Objective Vulnerability Assessment Risks for Unauthorized Disclosure of Patient Information Farrokh Alemi, PhD.

Confusion on What Works
- Vulnerability assessment is a large and growing industry
- Best practices are not clear
- Consensus models perpetuate claims of vulnerability
- Consensus models are static as opposed to dynamic and evolutionary
- Objective data is needed

Misleading Assessments
- Without objective data we do not know if risk priorities are accurate
- Like children fighting imaginary foes, organizations are asked to protect against vulnerabilities that may not exist
- Objective data is needed

Money Is Wasted
- Can't secure all operations; have to pick and choose
- More security is not better
- Security may reduce productivity
- Business builds on trust, not fear
- No point in securing a process if the business fails
- Objective data is needed

Why Not Base Vulnerability Assessment on Data? (common objections)
- It can't be done
- Rare events
- Risk is not quantifiable
- Data is not available
- Historical precedents are not relevant, as terrorists and criminals innovate

Accurate Probabilities for Rare Events
- Time to event: $p(V_i) = 1 / (1 + t_i)$, where $t_i$ is the time between occurrences of vulnerability $i$
- Allows calculation of very small probabilities

It Can Be Done: Application to Unauthorized Disclosure

$p(U) = \sum_{i=1}^{n} p(U \mid V_i)\, p(V_i)$

$p(U \mid V_i) = p(V_i \mid U)\, p(U) / p(V_i)$

Where
- $p(V_i)$ is the probability of the vulnerability
- $p(U)$ is the probability of unauthorized disclosure
- $p(V_i \mid U)$ is the prevalence of the vulnerability among reported unauthorized disclosures
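An added worked example (not part of the presentation) that carries the two formulas above through to a site-level risk score, using four of the page's p(V_i | U) values and the time-between-events question the assessment tool asks later; the population base rates p(U) and p(V_i), the day unit for t_i, and the survey answers are constructed assumptions.

```python
# Added example: Bayes step and time-to-event probabilities from the slides.
# p(V_i | U): share of reported unauthorized disclosures involving hazard i (values from the page's table)
PREVALENCE_GIVEN_U = {
    "records_in_plain_view": 0.14,
    "clinician_asks_family_friends": 0.14,
    "employee_views_records_not_in_care": 0.10,
    "law_enforcement_requests_records": 0.12,
}
# Constructed assumption: population-level p(U) and p(V_i) as an incidence
# database would supply them (not figures from the presentation).
POP_P_U = 0.05
POP_P_V = {
    "records_in_plain_view": 0.50,
    "clinician_asks_family_friends": 0.40,
    "employee_views_records_not_in_care": 0.30,
    "law_enforcement_requests_records": 0.25,
}


def time_to_event_probability(days_between_events: float) -> float:
    """p(V_i) = 1 / (1 + t_i), with t_i the time between the last two reported
    occurrences (assumed unit: days). t_i = 0 gives 1.0; a long gap gives a
    small but non-zero probability, which is what the slide is after."""
    if days_between_events < 0:
        raise ValueError("time between events cannot be negative")
    return 1.0 / (1.0 + days_between_events)


def disclosure_given_vulnerability(hazard: str) -> float:
    """Bayes step from the slide: p(U | V_i) = p(V_i | U) p(U) / p(V_i),
    computed from the population-level figures of the incidence database."""
    p = PREVALENCE_GIVEN_U[hazard] * POP_P_U / POP_P_V[hazard]
    if p > 1.0:
        raise ValueError(f"inconsistent base rates for {hazard}: p(U|V) = {p:.3f}")
    return p


def organization_risk(days_between_events: dict) -> float:
    """Site-specific p(U) = sum_i p(U | V_i) p(V_i), where each p(V_i) comes from
    the site's own answer to 'when were the last two times ...?'"""
    missing = set(PREVALENCE_GIVEN_U) - set(days_between_events)
    if missing:
        raise ValueError(f"no time-to-event answer for: {sorted(missing)}")
    return sum(disclosure_given_vulnerability(h) * time_to_event_probability(days_between_events[h])
               for h in PREVALENCE_GIVEN_U)


if __name__ == "__main__":
    # Constructed survey answers for one clinic: days between the last two occurrences.
    answers = {"records_in_plain_view": 9, "clinician_asks_family_friends": 99,
               "employee_views_records_not_in_care": 0, "law_enforcement_requests_records": 49}
    print(f"estimated p(U) for this site: {organization_risk(answers):.4f}")
```

Note that the hazard observed today (t = 0) dominates the score even though its population conditional probability is not the largest; that is the "focus on vulnerabilities that are real and likely" behaviour the Advantages slide describes.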

Sources of Data (diagram): an incidence database supplies the prevalence of vulnerabilities among violations and the prevalence of violations; together with the list of vulnerabilities these feed the assessment surveys, which produce the risk score.

Construction of Incidence Database
- Legal case reviews
- Office of Civil Rights database
- Published reports
- Private surveys

Probability of Unauthorized Disclosure

Vulnerabilities Derived from the Database
- Clinician using unsecured environment
- Clinician gathers information from patients' family and friends after the visit
- Discussion of patient care with co-workers not engaged in care
- Medical reports or records with wrong recipient information
- Caring for employees' friends and family members
- Benefit organizations or employers request employee information
- Employees engaged in whistle blowing to uncover illegal or unacceptable business or clinical practices
- Patient records (paper documents) not kept in a secure environment or sealed envelope, or documents displayed in plain view of others
- Clinician discusses patient care in a setting where others can easily hear
- Employee removes patient records from secure location or workplace without authorization
- Employee views paper documents or manipulates computer passwords to view medical records of patients not under his/her care
- External infection of computers / password / network systems (e.g. computer hacker)
- Theft of computers or hard drives
- Sale of patient records
- Blackmail/extortion of the organization or an employee
- Patient using identity of another person to gain insurance benefits
- Changes in custody or family relationships not revealed by the patient
- Audit of business practices by outside firm without clinicians' approval
- Business Associate violates Chain of Trust Agreement
- Legal system/law enforcement requests, subpoenas or seizes patient records
- Error in patient identity during data transfer to third-party insurers

Prevalence of Vulnerabilities Among Unauthorized Disclosures (hazard category, description of the hazard, p(V_i | U))

Impermissible sharing of patient health information
- Clinician using unsecured environment: 0.01
- Clinician attempting to gather information from patients' family and friends: 0.14
- Discussion of patient with co-workers not engaged in care: 0.08
- Medical reports or records with wrong recipient information: 0.07
- Caring for clinicians' friends and family members and discussing the care outside of the work environment: 0.03
- Benefit organizations or employers request patient information: 0.04

Prevalence of Vulnerabilities Among Unauthorized Disclosures, continued (category, hazard, p(V_i | U))

Lack of physical safeguards for PHI
- Patient records (paper documents) not kept in secure environment or sealed envelope, or documents displayed in plain view of others: 0.14
- Patient records or information discussed in a setting where others can easily hear: 0.05

Inappropriate access to patient health information
- Employee removes patient records from secure location or workplace without proper authorization or just cause: 0.01
- Employee views paper documents or manipulates computer passwords to view medical records of patients not under his/her care: 0.1

Illegal activities
- External infection of computers/password/network systems (e.g. computer hacker): 0.01
- Theft of computers or hard drives: 0.02
- Sale of patient records: 0.06
- Blackmail/extortion of your organization or an employee: 0.02

Prevalence of Vulnerabilities Among Unauthorized Disclosures, continued (category, hazard, p(V_i | U))

Patient causes
- Patient using identity of another person to gain insurance benefits: 0.01
- Changes in custody or family relationships not revealed by the patient: [value missing from transcript]

3rd party causes
- Audit of clinical practices by outside firm without clinician approval: 0.01
- Business Associate violates Chain of Trust Agreement: 0.02
- Legal system/law enforcement requests, subpoenas or seizes medical records: 0.12
- Error in patient identity during transfer of data to third-party insurers: 0.01

Best Practice Vulnerability Assessment Tool
- Derived from incidence database
- Relying on time between events
- Asking questions like: "When were the last two times that you ed a patient in an unsecured environment?"

Unprecedented Vulnerabilities
- Assessed based on similarity to actual events
Where

Advantages
- Applies to privacy as well as security violations
- Produces a quantitative score for overall risk, useful for benchmarking
- Based on objective data
- Focuses attention on vulnerabilities that are real and likely to occur
- Reduces unnecessary fear and security interference with business processes
- Can be used to set fair insurance premiums

Objective Vulnerability Assessment Is Possible: it is faster and more accurate than consensus-based vulnerability assessments.