Security
The practices and means by which data, and the privacy of the people it describes, are preserved and protected
Data Security
Process of keeping data, both in transit and at rest, safe from unauthorized access, alteration, or unauthorized destruction
Unauthorized Access
Access to data by individuals who should not have access
Alteration
Unauthorized modification
Unauthorized Destruction
Destroying data without permission
Security Controls
Protect the privacy of data by limiting access to personal and sensitive information; protect data from unauthorized access, use, and disclosure; and protect data from unauthorized alteration and destruction
What do security controls include?
Administrative
Physical
Technical safeguards
Data Integrity
Data are complete, accurate, consistent, and up to date so the data is reliable
Ensures data recoverability and searchability by ensuring the accuracy and consistency of stored data
A part of data governance and information governance
Data Availability
Making sure the organization can depend on the information system to perform as expected and to provide information when and where it is needed
Security Breaches
Unauthorized data or system access, by people from both inside and outside the healthcare organization
Can occur through hardware or software failures and when an intruder hacks into the information system
Data Loss Prevention Strategy
Assists organizations with controlling and limiting what data can be moved or transferred outside the organization's information technology infrastructure (by email, removable media, cloud upload, and so on) and by whom
An essential element of data confidentiality that contributes to the overall effectiveness of a data security program
Internal Threats
Threats that can originate within an organization
External Threats
Threats that originate outside an organization
What are the 5 general classifications of data security threats?
Threats from insiders who make unintentional errors
Threats from insiders who abuse their access privileges to information
Threats from insiders who access information or computer systems for spite or profit
Threats from intruders who attempt to access information or steal physical resources
Threats from vengeful employees or outsiders who mount attacks on the organization’s information systems
Threats from insiders who make unintentional errors
Employees who accidentally make a typographical error, or inadvertently delete files on a computer disk, or unknowingly disclose confidential information
One of the major causes of security breaches
Threats from insiders who abuse their access privileges to information
Employees who knowingly disclose information about a patient to individuals who do not have proper authorization
Employees with access to computer files who purposefully snoop for information they do not need to perform their jobs
Employees who store information on a thumb drive, remove it from the organization on a laptop or other storage device, and subsequently lose the device or have it stolen
Threats from insiders who access information or computer systems for spite or profit
Employees seek information to commit fraud or theft
Threats from intruders who attempt to access information or steal physical resources
Individuals may physically come onto the organization's property to access information or steal equipment such as laptop computers or printers
May loiter in the organization's buildings hoping to access information from unprotected computer terminals or to read or take paper documents, computer disks, or other information
Threats from vengeful employees or outsiders who mount attacks on the organization’s information systems
Disgruntled employees might destroy computer hardware or software, delete or change data, or enter data incorrectly into the information system
Outsiders might mount attacks that harm the organization's information resources
Ex. Malicious hackers can plant viruses in a computer system or break into telecommunications systems to degrade or disrupt information system availability
Social Engineering
The most common way that hackers breach the security of data
Manipulation of individuals (or targets) to freely disclose personal information or account credentials to hackers
Hackers pose as someone or something that the target is familiar with to gain access to information that would otherwise be private and secure
What are the 4 main types of social engineering?
Phishing
Spear phishing
Baiting
Tailgating
Phishing
Most common type of social engineering technique
Accomplished using email
Hacker sends a target what appears to be a legitimate email correspondence from a legitimate company or org requesting that the target click a link within the email and provide log-in and password credentials to an information system or application
Spear Phishing
Requires more work on the part of the hacker, because the message is tailored to a specific target
The hacker researches the target, and the individual whose identity the hacker will assume, by looking up social media accounts and activity on the web
Often assumes the identity of an individual in a high-level leadership position in the organization. Using this identity, the hacker then targets other individuals within the organization to obtain personal information or credentials from them
Baiting
Involves hackers leaving an infected USB or flash drive in a public area in the hope that someone will come by, pick it up, and use it out of curiosity.
May also involve the hacker sending out emails with embedded links to random recipients. When the link is clicked, it loads malicious software that can then transfer sensitive data to the hacker without the individual's knowledge
Tailgating
Allows a hacker, imposter, or other unauthorized individual to use an authorized individual’s access privileges to gain access to a restricted physical area
Ex. An imposter/hacker wants to gain access to a building that requires badge access. This individual follows closely behind an individual who just swiped his or her badge and gains access by simply following the other individual inside that building
Malware
Any software designed to disrupt computer or mobile device operations, damage data, or gain unauthorized access
Can take partial or full control of a computer, compromise data security, and corrupt both data and storage media
What are examples of malware?
Computer virus
Computer worm
Trojan horse
Spyware
Backdoor program
Rootkit
Ransomware
(Phishing, often listed alongside these, is a social engineering technique used to deliver malware or steal credentials, not malware itself)
Computer Virus
A program that reproduces itself and attaches itself to legitimate programs on a computer
Can be programmed to change or corrupt data
Can slow down the performance of the computer
Computer Worm
Copies itself and spreads throughout a network
Does not need to attach itself to a legitimate program, it can execute and run itself
Trojan Horse
Masquerades as a useful program to get installed, then gains unauthorized access to the computer
Capable of compromising data by copying confidential files to unprotected areas of the computer system
May also copy and send itself to email addresses found on the user's computer
Spyware
Tracks an individual’s activity on a computer system
Can capture private information such as a password, credit card, usernames, or account numbers
Backdoor Program
Bypasses normal authentication processes and allows access to computer resources, such as programs, computer networks, or entire computer systems
Rootkit
Designed to gain unauthorized, privileged access to a computer, take control of and modify the operating system, and hide its own presence from the user and from security software
Ransomware
Malware that blocks access to a computer system or particular files, typically by encrypting them, and demands payment for restoring access
Chief Security Officer
The person in the organization who coordinates the development of security policies and makes certain that they are followed
Works closely with the information security committee
Information Security Committee
Works with the CSO
Evaluates the healthcare organization's security needs, establishes a security program, develops the associated policies and procedures (including monitoring and sanction policies), and ensures the policies are followed
HIPAA Security Rule
Established a national standard for the protection of electronic protected health information (ePHI) that is created, received, maintained, or transmitted by a covered entity (CE)
Security Incident
Attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system
Information Technology
A computer technology combined with telecommunications technology
Confidentiality, Integrity, and Availability (CIA) Triad of Information Security
A baseline standard for determining whether a security program is effective
Allows for the implementation and evaluation of a security program based upon 3 goals
Confidentiality
Only authorized and appropriate individuals access the data within an information system
Integrity
The data within the system can be trusted
Availability
The data within the system are available to authorized end users whenever and wherever they are needed
An effective security program contains:
Employee awareness including ongoing education and training
Risk Management program
Access safeguards
Physical and administrative safeguards
Software application safeguards
Network safeguards
Disaster planning and recovery
Data quality control processes
Employee Awareness
Includes training, Procedure refreshers, Tips on how to identify suspicious emails, general information about the employees’ obligations from a data security perspective
Risk Management
A comprehensive program of activities intended to minimize the potential for injuries to occur in a facility, and to anticipate and respond to them so that liability for those injuries does not arise
Includes processes to identify, evaluate, and control risk, defined as the organization's exposure to accidental financial liability
Mitigation
The steps taken to reduce the harmful effect that a violation of HIPAA requirements (such as an improper use or disclosure of PHI) has on a patient
Risk Analysis
Involves assessing security threats and vulnerabilities, and the likely impact of any vulnerability
Likelihood Determination
An estimate of the probability of threats occurring
Impact Analysis
An estimate of the impact of threats on information assets
Incident Detection
Should be used to identify both accidental and malicious events
Access Safeguards
Fundamental security strategy
Identification of which employees should have access to what data
Role-based Access Control (RBAC)
Every role in the CE should be identified, along with the type of information required to perform it
User-based Access Control
Grants access based on a user’s individual identity
Context-based Access Control
Limits a user’s access based not only on identity and role, but also on a person’s location and time of access
Access Control
The restriction of access to information and information resources to only those who are authorized, by role or other means
Authentication
The act of verifying a claim of identity
Three factor types: something you know (passwords), something you have (smart cards and tokens), something you are (biometrics)
Passwords
Frequently used in conjunction with a username
Should have a minimum length; include upper- and lower-case letters, numbers, and special characters; and not be dictionary words or derived from the user's ID or personal information
STRENGTHS: Long, unpredictable passwords are hard to guess or crack
WEAKNESSES: Easy to guess when short or common, and easily stolen if written down. Easily forgotten if long. Hackers can "sniff" or intercept passwords at various stages of input, and a captured password can be replayed indefinitely unless a second factor is required
Smart Cards
A small plastic card with an embedded microchip that can store multiple id factors for a specific user
Used in combination with a user ID or password
One-Time Password (OTP) Token
A small electronic device programmed to generate and display new passwords at certain intervals
STRENGTHS: The user needs to remember only a short PIN rather than a password. Because each code is valid for one use or one short interval, a captured code cannot be replayed, and dictionary attacks (whereby the hacker electronically and repeatedly inputs different passwords in the hope of guessing the correct one) are defeated
WEAKNESSES: The token can be stolen, and access is compromised if a static PIN is assigned to a specific token and the user writes that PIN on the back of it
Biometrics
Identity verification based upon measurements of a person’s physical characteristics
Ex. Palm prints, fingerprints, voiceprints, retinal (eye) scans
STRENGTHS: Require no passwords and are very hard to replicate
WEAKNESSES: Every biometric has a false rejection rate and a false acceptance rate, and a compromised biometric, unlike a password, cannot be reissued. Some people are reluctant to have their fingerprints taken due to privacy concerns
Two-Factor Authentication
Providing information from two of the three different types of authentication information
A stronger method of protecting data access than user identification with passwords
Ex. The individual provides something he knows and something he has
Single Sign-On
An authentication strategy that allows a user to log in to many separate, although related, information systems
The user logs in once and is then able to access many information systems
Prevents the user from having to log in to each information system individually (so the single credential, and the session it creates, must be protected accordingly)
Ex. An encoder and an electronic health record
Authorization
A right or permission given to an individual to use a computer resource, such as a computer, or to use specific applications and access specific data
A set of actions that gives permission to an individual to perform specific functions such as read, write, or execute tasks
Is usually managed through special authorization software that uses various criteria to determine if an individual has authorization for access, sometimes referred to as an access control matrix
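The following is an added example, not part of the original deck, that puts the three access control models above (role-based, user-based, context-based) and the access control matrix into one authorization check. Roles, data types, locations, hours, and user names are constructed for the example; the decision is default deny, so a request must match a role or user grant and satisfy the context rule for its role.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical access control matrix: role -> data type -> permitted actions.
ROLE_PERMISSIONS = {
    "physician":     {"clinical_note": {"read", "write"}, "billing": {"read"}},
    "nurse":         {"clinical_note": {"read"}},
    "billing_clerk": {"billing": {"read", "write"}},
}

# User-based grants: permissions tied to an individual identity, in addition to the role.
USER_GRANTS = {
    "asmith": {("clinical_note", "read")},   # e.g. a clerk who also reviews notes
}

# Context rules: where and during which hours each role may touch ePHI (hypothetical).
CONTEXT_RULES = {
    "physician":     {"locations": {"ward", "clinic", "vpn"}, "hours": (0, 24)},
    "nurse":         {"locations": {"ward"},                  "hours": (0, 24)},
    "billing_clerk": {"locations": {"office"},                "hours": (7, 19)},
}


@dataclass
class AccessRequest:
    user: str
    role: str
    data_type: str
    action: str
    location: str
    when: datetime


def request(user, role, data_type, action, location, when_iso):
    """Convenience constructor taking an ISO-8601 timestamp."""
    return AccessRequest(user, role, data_type, action, location,
                         datetime.fromisoformat(when_iso))


def rbac_allows(req):
    """Role-based check against the matrix."""
    return req.action in ROLE_PERMISSIONS.get(req.role, {}).get(req.data_type, set())


def user_allows(req):
    """User-based check: explicit grants for this identity."""
    return (req.data_type, req.action) in USER_GRANTS.get(req.user, set())


def context_allows(req):
    """Context-based check: location and hour of access for the role."""
    rule = CONTEXT_RULES.get(req.role)
    if rule is None:
        return False
    start, end = rule["hours"]
    return req.location in rule["locations"] and start <= req.when.hour < end


def decide(req):
    """Return (allowed, reason). Denied unless a role or user grant exists AND the
    context rule for the role is satisfied (default deny)."""
    if not (rbac_allows(req) or user_allows(req)):
        return False, "no role or user grant for this action on this data type"
    if not context_allows(req):
        return False, "outside permitted location or hours for this role"
    return True, "permitted"
```

The reason string is what should land in the audit trail, so that a denied request can later be distinguished from a permitted one during review.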
CAPTCHA
Completely Automated Public Turing Test to tell Computers and Humans Apart
Physical Safeguards
The physical protection of information resources from physical damage, loss from natural or other disasters, and theft
Includes protection and monitoring of the workplace, data center, and any type of hardware or supporting information system infrastructure such as wiring closets, cables, and telephone and data lines
Automatic Logouts
Timed logouts of idle sessions that reduce the chance that an unattended account will be used by someone else; used to prevent access by unauthorized individuals
Administrative Safeguards
Includes policies and procedures that address the management of computer resources
Information Technology Asset Disposition (ITAD)
Identifies how all data storage devices are destroyed and purged of data prior to repurposing or disposal
Application Safeguards
Controls contained in application software or information systems to protect the security and integrity of information
Application Controls
Authentication and validation checks built into applications (for example, edit checks)
Important because they are automatic checks that help preserve data confidentiality and integrity
Audit Trail
A record, maintained by the system, of every access or attempted access to data in the information system
Logs the identity of the individual who accessed the data, the terminal location or IP address, the date and time, the type of data, and the action taken
Reviewed periodically, on predetermined schedules or more frequently for highly sensitive information
System Administrators
Examine audit trails using special analysis software to identify suspicious or abnormal system events or behavior
Edit Check
Help to ensure data integrity by allowing only reasonable and predetermined values to be entered into the computer
What are some network safeguards?
Firewalls
Cryptography
Encryption
Digital Signatures
Digital Certificates
Firewall
A secure gateway
Part of an information system or network that is designed to block unauthorized access while permitting authorized communications
Software or a device that filters information and serves as a buffer between two networks, usually between a private network and a public network
Allow internal users access to an external network while blocking malicious hackers from damaging internal systems
Configured to permit, deny, encrypt, and decrypt computer traffic
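The following is an added example, not part of the original deck, showing how a packet-filtering firewall at the private/public boundary evaluates a rule list: first match wins, and anything that matches no rule is denied. The addresses, ports and rule names are hypothetical. It also shows why rule order is part of the policy: the same two rules in the wrong order let inbound RDP through.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # any source
    dst: str = "0.0.0.0/0"          # any destination
    dport: Optional[int] = None     # None = any port
    proto: Optional[str] = None     # None = any protocol


def rule_matches(rule, pkt):
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.proto is None or rule.proto == pkt.proto))


def filter_packet(rules, pkt):
    """First matching rule wins; a packet matching no rule is dropped (default deny)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


INTERNAL = "10.0.0.0/8"     # the private network (hypothetical addressing)
PORTAL = "10.0.20.5/32"     # the only internal host the public may reach

# Hypothetical policy for the private/public boundary.
RULES = [
    Rule("permit", src=INTERNAL, dport=443, proto="tcp"),   # staff browsing external HTTPS
    Rule("permit", src=INTERNAL, dport=53, proto="udp"),    # staff DNS lookups
    Rule("permit", dst=PORTAL, dport=443, proto="tcp"),     # public -> patient portal only
    Rule("deny"),                                            # explicit catch-all (logged in practice)
]

# Same intent, wrong order: the broad permit shadows the specific deny, so RDP from
# the internet reaches every internal host.
MISORDERED_RULES = [
    Rule("permit", dst=INTERNAL),
    Rule("deny", dst=INTERNAL, dport=3389, proto="tcp"),
]
```

Real firewalls add state (allowing the reply packets of a permitted outbound connection) and logging of the catch-all deny; the ordering and default-deny behaviour shown here carry over unchanged.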
Cryptography
A branch of mathematics concerned with transforming data using ciphers so that only the intended parties can read or verify it
Used as a tool for data security
Improves the security of information systems and their data
Ex. Encryption, digital signatures, digital certificates
Encryption
A method of encoding data by converting them into unreadable, scrambled characters and symbols, whether in transit through a telecommunications network or at rest in storage, so that they cannot be understood by persons who do not have the key to transform the data back into their original form
Symmetric (Single-key or Secret-key) Encryption
Two or more computers share the same secret key, and that key is used both to encrypt and to decrypt a message; the difficulty is distributing the shared key securely
Public Key (Asymmetric) Encryption and Public Key Infrastructure (PKI)
A common encryption method (used by programs such as Pretty Good Privacy, PGP, and by TLS)
Uses both a public key and a private key, which form a key pair; the public key can be shared freely, the private key never is
The sender encrypts the data with the recipient's public key, and only the recipient, holding the matching private key, can decrypt it
A PKI adds a registry of keys and identities vouched for by a certificate authority
Digital Signature
A public key cryptography method that ensures that an electronic document such as an email message or text file is authentic (came from the claimed sender) and has not been altered
Data are electronically signed by applying the sender's private key to a hash of the data; anyone with the sender's public key can verify the signature
Digital Certificates
Used to implement public key encryption on a large scale
An electronic document that uses a digital signature to bind together a public key with an identity such as the name of a person or an organization, address, and so forth
Can be used to verify that a public key belongs to an individual
Certificate Authority (CA)
An independent, trusted third party
The middleman that both the sending and receiving computers trust. It verifies each party's identity before issuing a certificate, and signs the certificate so that each computer can check the other's public key
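The following is an added example, not part of the original deck, that walks through the public key material above end to end: a key pair, encryption with the recipient's public key and decryption with the private key, a digital signature made with the sender's private key over a SHA-256 hash, and a minimal certificate in which a certificate authority's signature binds an identity to a public key. It uses textbook RSA implemented with Python's standard library only (no padding, no real certificate format), which is enough to show who uses which key but must not be used for real data; the identity strings and function names are constructed for the example.

```python
import hashlib
import json
import random


# --- Toy RSA key generation (standard library only; no padding, not for production) ---
def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # force size and oddness
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


# --- Encryption: anyone with the public key encrypts; only the private key decrypts ---
def encrypt(public_key, message):
    n, e = public_key
    m = int.from_bytes(message, "big")
    assert m < n, "message too long for this toy key (and must not start with a zero byte)"
    return pow(m, e, n)


def decrypt(private_key, ciphertext):
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# --- Digital signature: private key signs a hash; public key verifies it ---
def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")   # 256 bits < n


def sign(private_key, data):
    n, d = private_key
    return pow(_digest(data), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(data)


# --- Certificate: identity + public key, bound together by the CA's signature ---
def issue_certificate(ca_private, subject, subject_public):
    body = {"subject": subject, "n": subject_public[0], "e": subject_public[1]}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "signature": sign(ca_private, encoded)}


def verify_certificate(ca_public, cert):
    """Relying parties trust the CA's public key, not the certificate itself."""
    encoded = json.dumps(cert["body"], sort_keys=True).encode()
    return verify(ca_public, encoded, cert["signature"])
```

The checks worth noticing: decrypting requires the private key that was never shared; altering one byte of a signed document makes verification fail; and changing the subject name inside a certificate invalidates the CA's signature, which is what stops an attacker from presenting someone else's public key under their own name.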
Transport Layer Security (TLS) and Secure Sockets Layer (SSL)
Protocols that use public key cryptography to authenticate the server (via its digital certificate) and agree on a shared session key, then symmetric encryption to protect the traffic
Most common protocols used to secure communications on the internet between a web browser and a web server; SSL is deprecated and TLS is its successor
Intrusion Detection
The process of identifying attempts or actions to penetrate an information system and gain unauthorized access.
Can either be performed in real time or after the occurrence of an intrusion
To prevent the compromise of confidentiality, integrity, or availability of a resource
Can be performed manually or automatically
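The following is an added example, not part of the original deck, that serves both the Audit Trail entries above (what is logged, and the system administrator reviewing it with analysis software) and Intrusion Detection (identifying attempts to gain unauthorized access after the fact). It parses a constructed audit log in the field layout the deck describes (user, IP address, date and time, data type, action) and runs three detections over it: a burst of failed logins from one address (an intrusion attempt), one user opening an unusual number of distinct patient records in a short window (insider snooping), and successful access outside business hours. Thresholds, the log format and the user names are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data).
AUDIT_LOG = """\
2024-03-04T02:10:01 user=admin ip=203.0.113.9 data=auth id=- action=login result=failure
2024-03-04T02:10:08 user=admin ip=203.0.113.9 data=auth id=- action=login result=failure
2024-03-04T02:10:15 user=admin ip=203.0.113.9 data=auth id=- action=login result=failure
2024-03-04T02:10:22 user=admin ip=203.0.113.9 data=auth id=- action=login result=failure
2024-03-04T02:10:29 user=admin ip=203.0.113.9 data=auth id=- action=login result=failure
2024-03-04T02:10:36 user=admin ip=203.0.113.9 data=auth id=- action=login result=failure
2024-03-04T09:02:11 user=mlee ip=10.0.5.23 data=patient_record id=P1001 action=read result=success
2024-03-04T09:30:45 user=mlee ip=10.0.5.23 data=patient_record id=P1001 action=write result=success
2024-03-04T13:01:02 user=jdoe ip=10.0.7.41 data=patient_record id=P2001 action=read result=success
2024-03-04T13:04:50 user=jdoe ip=10.0.7.41 data=patient_record id=P2002 action=read result=success
2024-03-04T13:09:13 user=jdoe ip=10.0.7.41 data=patient_record id=P2003 action=read result=success
2024-03-04T13:15:27 user=jdoe ip=10.0.7.41 data=patient_record id=P2004 action=read result=success
2024-03-04T22:45:09 user=rkim ip=10.0.9.8 data=patient_record id=P3001 action=read result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) data=(?P<data>\S+) "
    r"id=(?P<id>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def parse_audit_log(text):
    """One dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def detect_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Intrusion attempt: >= threshold failed logins from one IP inside the window."""
    findings, failures = [], defaultdict(list)
    for ev in events:
        if ev["action"] == "login" and ev["result"] == "failure":
            failures[ev["ip"]].append(ev["ts"])
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                findings.append(("login_burst", ip, j - i))
                break
    return findings


def detect_snooping(events, max_patients=3, window=timedelta(hours=1)):
    """Insider abuse: one user reading more distinct records than expected in a short span."""
    findings, by_user = [], defaultdict(list)
    for ev in events:
        if ev["data"] == "patient_record" and ev["result"] == "success":
            by_user[ev["user"]].append(ev)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            ids = {e["id"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(ids) > max_patients:
                findings.append(("snooping", user, len(ids)))
                break
    return findings


def detect_after_hours(events, start_hour=7, end_hour=19):
    """Successful access outside business hours, flagged for administrator review."""
    return [("after_hours", ev["user"], ev["ts"].isoformat()) for ev in events
            if ev["result"] == "success" and not start_hour <= ev["ts"].hour < end_hour]


def review_audit_log(text):
    events = parse_audit_log(text)
    return detect_login_bursts(events) + detect_snooping(events) + detect_after_hours(events)
```

On the sample log this yields three findings: the failed-login burst from 203.0.113.9, jdoe reading four different patients in fifteen minutes, and rkim's access at 22:45. Each finding is a lead for review, not a verdict; the after-hours rule in particular needs role context (on-call clinicians) before it is actionable.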
Risk Analysis
Allows for the identification and prioritization of those risks, helps the CE ensure it is maintaining the confidentiality, integrity, and availability of ePHI
Contingency Plan
A set of procedures documented by the CE to be followed when responding to emergencies
Based on information gathered during the risk assessment and analysis
Includes the probability that an unexpected shutdown will occur
The contingency plan is based on the following steps:
Identify the minimum allowable time for system disruption
Identify the alternatives for system continuation
Evaluate the cost and feasibility of each alternative
Develop procedures required for activating the plan
Disaster Recovery Plan
Addresses the resources, actions, tasks, and data necessary to restore those services identified as critical, such as the EHR, as soon as possible, and to manage business recovery processes
Business Continuity Plan (BCP)
A set of policies and procedures that direct the CE how to continue its business operations during an information system shutdown
Emergency Mode of Operations
Prescribes processes and controls to be followed until operations are fully restored
Data Consistency
A component of data integrity, means that data do not change no matter how often or in how many ways they are stored
Data Definition
Describes the data
Every data element should have a clear meaning and a range of acceptable values
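The following is an added example, not part of the original deck, that ties the Data Definition entry here to the Edit Check entry earlier: a small data dictionary gives each element a clear meaning and a range of acceptable values, and an edit check refuses any record whose values fall outside them, including a cross-field rule (a discharge cannot precede an admission). The elements, ranges and helper names are constructed for the example.

```python
import re
from datetime import date

# Constructed data dictionary: meaning plus acceptable values for each element.
DATA_DICTIONARY = {
    "mrn":            {"meaning": "Medical record number, 8 digits", "type": str,
                       "pattern": r"^\d{8}$"},
    "sex":            {"meaning": "Administrative sex code", "type": str,
                       "allowed": {"F", "M", "X"}},
    "date_of_birth":  {"meaning": "Patient date of birth", "type": date,
                       "min": date(1900, 1, 1), "max": "today"},
    "systolic_bp":    {"meaning": "Systolic blood pressure, mmHg", "type": int,
                       "min": 50, "max": 250},
    "admission_date": {"meaning": "Date admitted", "type": date,
                       "min": date(1900, 1, 1), "max": "today"},
    "discharge_date": {"meaning": "Date discharged", "type": date,
                       "min": date(1900, 1, 1), "max": "today", "optional": True},
}


def make_record(mrn, sex, dob, systolic_bp, admitted, discharged=None):
    """Build a record from ISO date strings; omitted optional fields are left out."""
    to_date = lambda s: date.fromisoformat(s) if s else None
    rec = {"mrn": mrn, "sex": sex, "date_of_birth": to_date(dob),
           "systolic_bp": systolic_bp, "admission_date": to_date(admitted),
           "discharge_date": to_date(discharged)}
    return {k: v for k, v in rec.items() if v is not None}


def edit_check(record):
    """Return a list of integrity errors; an empty list means the record is accepted."""
    errors = []
    for field, spec in DATA_DICTIONARY.items():
        value = record.get(field)
        if value is None:
            if not spec.get("optional"):
                errors.append(f"{field}: required ({spec['meaning']})")
            continue
        if not isinstance(value, spec["type"]):
            errors.append(f"{field}: expected {spec['type'].__name__}")
            continue
        if "pattern" in spec and not re.match(spec["pattern"], value):
            errors.append(f"{field}: does not match {spec['pattern']}")
        if "allowed" in spec and value not in spec["allowed"]:
            errors.append(f"{field}: not one of {sorted(spec['allowed'])}")
        lo, hi = spec.get("min"), spec.get("max")
        hi = date.today() if hi == "today" else hi
        if lo is not None and value < lo:
            errors.append(f"{field}: below minimum {lo}")
        if hi is not None and value > hi:
            errors.append(f"{field}: above maximum {hi}")
    # Cross-field consistency: a patient cannot be discharged before being admitted.
    adm, dis = record.get("admission_date"), record.get("discharge_date")
    if isinstance(adm, date) and isinstance(dis, date) and dis < adm:
        errors.append("discharge_date: earlier than admission_date")
    return errors
```

The point of keeping the ranges in the dictionary rather than in the code is that the same definition drives data entry screens, interface validation and retrospective data quality audits, so all three agree on what "reasonable" means.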
What did ARRA do?
Through the HITECH Act (Title XIII of ARRA), it moved enforcement of HIPAA Security Rule compliance from the Centers for Medicare and Medicaid Services (CMS) to the Department of Health and Human Services Office for Civil Rights (OCR)
What are the categories for the Security Rules?
Administrative safeguards
Physical safeguards
Technical Safeguards
Organizational Requirements
Policies and procedures and documentation requirements
What are the functions of a chief security officer?
Conduct strategic planning for information system security
Develop a data and information system security policy
Develop data security and information systems procedures
Manage confidentiality agreements for employees and contractors
Create mechanisms to ensure that data security policies and procedures are followed
Coordinate employee security training
Monitor audit trails to identify security violations
Conduct risk assessment of enterprise information systems
Develop a business continuity plan
General Rules
Provide the objective and scope for the HIPAA Security Rule as a whole
Facility Access Controls
Policies and procedures must be implemented to appropriately manage not only the physical security of information systems, but also the buildings that house those information systems
Accomplished through building infrastructure as well as access management related to the individuals who are and are not permitted to access those facilities
This standard also covers contingency operations (facility access needed to restore lost data under the disaster recovery plan and emergency mode operations) and maintenance records documenting repairs and modifications to the physical components of the facility that relate to security, such as hardware, walls, doors, and locks
Workstation Use
Policies and procedures must address workstations that access ePHI: the proper functions to be performed on them, the manner in which they are performed, and the physical environment in which those workstations exist
Workstation Security
Require physical safeguards, as described earlier, be implemented for workstations with access to ePHI