Information
security (InfoSec) in the healthcare delivery system relates to the defense
mechanism or risk control strategies, an aspect of risk management, employed to
protect Protected health information (PHI) or Electronic-Protected health
information (e-PHI) “from unauthorized access, use, disclosure, disruption,
modification, perusal, inspection, recording or destruction” (Wikipedia.org).
The
control (defense) strategies adopted are more or less dependent on the type and
nature of threats and vulnerabilities a particular PHI or e-PHI could be
exposed to. In general, the following are common threats and defense strategies
faced by PHI or e-PHI: Table 1.0 (adapted from Wikipedia.org, 2016)
Threats
|
Defenses
|
Computer
crime
Vulnerability
Eavesdropping
Employees
Exploits
Out
dated devices, equipment and applications
Trojans
Viruses
and worms
Denial
of service (DoS)
Malware
Payloads
Rootkits
Keyloggers
|
Access
Control Systems
Application
security:
Antivirus
Secure coding
Secure architecture
Secure Operating systems
Secure Network
Authentication
Multi-factor authentication
Two-factor authentication
Authorization
Data-centric
security
Firewall
(computing)
Intrusion
detection system
Intrusion
prevention system
Mobile
secure gateway
Security
training, education and awareness program
|
Layered Security Control: “the most common misconception is that
a firewall will secure your computer facilities and additional steps don't need
to be taken. A firewall is just one component of an effective security model.
Additional components or layers should be added to provide an effective
security model within (the particular healthcare delivery) organization. The
security model that will protect your organization should be built upon the
following layers:
- Security policy of your healthcare delivery organization
- Host system security
- Auditing
- Router security
- Firewalls
- Intrusion detection systems
- Incident response plan
Using multiple layers in a security model is the most effective
method of deterring unauthorized use of computer systems and network services.
Every layer provides some protection from intrusion, and the defeat of one
layer may not lead to the compromise of the whole organization. Each layer has
some inter-dependence on other layers. For example, the intrusion detection
systems and the incident response plan have some interdependencies. Although
they can be implemented independently, it's best when they're implemented
together. Having an intrusion detection system that can alert you to
unauthorized attempts on your system has little value unless an incident
response plan is in place to deal with problems. The most important part of
overall security organization is the security policy. You must know what you
need to protect and to what degree. All other layers of the security model
follow logically after the implementation of the organization security policy. The
overall security integrity of your organization is dependent upon the
implementation of all layers of the security model. The implementation of the
layered approach to security should be undertaken in a logical and methodical
manner for best results and to ensure the overall sanity of the security personnel”
(Watson, Peter).
“Implementation of a Layered
Security Architecture will address: People, Perimeter Entry Points, Connections
between systems, information stores, and Exit Points. Perimeter Security would
include – Firewalls, Router Access List, NAT, Encryption, Operating System
Security, Patch Management, Automated Virus Checking and Updates, Spyware
checking. Mail Security – Open Relay Prevention, Virus Checking, Content
Blocking, Spam Control, Dial-in Security – Authentication, Placement Outside
Firewall, Users – Education, Controlled Distribution of Access, VPN, Intrusion
Detection and Prevention. Results: Reduced downtime, increased productivity,
successful audits, satisfied users, satisfied management” (Mansur,
Hasib) in the healthcare delivery system.
Effective
risk management of PHI or e-PHI involves putting in place necessary
administrative, logical and physical controls; in depth defense mechanism,
information security classification and categorization, access control
(identification, authentication, authorization), cryptography and information
security training, education and awareness in a layered or structured manner,
since no one information security control measure can effectively prevent or
mitigate data breach. The overall goal is to ensure confidentiality, integrity,
and availability of PHI or e-PHI.
In
conclusion, “As the United States and other nations grapple with healthcare
quality and unsustainable costs, health information exchanges, and
collaborative care models, sensitive health information is becoming more
vulnerable. Information that previously remained on paper and accessible only
to the healthcare provider and staff who produced it will increasingly flow
electronically among providers, within and outside a hospital’s walls, and
between providers and other stakeholders, such as payers. Health Information Technology
(HIT) creates fluid information, enabling more people to access and alter
private health information and creating more issues for providers and payers in
managing risks and compliance” (Frost & Sullivan), But, through proper and
well-structured or Layered security control, the risk exposure to PHI and e-PHI
are considerably controlled.
References
Information security. Wikipedia.
(2016-11-2). Retrieved (2016-12-2).
Health Information Technology:
The Imperative of Risk and Compliance Management in
the
HITECH Age. Frost & Sullivan. (n.d.). Retrieved (2016-12-2). http://www.emc.com/collateral/analyst-reports/fs-health-information-technology-ar.pdf
Mansur Hasib.
Combining Policy, Practice, and Technology to Architect Layered
Network Security at UMBI. (2005). Retrieved (2016-2-9). https://net.educause.edu/ir/library/pdf/MAC0504.pdf
Mansur Hasib. Example Incident
Response Plan. Retrieved (2016-2-9) Example Incident Response Plan: http://www.umbi.umd.edu/~hasib/irp.pdf
Peter Watson. Intrusion
Detection, Security Model, and Layered security control: (2016).
Retrieved
(2016-2-10). http://www.sans.org/security-resources/idfaq/layered_defense.php
Multi-Layered
Security Plan. (2016) Retrieved (2016-2-9)
Whitman, M., E., &
Mattord, H., J., (2014). Management of Information Security. 4th ed. Boston: Cengage Learning.
No comments:
Post a Comment