EHR Privacy Risk Assessment Using Qualitative Methods
Maria Madsen, CQUniversity, Gladstone, Queensland
EHR Privacy Risk Assessment: A Systems Perspective

Compliance Need
• Perform privacy risk assessments on existing, upgraded, and new health information systems.

Problems
• Few people have the security or system expertise needed
• Laws and standards provide general guidance but not detailed methods
• A full PRA consumes time and other resources

HIC 2008 MM
Privacy Risk Assessment: A Systems Perspective

Possible Solution
• Make privacy risk assessment easier & more consistent using a checklist approach – a method commonly used for WHS risk assessments
• Provide a Risk Management Tool (e.g. WHS Qld. Slips, Trips, and Falls)

Possible Methods
• Qualitative Risk Assessment Approach
• Use existing information from expert sources (Cth Law, AusCert, APF, SAI)
• Focus on uses & users (Activity Theory)
Privacy Risk Assessment: The Risk Management Approach

Process – 5 Step Cycle (repeat as necessary)
1. Establish the Context
2. Identify the Risks
3. Analyse the Risks
4. Evaluate the Risks
5. Treat the Risks

• Tabulate analysis results
• Transform the table into a Risk Management Tool with simple Yes/No questions
Step 1 – Establish the Context: Hospital Information Systems

Security Management System
• Technical & human components
• Focus on activities & users (example: EHR data)

Two Types of Use
• Authorised
• Unauthorised

Information Privacy
• Data has no elements that directly identify individuals.

Information Security
• Depends on end user security behaviours (Stanton et al. 2005)
• Unintentional (in)security is the most common/likely (e.g. leaving the computer logged in when away from desk)

Two Cases Considered
1. Mandatory Reporting – aggregated data: The National Hospital Morbidity Dataset (NHMD) (secondary use)
2. Record Linkage Study – record matching across health services, trialled by the Australian Institute of Health and Welfare (AIHW 2003) (tertiary use)
Step 2 – Identify the Risks

Four Risk Factors Considered
1. External Access (Internet)
2. Internal Access (Network)
3. Record Linkage (Unrelated Data Sets)
4. Patient-held Records (Portable Media)

Risks
• Unauthorised disclosure
• Discrimination based on disclosed information
• Identity theft
• Formal privacy breach complaint
• Incorrect information disclosed

Threats (what can go wrong)
• Authorised access / unauthorised use
• Unauthorised access
• Unexpected/unintended use of collected data
• Re-identification from fields in linked records
• Data errors

(Sources: APF 2006, Aust. Privacy Act 1988, SAI – HB 167:2006; HB 174-2003; HB 231:2004)
Step 3 – Analyse the Risks

• Consequences for hospitals & patients from threats arising from secondary & tertiary uses
• Qualitative analysis requires judgement of likelihood and consequences.
Step 4 – Evaluate the Risks

[Figure: risk assessment matrix. Likelihood axis: Unlikely, Possible, Likely, Almost Certain. Severity of Consequences axis: Minor, Moderate, Major to Critical (Severe). Cells are banded Low Risk, Moderate Risk and High Risk.]

A Risk Assessment Matrix is provided in HB 174-2003, p. 25.
Step 5 – Treat the Risks

Treatment types, each with technology treatments (barrier controls) and policy treatments (behavioural controls):

Risk avoidance
• Technology: disconnect from network and/or internet
• Policy: decommissioning equipment procedure

Likelihood reduction (most common)
• Technology: anti-spam filters, anti-virus software, digital identifiers or certificates, virtual private networks, encrypted logins and sessions, encrypted files, firewalls, biometrics, smart cards, one time tokens, reusable passwords, and access control
• Policy: cryptographic controls policies or procedures, external network access control policies, user responsibility policies, segregation of duties policy, change control procedures, documented standard operating procedures, and controls against malicious software

Consequence reduction
• Technology: intrusion detection systems, file integrity assessment tools
• Policy: system audit policy, monitoring system access and use procedures

Risk transference
• Technology: insure against potential risks; outsource or contract with a 3rd party that has the technology that you need (for example, using a certificate authority for key management in a system)
• Policy: not applicable

Risk retention
• Technology: too costly or not available
• Policy: business continuity management, incident management procedures, forensic plan

(Sources: AusCert et al. 2006, SAI HB 231:2004, pp. 17-31)
Privacy Risk Assessment: Putting it all together…

Likelihood + Consequences = Risk Level (example consequence: loss of consumer confidence)

• External Access via Internet – threat (example): poor online security at user's end; risk: unauthorised use/disclosure; likelihood: Possible; consequences: Moderate; risk level: Moderate/Low; risk reduction treatment/control: Virtual Private Network
• Internal Access – threat (example): poor security hygiene (passwords shared); risk: unauthorised use/disclosure; likelihood: Almost Certain; consequences: Moderate; risk level: Moderate; risk reduction treatment/control: User Training
• Patient Held Record – threat (example): loss of storage media and records; risk: unauthorised use/disclosure; likelihood: Likely; consequences: High; risk level: Moderate; risk reduction treatment/control: Patient Education
• Record Linkage – threat (example): re-identification from more detailed data; risk: unauthorised use/disclosure; likelihood: Possible; consequences: High; risk level: Moderate; risk reduction treatment/control: Security Behaviour Training for Record Users

A consequence may have a different risk level depending on context.

The assessment results were transformed into a checklist, i.e. the Risk Management Tool.
An EHR Privacy Risk Management Tool (PRMT): Supports Evaluation of Privacy Risks in an EHR System

Risk Factor: External access to EHR system

High Risk (very likely to cause privacy breach)
• Minimal or missing access controls (e.g. password-only identity verification with poor password hygiene)
• Inadequate network and/or internet security
• Insufficient security training and education of users, including personnel and active patients
• Encryption is not used for email

Moderate Risk (some risk of breach & short term controls possible)
• Basic access control in use (e.g. password only with good password hygiene)
• Basic network and internet security protocols in use
• Infrequent monitoring of system access

Low Risk (less likely to result in privacy breach)
• Strong access controls in use
• Encryption is used
• Users are informed and trained
• Internet & network security protocols used
• Data integrity checking is used
• Virtual Private Network in use
• System audits and access monitoring

Example Risk Assessment Questions (Yes/No)
1. Are data transmissions encrypted?
2. Are users educated about the risks involved in accessing the EHR using the internet?
3. Are users trained to use the system?
4. Is the system robust against user error?
5. Are people given the option to opt out of using the system?
6. Is the connection secure end to end?

Based on controls from the risk analysis.
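Worked example added here, not from the deck or its author: steps 4 and 5 of the cycle applied to the External Access row from the "Putting it all together" slide, followed by the PRMT checklist evaluation for that risk factor. The matrix cell layout and the checklist banding rule are assumptions for illustration (the deck refers to HB 174-2003 for the real matrix); the six questions are the ones on the PRMT slide.

```python
# Added example (not from the slides): steps 4 and 5 of the cycle for one
# threat, then the Yes/No checklist that becomes the Risk Management Tool.
LIKELIHOOD = ["Unlikely", "Possible", "Likely", "Almost Certain"]
SEVERITY = ["Minor", "Moderate", "Major to Critical"]

# ASSUMED cell layout for illustration only; the slides point to HB 174-2003
# p. 25 for the real matrix. Keys follow LIKELIHOOD, columns follow SEVERITY.
MATRIX = {
    "Unlikely":       ["Low", "Low", "Moderate"],
    "Possible":       ["Low", "Moderate", "High"],
    "Likely":         ["Moderate", "Moderate", "High"],
    "Almost Certain": ["Moderate", "High", "High"],
}

def risk_level(likelihood, severity):
    """Step 4 (Evaluate): look up the qualitative risk level for one threat."""
    return MATRIX[likelihood][SEVERITY.index(severity)]

def treat(likelihood, severity, steps=1):
    """Step 5 (Treat): a likelihood-reduction control moves the threat down
    the likelihood scale; consequences stay the same. Returns (before, after)."""
    before = risk_level(likelihood, severity)
    reduced = LIKELIHOOD[max(0, LIKELIHOOD.index(likelihood) - steps)]
    return before, risk_level(reduced, severity)

def checklist(questions, answers):
    """PRMT evaluation: each 'No' is a missing control. ASSUMED banding rule:
    no gaps -> Low, up to half missing -> Moderate, more than half -> High."""
    missing = [q for q, yes in zip(questions, answers) if not yes]
    if not missing:
        return "Low", missing
    return ("High" if len(missing) > len(questions) / 2 else "Moderate"), missing

# Row from the "Putting it all together" slide: External Access (Internet),
# threat "poor online security at user's end", treatment VPN.
EXTERNAL_ACCESS = {"likelihood": "Possible", "severity": "Moderate",
                   "treatment": "Virtual Private Network"}
PRMT_QUESTIONS = [  # from the PRMT slide, risk factor "External access to EHR system"
    "Are data transmissions encrypted?",
    "Are users educated about the risks of accessing the EHR via the internet?",
    "Are users trained to use the system?",
    "Is the system robust against user error?",
    "Are people given the option to opt out of using the system?",
    "Is the connection secure end to end?",
]

if __name__ == "__main__":
    before, after = treat(EXTERNAL_ACCESS["likelihood"], EXTERNAL_ACCESS["severity"])
    print(EXTERNAL_ACCESS["treatment"], before, "->", after)  # Moderate -> Low
    print(checklist(PRMT_QUESTIONS, [True, False, True, True, False, True]))
```

Under the assumed matrix the VPN treatment takes the External Access threat from Moderate to Low, which matches the "Moderate/Low" reading of that row; a different matrix or a context-specific judgement, as the deck notes, would give a different level.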