=Security Risk=

Security is being free from danger. The term can be used with reference to crime, accidents of all kinds, etc. Security is a vast topic including security of countries against terrorist attack, security of computers against hackers, home security against burglars and other intruders, financial security against economic collapse and many other related situations.

Security risks are often at the base of many other risks associated with eHealth. Many privacy risks stem from security issues associated with maintaining the confidentiality of information. Unfortunately, many eHealth security risk assessments stop at issues of confidentiality. Just as important, and perhaps even more so, are issues of availability and integrity that can cause or exacerbate safety risk (e.g. corruption of data leading to medical errors), operations risk (e.g. loss of service due to virus attacks) and business risk (e.g. disasters disrupting business operations).

=Information Security=

Information Security is concerned with the preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.


* **Confidentiality** is concerned with ensuring that information is protected from unauthorized access, use and disclosure. Protection of confidentiality is achieved by such measures as controlling access to the information, encrypting the information while it is being stored or communicated, training staff about their responsibilities and obligations for keeping patient information confidential, and requiring staff to read, understand and sign confidentiality agreements. Confidentiality is the objective that most people associate with the privacy of information. Many of the security safeguards implemented to support the privacy of personal health information will focus on ensuring the confidentiality of the information.


* **Integrity** is concerned with ensuring that the information is complete, accurate and up to date, and that it is not corrupted in any way while it is being input, processed, stored or communicated. Integrity is particularly critical to health information because the information is often used in circumstances where the health, safety and life of the patient and of health care providers are at stake. An incorrect lab value or medication dose can have disastrous consequences for the patient. Protection of integrity is achieved through input controls, audits, checksums and cryptographic techniques such as message authentication codes and digital signatures. Note that a plain checksum only detects accidental corruption: anyone able to alter the data can recompute it, so protection against deliberate modification requires a keyed MAC or a signature whose key the attacker does not hold.


* **Availability** is concerned with ensuring that personal health information is available to authorized users when it is needed. Health information systems are vulnerable to internal and external threats such as computer viruses, denial-of-service attacks and natural disasters that can destroy data or interrupt critical services. As health care providers and organizations become more dependent on computer systems and electronic health records for the critical information necessary for care delivery, ensuring that information is available to authorized people when it is needed becomes a top priority for health information professionals.


* **Authentication** is concerned with confirming the identity of people to a system, so that we know who is accessing health information systems and who the true originator of a message is. The most common form of electronic authentication is a user ID and password. Strong authentication adds a second factor such as a hardware token or a biometric (e.g. fingerprint or iris scan) to provide greater certainty, since a password alone can be guessed, phished or shared. Most health information transactions are made on the basis of trust. Authentication systems provide some measure of assurance that the right people are accessing personal health information and that the identity of the sender of a message is known.
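The integrity bullet above draws a line between checksums and stronger cryptographic techniques. The following added example (not part of the original page) shows on a constructed lab-result record why that line matters: an unkeyed CRC32 catches an accidental corruption, but a malicious employee who can alter the record can also recompute it, whereas an HMAC-SHA256 under a key the attacker does not hold detects both cases. The record, the key and the function names are assumptions for illustration only.

```python
import hashlib
import hmac
import json
import zlib

# Constructed sample lab result (not real patient data); a wrong value here
# could change a clinical decision, so its integrity matters.
RECORD = {"patient_id": "P-0001", "test": "serum potassium", "value": 4.1, "unit": "mmol/L"}

# Hypothetical integrity key held only by the record store / verifier. In a
# real system it lives in a key store or HSM, never alongside the data.
INTEGRITY_KEY = b"example-integrity-key-do-not-use"


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so equal records always hash identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def checksum(record: dict) -> int:
    """Unkeyed CRC32: detects accidental corruption, not deliberate change."""
    return zlib.crc32(canonical(record))


def mac(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256: detects any change by a party that does not hold the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def make_envelope(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Store the record together with an unkeyed checksum and a keyed MAC."""
    return {"record": record, "crc": checksum(record), "tag": mac(record, key)}


def check_envelope(env: dict, key: bytes = INTEGRITY_KEY) -> tuple[bool, bool]:
    """Return (crc_ok, mac_ok); compare_digest avoids a timing side channel."""
    crc_ok = checksum(env["record"]) == env["crc"]
    mac_ok = hmac.compare_digest(mac(env["record"], key), env["tag"])
    return crc_ok, mac_ok


def accidental_corruption(env: dict) -> tuple[bool, bool]:
    """Simulate a storage/transport error: a digit is lost, nothing is recomputed."""
    damaged = dict(env, record=dict(env["record"], value=41.0))
    return check_envelope(damaged)


def malicious_modification(env: dict) -> tuple[bool, bool]:
    """Simulate an insider changing the value and recomputing the unkeyed CRC.
    Without INTEGRITY_KEY the attacker cannot produce a matching tag."""
    altered = dict(env["record"], value=6.9)
    forged = dict(env, record=altered, crc=checksum(altered))
    return check_envelope(forged)


if __name__ == "__main__":
    env = make_envelope(RECORD)
    print("untouched: ", check_envelope(env))           # (True, True)
    print("accidental:", accidental_corruption(env))    # (False, False): both detect
    print("malicious: ", malicious_modification(env))   # (True, False): only the MAC detects
```

A SHA-256 digest stored next to the record has the same weakness as the CRC: whoever can write the record can recompute it. The keyed MAC (or a digital signature, where the verifier should not hold the signing key) is what turns a checksum into an integrity control against the "malicious employee who corrupts data" listed in the risk table below.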

=eHealth Security Risks=


||~ Risk ||~ Examples ||
|| Loss of Personal Health Information || Loss or theft of a device containing PHI (e.g. laptop, hard drive or other computer media, PDA, USB token) ||
|| || Virus attack that destroys PHI ||
|| || Natural or man-made disaster that destroys equipment and facilities that contain PHI ||
|| || Malicious employee who destroys data ||
|| Corruption or unauthorized modification of Personal Health Information || Virus attack that corrupts PHI ||
|| || Malicious employee who corrupts data ||
|| || Communications failure that truncates or garbles PHI in transit ||
|| Loss of critical ICT services || Natural or man-made disaster that destroys ICT services or renders them inoperable ||
|| || Malicious attack by an internal or external agent ||
|| || Network/communications failure ||
|| || Hardware/software malfunction ||
|| Unauthorized Disclosure || Attack on the information system by hackers ||
|| || Identity theft ||
|| || Social engineering of staff (i.e. staff conned into disclosing PHI to someone masquerading as a person with a legitimate purpose for the information) ||
|| || Staff discussing patient information in public places ||
|| || Portable computing devices (e.g. laptops, PDAs) lost or stolen ||
|| || Staff coerced or blackmailed into releasing PHI ||

=Security Standards and Controls=

Security controls for eHealth can be derived from security standards such as ISO/IEC 27002:2005 (formerly ISO/IEC 17799:2005) //Code of Practice for Information Security Management// and its companion standard ISO/IEC 27001:2005 //Information Security Management Systems – Requirements//; 27002 is the catalogue of controls, while 27001 states the management-system requirements an organization is audited and certified against. A draft international standard, ISO/DIS 27799 //Information security in health using ISO/IEC 27002//, is under development and will shape priorities for security in health care. These international standards address the complete range of security considerations, including:

 * Security policy
 * Organizing information security
 * Asset management
 * Human resources security
 * Physical and environmental security
 * Communications and operations management
 * Access control
 * Information systems acquisition, development and maintenance
 * Information security incident management
 * Business continuity management
 * Compliance

=Threat and Risk Assessment=

The Threat and Risk Assessment (TRA) is the primary tool for determining the security risk posture of an organization or system. It is a well-established and mature process in government and in select commercial sectors such as banking and finance. Conducting a TRA in a complex environment is a highly specialized task. In small and even mid-size organizations, however, the basic principles of the TRA can be applied quite successfully by most health information professionals; for large organizations or very complex systems, it may be more appropriate to engage expert security resources to conduct the TRA.

The TRA is a logical and structured process that guides the security professional from an identification of those assets that may be subject to theft, destruction, unauthorized access and other perils, through to recommendations that reduce the risks to a tolerable level. Like other risk management techniques it is a management process that gives managers and executives the information needed to make informed choices about the allocation of scarce resources while minimizing risks and maximizing opportunities. While the TRA focuses exclusively on security risk, other risk issues are often identified at the same time.