Tuesday, January 26, 2016

Information Security Awareness Training in the HealthCare Delivery System


Information security awareness training is critical in the healthcare delivery system not only because human lives are involved, but also because security breaches are increasingly common and costly. The Health Insurance Portability and Accountability Act (HIPAA) health information security rule addresses the privacy protection of electronic protected health information (e-PHI) and individually identifiable health information (hipaa-101.com). HIPAA information security awareness rules include, but are not limited to: “Administrative Safeguards – usually assigned to the HIPAA security compliance team; Physical Safeguards – these relate to protection of electronic systems, equipment, devices and data access; and Technical Safeguards – deals with authentication, encryption, cryptography for data access control.”

Further, these security rules define “confidentiality to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule’s confidentiality requirements support the Privacy Rule’s prohibitions against improper uses and disclosures of PHI. The Security Rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule, integrity means that e-PHI is not altered or destroyed in an unauthorized manner. Availability means that e-PHI is accessible and usable on demand by an authorized person” (hhs.gov). It also states that “the Security Rule, like all of the Administrative Simplification rules, applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA.”

The most effective and efficient security awareness training program is an ongoing, systematic approach that maximizes learning, improves retention, and stays simple. For example, the HIPAA compliance requirement states clearly:

“Organizations should provide a training program to raise awareness of HIPAA rights. Every individual in the organization must be trained on a regular basis. Training should be provided to include employee awareness, password safeguarding and changing, workstation access, software use, incident handling, virus and malware, identification challenge and other mission critical operations” (Studystruct Inc). The “General Penalty for Failure to Comply with Requirements and Standards” in Section 1176 of Public Law 104-191, the Health Insurance Portability and Accountability Act of 1996, states that the Secretary may impose fines for noncompliance of up to $100 per offense, with a maximum of $25,000 per year, on any person who violates a provision of this part. Under “Wrongful Disclosure of Individually Identifiable Health Information,” Section 1177 says that “a person who knowingly

  • uses or causes to be used a unique health identifier
  • obtains individually identifiable health information relating to an individual
  • discloses individually identifiable health information to another person

shall be fined not more than $50,000, imprisoned not more than one year, or both. If the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than five years, or both. If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $25,000, imprisoned not more than 10 years, or both” (Studystruct Inc). The Health Information Technology for Economic and Clinical Health Act (HITECH) sets fines that range from $100 per violation to $500,000 in any calendar year.

In conclusion, it is important to conduct an information security awareness training program on a regular basis in the healthcare delivery system so as to constantly update the level of management and staff preparedness to detect and mitigate internal and external threats to health information, and thereby enhance its security. Healthcare personnel are critical to achieving this protection and defending PHI. Finally, this is necessary because of the consequences associated with HIPAA and HITECH violations and noncompliance.

References

HIPAA 101 Guide to Compliance Rules & Laws. (n.d.). Retrieved January 21, 2016.

Summary of the HIPAA Security Rule. (n.d.). Retrieved January 21, 2016.

Information Systems Security Awareness. (2015). HHS Cybersecurity Program.

HIPAA Security Awareness Training. (2013-2014). Retrieved January 22, 2016.

Friday, January 8, 2016

Infosec Incident Response Planning in the healthcare delivery system

In the evolving world of information digitization and migration to mobile devices, especially in the health care sector, health and medical records are increasingly becoming targets for cybercriminals. According to Barbara Filkins (sans.org, 2014), medical, health, and financial records are increasingly targeted by cybercriminals because of their profitability. She reported in her survey that “the growing presence of online personal information, consumer-facing mobile apps, and new methods of accessing and transferring medical data are increasingly putting sensitive protected data at risk. Ultimately, the trend of pushing sensitive data outside an organization’s protected environment via cloud computing, mobile identity and access, and the Internet of (Care) Things such as medical devices that are also subject to regulatory compliance demands that security be pushed closer to the actual data.”

Effective and efficient incident response planning (IRP) requires a Business Impact Analysis (BIA) to identify the critical resources that an actual incident would affect. The analysis also examines the weaknesses of “current data breach detection solutions, (infosec) training and awareness and the negligent insider as the chief threat” (Barbara Filkins, 2014). These resource areas range from “Hospitals, Health care delivery system/Health care network, Ambulatory/Outpatients provider, and Clinic, Health plan/payer (insured), Ancillary service provider (laboratory/radiology), Pharmacy/PBM, Health information organization (HIO) and exchange, Public Health Department, Clearinghouse and Critical access or rural hospitals” (Barbara Filkins, 2014). The medical and health information assets considered most at risk, as Filkins identified, include, but are not limited to, “Electronic medical record (EMR)/Electronic health record (EHR), Personal health record (PHR), Patient portals, Supporting infrastructure (underlying middleware, network as a whole), Corporate assets/Intellectual property, Point-of-sales systems, Clinical automation systems (biomedical systems, pharmacy robots), Major clinical applications (ancillary services, laboratory, radiology, pharmacy), Health information exchange (HIE), Mobile medical device applications for workforce (including contractors), Enterprise data management systems (master person index, provider directory), Mobile applications delivered directly to consumers, Health insurance exchange (HIE), Practice management/Billing systems and Telemedicine/Telehealth capabilities and support systems” (Barbara Filkins, 2014).

Incident Response Planning (IRP) and timely recovery in the health care delivery system would include:

  • “Assess the team’s ability to detect, respond to and contain threats” or actual occurrences;
  • Ensure “the organizational incident response (IR) strategy is consistent with organizational security policy”;
  • “Grant sufficient authority to the IR team to take specified actions”;
  • “Define roles and responsibilities of the IR team and parties participating in the response process”;
  • “Establish a list of prioritized information assets and services, as well as acceptable downtime”;
  • “Develop and communicate procedures for reporting, escalation and other needed activities”;
  • “Test the IR processes (and make necessary changes)”;
  • “Educate the team on emerging threats and train members to handle both expected and unexpected incidents”;
  • Finally, inform and create awareness of the need for medical asset generators, users and providers to be more alert to infosec threats, risks and vulnerabilities.

“Review response and update policies—plan and take preventative steps so the intrusion can't happen again.”

References

Filkins, Barbara. New Threats Drive Improved Practices: State of Cybersecurity in

Incident Response Plan Example – California Department… Retrieved January 8, 2016 from https://www.bing.com/search?q=Infosec+Incident+Response+Planning+in+the+healthcare+delivery+system&FORM=EDGEND


http://nwachukwugwilliamInfoSec.blogspot.com