I SECURITY
The Santa Fe Group/Shared Assessments Healthcare Working Group
Internet Security Alliance (ISA)
Health care industry leaders
Security and privacy experts
Availability
Integrity
Trust
Confidentiality
WHAT'S HAPPENING?
THE RAMIFICATIONS
For the first time in history, it is possible to:
- Improperly disclose the PHI of millions of individuals in a matter of seconds,
- Steal health information from a virtual location, and
- Breach PHI in a manner that makes it impossible to restore.
SO WHAT'S HAPPENING?
PHI PROJECT SURVEY FINDINGS
WHY A MODEL?
Published average costs of a data breach exist, but are they relevant to every organization? This model provides an opportunity to:
- Be specific to an organization,
- Calculate what a breach might actually cost, and
- Build a compelling business case for strengthening a compliance program.
1. The Progression of the Health Care Ecosystem
2. The Evolution of Laws, Rules, and Regulations
3. PHI Data Breach Landscape
4. Threats and Vulnerabilities
5. Safeguards and Controls
6. Survey Findings: Current Practices and Attitudes
7. PHIve: The 5-Step Method of Data Breach Costing
8. Calculating the Cost of a PHI Breach Using PHIve
9. Finale
10. Appendices
Assess the Risks, Vulnerabilities and Applicable Safeguards and Controls for each PHI home.
TABLE 5: DETERMINING THE LIKELIHOOD OF ELECTRONIC DATA BREACHES

Threats
- Computer-Based Attack
- Penetration
- Destruction of Files
- Destruction of Systems or Pathways
- Sabotage
- Theft of ePHI
- Unauthorized Creation of ePHI
- Unauthorized Deletion of ePHI
- Unauthorized Modification of ePHI
- Vandalism

Applications to be Considered
- Admit, Discharge & Transfer (ADT)
- Electronic Medication Administration Record System (MARS)
- Order Entry (CPOE) Systems or Applications
- Imaging (PACS) Systems/Application
- Accounting Systems or Applications
- Billing and Receivables Systems or Applications
- Electronic Record Systems or Applications
- Dictation & Transcription Systems or Applications
- Systems or Applications used for Utilization Reviews
- Systems or Applications Used for Accreditation
- Systems or Applications Used for Oversight/Root Cause Analysis/Governance Purposes
- Systems or Applications Used for Auditing, Credentialing, Litigation or

Vulnerabilities to be Considered
- Lack of Encryption/Decryption Capabilities
- Lack of Reliable Data Back-up and Recovery
- Multiple System Access
- LAN, WAN or External System Network Pathways
- No protection against Data Interception
- No protection against Hacking
- No protection against Port Scanning and Sniffing
- No protection against Social Engineering
- Flaws in Technology and Software or Protocol Designs
- No Protocols for Peer-to-Peer File Sharing
- Missing Security Agents
- Unauthorized Remote-Control Software
- No Controls on Media Files
- LANs, WAN or External System or Modems in Laptops
- Unauthorized or Unsecured Synchronization Software
- No protection against Wireless Connectivity
- No protection against Downloading Files

Safeguards/Controls to be Rated
- Authentication of Authorized Users
- Strong Authentication Construction
- Documented Processes and Training
- Reviewed and Approved Clearance for Authorized Users
- Audit Controls for Identifying Unauthorized Users
- Audit Controls for Identifying Unauthorized Activity
- Encryption and Decryption Capabilities
- Data Integrity Controls
- Transmission Security
- Limited to a Single System
- is Unnecessary
- not Protected
- No Network Pathway
- Unprotected Pathway
DETERMINE THE LIKELIHOOD OF A DATA BREACH FOR EACH PHI HOME AND ASSIGN A SECURITY READINESS SCORE
Assign a Relevance Factor to the calculated cost of a data breach for each PHI home that has an unacceptable SECURITY READINESS SCORE
Scoring the Total Impact (grand total of breach costs as a percentage of annual revenue)
Insignificant: less than 2% of revenue
Minor: 2% of revenue
Moderate: 4% of revenue
Major: 6% of revenue
Severe: greater than 6% of revenue
Estimated Total Impact
Grand total of breach costs: $26,493,617
Annual revenue of entity: $241,836,404
Cost as % of annual revenue: 11%
Impact score: Severe
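The PHIve steps shown on the preceding slides (assess each PHI home against Table 5, assign a Security Readiness Score, apply a Relevance Factor to the breach cost of every home whose score is unacceptable, total the costs, and band the total as a percentage of annual revenue) as an added Python example. This is not code from the report or the PHI Project; the readiness scoring rule (share of Table 5 safeguards in place), the 70-point "unacceptable" threshold, the 0..1 Relevance Factor and the sample inventory of PHI homes are assumptions, and the band boundaries follow the deck's thresholds literally (Major at exactly 6%, Severe strictly above it). Only the $26,493,617 / $241,836,404 check reproduces figures from the deck.

```python
"""PHIve-style breach costing: per-PHI-home readiness, relevance-weighted cost,
impact as a percentage of revenue, banded impact score.

Added example. The readiness scale, the 'unacceptable' threshold and the 0..1
Relevance Factor are assumptions of this example, not values from the report.
"""
from dataclasses import dataclass

# Safeguards/Controls "to be rated" in Table 5 (the legible entries).
SAFEGUARDS_RATED = (
    "Authentication of Authorized Users",
    "Strong Authentication Construction",
    "Documented Processes and Training",
    "Reviewed and Approved Clearance for Authorized Users",
    "Audit Controls for Identifying Unauthorized Users",
    "Audit Controls for Identifying Unauthorized Activity",
    "Encryption and Decryption Capabilities",
    "Data Integrity Controls",
    "Transmission Security",
)

# Assumption: a home scoring below this is "unacceptable" and therefore
# contributes its relevance-weighted breach cost to the grand total.
UNACCEPTABLE_READINESS = 70.0


@dataclass
class PHIHome:
    name: str
    breach_cost: float            # calculated cost if this home is breached (USD)
    controls_in_place: frozenset  # subset of SAFEGUARDS_RATED found in the assessment
    relevance_factor: float       # assessor-assigned weight, 0..1 (assumed scale)

    def readiness_score(self) -> float:
        """Security Readiness Score, 0..100: share of rated safeguards in place.
        (This scoring rule is the example's, not the deck's.)"""
        present = self.controls_in_place & frozenset(SAFEGUARDS_RATED)
        return 100.0 * len(present) / len(SAFEGUARDS_RATED)

    def relevant_cost(self) -> float:
        """Relevance-weighted cost; homes with an acceptable score contribute nothing."""
        if self.readiness_score() >= UNACCEPTABLE_READINESS:
            return 0.0
        return self.breach_cost * self.relevance_factor


def impact_band(pct_of_revenue: float) -> str:
    """Map cost as % of annual revenue to the deck's impact score. The deck gives
    single percentages for Minor/Moderate/Major; they are read as band lower
    bounds (assumption), with Severe strictly above 6%."""
    if pct_of_revenue < 2.0:
        return "Insignificant"
    if pct_of_revenue < 4.0:
        return "Minor"
    if pct_of_revenue < 6.0:
        return "Moderate"
    if pct_of_revenue <= 6.0:
        return "Major"
    return "Severe"


def total_impact(homes, annual_revenue: float) -> dict:
    """Grand total of relevance-weighted breach costs, % of revenue, impact score."""
    if annual_revenue <= 0:
        raise ValueError("annual_revenue must be positive")
    grand_total = sum(h.relevant_cost() for h in homes)
    pct = 100.0 * grand_total / annual_revenue
    return {"grand_total": grand_total, "pct_of_revenue": pct,
            "impact_score": impact_band(pct)}


# Constructed sample inventory (not data from the deck).
SAMPLE_HOMES = [
    PHIHome("ADT", 9_000_000.0,
            frozenset(SAFEGUARDS_RATED) - {"Transmission Security"}, 0.6),  # 8/9 in place
    PHIHome("PACS imaging", 12_000_000.0,
            frozenset({"Authentication of Authorized Users",
                       "Documented Processes and Training"}), 0.8),          # 2/9 in place
    PHIHome("Billing and Receivables", 6_000_000.0,
            frozenset({"Authentication of Authorized Users",
                       "Audit Controls for Identifying Unauthorized Users",
                       "Encryption and Decryption Capabilities",
                       "Data Integrity Controls"}), 0.5),                    # 4/9 in place
]
SAMPLE_REVENUE = 241_836_404.0  # annual revenue figure from the deck's worked example


if __name__ == "__main__":
    for h in SAMPLE_HOMES:
        print(f"{h.name:24s} readiness={h.readiness_score():5.1f} "
              f"relevant_cost=${h.relevant_cost():,.0f}")
    result = total_impact(SAMPLE_HOMES, SAMPLE_REVENUE)
    print(f"grand total ${result['grand_total']:,.0f} = "
          f"{result['pct_of_revenue']:.1f}% of revenue -> {result['impact_score']}")
    # The deck's own worked figures: $26,493,617 / $241,836,404 -> 11% -> Severe
    print(impact_band(100.0 * 26_493_617 / 241_836_404))
```

With the sample inventory only the PACS and billing homes fall below the threshold, so the grand total is $12,600,000, about 5.2% of revenue, a Moderate impact; the deck's own figures map to Severe. The point of separating the Relevance Factor from the readiness score is that a home can be badly defended yet hold little PHI worth costing, or vice versa, and the total only reflects homes the assessment actually found wanting.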
IN SUMMARY...