Probabilistic Risk Analysis Farrokh Alemi, Ph.D. April 12, 2004

Why Assess Risks?
  Based on experienced incidences across the industry
    Not an imagined risk
  Allows benchmarks against peer organizations
  If repeated over time, measures progress in reducing risks
  Can be used to set premiums for HIPAA insurance

Definitions
  Risk assessment
  Threat
  Vulnerability
  Security controls
  Hazard
  Risk mitigation

How to Assess Risks for Unauthorized Disclosures?

$$p(U) = \sum_{i=1}^{n} p(U \mid H_i)\, p(H_i)$$

$$p(H_i) = \frac{1}{1 + t_i}$$

$$p(U \mid H_i) = \frac{p(H_i \mid U)\, p(U)}{p(H_i)}$$

Sources of Data

Assessment of Probability of Unauthorized Disclosure

Databases Searched                             Records found   Unauthorized disclosures   Dates                 Probability of unauthorized disclosure
LexisNexis Academic                                       47                          2   01/01/03 - 12/31/03   0.005
Health Reference Center-Academic, Infotrac               141                          8   01/01/90 - 12/31/03   0.022
DHHS reports                                              22                         16   01/01/03 - 12/31/03   0.044
                                                           3                          3   01/01/03 - 12/31/03   0.008
Total                                                    213                         29   01/01/90 - 12/31/03   0.079

List of Hazards
  Clinician using unsecured email environment
  Clinician gathers information from patients' family and friends after the visit
  Discussion of patient care with co-workers not engaged in care
  Medical reports or records with wrong recipient information
  Caring for employees' friends and family members
  Benefit Organizations or employers request employee information
  Employees engaged in whistle blowing to uncover illegal or unacceptable business or clinical practices
  Patient records (paper documents) not kept in secure environment or sealed envelope; or documents displayed in plain view of others
  Clinician discusses patient care in a setting where others can easily hear
  Employee removes patient records from secure location or workplace without authorization
  Employee views paper documents or manipulates computer passwords to view medical records of patients not under his/her care
  External infection of computers / password / network systems (e.g. computer hacker)
  Theft of computers or hard drives
  Sale of patient records
  Blackmail/Extortion of organization or an employee
  Patient using identity of another person to gain insurance benefits
  Changes in custody or family relationships not revealed by the patient
  Audit of business practices by outside firm without clinicians' approval
  Business Associate violates Chain of Trust Agreement
  Legal System/Law Enforcement requests, subpoenas or seizes patient records
  Error in patient identity during data transfer to third party insurers

Prevalence of Hazards Among Unauthorized Disclosures

p(Hi | U)   Hazard Category / Description of the Hazard

Impermissible sharing of patient health information
  0.01      Clinician using unsecured email environment
  0.14      Clinician attempting to gather information from patients' family and friends
  0.08      Discussion of patient with co-workers not engaged in care
  0.07      Medical reports or records with wrong recipient information
  0.03      Caring for clinicians' friends and family members and discussing the care outside of the work environment
  0.04      Benefit Organizations or employers request patient information

Lack of Physical safeguards for PHI
  0.14      Patient records (paper documents) not kept in secure environment or sealed envelope; or documents displayed in plain view of others
  0.05      Patient records or information discussed in a setting where others can easily hear

Inappropriate access to patient health information
  0.01      Employee removes patient records from secure location or workplace without proper authorization or just cause
  0.10      Employee views paper documents or manipulates computer passwords to view medical records of patients not under his/her care

Illegal Activities
  0.01      External infection of Computers/Password/Network Systems (e.g. Computer Hacker)
  0.02      Theft of computers or hard drives
  0.06      Sale of patients' records
  0.02      Blackmail/Extortion of your organization or an employee

Patient Causes
  0.01      Patient using identity of another person to gain insurance benefits
  0.01      Changes in custody or family relationships not revealed by the patient

3rd Party Causes
  0.01      Audit of clinical practices by outside firm without clinician approval
  0.02      Business Associate violates Chain of Trust Agreement
  0.12      Legal System/Law Enforcement requests, subpoenas or seizes medical records
  0.01      Error in patient identity during transfer of data to third party insurers

Assessment of Hazards at Health Care Organizations

How often does a clinician in your organization email a message in an unsecured environment?

  Frequency               Rating
  Unlikely                Negligible
  2-3 times / 5 years     Very Low
  <= once / year          Low
  <= once / 6 months      Medium
  <= once / month         High
  >= once / month         Very High
  >= once / day           Extreme

Indicate the two most recent times (enter number of days, weeks, months or years) prior to today when a clinician emailed a message in an unsecured environment.

Please indicate the last two times when a clinician emailed a message in an unsecured environment. Enter date in the format DD/MM/YY.

Assignment
  Answer the online survey for an imaginary health care organization
  Analyze responses to calculate probability of unauthorized disclosure
  Discuss the assessment procedure
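The assessment procedure from the equations earlier in the deck, carried through in code as an added example (not part of the original slides): p(Hi) = 1/(1 + ti) from the survey's time since last occurrence, Bayes for p(U | Hi), and total probability for the organization's p(U). The p(Hi | U) values and p(U) = 0.079 are taken from the deck's tables; the industry-wide p(Hi) values, the survey answers, and the reading that industry p(Hi) feeds the Bayes step while the organization's own p(Hi) feeds the sum are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime

# Industry-wide p(U): total row of the deck's data-source table (29 / 213).
P_U_INDUSTRY = 0.079

@dataclass(frozen=True)
class Hazard:
    name: str
    p_h_given_u: float       # p(H_i | U): from the deck's prevalence table
    p_h_industry: float      # p(H_i) industry-wide: CONSTRUCTED for this example
    years_since_last: float  # t_i from the organization's survey (years; assumed unit)

def years_since(last_date: str, today: str) -> float:
    """Turn the survey's DD/MM/YY answer into t_i measured in years."""
    fmt = "%d/%m/%y"
    days = (datetime.strptime(today, fmt) - datetime.strptime(last_date, fmt)).days
    if days < 0:
        raise ValueError("last occurrence lies in the future")
    return days / 365.25

def p_hazard(t: float) -> float:
    """p(H_i) = 1 / (1 + t_i): a hazard seen recently is judged more probable."""
    if t < 0:
        raise ValueError("time since last occurrence must be non-negative")
    return 1.0 / (1.0 + t)

def p_disclosure_given_hazard(p_h_given_u: float, p_u: float, p_h: float) -> float:
    """Bayes: p(U | H_i) = p(H_i | U) p(U) / p(H_i), clamped to a valid probability."""
    if p_h <= 0.0:
        raise ValueError("p(H_i) must be positive")
    return min(1.0, p_h_given_u * p_u / p_h)

def organization_risk(hazards: list[Hazard]) -> float:
    """p(U) = sum_i p(U | H_i) p(H_i): industry likelihoods, organization's own p(H_i)."""
    total = 0.0
    for h in hazards:
        likelihood = p_disclosure_given_hazard(h.p_h_given_u, P_U_INDUSTRY, h.p_h_industry)
        total += likelihood * p_hazard(h.years_since_last)
    return min(1.0, total)

# Constructed survey for an imaginary organization: hazard names and p(H_i | U)
# come from the deck; industry p(H_i) and recency values are made up.
SAMPLE_HAZARDS = [
    Hazard("Clinician using unsecured email environment", 0.01, 0.50, 0.25),
    Hazard("Paper records not kept secure or displayed in plain view", 0.14, 0.50, 0.0),
    Hazard("Employee views records of patients not under his/her care", 0.10, 0.20, 1.0),
    Hazard("Theft of computers or hard drives", 0.02, 0.05, 3.0),
    Hazard("Law enforcement requests, subpoenas or seizes records", 0.12, 0.10, 0.5),
]
```

Calling organization_risk(SAMPLE_HAZARDS) gives about 0.114 for this constructed organization, above the 0.079 industry figure because several hazards were reported recently.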

Risk Assessment Should Focus on
  Process
  Events

Security Management Process
Process:
  Analyzing and managing risk
  Developing a sanction policy for violations
  Reviewing information systems activities
Events:
  None

Assigned Security Responsibility
Process:
  Assigning a person at the facility to oversee and implement the HIPAA security plan
Events:
  Security official is not available during an incident

Workforce Security
Process:
  Authorizing or supervising employees' access to ePHI
  Implementing a clearance policy and adjusting access if employment is terminated or changed
Events:
  Employee performs a job not appropriate for his/her access level
  Conducting insufficient background checks
  Employee termination incorrectly recorded
  Checklist not used to verify access termination

Information Access Management
Process:
  Isolating clearinghouse functions
  Determining criteria for establishing access
  Determining who should access ePHI and evaluating existing security measures
Events:
  Employee exceeds the "greater than minimum" access necessary for his/her job role

Security Awareness and Training
Process:
  Conduct a training needs assessment
  Develop a training strategy
  Develop appropriate awareness training content and best delivery methods
  Implement the training
  Monitor training plan
Events:
  Traveling employee has an unsecured machine
  Failure to apply security patches to systems

Security Incident Procedures
Process:
  Determine goals of Incident Response
  Develop and deploy Incident Response Team
  Develop Incident Response Procedures
  Post-Incident analysis procedures
Events:
  Incident response team is not available during an incident

Contingency Plan
Process:
  Developing a plan
  Conducting Impact and Data Criticality analyses
  Identifying preventive measures
  Developing a recovery strategy
Events:
  No call list of emergency responders during an incident

Evaluation
Process:
  Performing periodic technical and non-technical evaluations in response to environmental and operational changes affecting the security of ePHI
Events:
  None

Business Associate Agreements
Process:
  Identifying Business Associates
  Executing new agreements or updating current ones
  Measuring contract performance and violations
Events:
  Business Associate violates security policies
  New vendors are not listed on contracts
  Audit log does not contain a complete record of Business Associate activities

Facility Access Controls
Process:
  Analyze existing physical vulnerabilities
  Identify corrective measures
  Develop a facility security plan
  Develop access control procedures
  Establish Contingency operations procedures
Events:
  Employee bypassed physical security control
  Physical environment around facility contains risk to security controls
  Emergency personnel cannot access facility during an emergency
  Natural disasters

Workstation Use
Process:
  Identify workstation types and functions
  Identify expected performance of each workstation
  Analyze physical surroundings for physical attributes
Events:
  Workstations with different functions kept in the same area

Workstation Security
Process:
  Identify all methods of physical access to workstations
  Analyze the risk associated with each type of access
  Identify physical safeguards
Events:
  Workstations are kept in public areas
  Unauthorized viewing of workstations

Access Controls
Process:
  Analyze workloads and operations to identify the access needs of all users
  Identify data and systems where access control is required
  Assign Unique Identifier
  Develop access control policy
  Implement access control procedures
  Review and update user access
  Establish an emergency access procedure
  Terminate access if no longer needed
Events:
  Sharing of User ID or password
  Access not changed in conjunction with change in employment status
  Machine fails to auto-log off

Audit Controls
Process:
  Determine the systems or activities that will be tracked or audited
  Select auditing tools
  Develop system/activity review policy
  Develop appropriate standard operating procedures
  Implement the audit/system review process
Events:
  Audit logs do not accurately or completely track users' actions

Integrity
Process:
  Identify all users who have been authorized to access ePHI
  Identify any possible unauthorized sources that may be able to intercept the information and modify it
  Develop Integrity policy
  Implement procedures
  Establish a monitoring process
Events:
  Foreign entity intercepts and modifies data

Person or Entity Authentication
Process:
  Determine authentication applicability to current systems/applications
  Evaluate authentication options available
  Select and implement authentication option
Events:
  Identity of information source is not verified

Transmission Security
Process:
  Identify any possible unauthorized sources that may be able to intercept and/or modify the information
  Develop a transmission security policy
  Implement procedures for transmitting ePHI
Events:
  Sending unencrypted messages

Device and Media Controls
Process:
  Evaluate methods for final disposal of ePHI
  Develop procedures for reuse of electronic media
  Maintain records of hardware, media and personnel
  Develop backup procedures to ensure data integrity during equipment relocation
Events:
  Electronic media is re-used or discarded without modification


Take Home Lesson
  Better to rely on experienced hazards rather than imaginary ones
  It is possible to estimate the probability of rare events
  It is possible to assess the risk of unauthorized disclosures at our organizations