Probabilistic Risk Analysis Farrokh Alemi, Ph.D. April 12, 2004.


1 Probabilistic Risk Analysis Farrokh Alemi, Ph.D. April 12, 2004

2 Why Assess Risks?
- Based on experienced incidents across the industry
- Allows benchmarks against peer organizations
- If repeated over time, measures progress in reducing risks
- Can be used to set premiums for HIPAA insurance
- Not an imagined risk

3 Definitions
- Risk assessment
- Threat
- Vulnerability
- Security controls
- Hazard
- Risk mitigation

4 How to Assess Risks for Unauthorized Disclosures?

$$p(U) = \sum_{i=1}^{n} p(U \mid H_i)\, p(H_i)$$

$$p(H_i) = \frac{1}{1 + t_i}$$

$$p(U \mid H_i) = \frac{p(H_i \mid U)\, p(U)}{p(H_i)}$$

5 Sources of Data

6 Assessment of Probability of Unauthorized Disclosure

7 List of Hazards
- Clinician using unsecured email environment
- Clinician gathers information from patients' family and friends after the visit
- Discussion of patient care with co-workers not engaged in care
- Medical reports or records with wrong recipient information
- Caring for employees' friends and family members
- Benefit Organizations or employers request employee information
- Employees engaged in whistle blowing to uncover illegal or unacceptable business or clinical practices
- Patient records (paper documents) not kept in secure environment or sealed envelope; or documents displayed in plain view of others
- Clinician discusses patient care in a setting where others can easily hear
- Employee removes patient records from secure location or workplace without authorization
- Employee views paper documents or manipulates computer passwords to view medical records of patients not under his/her care
- External infection of computers / password / network systems (e.g. computer hacker)
- Theft of computers or hard drives
- Sale of patient records
- Blackmail/Extortion of organization or an employee
- Patient using identity of another person to gain insurance benefits
- Changes in custody or family relationships not revealed by the patient
- Audit of business practices by outside firm without clinicians' approval
- Business Associate violates Chain of Trust Agreement
- Legal System/Law Enforcement requests, subpoenas or seizes patient records
- Error in patient identity during data transfer to third party insurers

8 Prevalence of Hazards Among Unauthorized Disclosures

| Hazard Category | Description of the Hazard | p(H_i \| U) |
|---|---|---|
| Impermissible sharing of patient health information | Clinician using unsecured email environment | 0.01 |
| | Clinician attempting to gather information from patients' family and friends | 0.14 |
| | Discussion of patient with co-workers not engaged in care | 0.08 |
| | Medical reports or records with wrong recipient information | 0.07 |
| | Caring for clinicians' friends and family members and discussing the care outside of the work environment | 0.03 |
| | Benefit Organizations or employers request patient information | 0.04 |

9 Prevalence of Hazards Among Unauthorized Disclosures

| Category | Hazard | P(H\|U) |
|---|---|---|
| Lack of Physical safeguards for PHI | Patient records (paper documents) not kept in secure environment or sealed envelope; or documents displayed in plain view of others | 0.14 |
| | Patient records or information discussed in a setting where others can easily hear | 0.05 |
| Inappropriate access to patient health information | Employee removes patient records from secure location or workplace without proper authorization or just cause | 0.01 |
| | Employee views paper documents or manipulates computer passwords to view medical records of patients not under his/her care | 0.1 |
| Illegal Activities | External infection of Computers/Password/Network Systems (e.g. Computer Hacker) | 0.01 |
| | Theft of computers or hard drives | 0.02 |
| | Sale of patients' records | 0.06 |
| | Blackmail/Extortion of your organization or an employee | 0.02 |

10 Prevalence of Hazards Among Unauthorized Disclosures

| Category | Hazard | P(U\|H) |
|---|---|---|
| Patient Causes | Patient using identity of another person to gain insurance benefits | 0.01 |
| | Changes in custody or family relationships not revealed by the patient | 0.01 |
| 3rd Party Causes | Audit of clinical practices by outside firm without clinician approval | 0.01 |
| | Business Associate violates Chain of Trust Agreement | 0.02 |
| | Legal System/Law Enforcement requests, subpoenas or seizes medical records | 0.12 |
| | Error in patient identity during transfer of data to third party insurers | 0.01 |

11 Assessment of Hazards at Health Care Organizations

How often does a clinician in your organization email a message in an unsecured environment?
- Unlikely: Negligible
- 2-3 times / 5 years: Very Low
- <= once / year: Low
- <= once / 6 months: Medium
- <= once / month: High
- >= once / month: Very High
- >= once / day: Extreme

Indicate the two most recent times (enter number of days, weeks, months or years) prior to today when a clinician emailed a message in an unsecured environment:

Please indicate the last two times when a clinician emailed a message in an unsecured environment (enter date in the format DD/MM/YY):
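The calculation on slide 4, worked through for three hazards from slides 8 and 9, as an added example that is not part of the original presentation. It assumes t_i is the number of days between the two most recent occurrences reported in the slide 11 survey, that the p(U) and p(H_i) on the right-hand side of the Bayes step are industry-wide values, and that a hazard never observed contributes zero; the industry figures and survey dates are constructed.

```python
from datetime import datetime

# p(H_i | U) for three hazards, copied from slides 8 and 9.
P_H_GIVEN_U = {
    "unsecured_email": 0.01,
    "records_in_plain_view": 0.14,
    "theft_of_computers": 0.02,
}

# Constructed values (not on the slides): industry-wide daily probability of an
# unauthorized disclosure and of each hazard, needed for the Bayes step.
INDUSTRY_P_U = 0.001
INDUSTRY_P_H = {
    "unsecured_email": 0.05,
    "records_in_plain_view": 0.02,
    "theft_of_computers": 0.0005,
}

def hazard_probability(last_two_dates):
    """p(H_i) = 1 / (1 + t_i); t_i assumed to be days between the two dates."""
    if last_two_dates is None:  # assumption: hazard never observed, p(H_i) = 0
        return 0.0
    a, b = (datetime.strptime(d, "%d/%m/%y") for d in last_two_dates)
    return 1.0 / (1.0 + abs((a - b).days))

def disclosure_given_hazard(name):
    """p(U | H_i) = p(H_i | U) p(U) / p(H_i), capped at 1 as a probability."""
    return min(1.0, P_H_GIVEN_U[name] * INDUSTRY_P_U / INDUSTRY_P_H[name])

def disclosure_probability(survey):
    """p(U) = sum over i of p(U | H_i) p(H_i), using the organization's p(H_i)."""
    return sum(disclosure_given_hazard(h) * hazard_probability(dates)
               for h, dates in survey.items())

# Constructed survey answers in the slide's DD/MM/YY format.
SURVEY = {
    "unsecured_email": ("01/04/04", "10/04/04"),        # t = 9 days
    "records_in_plain_view": ("01/01/04", "10/04/04"),  # t = 100 days
    "theft_of_computers": None,                         # never observed
}

if __name__ == "__main__":
    for hazard, dates in SURVEY.items():
        print(hazard, hazard_probability(dates), disclosure_given_hazard(hazard))
    print("daily p(U) for this organization:", disclosure_probability(SURVEY))
```

Because p(H_i) is computed per day here, the resulting p(U) is a daily probability for the surveyed organization.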

12 Assignment
- Answer the online survey for an imaginary health care organization
- Analyze responses to calculate probability of unauthorized disclosure
- Discuss the assessment procedure

13 Risk Assessment Should Focus on Process / Events

14 Security Management Process
Process:
- Analyzing and managing risk
- Developing a sanction policy for violations
- Reviewing information systems activities
Events:
- None

15 Assigned Security Responsibility
Process:
- Assigning a person at the facility to oversee and implement the HIPAA security plan
Events:
- Security official is not available during an incident

16 Workforce Security
Process:
- Authorizing or supervising employees' access to ePHI
- Implementing a clearance policy and adjusting access if employment is terminated or changed
Events:
- Employee performs a job not appropriate for his/her access level
- Conducting insufficient background checks
- Employee termination incorrectly recorded
- Checklist not used to verify access termination

17 Information Access Management
Process:
- Isolating clearinghouse functions
- Determining criteria for establishing access
- Determining who should access ePHI and evaluating existing security measures
Events:
- Employee exceeds the "greater than minimum" access necessary for his/her job role

18 Security Awareness and Training
Process:
- Conduct a training needs assessment
- Develop a training strategy
- Develop appropriate awareness training content and best delivery methods
- Implement the training
- Monitor training plan
Events:
- Traveling employee has an unsecured machine
- Failure to apply security patches to systems

19 Security Incident Procedures
Process:
- Determine goals of Incident Response
- Develop and deploy Incident Response Team
- Develop Incident Response Procedures
- Post-Incident analysis procedures
Events:
- Incident response team is not available during an incident

20 Contingency Plan
Process:
- Developing a plan
- Conducting Impact and Data Criticality analyses
- Identifying preventive measures
- Developing a recovery strategy
Events:
- No call list of emergency responders during an incident

21 Evaluation
Process:
- Performing periodic technical and non-technical evaluations in response to environmental and operational changes affecting the security of ePHI
Events:
- None

22 Business Associate Agreements
Process:
- Identifying Business Associates
- Executing new agreements or updating current ones
- Measuring contract performance and violations
Events:
- Business Associate violates security policies
- New vendors are not listed on contracts
- Audit log does not contain complete record of Business Associate activities

23 Facility Access Controls
Process:
- Analyze existing physical vulnerabilities
- Identify corrective measures
- Develop a facility security plan
- Develop access control procedures
- Establish contingency operations procedures
Events:
- Employee bypassed physical security control
- Physical environment around facility contains risk to security controls
- Emergency personnel cannot access facility during an emergency
- Natural disasters

24 Workstation Use
Process:
- Identify workstation types and functions
- Identify expected performance of each workstation
- Analyze physical surrounding for physical attributes
Events:
- Workstations with different functions kept in the same area

25 Workstation Security
Process:
- Identify all methods of physical access to workstations
- Analyze the risk associated with each type of access
- Identify physical safeguards
Events:
- Workstations are kept in public areas
- Unauthorized viewing of workstations

26 Access Controls
Process:
- Analyze workloads and operations to identify the access needs of all users
- Identify data and systems where access control is required
- Assign Unique Identifier
- Develop access control policy
- Implement access control procedures
- Review and update user access
- Establish an emergency access procedure
- Terminate access if no longer needed
Events:
- Sharing of User ID or password
- Access not changed in conjunction with change in employment status
- Machine fails to auto-log off

27 Audit Controls
Process:
- Determine the systems or activities that will be tracked or audited
- Select auditing tools
- Develop system/activity review policy
- Develop appropriate standard operating procedures
- Implement the audit/system review process
Events:
- Audit logs do not accurately or completely track users' actions

28 Integrity
Process:
- Identify all users who have been authorized to access ePHI
- Identify any possible unauthorized sources that may be able to intercept the information and modify it
- Develop Integrity policy
- Implement procedures
- Establish a monitoring process
Events:
- Foreign entity intercepts and modifies data

29 Person or Entity Authentication
Process:
- Determine authentication applicability to current systems/applications
- Evaluate authentication options available
- Select and implement authentication option
Events:
- Identity of information source is not verified

30 Transmission Security
Process:
- Identify any possible unauthorized sources that may be able to intercept and/or modify the information
- Develop a transmission security policy
- Implement procedures for transmitting ePHI
Events:
- Sending unencrypted messages

31 Device and Media Controls
Process:
- Evaluate methods for final disposal of ePHI
- Develop procedures for reuse of electronic media
- Maintain records of hardware, media and personnel
- Develop backup procedures to ensure data integrity during equipment relocation
Events:
- Electronic media is re-used or discarded without modification

32 Take Home Lesson
- Better rely on experienced hazards rather than imaginary ones
- It is possible to estimate probability of rare events
- It is possible to assess risk of unauthorized disclosures at our organizations

