
Explanation of the Most Common Types of Information Assurance Risks, Part I


Administrative Risks

Risk 1: Lack of documentation to mitigate threats and vulnerabilities

Explanation: Not having a formal, documented program, which always follows a thorough risk analysis, may be the reason why you're not able to implement effective safeguards to protect your ePHI against possible vulnerabilities and security threats. This may compromise your ePHI security in several ways:

- You may face medical identity theft due to unauthorized access, theft or disclosure of ePHI.
- Unauthorized access to your practice's ePHI may leave it inaccessible, compromised and exposed.
- The ability of healthcare professionals to correctly diagnose and treat patients may be severely compromised due to the corruption of your practice's ePHI.

Mitigation: Conduct an annual risk analysis and document all possible threats and vulnerabilities to your practice's ePHI. Based on the documented risks and vulnerabilities, implement appropriate security measures specifically targeted to mitigate the vulnerabilities to an appropriate level.

Success Criteria: Documentation of possible risks and implementation of safeguards leading to a reduction in security breaches.

www.netspective.com 2
Risk 2: Lack of security awareness and training

Explanation: The security of your practice's ePHI might be at risk if your workforce members don't comply with the standard security protocols, either due to a lack of awareness or due to a lack of training. Factors that may contribute to such behavior include:

- Workforce members not really knowing what security is and why it is so important when it comes to ePHI.
- Lack of sanction policies and procedures that make crystal clear to workplace members their respective duties to uphold the integrity of ePHI, or lack of compliance on the part of workers with the sanctioned policies and procedures.
- Security awareness and training programs being non-interactive and inappropriate.
- A person without the right skills, qualities and knowledge running the security awareness and training process.
- Not having enough metrics on whether your arrangements are actually improving security awareness among your workplace members.
- Unrealistic expectations.
- Conducting a training exercise only once a year.

Mitigation: You can strengthen security awareness and training among your workplace members, and thereby improve the security of your practice's ePHI, by taking the following steps:

- Make the sanction policies and procedures as explanatory as possible.
- Apply appropriate sanctions against members who fail to comply with the security protocols and policies.
- Make security awareness and training programs more interactive and periodic.
- Appoint the right person, with the right skill set, to head this process.
- Collect metrics on a periodic basis to see the progress of your training activities. While it is important to collect metrics to know whether your efforts are actually producing results, you also have to be realistic: promoting awareness is not a one-day process; it takes time and patience.

Success Criteria: Improved awareness and better compliance on the part of the workplace members, leading to strengthened security.

Risk 3: Lack of role delegation

Explanation: Your business associates or workforce members can, knowingly or unknowingly, access confidential ePHI if your practice doesn't clearly define, along logical lines, the roles and responsibilities allocated to each member. This is important because it ensures that no member has too much authority and makes decisions on his own that give access to critical and confidential systems and information.

Let's explain this with a simple example. Say one of your workplace members is responsible for reviewing the access logs. Due to your practice's poor role delegation, the same person is also responsible for updating patient records. In this scenario, that member is essentially left to monitor his own access to ePHI, facilities and systems. This can result in unauthorized access attempts by the same member to your practice's ePHI.

Mitigation: Some important safeguards that may help solve this issue include:

- Implementing procedures and policies ensuring that all workforce members have appropriate access to ePHI and no member gets too much authority.
- Assigning a senior-level manager who authorizes operations before they commence.
- Assigning different duties to different workforce members.
- Developing and distributing among your workplace members a work control policy that explains to the members things like their roles, the degree of coordination between members, their responsibilities, compliance requirements and so on.

Success Criteria: Decrease in the incidence of security breaches from within the organization.
Risk 4: Lack of business associate agreements when a contractor creates, transmits or stores ePHI

Explanation: The safeguarding of your ePHI is incomplete until adequate security safeguards are provided by your service providers, as per agreement. If your service provider fails to provide adequate safeguards, it may result in:

- Unauthorized access to or disclosure of your ePHI.
- Compromising the ability of your workplace members to efficiently serve the patients.
- Medical identity theft.

Mitigation: Before entering into a contract with your service provider, make sure that the provider gives satisfactory assurances regarding the creation, transmission, storage and handling of ePHI. Such assurances may include:

- Limiting the use of and access to ePHI as required by law.
- Employing adequate safeguards to prevent unauthorized use or disclosure of ePHI.
- Following the same or substantially similar good practices as your own institution.

Success Criteria: The highest level of security services, further strengthened by the service providers, leading to improved experience and better security.

Risk 5: Not having a process for periodically reviewing risk analysis policies and procedures and making updates as necessary

Explanation: In something as dynamic as healthcare security, the nature of risks and threats changes with time. That's why the efficacy of the safeguards you put in place to mitigate those risks declines with time. The security of your ePHI might be at risk if you fail to periodically assess the nature of risks and the validity of your policies and procedures, and undermine the importance of making regular updates to improve the safeguards.

Primary Mitigation: Do a periodic risk analysis to determine the nature and severity of emerging risks to your ePHI. Keeping in mind the results of the analysis, make upgrades to your policies and procedures. Once you're done with the paperwork, translate what you've learned from the risk analysis and the changes you've made in your policies into actually strengthening the safeguards of your ePHI.

Secondary Mitigation: Risk analysis and making changes to your policies and procedures is not a one-time job. Make sure to repeat the same routine periodically: have daily, weekly, monthly, quarterly and annual checklists to review different types of risks.

Success Criteria: Successive risk analysis reports will show that the changes made in the policies, and subsequently in the ePHI safeguards, led to a significant decrease in security breaches.

Risk 6: Not having a senior-level person whose job it is to develop and implement security policies and procedures or act as a security point of contact

Explanation: Not having a senior-level person who manages your security team can jeopardize the safety of your operations. Although security implementation and maintenance is a team effort, having a capable person who leads that team is equally important. Moreover, the head of your security will act as a liaison between the security department and the policy makers. If that link is missing, you might not be able to influence the decisions of your higher-ups when it comes to defining policies and procedures.

Primary Mitigation: Identify the security official who is responsible for heading the security team. Define her role as an individual who actively takes part in policy making. Finally, she should be responsible for the implementation of the policies for strengthening ePHI security.

Success Criteria: Having a senior security officer who actually influences policy making, reviews documentation, runs scans, establishes a secure infrastructure, and strengthens ePHI security as a result.

Risk 7: Not having an emergency mode operations plan to ensure the continuation of critical business processes that must occur to protect the availability and security of ePHI immediately after a crisis situation

Explanation: The functioning of healthcare processes, including ePHI, is always a tug of war between security safeguards and security threats. Security can be compromised at any time, by extrinsic or intrinsic threats, which might compromise the functioning of your entire business operations.

Having an emergency mode helps you carry out critical operations, keeps your practice operating and secures the integrity of your ePHI in the event of an emergency. Emergency mode operation keeps access controls, data backup, access logging and encryption in place while other things go down. If your practice does not have an effective emergency mode, you might not be able to provide services to the end users in the event of an emergency. In addition, not being able to carry out important business processes may compromise the security of your processes and ePHI even further.

Primary Mitigation: Primary mitigation of this risk may include:

- Establish and implement the set of procedures that enable you to carry out important business processes, like the functioning and security of ePHI, when operating in an emergency mode.
- Employ an audited and automated override of the access control mechanism, and implement Role Based Access Control (RBAC) for an emergency.
- Establish a plan that determines the activities and related requirements, for instance the process, roles and responsibilities for full system restoration.

Secondary Mitigation: Test the continuity of operations during emergency mode at regular intervals, so that the system can be promptly shifted to emergency mode in case of need.

Success Criteria: Your ability to readily shift to emergency mode in case of system collapse, run critical operations and maintain ePHI security all mark the success of emergency mode establishment and implementation.
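The audited, time-boxed override that the second mitigation step calls for, sketched as an added example (not code from the deck or from any EHR product). The role names, the one-hour grant and the in-memory audit trail are assumptions:

```python
"""Emergency-mode RBAC with an audited override: an added illustration, not code
from the Netspective deck.  Role names, the grant duration and the in-memory
audit trail are assumptions standing in for a real EHR's access control."""
from datetime import datetime, timedelta

# Assumed normal-mode role policy.
ROLE_PERMISSIONS = {
    "clinician": {"view_record", "update_record"},
    "billing": {"view_record"},
}


class EmergencyAccessControl:
    """Normal RBAC checks plus a time-boxed emergency override that is always logged."""

    def __init__(self, grant_minutes=60):
        self.grant_minutes = grant_minutes
        self.overrides = {}    # user -> expiry of the emergency grant
        self.audit_trail = []  # every decision and every override is recorded here

    def _log(self, **entry):
        entry["ts"] = datetime.now().isoformat(timespec="seconds")
        self.audit_trail.append(entry)

    def declare_emergency(self, user, reason, approver):
        """Grant a temporary override; reason and approver go into the audit trail."""
        expiry = datetime.now() + timedelta(minutes=self.grant_minutes)
        self.overrides[user] = expiry
        self._log(event="override_granted", user=user, reason=reason,
                  approver=approver, expires=expiry.isoformat(timespec="seconds"))

    def is_allowed(self, user, role, action, now=None):
        """Decide an access request; override use is logged separately from normal RBAC."""
        now = now or datetime.now()
        if action in ROLE_PERMISSIONS.get(role, set()):
            self._log(event="allow", user=user, action=action, via="rbac")
            return True
        expiry = self.overrides.get(user)
        if expiry is not None and now < expiry:
            self._log(event="allow", user=user, action=action, via="emergency_override")
            return True
        if expiry is not None:
            del self.overrides[user]  # expired grant is revoked automatically
            self._log(event="override_expired", user=user)
        self._log(event="deny", user=user, action=action)
        return False

    def override_events(self):
        """Events a reviewer should see after the emergency ends."""
        return [e for e in self.audit_trail if e["event"].startswith("override")]
```

Because every override grant, use and expiry lands in the audit trail, the post-emergency review described under Risk 9 can see exactly who used emergency access and why.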

Risk 8: Not having policies and procedures for the creation and secure storage of an electronic copy of ePHI to be used in the case of system breakdown or disaster

Explanation: Like any other form of data, ePHI may be lost in case of system breakdown or disaster if a proper backup is not kept and maintained. Backup of ePHI is important as it allows you to create and maintain retrievable copies of ePHI in case of emergency. Exact retrievable copies of ePHI can be established and maintained on media like physical removable media (e.g. CDs, USB drives) or virtual media (e.g. cloud storage).

Primary Mitigation: Establish and implement policies and procedures for making copies of ePHI on either physical or virtual media that can be retrieved when there is a system breakdown.

Secondary Mitigation: Make sure that the retrievable copies of ePHI are safe and protected against unauthorized use and disclosure.

Success Criteria: Being able to retrieve ePHI from the backup sources when the main source breaks down or faces a disaster.

Risk 9: Not having policies and procedures for the review of information system activity

Explanation: Reviewing information system activity enables you to identify and investigate irregular use of the system, which might be due to a breach of your security protocols or a violation of your security policies. Reviewing information system activity includes:

- Analyzing the audit reviews.
- Analyzing system activities and incident reports.
- Analyzing the audit logs.
- Reviewing the exception reports.

If you don't have defined procedures or policies to analyze these activities, you might not be able to detect and analyze security violations or unauthorized disclosure or use of ePHI.

Mitigation: Establish a system for reviewing the activity records of the information security system. This includes reviewing incident tracking reports, audit logs, access reports and so on.

Success Criteria: Being able to detect and analyze any anomalies after reviewing information security system activity records.
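An added example of the audit-log review this risk calls for, which also checks for the role-delegation problem in the Risk 3 example (one person both reviewing access logs and updating patient records). This is illustration code, not the deck's or any vendor's; the pipe-separated log format, the role policy and the log lines themselves are constructed assumptions:

```python
"""Audit-log review for ePHI access: an added illustration, not code from the
Netspective deck.  Log format, role policy and log lines are constructed."""
from collections import defaultdict
from datetime import datetime

# Assumed role-to-action policy: which actions each role may take on ePHI.
ALLOWED = {
    "clinician": {"view_record", "update_record"},
    "billing": {"view_record"},
    "auditor": {"review_access_log"},
}
# Constructed sample audit log (timestamp|user|role|action|record), not real data.
SAMPLE_LOG = """\
2024-03-04T09:12:10|alice|clinician|view_record|PT-1001
2024-03-04T09:15:42|alice|clinician|update_record|PT-1001
2024-03-04T10:02:05|bob|billing|update_record|PT-1002
2024-03-04T22:48:31|carol|clinician|view_record|PT-1003
2024-03-05T08:00:00|dave|auditor|review_access_log|-
2024-03-05T08:30:00|dave|auditor|update_record|PT-1004
"""


def parse_log(text):
    """Turn pipe-separated log lines into event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        ts, user, role, action, record = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "action": action, "record": record})
    return events


def review_events(events, business_hours=(7, 19)):
    """Return (user, reason) findings for the reviewer to investigate."""
    findings = []
    actions_by_user = defaultdict(set)
    for e in events:
        actions_by_user[e["user"]].add(e["action"])
        # Risk 3: an action the member's role does not permit.
        if e["action"] not in ALLOWED.get(e["role"], set()):
            findings.append((e["user"], f"role {e['role']} not permitted to {e['action']}"))
        # Exception report: ePHI record access outside business hours.
        if e["record"] != "-" and not business_hours[0] <= e["ts"].hour < business_hours[1]:
            findings.append((e["user"], f"after-hours {e['action']} on {e['record']}"))
    # Segregation of duties (the deck's Risk 3 example): whoever reviews the
    # access logs must not also be the one updating patient records.
    for user, actions in sorted(actions_by_user.items()):
        if {"review_access_log", "update_record"} <= actions:
            findings.append((user, "reviews access logs and also updates patient records"))
    return findings
```

On the constructed log this flags bob's out-of-role update, carol's after-hours record access, and dave both for an out-of-role action and for holding conflicting duties; each finding is a starting point for investigation, not a verdict.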

Risk 10: A practice that doesn't identify the members of its incident response team, assure that workforce members are trained, and test its incident response plans

Explanation: Incident response consists of clearly defining what constitutes a security incident and a step-by-step approach to how to deal with the situation afterwards. Without effective incident response and training of the workforce involved, the security of ePHI will always be a far cry. In the absence of incident response and workforce training, the security of your system will be compromised. Not to mention, it will also increase the cost and time of recovery and will exacerbate the damage done to your critical processes.

Primary Mitigation: An effective incident response plan would consist of the following components:

- Identifying the roles that will participate in incident reporting and response.
- Providing role-based training to the workforce involved.
- Incident response testing.
- Making observations and recommendations on how to improve incident response.
- Identifying who will speak to law enforcement, business associates, the media and the patients in the event of an incident.
- Carefully training the members of the incident response team.

Secondary Mitigation: Training and increasing awareness regarding incidents among other workforce members too.

Success Criteria: Successfully identifying which situations qualify to be labeled as an incident, and successfully handling those events without compromising security while mitigating the cost and time of recovery.

Risk 11: Not implementing information system security protection tools to protect against malware

Explanation: It is important that you perform regular and real-time scans of your servers, workstations (including laptops and other electronic devices), and information systems so that you're able to identify and respond to known or suspected security incidents. If you're not implementing these protocols, the security of your ePHI and other critical business operations may be compromised.

Mitigation: Mitigation steps may include:

- Identifying known or suspected cases of security incidents.
- Decreasing, as much as possible, the harmful effects of these incidents.
- Documenting these incidents and their potential outcomes.
- Employing automated mechanisms and tools to assist you in keeping track of the incidents and in collecting and analyzing the information gathered as a result.

Success Criteria: Improved protection against malware, a decrease in the incidence of malware attacks, and mitigation of the compromise of sensitive business components as a result of malware attacks.

Risk 12: Not regularly reviewing information system activity

Explanation: Reviewing the activity of your business operations and system activity is a periodic process that you have to do on a day-to-day basis. If you're not doing that, then perhaps you're overlooking some very crucial threats to your system security.

Mitigation: Establish a system for reviewing the activity records of the information security system on a day-to-day basis. This includes reviewing incident tracking reports, audit logs, access reports and so on.

Success Criteria: Being able to detect and analyze any anomalies after reviewing information security system activity records on a daily basis.

Visit http://www.netspective.com/opsfolio
E-mail: enquires@netspective.cc
Call: 202 656-6379

Thank You
