Probabilistic Risk Analysis
Farrokh Alemi, Ph.D.
April 12, 2004
Why Assess Risks?
- Based on incidents experienced across the industry
- Allows benchmarking against peer organizations
- If repeated over time, measures progress in reducing risks
- Can be used to set premiums for HIPAA insurance
- Not an imagined risk
Definitions
- Risk assessment
- Threat
- Vulnerability
- Security controls
- Hazard
- Risk mitigation
How to Assess Risks for Unauthorized Disclosures?

$$p(U) = \sum_{i=1}^{n} p(U \mid H_i)\, p(H_i)$$

$$p(H_i) = \frac{1}{1 + t_i}$$

$$p(U \mid H_i) = \frac{p(H_i \mid U)\, p(U)}{p(H_i)}$$
Sources of Data
Assessment of Probability of Unauthorized Disclosure
List of Hazards
- Clinician using unsecured environment
- Clinician gathers information from patients' family and friends after the visit
- Discussion of patient care with co-workers not engaged in care
- Medical reports or records with wrong recipient information
- Caring for employees' friends and family members
- Benefit organizations or employers request employee information
- Employees engaged in whistle blowing to uncover illegal or unacceptable business or clinical practices
- Patient records (paper documents) not kept in secure environment or sealed envelope; or documents displayed in plain view of others
- Clinician discusses patient care in a setting where others can easily hear
- Employee removes patient records from secure location or workplace without authorization
- Employee views paper documents or manipulates computer passwords to view medical records of patients not under his/her care
- External infection of computers / password / network systems (e.g. computer hacker)
- Theft of computers or hard drives
- Sale of patient records
- Blackmail/extortion of organization or an employee
- Patient using identity of another person to gain insurance benefits
- Changes in custody or family relationships not revealed by the patient
- Audit of business practices by outside firm without clinicians' approval
- Business associate violates Chain of Trust Agreement
- Legal system/law enforcement requests, subpoenas or seizes patient records
- Error in patient identity during data transfer to third-party insurers
Prevalence of Hazards Among Unauthorized Disclosures

Hazard Category | Description of the Hazard | p(H_i | U)
--- | --- | ---
Impermissible sharing of patient health information | Clinician using unsecured environment | 0.01
Impermissible sharing of patient health information | Clinician attempting to gather information from patients' family and friends | 0.14
Impermissible sharing of patient health information | Discussion of patient with co-workers not engaged in care | 0.08
Impermissible sharing of patient health information | Medical reports or records with wrong recipient information | 0.07
Impermissible sharing of patient health information | Caring for clinicians' friends and family members and discussing the care outside of the work environment | 0.03
Impermissible sharing of patient health information | Benefit organizations or employers request patient information | 0.04
Prevalence of Hazards Among Unauthorized Disclosures (continued)

Category | Hazard | p(H_i | U)
--- | --- | ---
Lack of physical safeguards for PHI | Patient records (paper documents) not kept in secure environment or sealed envelope; or documents displayed in plain view of others | 0.14
Lack of physical safeguards for PHI | Patient records or information discussed in a setting where others can easily hear | 0.05
Inappropriate access to patient health information | Employee removes patient records from secure location or workplace without proper authorization or just cause | 0.01
Inappropriate access to patient health information | Employee views paper documents or manipulates computer passwords to view medical records of patients not under his/her care | 0.10
Illegal activities | External infection of computers/password/network systems (e.g. computer hacker) | 0.01
Illegal activities | Theft of computers or hard drives | 0.02
Illegal activities | Sale of patient records | 0.06
Illegal activities | Blackmail/extortion of your organization or an employee | 0.02
Prevalence of Hazards Among Unauthorized Disclosures (continued)

Category | Hazard | p(H_i | U)
--- | --- | ---
Patient causes | Patient using identity of another person to gain insurance benefits | 0.01
Patient causes | Changes in custody or family relationships not revealed by the patient |
3rd party causes | Audit of clinical practices by outside firm without clinician approval | 0.01
3rd party causes | Business associate violates Chain of Trust Agreement | 0.02
3rd party causes | Legal system/law enforcement requests, subpoenas or seizes medical records | 0.12
3rd party causes | Error in patient identity during transfer of data to third-party insurers | 0.01
Assessment of Hazards at Health Care Organizations

How often does a clinician in your organization a message in an unsecured environment?

Frequency: Unlikely | 2-3 times / 5 years | ≤ once / year | ≤ once / 6 months | ≤ once / month | ≥ once / month | ≥ once / day
Rating: Negligible | Very Low | Low | Medium | High | Very High | Extreme

Indicate the two most recent times (enter number of days, weeks, months or years prior to today) when a clinician ed a message in an unsecured environment:

Please indicate the last two times when a clinician ed a message in an unsecured environment (enter date in the format DD/MM/YY):
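The calculation the deck describes, worked through in code, as an added example that is not part of the original slides: it turns the survey's "two most recent times" for each hazard into t_i, applies p(H_i) = 1/(1+t_i), combines that with the prevalence p(H_i | U) from the tables above and the Bayes step for p(U | H_i), and sums to p(U). Three things are this example's assumptions rather than the deck's: t_i is taken as the mean gap in days between consecutive reported occurrences (counting today as the open end); the p(U) and p(H_i) that enter the Bayes step are reference (industry) figures, here the constructed placeholders P_U_REFERENCE and REFERENCE_DAYS, since the slide does not say which values are used there and using the organisation's own p(U) would make the formula circular; and the survey answers in SAMPLE_SURVEY are constructed for an imaginary organisation.

```python
from datetime import date

# p(H_i | U): prevalence of each hazard among unauthorized disclosures.
# Values copied from the deck's tables for the five hazards this example uses.
PREVALENCE = {
    "clinician_unsecured_environment": 0.01,
    "records_in_plain_view": 0.14,
    "employee_views_records_not_in_care": 0.10,
    "theft_of_computers_or_drives": 0.02,
    "law_enforcement_request": 0.12,
}

# Reference (industry-typical) days between occurrences of each hazard.
# CONSTRUCTED placeholders for this example; the deck gives no such figures.
REFERENCE_DAYS = {
    "clinician_unsecured_environment": 14,
    "records_in_plain_view": 3,
    "employee_views_records_not_in_care": 60,
    "theft_of_computers_or_drives": 365,
    "law_enforcement_request": 30,
}

# Reference base rate p(U) used in the Bayes step. CONSTRUCTED placeholder.
P_U_REFERENCE = 0.05


def time_to_event_days(today: date, occurrences: list[date]) -> float:
    """Turn the survey's 'two most recent times' into t_i (in days).

    Assumption of this example: t_i is the mean gap between consecutive
    occurrences, with today counted as the open end of the series.
    """
    points = sorted(occurrences, reverse=True)
    if not points:
        raise ValueError("no occurrence reported; the hazard rate cannot be estimated")
    if points[0] > today:
        raise ValueError("occurrence date lies in the future")
    gaps, previous = [], today
    for occurred in points:
        gaps.append((previous - occurred).days)
        previous = occurred
    return sum(gaps) / len(gaps)


def hazard_probability(t_days: float) -> float:
    """p(H_i) = 1 / (1 + t_i), as given on the slide."""
    if t_days < 0:
        raise ValueError("t_i must be non-negative")
    return 1.0 / (1.0 + t_days)


def disclosure_given_hazard(p_h_given_u: float, p_u_ref: float, p_h_ref: float) -> float:
    """p(U | H_i) = p(H_i | U) p(U) / p(H_i), the Bayes step on the slide.

    The p(U) and p(H_i) here are reference values (assumption), so the result
    does not depend on the organisation's own p(U). Capped at 1 because a ratio
    of rough estimates can exceed it.
    """
    return min(1.0, p_h_given_u * p_u_ref / p_h_ref)


def probability_of_disclosure(today: date, survey: dict[str, list[date]]):
    """p(U) = sum_i p(U | H_i) p(H_i) over the surveyed hazards.

    Returns the total and each hazard's contribution, largest first, so the
    hazards that drive the risk are visible for mitigation planning.
    """
    contributions = {}
    for hazard, dates in survey.items():
        p_h = hazard_probability(time_to_event_days(today, dates))
        p_h_ref = hazard_probability(REFERENCE_DAYS[hazard])
        p_u_given_h = disclosure_given_hazard(PREVALENCE[hazard], P_U_REFERENCE, p_h_ref)
        contributions[hazard] = p_u_given_h * p_h
    # The sum treats the hazards as mutually exclusive; where hazards overlap it
    # overstates p(U), so cap the result at 1.
    total = min(1.0, sum(contributions.values()))
    ranked = dict(sorted(contributions.items(), key=lambda kv: kv[1], reverse=True))
    return total, ranked


# Constructed survey answers for an imaginary organisation (the assignment's
# scenario): the two most recent dates on which each hazard was observed.
SAMPLE_SURVEY = {
    "clinician_unsecured_environment": [date(2004, 4, 5), date(2004, 3, 29)],
    "records_in_plain_view": [date(2004, 4, 11), date(2004, 4, 9)],
    "employee_views_records_not_in_care": [date(2004, 1, 13), date(2003, 10, 15)],
    "theft_of_computers_or_drives": [date(2003, 4, 12), date(2002, 4, 12)],
    "law_enforcement_request": [date(2004, 3, 13), date(2004, 2, 12)],
}

if __name__ == "__main__":
    total, ranked = probability_of_disclosure(date(2004, 4, 12), SAMPLE_SURVEY)
    print(f"p(U) = {total:.4f}")
    for hazard, share in ranked.items():
        print(f"  {hazard:40s} {share:.5f}")
```

With the constructed answers, the records-in-plain-view hazard contributes most to p(U) even though theft has a far larger p(U | H_i): the organisation sees plain-view exposures almost daily, so p(H_i) dominates. That ranking, not the total alone, is what a control-selection decision should read from the assessment.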
Assignment
- Answer the online survey for an imaginary health care organization
- Analyze responses to calculate probability of unauthorized disclosure
- Discuss the assessment procedure
Take Home Lesson
- Better to rely on experienced hazards rather than imaginary ones
- It is possible to estimate the probability of rare events
- It is possible to assess the risk of unauthorized disclosures at our organizations