Applying Software Threat Analysis and Mitigation
Walter Reed National Military Medical Center is located at 8901 Rockville Pike, Bethesda, MD. The medical center sits on 243 acres. The facility has a total of 274 beds. This campus’ information is linked to the other locations within the network, and protecting this information is the number one priority.
Walter Reed has legal requirements to protect the privacy of people’s health information. This covers information that can be used to identify a patient and that was created or received about the patient’s past, present or future health conditions, the care received, or payment for that care. Walter Reed provides patients with a notice of privacy practices that explains how, when, and why it uses and discloses patients’ protected health information, or PHI for short. Because health information is an asset, the threats and vulnerabilities to the hospital information system must be identified.
The threats to the hospital information system are classified into two main categories, internal and external; three of each type of threat will be discussed. The internal threats are identified as follows:
• Acts of human error/failure
  o Accidental deletion or modification of data
  o Incorrect data entry
  o Misdirection of confidential information
  o Social engineering attacks
  o Storage of information in unprotected areas by employees
  o Unauthorized Internet use
• Server malfunction
  o Software and hardware failure
  o Climate control malfunction
• Malware
  o Adware
  o Malicious viruses
  o Trojan horses
The external threats are identified as follows:
• Power failure
  o Backup generator failure
  o Local power outage
  o Regional power outage
• Natural disaster
  o Fire
  o Flood
• Terrorist attacks
  o Information espionage
The list above covers the common threats and vulnerabilities that most hospitals face. Together they form the overall risk a hospital must address to keep information private. External and internal threats have a rock-slide effect: one exploited vulnerability can easily lead to another. When a hospital continually checks its compliance and risk management culture, the ongoing process uses the hospital’s resources more efficiently, lowering the total cost of operation, creating revenue-producing prospects, and adding value to its services.
Continuous risk management stays in harmony with the legal, regulatory and ethical requirements for protecting data. According to the American Bar Association (Ries, 2010), “ABA Model Rule 1.6 generally defines the duty of confidentiality—and significantly, it broadly extends that duty to ‘information relating to the representation of a client.’ It’s now commonly accepted that this duty applies to client information in computer and information systems as well. In addition, an amendment to Model Rule 1.6, part of the Ethics 2000 revisions, added new Comment 16 to the rule. This comment requires reasonable precautions to protect and preserve confidential information.” If you handle personal information about people, you have several legal obligations to protect that information under the Data Protection Act 1998; the HIPAA law protects patients by requiring the hospital to protect personally identifiable information. According to the U.S. Department of Health and Human Services (U.S. Department of Health and Human Services, n.d.), the hospital must comply with the following: “…Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately here because, by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.” The risk analysis process includes:
• Evaluation of the effect and probability of potential risk to protected health information
• Apply appropriate security procedures to deal with the identified risks
• Record the chosen security procedure when required, and should be able to adapt to those procedures
• Maintain continuous, reasonable, and appropriate security protections”
The regulations state clearly that risk management is required by federal law and must be an ongoing process that routinely evaluates the effectiveness of the security measures put in place and regularly reevaluates potential risks to e-PHI.
The ethical aspect of protecting hospital information is governed by the American Health Information Management Association (AHIMA) Code of Ethics. This association sets the standard for US hospitals and provides specific guidelines for hospitals to maintain their information ethics. The AHIMA Code of Ethics serves seven purposes:
• Promotes high standards of HIM practice
• Identifies core values on which the HIM mission is based
• Summarizes broad ethical principles that reflect the profession’s core values
• Establishes a set of ethical principles to be used to guide decision-making and actions
• Establishes a framework for professional behavior and responsibilities when professional obligations conflict or ethical uncertainties arise
• Provides ethical principles by which the general public can hold the HIM professional accountable
• Mentors practitioners new to the field to HIM’s mission, values, and ethical principles (AHIMA HIM Body of Knowledge, 2011)
The code is an enforceable guideline: each principle is enforced through the professional judgment of those reviewing alleged violations of ethical principles.
To sum up, protecting hospital personally identifiable information is the patients’ legal and ethical right. To uphold these rights, Walter Reed Medical Center is legally and ethically obligated to maintain a continuous IT and security risk management program of policies and procedures. By continually protecting hospital information, Walter Reed can avoid costly legal action, maintain its reputation, and ensure quality care.