
Explanation of the Most Common Types of Information Assurance Risks

Part II: Technical Risks
Risk 1: Lack of unique user identification for every workforce member prior to obtaining access to ePHI

Explanation: A user identifier is typically a name, a number, or a combination of characters and numbers that forms a string uniquely identifying one user. The unique identifier lets the information system attribute every action to the user who performed it, so that each user of a system holding ePHI can be held accountable for what he or she did on it.

Major Mitigation: Physician practices must choose a user identification strategy that fits the organization's policies and processes. Some organizations use employee codes, variations of names, or identifiers generated randomly from letters and digits. A randomly generated identifier is harder for an unauthorized person to guess, but it is also harder for the legitimate user to remember. Physician practices must weigh these factors when settling on an identifier scheme.

Secondary Mitigation: User activity in information systems containing ePHI must be tracked and monitored on a regular basis to watch for unauthorized access.

Success criteria: Periodic audits need to be performed that prove that:
- Unauthorized access to ePHI has not taken place.
- Regular monitoring of user activity has been carried out consistently.

www.netspective.com
Risk 2: Lack of unique passwords for each member of the workforce. Sharing of passwords. Access to ePHI is not based on the job function of the workforce

Explanation: Passwords are what workforce members use to gain access to information systems that hold ePHI. Each password must be unique and assigned to an individual user. A password given to a user, whether system-generated or assigned, must not be shared with anyone. Workforce members need more or less access to ePHI depending on their job function, so not all users should have equal access.

Major Mitigation: Access to systems containing ePHI should be granted only to individuals who require it as part of their job function, and then only the minimum access needed to carry out that function. Users must be able to change their own passwords, and passwords must be changed periodically, and immediately whenever compromise is suspected, so that a leaked password does not remain usable. Each member of the workforce should be trained on the password protection policies and should be held

Secondary Mitigation: Each workforce member's access to ePHI must be periodically reviewed and updated as job functions change, so that access stays at the minimum necessary. Access details must be documented and kept current. Periodic audits must be carried out. A sanction policy must be implemented for sharing passwords.

Success criteria: Reports from the periodic audits will show how the defined policies are carried out and how they are periodically updated. User access logs can also be consulted to verify that each user's access to ePHI matches his or her job function.
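The periodic review called for above can be scripted against the identity store. The following is an added example, not code from the Netspective document: it assumes a hypothetical job-function-to-permission table (ROLE_ENTITLEMENTS), constructed account records (SAMPLE_ACCOUNTS) and an assumed 90-day review interval, and it flags accounts whose grants exceed their job function, credentials held by more than one person (or by nobody), and accounts whose job function changed after the last documented review.

```python
"""Periodic ePHI access review (added example, not code from the original
document). The job-function entitlement table, the account records and the
review interval are constructed; a real review would read them from the
practice's identity store and HR records."""
from dataclasses import dataclass
from datetime import date

# Hypothetical minimum-necessary matrix: job function -> permissions on ePHI.
ROLE_ENTITLEMENTS = {
    "physician": {"ehr.read", "ehr.write", "orders.write"},
    "nurse": {"ehr.read", "ehr.write"},
    "front_desk": {"schedule.read", "schedule.write", "demographics.read"},
    "billing": {"demographics.read", "claims.read", "claims.write"},
}
REVIEW_INTERVAL_DAYS = 90  # assumed policy value


@dataclass
class Account:
    username: str
    role: str
    granted: set           # permissions actually configured on the system
    owners: list           # workforce members who hold this credential
    role_changed: date     # last job-function change (from HR)
    last_reviewed: date    # last documented access review


def review_access(accounts, today, entitlements=ROLE_ENTITLEMENTS):
    """Return (username, issue, detail) findings for the periodic audit report."""
    findings = []
    for acct in accounts:
        entitled = entitlements.get(acct.role)
        if entitled is None:
            findings.append((acct.username, "unknown-role", acct.role))
            continue
        # Minimum necessary: anything granted beyond what the job function needs.
        excess = acct.granted - entitled
        if excess:
            findings.append((acct.username, "excess-permissions", sorted(excess)))
        # One credential per workforce member: shared or orphaned accounts.
        if len(acct.owners) != 1:
            findings.append((acct.username, "shared-or-orphaned", list(acct.owners)))
        # Access must be re-reviewed when the job function changes, and periodically.
        if acct.role_changed > acct.last_reviewed:
            findings.append((acct.username, "review-after-role-change",
                             acct.role_changed.isoformat()))
        elif (today - acct.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append((acct.username, "review-overdue",
                             acct.last_reviewed.isoformat()))
    return findings


# Constructed sample accounts.
SAMPLE_ACCOUNTS = [
    Account("asmith", "physician", {"ehr.read", "ehr.write", "orders.write"},
            ["A. Smith"], date(2023, 1, 10), date(2024, 1, 15)),
    # Moved from nursing to billing, but the clinical grants were never removed.
    Account("bjones", "billing", {"ehr.read", "ehr.write", "demographics.read",
                                  "claims.read", "claims.write"},
            ["B. Jones"], date(2024, 2, 1), date(2024, 1, 15)),
    # One login used by everyone at the front desk.
    Account("frontdesk", "front_desk", {"schedule.read", "schedule.write",
                                        "demographics.read"},
            ["C. Lee", "D. Patel"], date(2022, 6, 1), date(2024, 1, 15)),
]


def sample_findings():
    return review_access(SAMPLE_ACCOUNTS, today=date(2024, 3, 1))


if __name__ == "__main__":
    for username, issue, detail in sample_findings():
        print(f"{username:<12}{issue:<26}{detail}")
```

Run as written, the report lists bjones twice (clinical permissions left over from the old role, and a role change that has not been reviewed) and the shared frontdesk login once; asmith is clean. The output of such a script is exactly the kind of periodic audit report the success criteria ask for.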
Risk 3: Lack of policies and procedures in place to provide appropriate access to ePHI in emergency situations

Explanation: During an emergency it is vital that doctors still have access to ePHI. Documented instructions, together with the practices and policies that support them, must be in place and readily available when an emergency occurs. Authorized personnel must know where to find these emergency procedures and how to carry them out. Physician practices must also determine the various types of emergency situations that would require access to ePHI.

Major Mitigation: Emergency procedures, processes and policies should be easily and readily accessible in the event of an emergency. The severity of emergencies varies; an emergency may result, for example, from an electrical power outage caused by a natural or man-made disaster. Workforce members must be trained on the procedures and processes so that they are equipped to handle critical situations. With well-trained workforce members, there is little chance

Success criteria: Emergencies happen rarely, so whether the procedures and policies actually work can only be proved for certain when one occurs. Every physician practice must nevertheless be equipped in all respects to face such an emergency. Frequent audits and periodic emergency drills need to be carried out to mimic emergencies and test the policies and procedures in place.
Risk 4: Lack of automatic logoff capability for applications or workstations accessing ePHI

Explanation: Users working on workstations that run applications accessing ePHI may forget to log off, or may not have time to log off when they step away from the workstation. This poses a threat: the workstation is left unattended, and an unauthorized person can easily read ePHI, tamper with it, or steal it. An effective way to prevent this kind of unauthorized access is automatic logoff.

Major Mitigation: The mitigation can be carried out in two ways:
- Configure the applications that access ePHI to log off automatically after a predetermined period of inactivity.
- For systems with limited capabilities, activate a password-protected screen saver after a period of inactivity.
Note that a screen-saver lock only protects the console; an application session that stays open behind it is still live, so application-level logoff remains the primary control.

Secondary Mitigation: Computers in high-traffic areas need a shorter logoff period.

Success criteria: Applications that log logoff events, with the time at which each logoff took place, show whether automatic logoff occurred after the specified period of inactivity. Random and periodic testing of automatic logoff by the system administrators on all workstations accessing ePHI can verify that this risk has been taken care of.
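The behaviour the major and secondary mitigations describe, an idle timeout per session with a shorter limit for high-traffic locations and a timestamped logoff record for the audit, is shown below in an added example that is not code from the Netspective document. The timeout values, the workstation names and the timeline in demo() are constructed; a real application would drive the clock from its own activity events.

```python
"""Automatic logoff of idle ePHI sessions (added example, not code from the
original document). Timeouts are assumed policy values; the demo timeline is
constructed."""
from dataclasses import dataclass

DEFAULT_IDLE_SECONDS = 15 * 60       # assumed policy value for ordinary workstations
HIGH_TRAFFIC_IDLE_SECONDS = 5 * 60   # assumed shorter value for hallway/shared stations


@dataclass
class Session:
    user: str
    workstation: str
    high_traffic: bool
    last_activity: float


class SessionManager:
    def __init__(self):
        self.active = {}     # workstation -> Session
        self.audit_log = []  # one line per logoff, with timestamp and cause

    def login(self, user, workstation, now, high_traffic=False):
        self.active[workstation] = Session(user, workstation, high_traffic, now)

    def touch(self, workstation, now):
        """Record user activity; resets the idle clock for that workstation."""
        s = self.active.get(workstation)
        if s is not None:
            s.last_activity = now

    @staticmethod
    def idle_limit(session):
        return HIGH_TRAFFIC_IDLE_SECONDS if session.high_traffic else DEFAULT_IDLE_SECONDS

    def logoff(self, workstation, now, cause):
        s = self.active.pop(workstation)
        self.audit_log.append(
            f"t={now:.0f} LOGOFF user={s.user} workstation={workstation} cause={cause}")

    def expire_idle(self, now):
        """Log off every session idle for at least its limit; returns the workstations affected."""
        expired = [w for w, s in self.active.items()
                   if now - s.last_activity >= self.idle_limit(s)]
        for w in expired:
            idle = now - self.active[w].last_activity
            self.logoff(w, now, f"auto-idle({idle:.0f}s)")
        return expired


def demo():
    """Constructed timeline; returns (active after first sweep, active after second, audit log)."""
    mgr = SessionManager()
    mgr.login("nurse1", "WS-HALLWAY-2", now=0, high_traffic=True)
    mgr.login("dr.lee", "WS-OFFICE-7", now=0)
    mgr.touch("WS-OFFICE-7", now=200)      # activity resets the office station's clock
    mgr.expire_idle(now=400)               # hallway station idle 400 s > 300 s limit
    first = sorted(mgr.active)
    mgr.expire_idle(now=1200)              # office station idle 1000 s > 900 s limit
    return first, sorted(mgr.active), list(mgr.audit_log)


if __name__ == "__main__":
    _, _, log = demo()
    print("\n".join(log))
```

The audit_log lines are what the success criteria refer to: each entry records who was logged off, where, when and why, so an auditor can confirm that the timeout actually fired rather than relying on the configuration alone.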
Risk 5: Lack of audit control mechanisms to record and examine activity in information systems that contain or use ePHI

Explanation: Information systems must be equipped with audit controls that track and record system activity. This is especially important for detecting security violations. Most audit controls also produce audit reports of system activity. The audit records themselves must be written somewhere the users being audited cannot alter, or an intruder can simply erase the trail.

Major Mitigation:
- Evaluate and understand the current technical infrastructure and the security capabilities of the hardware and software.
- Perform a risk analysis; determine the risks and possible mitigation or avoidance strategies.
- Decide on the audit controls that work for the information systems in the physician's practice that contain ePHI.

Secondary Mitigation: The organization must have more than one person to conduct the audit process and report the results. It may also be a good idea to have IT vendors explain how audits are conducted and have the process documented.

Success criteria: Data gathered from the audit controls, and periodic review of that data, can help verify that the audit control mechanisms are tracking activity in the information systems. Having an outside third party audit the audit control system itself can verify that the audit controls in the organization are working properly.
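Recording activity is only half of the control; the other half is examining it. The script below is an added example, not code from the Netspective document, of the kind of review that should run over the records: it assumes a constructed log format (timestamp, user, action, record, result), constructed sample lines (SAMPLE_LOG) and assumed thresholds, and it surfaces after-hours record access, repeated failed logins and bulk reads of many patient records in a short time.

```python
"""Review of an ePHI access audit log (added example, not code from the
original document). The log format, the log lines and the thresholds are
constructed; the point is the kind of check the audit process should run
over whatever the practice's systems actually record."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                     r"record=(?P<record>\S+) result=(?P<result>\S+)$")

BUSINESS_HOURS = (7, 19)                  # assumed: record access outside 07:00-19:00 is reviewed
FAILED_LOGIN_THRESHOLD = 3                # failures by one user within FAILED_LOGIN_WINDOW
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
BULK_READ_THRESHOLD = 5                   # distinct records read by one user within BULK_WINDOW
BULK_WINDOW = timedelta(minutes=5)


def parse(lines):
    """Parse and time-sort the log; an unparseable line is a finding in itself, so fail loudly."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def review(lines):
    """Return findings as (kind, user, detail) tuples."""
    findings = []
    per_user = defaultdict(list)
    for e in parse(lines):
        per_user[e["user"]].append(e)
        in_hours = BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]
        if e["action"] != "LOGIN" and not in_hours:
            findings.append(("after-hours-access", e["user"],
                             f"{e['action']} {e['record']} at {e['ts']}"))
    for user, evs in per_user.items():
        # Repeated failed logins: password guessing, or a shared credential gone stale.
        fails = [e["ts"] for e in evs if e["action"] == "LOGIN" and e["result"] == "FAIL"]
        for i in range(len(fails) - FAILED_LOGIN_THRESHOLD + 1):
            if fails[i + FAILED_LOGIN_THRESHOLD - 1] - fails[i] <= FAILED_LOGIN_WINDOW:
                findings.append(("repeated-login-failure", user,
                                 f"{FAILED_LOGIN_THRESHOLD} failures from {fails[i]}"))
                break
        # Bulk reads: many distinct patient records in a short time suggests browsing or export.
        reads = [(e["ts"], e["record"]) for e in evs
                 if e["action"] == "READ" and e["result"] == "OK"]
        for i, (start, _) in enumerate(reads):
            window = {rec for ts, rec in reads[i:] if ts - start <= BULK_WINDOW}
            if len(window) >= BULK_READ_THRESHOLD:
                findings.append(("bulk-record-access", user,
                                 f"{len(window)} records from {start}"))
                break
    return findings


# Constructed sample log lines.
SAMPLE_LOG = """\
2024-03-04T08:02:11 user=asmith action=LOGIN record=- result=OK
2024-03-04T08:03:40 user=asmith action=READ record=PT-1042 result=OK
2024-03-04T09:00:01 user=unknown action=LOGIN record=- result=FAIL
2024-03-04T09:00:09 user=unknown action=LOGIN record=- result=FAIL
2024-03-04T09:00:20 user=unknown action=LOGIN record=- result=FAIL
2024-03-04T10:15:00 user=tmp_contractor action=READ record=PT-0001 result=OK
2024-03-04T10:15:30 user=tmp_contractor action=READ record=PT-0002 result=OK
2024-03-04T10:16:00 user=tmp_contractor action=READ record=PT-0003 result=OK
2024-03-04T10:16:30 user=tmp_contractor action=READ record=PT-0004 result=OK
2024-03-04T10:17:00 user=tmp_contractor action=READ record=PT-0005 result=OK
2024-03-04T22:41:05 user=bjones action=READ record=PT-2210 result=OK
""".splitlines()

if __name__ == "__main__":
    for kind, user, detail in review(SAMPLE_LOG):
        print(f"{kind:<24}{user:<16}{detail}")
```

Because the review keys everything on the user field, it only works if Risk 1 has been addressed: a shared login turns "who read five records at 10:15" into an unanswerable question.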
Risk 6: Lack of proper mechanisms to authenticate ePHI

Explanation: The integrity of ePHI must be given high importance. Integrity can be compromised by human error that stores incorrect information in the database, by system crashes that alter or damage stored information, or by backups that are never checked for accuracy. Intentional unauthorized access through hacking can also destroy the integrity of ePHI.

Major Mitigation: Controls that validate human data entry and check for errors must be employed. Controls that ensure the accuracy of data backups must also be in place. Intrusion detection services can be used to detect intrusions or attempts to tamper with data. Vulnerability scanning can be employed to scan the systems on a predetermined schedule. Malware scanning tools must be used and configured to scan the systems at frequent intervals to ensure that no malware is present. Patches for applications, operating systems and so on must be tested and kept current.

Secondary Mitigation: Design policies and procedures to ensure that the integrity of ePHI is maintained. The policies and procedures must include all the mitigation steps above, and can additionally require that data integrity tests be conducted on a regular basis. All log-in attempts can be logged and checked to ensure that the access controls are in place as intended.

Success criteria: Auditing the logs from the various tools and services shows whether the risks have been mitigated. If data integrity tests are run, their logs can also be audited to establish the exact status. The reports of the risk analysis or risk assessment can be used to judge whether the risk is mitigated and the current controls are effective, or whether more controls need to be added.
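A concrete form of the "data integrity test" and "backup accuracy" controls above is a keyed checksum over each record that is computed when the data is written and re-checked later. The following is an added example, not code from the Netspective document: it uses HMAC-SHA256 over a canonical JSON serialisation of each record, and the key, the records and the damaged backup in demo() are constructed. One caveat it makes explicit: the key must live apart from the data, otherwise whoever can alter a record can also re-tag it and the check proves nothing.

```python
"""Integrity tags for ePHI records and backup verification (added example,
not code from the original document). HMAC-SHA256 over a canonical
serialisation of each record; the key, record set and backup are constructed."""
import hashlib
import hmac
import json


def canonical(record):
    """Stable byte representation: sorted keys, fixed separators."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag(key, record_id, record):
    """The record id is bound into the MAC so a valid record cannot be moved under another id."""
    msg = record_id.encode() + b"\x00" + canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal(key, records):
    """Manifest of id -> tag, produced when records are written or backed up.
    The key must be stored separately from the records and the manifest."""
    return {rid: tag(key, rid, rec) for rid, rec in records.items()}


def verify(key, records, manifest):
    """Compare a record set against its manifest; returns {id: status}."""
    status = {}
    for rid, expected in manifest.items():
        if rid not in records:
            status[rid] = "missing"
        elif hmac.compare_digest(tag(key, rid, records[rid]), expected):
            status[rid] = "ok"
        else:
            status[rid] = "modified"
    for rid in records.keys() - manifest.keys():
        status[rid] = "unexpected"      # present in the copy but never sealed
    return status


def demo():
    """Constructed scenario: verify a damaged backup against the live manifest."""
    key = b"constructed-demo-key-do-not-reuse"
    live = {
        "PT-1042": {"name": "A. Patient", "allergies": ["penicillin"], "dob": "1970-01-01"},
        "PT-2210": {"name": "B. Patient", "allergies": [], "dob": "1985-05-05"},
    }
    manifest = seal(key, live)
    # A crash or an intruder wiped one allergy list; the other record never made it to the backup.
    backup = {"PT-1042": dict(live["PT-1042"], allergies=[])}
    return verify(key, backup, manifest)


if __name__ == "__main__":
    for rid, status in demo().items():
        print(rid, status)
```

Run on a schedule against both the live database and each backup, the returned status map is the log the success criteria refer to; a plain (unkeyed) hash would catch the crash case but not an intruder who recomputes the hash after editing.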
Risk 7: Lack of proper authentication

Explanation: The first step in gaining access to ePHI must be authentication: verifying that the entity trying to access ePHI really is who or what it claims to be. If persons or entities (which may be other software programs) are not authenticated, ePHI is at risk of being compromised. Proper authentication is also needed before ePHI is shared with anyone in any manner; without it, ePHI may end up in the wrong hands.

Major Mitigation: In its simplest form, the authentication mechanism is a user name and password that must be presented to gain access. Stored passwords must be kept only as salted, deliberately slow hashes, never in clear text, so that a compromised credential store does not hand over the passwords themselves. Authentication can be enforced at the workstation level, at the application level, or both, depending on the level of security needed. There must be defined policies and procedures that lay out the authentication mechanisms to be followed, including the mechanism to be used when sharing ePHI with another person or entity.

Secondary Mitigation: A combination of authentication mechanisms, that is, multifactor authentication, can be used for a more advanced level of authentication.

Success criteria: Each and every access to the systems needs to be logged. An audit of these logs gives a clear picture. The risk analysis/assessment reports will also give a clear indication of whether any risks exist and whether the controls are effective.
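The username-and-password mechanism of the major mitigation and the multifactor mechanism of the secondary mitigation are shown together below in an added example that is not code from the Netspective document. It assumes a constructed user store, a salted PBKDF2-HMAC-SHA256 hash as the first factor and an RFC 6238 time-based one-time password (TOTP) as the second; the secret used in demo() is the RFC 6238 sample key and the clock value is constructed. Both factors are always evaluated, and an unknown username costs the same work as a known one, so response time does not reveal which usernames exist.

```python
"""Two-factor authentication for access to ePHI (added example, not code from
the original document): a salted PBKDF2 password hash as the first factor and
an RFC 6238 time-based one-time password as the second. The user store,
secrets and clock values are constructed."""
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 600_000   # OWASP's current figure for PBKDF2-HMAC-SHA256
DUMMY_SALT = b"\x00" * 16


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Store only salt, iteration count and digest; never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, stored):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    stored["salt"], stored["iterations"])
    return hmac.compare_digest(candidate, stored["digest"])  # constant-time compare


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the 30-second time step."""
    return hotp(secret, int(unix_time) // step, digits)


def authenticate(store, username, password, otp, now):
    """Both factors must pass. Returns True only for a fully authenticated user."""
    user = store.get(username)
    if user is None:
        # Burn the same work so timing does not reveal whether the username exists.
        hashlib.pbkdf2_hmac("sha256", password.encode(), DUMMY_SALT, PBKDF2_ITERATIONS)
        return False
    pw_ok = verify_password(password, user["password"])
    # Accept the current and the previous step to tolerate small clock drift.
    otp_ok = any(hmac.compare_digest(otp.encode(), totp(user["totp_secret"], now - d).encode())
                 for d in (0, 30))
    return pw_ok and otp_ok


def demo(now=1_700_000_000):
    """Constructed scenario: (good login, wrong password, wrong OTP, unknown user)."""
    secret = b"12345678901234567890"  # the RFC 6238 sample key, used here for illustration only
    store = {"asmith": {"password": hash_password("correct horse battery staple"),
                        "totp_secret": secret}}
    valid = {totp(secret, now), totp(secret, now - 30)}
    wrong_otp = next(c for c in ("000000", "111111", "222222") if c not in valid)
    return (
        authenticate(store, "asmith", "correct horse battery staple", totp(secret, now), now),
        authenticate(store, "asmith", "wrong password", totp(secret, now), now),
        authenticate(store, "asmith", "correct horse battery staple", wrong_otp, now),
        authenticate(store, "nobody", "anything", "000000", now),
    )


if __name__ == "__main__":
    print(demo())
```

The hotp/totp routines can be checked against the published vectors: with the sample key, HOTP counter 0 is 755224 (RFC 4226) and an 8-digit TOTP at Unix time 59 is 94287082 (RFC 6238). In a deployment the TOTP secret, like the password hash, belongs in the credential store and not beside the application code.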
Risk 8: Lack of encryption of ePHI in transmission and at rest

Explanation: ePHI is vulnerable to compromise in every state it is in: at rest (in databases and files), in motion (being transmitted over networks), in use (being read or updated), and at disposal (discarded paper files or electronic storage media). Encryption adds an extra layer of protection: even if someone gains access to or reads the ePHI, encrypted data is unreadable and unusable to unauthorized persons, so the chance of compromise diminishes. When ePHI is transmitted over networks it can be intercepted by unauthorized persons, thus compromising ePHI. This kind of unauthorized access may not be noticed immediately, but it can cause a great deal of damage.

Major Mitigation: ePHI should be encrypted, and there must also be reasonable and appropriate mechanisms in place to prevent access to ePHI by persons or software programs that have not been granted access rights. There are many different encryption methods and technologies for data in motion (TLS, the successor to SSL; VPNs) and at rest. Choose the methods and technologies that best meet the physician's office requirements. Encryption protects the data only as long as the keys are kept away from it and from the people who must not read it: encryption at rest with the key stored beside the data, or TLS with certificate verification switched off, offers little real protection.

Success criteria: The risk analysis/assessment reports will provide a clear indication of whether this type of risk exists or has been mitigated with appropriate controls. Audit logs that track access to ePHI can be checked periodically for unauthorized access by persons or software programs that have not been granted access rights.
Visit
http://www.netspective.com/opsfolio
E-mail : enquires@netspective.cc
Call : (202) 657-4064

Thank You
