Objective Vulnerability Assessment - PowerPoint PPT Presentation

Description: Objective Vulnerability Assessment Risks for Unauthorized Disclosure of Patient Information Farrokh Alemi, PhD Confusion on What Works Vulnerability assessment is a ...
Slides: 19
Provided by: farrok1
Learn more at: http://gunston.gmu.edu

Transcript and Presenter's Notes

1
Objective Vulnerability Assessment
  • Risks for Unauthorized Disclosure of Patient
    Information
  • Farrokh Alemi, PhD

2
Confusion on What Works
  • Vulnerability assessment is a large and growing
    industry
  • Best practices are not clear
  • Consensus models perpetuate claims of
    vulnerability
  • Consensus models are static as opposed to dynamic
    and evolutionary

Objective data is needed
3
Misleading Assessments
  • Without objective data we do not know if risk
    priorities are accurate
  • Like children fighting imaginary foes,
    organizations are asked to protect against
    vulnerabilities that may not exist

Objective data is needed
4
Money Is Wasted
  • Can't secure all operations; have to pick and
    choose
  • More security is not better
  • Security may reduce productivity
  • Business builds on trust not fear
  • No point to secure a process if the business fails

Objective data is needed
5
Why Not Base Vulnerability Assessment on Data?
  • It can't be done
  • Rare events
  • Risk is not quantifiable
  • Data is not available
  • Historical precedents are not relevant as
    terrorists and criminals innovate

6
Accurate Probabilities for Rare Events
  • Time to event
  • $p(V_i) = 1 / (1 + t_i)$, where $t_i$ is the time between events
  • Allows calculation of very small probabilities

7
It Can Be Done: Application to Unauthorized
Disclosure
  • $p(U) = \sum_{i=1}^{n} p(U \mid V_i)\, p(V_i)$
  • $p(U \mid V_i) = p(V_i \mid U)\, p(U) / p(V_i)$
  • Where
  • $p(V_i)$ is the probability of the vulnerability
  • $p(U)$ is the probability of unauthorized disclosure
  • $p(V_i \mid U)$ is the prevalence of the vulnerability among
    reported unauthorized disclosures

8
Sources of Data
  • Incidence database
  • List of vulnerabilities
  • Prevalence of violations
  • Prevalence of vulnerabilities among violations
  • Assessment surveys
  • Risk score
9
Construction of Incidence Database
  • Legal case reviews
  • Office of Civil Rights database
  • Published reports
  • Private surveys

10
Probability of Unauthorized Disclosure
11
Vulnerabilities Derived from the Database
  • Clinician using unsecured email environment
  • Clinician gathers information from patient's
    family and friends after the visit
  • Discussion of patient care with co-workers not
    engaged in care
  • Medical reports or records with wrong recipient
    information
  • Caring for employees' friends and family members
  • Benefit organizations or employers request
    employee information
  • Employees engaged in whistle-blowing to uncover
    illegal or unacceptable business or clinical
    practices
  • Patient records (paper documents) not kept in
    secure environment or sealed envelope or
    documents displayed in plain view of others
  • Clinician discusses patient care in a setting
    where others can easily hear
  • Employee removes patient records from secure
    location or workplace without authorization
  • Employee views paper documents or manipulates
    computer passwords to view medical records of
    patients not under his/her care
  • External infection of computers / password /
    network Systems (e.g. computer hacker)
  • Theft of computers or hard drives
  • Sale of patient records
  • Blackmail/Extortion of organization or an
    employee
  • Patient using identity of another person to gain
    insurance benefits
  • Changes in custody or family relationships not
    revealed by the patient
  • Audit of business practices by outside firm
    without clinician's approval
  • Business Associate violates Chain of Trust
    Agreement
  • Legal System/Law Enforcement requests, subpoenas
    or seizes patient records
  • Error in patient identity during data transfer to
    third party insurers

12
Prevalence of Vulnerabilities Among Unauthorized Disclosures
Category | Hazard (V_i) | p(V_i | U)
Impermissible sharing of patient health information | Clinician using unsecured email environment | 0.01
Impermissible sharing of patient health information | Clinician attempting to gather information from patients' family and friends | 0.14
Impermissible sharing of patient health information | Discussion of patient with co-workers not engaged in care | 0.08
Impermissible sharing of patient health information | Medical reports or records with wrong recipient information | 0.07
Impermissible sharing of patient health information | Caring for clinicians' friends and family members and discussing the care outside of the work environment | 0.03
Impermissible sharing of patient health information | Benefit organizations or employers request patient information | 0.04
13
Prevalence of Vulnerabilities Among Unauthorized Disclosures
Category | Hazard (V_i) | p(V_i | U)
Lack of physical safeguards for PHI | Patient records (paper documents) not kept in secure environment or sealed envelope, or documents displayed in plain view of others | 0.14
Lack of physical safeguards for PHI | Patient records or information discussed in a setting where others can easily hear | 0.05
Inappropriate access to patient health information | Employee removes patient records from secure location or workplace without proper authorization or just cause | 0.01
Inappropriate access to patient health information | Employee views paper documents or manipulates computer passwords to view medical records of patients not under his/her care | 0.10
Illegal activities | External infection of computers/password/network systems (e.g. computer hacker) | 0.01
Illegal activities | Theft of computers or hard drives | 0.02
Illegal activities | Sale of patients' records | 0.06
Illegal activities | Blackmail/extortion of your organization or an employee | 0.02
14
Prevalence of Vulnerabilities Among Unauthorized Disclosures
Category | Hazard (V_i) | p(V_i | U)
Patient causes | Patient using identity of another person to gain insurance benefits | 0.01
Patient causes | Changes in custody or family relationships not revealed by the patient | 0.01
3rd party causes | Audit of clinical practices by outside firm without clinician approval | 0.01
3rd party causes | Business Associate violates Chain of Trust Agreement | 0.02
3rd party causes | Legal system/law enforcement requests, subpoenas or seizes medical records | 0.12
3rd party causes | Error in patient identity during transfer of data to third party insurers | 0.01
15
Best Practice Vulnerability Assessment Tool
  • Derived from incidence database
  • Relying on time between events
  • Asking questions like
  • When were the last two times that you emailed a
    patient in an unsecured environment?
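
The formulas on slides 6 and 7, driven by the survey question on slide 15, carried through as an added worked example in Python. This is not code from the presentation or from its author; it is a reading of the method. It assumes a daily time unit throughout, a constructed baseline p(U) and constructed population-level p(V_i) values (the presentation gives neither), and that the Bayes step uses the population-level p(V_i) while the final score uses the organization's own time-to-event p(V_i) from its survey answers (this example's interpretation of the data sources on slide 8). The p(V_i | U) prevalences are a subset of the slide 12 to 14 tables; the survey answers are constructed.

```python
"""Added example: objective risk score from time-to-event survey answers and
incidence-database prevalences. Not code from the presentation."""
from datetime import date
from typing import Dict, Optional, Tuple

# Subset of the prevalence table p(V_i | U) from slides 12-14.
PREVALENCE_GIVEN_U: Dict[str, float] = {
    "unsecured_email": 0.01,        # clinician using unsecured email environment
    "wrong_recipient": 0.07,        # records sent with wrong recipient information
    "records_in_plain_view": 0.14,  # paper records not kept secure / in plain view
    "password_manipulation": 0.10,  # employee views records of patients not under their care
}

# ASSUMPTION (constructed numbers, not from the presentation): baseline per-day
# probability of an unauthorized disclosure from the incidence database, and the
# population-level per-day probability of each vulnerability from pooled
# assessment surveys. Both must use the same time unit as t_i below.
BASELINE_P_U = 0.001
POPULATION_P_V: Dict[str, float] = {
    "unsecured_email": 0.02,
    "wrong_recipient": 0.05,
    "records_in_plain_view": 0.10,
    "password_manipulation": 0.01,
}


def time_to_event_probability(last_two: Optional[Tuple[date, date]]) -> float:
    """Slide 6: p(V_i) = 1 / (1 + t_i), with t_i the days between the last two
    occurrences the organization reports. A vulnerability that has never
    occurred (no dates) gets probability 0. Date order does not matter."""
    if last_two is None:
        return 0.0
    earlier, later = sorted(last_two)
    t_i = (later - earlier).days
    return 1.0 / (1.0 + t_i)


def p_u_given_v(name: str) -> float:
    """Slide 7 (Bayes): p(U | V_i) = p(V_i | U) * p(U) / p(V_i), using the
    population-level p(V_i). The joint p(V_i, U) can never exceed p(V_i), so
    inputs that violate this are inconsistent data rather than a probability."""
    joint = PREVALENCE_GIVEN_U[name] * BASELINE_P_U
    p_v = POPULATION_P_V[name]
    if joint > p_v:
        raise ValueError(f"inconsistent data for {name}: p(V_i|U) p(U) > p(V_i)")
    return joint / p_v


def risk_score(survey: Dict[str, Optional[Tuple[date, date]]]) -> float:
    """Slide 7: p(U) = sum_i p(U | V_i) * p(V_i), where p(V_i) is now the
    organization's own time-to-event estimate from its survey answers."""
    return sum(p_u_given_v(name) * time_to_event_probability(dates)
               for name, dates in survey.items())


def rank_vulnerabilities(survey: Dict[str, Optional[Tuple[date, date]]]):
    """Contribution of each vulnerability to the score, largest first, so the
    assessment focuses attention on hazards that are real and likely to occur."""
    contributions = {name: p_u_given_v(name) * time_to_event_probability(dates)
                     for name, dates in survey.items()}
    return sorted(contributions.items(), key=lambda kv: kv[1], reverse=True)


# Constructed answers to "When were the last two times that ...?" (slide 15).
EXAMPLE_SURVEY: Dict[str, Optional[Tuple[date, date]]] = {
    "unsecured_email": (date(2024, 1, 10), date(2024, 1, 17)),      # t = 7 days
    "wrong_recipient": (date(2024, 1, 31), date(2024, 1, 1)),       # t = 30 days, reversed order
    "records_in_plain_view": (date(2024, 3, 1), date(2024, 3, 2)),  # t = 1 day
    "password_manipulation": None,                                  # never happened
}

if __name__ == "__main__":
    print(f"overall p(U) per day: {risk_score(EXAMPLE_SURVEY):.6f}")
    for name, share in rank_vulnerabilities(EXAMPLE_SURVEY):
        print(f"  {name:24s} {share:.6f}")
```

The ranking is where the method pays off: a hazard with a high prevalence in the incidence database but no recent occurrence at this organization (here, password manipulation) contributes nothing, while a low-severity but frequent one (records left in plain view, one day apart) dominates the score.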

16
Unprecedented Vulnerabilities
  • Assessed based on similarity to actual events
  • Where

17
Advantages
  • Applies to privacy as well as security violations
  • Produces a quantitative score for overall risk,
    useful for benchmarking
  • Based on objective data
  • Focuses attention on vulnerabilities that are
    real and likely to occur
  • Reduces unnecessary fear and security
    interference with business processes
  • Can be used to set fair insurance premiums

18
Objective Vulnerability Assessment is Possible
  • It is faster and more accurate than consensus-based
    vulnerability assessments