Information security is not a glamorous topic. However, HIPAA (1) has made it an unavoidable concern for those who use healthcare information systems. Unfortunately, this very important topic is often presented in a way that is difficult to understand unless one is a security professional. My goal in this series of posts is to make information security principles, and their practical application, less threatening for those wrestling with HIPAA’s security requirements.
The US legal code defines information security as follows:
> The term “information security” means protecting information and information systems from unauthorized access, use, disclosure, modification, or destruction in order to provide—
> (A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
> (B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
> (C) availability, which means ensuring timely and reliable access to and use of information. (2)
This definition introduces the three basic tenets of information security: confidentiality, integrity, and availability. Together they are known as the CIA triad, an acronym seen often in information security literature. Let’s take a closer look at each of them.
Confidentiality refers to the ability of the owner of sensitive information to control access to it. One’s Social Security Number is an example of confidential information. If it falls into the wrong hands, it can be a source of misery for its legitimate owner. However, it is readily shared with those who have a good reason for knowing it, such as a mortgage company, the IRS, or an employer.
While most people have a feel for the meaning of “confidential”, integrity is a less familiar concept—especially when referring to information. Reviewing the above definition points to an important, but often overlooked, aspect of security—preventing unauthorized and/or unintentional changes to information. Consider the chaos that would ensue if the checking account information at a bank became garbled or dosages for patients’ medications were somehow improperly changed in an EHR. Without the assurance of information integrity, computer systems become useless (or even dangerous).
Availability is pretty much self-explanatory. After all, what is the value of having information that one cannot access? Availability issues can occur on a small scale, such as a lost USB drive, or on a large scale, such as when the broadband connection used for EHR access goes down.
Now that you have been introduced to the three basic principles of information security, it is time to talk about three more important security concepts — vulnerabilities, threats, and risk. As you learn more about HIPAA security requirements, you will encounter these terms frequently.
Vulnerabilities are weaknesses in your current environment. They can be obvious, such as out-of-date virus definitions on your computer, or hidden, such as a fire hazard created by an exposed wire in a closet. Proper security planning requires identifying all vulnerabilities and taking steps to address them.
Examples of common vulnerabilities are:
- Easy to guess passwords
- Inadequate data backups
- Inadequate security training for employees
- Broken/missing locks
- Lack of a policy to control employees’ access to sensitive data
- No disaster recovery or business continuity plan
- Delays in removing terminated employees’ computer access privileges
Anything that can take advantage of your environment’s security vulnerabilities is referred to as a threat. On hearing the word threat, most people immediately think “hacker.” However, many threats are environmental, such as floods, tornadoes, and fires. In addition, many threats are internal. For example, in healthcare organizations most unauthorized data breaches occur at the hands of employees, not outside hackers.
Examples of common threats:
- Software errors
- Curious employees
- Equipment failure
There is no such thing as a totally secure environment. Therefore, information security is an ongoing process of identifying vulnerabilities and determining the likelihood that a threat will take advantage of them. This is the gist of risk assessment/analysis. Security risk analysis is a requirement for meaningful use. However, anyone who has an EHR or any system that contains electronic protected health information is subject to the HIPAA risk analysis requirement, even if there is no intent to apply for EHR incentives.
Controls are the mechanisms used to manage threats, vulnerabilities, and risks. There are three types of controls: administrative, physical, and technical.
- Administrative controls consist of the rules, policies, and procedures organizations create to provide guidance on proper behaviors and actions.
- Physical controls are used to protect the physical environment where information resides. Locks, security guards, cameras, and fire extinguishers are examples of physical controls.
- Technical controls (HIPAA calls them technical safeguards) are the computer tools most people associate with security: antivirus software, firewalls, encryption, strong passwords, etc.
If you have made it this far in the post without falling asleep, you should have a decent understanding of the most important information security concepts and terms. If nothing else, discussions of the HIPAA security rule should make more sense.
I am particularly interested in how small practices are handling information security issues. If this describes your practice, please let me know if these posts are useful.
1. Security 101 for Covered Entities. Centers for Medicare and Medicaid Services. Accessed November 6, 2011. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/security101.pdf
2. US Legal Code: Title 44, §3542. Definitions. Legal Information Institute, Cornell University Law School. Accessed November 6, 2011. http://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003542—-000-.html