratory outcomes, personal health information, and insurance information collected by healthcare professionals to establish an individual’s identity and provide appropriate care. Unauthorized access to PHI data is one of the internal threats that Arnold Palmer Hospital for Children currently faces. The top three external threats to PHI data in Arnold Palmer Hospital for Children are social engineering, which is used to deceive employees or other stakeholders into giving out information; sabotage by individuals; and hacking by individuals.
References
Chernyshev, M., Zeadally, S., & Baig, Z. (2019). Healthcare data breaches: Implications for digital forensic readiness. Journal of Medical Systems, 43(1), 1-12. https://link.springer.com/article/10.1007/s10916-018-1123-2
Jiang, J. X., & Bai, G. (2019). Evaluation of causes of protected health information breaches. JAMA Internal Medicine, 179(2), 265-267. https://jamanetwork.com/journals/jamainternalmedicine/article-abstract/2715158
Yeng, P., Yang, B., & Snekkenes, E. (2019, July). Observational measures for effective profiling of healthcare staffs’ security practices. In 2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC) (Vol. 2, pp. 397-404). IEEE. https://ieeexplore.ieee.org/abstract/document/8754403