What is Information Security Risk Management?

Hospitals are some of the finest examples of practical risk management.  Every day choices are weighed and actions are taken in clinical care and administrative support to achieve the best possible outcomes.  Part of the reason for the amazing impact modern hospitals have on our daily lives is due to the application of sound decision making processes that are well documented, measured, and evaluated.  This process is what constitutes management, and it does not detract from the talents of so many dedicated individuals that make up the staff of the hospital, but rather enhances the combined effectiveness of the entire team.

One of the cornerstones of good management is risk management.  Most hospitals have a risk management committee.  But for those who do not participate on the committee, it may seem far removed from the daily goings-on of the hospital, so I would like to explain what risk management is, within the narrow application of information security.

If you read my previous blog on information security, you already have an understanding of the importance of this field on hospitals, insurers, and managed care organizations. Information security risks can be documented and measured based on several methodologies, but here is a quick reference to help everyone understand how those methodologies work, and the language used to describe them.

To start, information faces certain threats and vulnerabilities (to clarify, threats are from outside your organization, and vulnerabilities are inside your organization).  Sometimes, threats and vulnerabilities work together, and the end result of one or both achieving their purpose is called an impact.  When talking about information security, impacts are usually described in terms of confidentiality, integrity, and availability (more about these below).  Along with impacts, the probability that an impact will occur is also factored in.  To determine the risk posed by the threats and vulnerabilities, the probability and impact are used to arrive at a risk score.  If it is too high a risk, controls are put in place to reduce the risk to an acceptable level.
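To make the scoring language above concrete, here is a small added example (not from the original post) that models a risk as probability times the worst impact across confidentiality, integrity and availability, compares it with an acceptable level, and shows a control lowering it. The 1-to-5 scales, the threshold of 6, and the lost-laptop scenario are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, replace

# Ordinal scales are assumed for this example: 1 (low) to 5 (very high).
# The post names the concepts (probability, impact on C/I/A, acceptable
# level, controls) but gives no numbers, so these values are constructed.
ACCEPTABLE_RISK = 6  # assumed threshold: scores above this need a control


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int        # likelihood the impact occurs, 1..5
    confidentiality: int    # impact on each CIA property, 1..5
    integrity: int
    availability: int
    controls: tuple = ()    # names of controls already applied

    def score(self) -> int:
        """Risk score = probability x the worst impact across C, I and A."""
        worst_impact = max(self.confidentiality, self.integrity, self.availability)
        return self.probability * worst_impact

    def acceptable(self) -> bool:
        return self.score() <= ACCEPTABLE_RISK


def apply_control(risk: Risk, name: str, **new_levels: int) -> Risk:
    """Return the residual risk after a control lowers the probability and/or
    one or more impact levels.  The original Risk object is left unchanged,
    so the before-and-after scores can be recorded side by side."""
    allowed = {"probability", "confidentiality", "integrity", "availability"}
    unknown = set(new_levels) - allowed
    if unknown:
        raise ValueError(f"unknown field(s): {sorted(unknown)}")
    return replace(risk, controls=risk.controls + (name,), **new_levels)


# Constructed sample: an unencrypted laptop holding patient records is lost.
# Disclosure (confidentiality) is the dominant impact; the records still
# exist elsewhere, so integrity and availability are barely affected.
LOST_LAPTOP = Risk("unencrypted laptop with patient records lost",
                   probability=3, confidentiality=5, integrity=1, availability=2)

if __name__ == "__main__":
    print(LOST_LAPTOP.name, "->", LOST_LAPTOP.score(), LOST_LAPTOP.acceptable())
    residual = apply_control(LOST_LAPTOP, "full-disk encryption", confidentiality=1)
    print("after", residual.controls, "->", residual.score(), residual.acceptable())
```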

Why does any of this matter if you are not on a risk committee?  Because we all manage risk every day, even if you don’t call it by this name.  For example, when you are preparing to go to work, you hear the weather report and it says there is a 50% chance of rain by noon, becoming freezing rain by the evening.  So there is a threat of rain.  Combined with your vulnerability to cold, wet conditions (hypothermia, etc.) leading to sickness, you decide the risk (the impact combined with the probability) is too high for you to accept.  You decide to bring a raincoat and umbrella, as well as a change of shoes, and now the risk is greatly reduced that you will be sick due to the weather.

When it comes to information security, rather than hypothermia, the concerns are disclosure of patient information (confidentiality), the usefulness and clarity of the information (integrity), and the ability to pull up patient information when and where it is needed (availability).  Without this information, every patient contact would require re-examination, there would be no records to reference, and patient privacy could not exist.

So the rules and policies imposed by the IT department, while seemingly a cumbersome pile of techno-speak, are really responses to the risks faced by medical facilities with regard to patient information and treatment, whose end goal is to reduce the risks to acceptable levels while allowing everyone to continue to do their part for successful patient care and ongoing hospital administration.


A 25-Worst List to Make Your Eyes Roll

Is your password a Boov password?  If you have seen the movie Home as many times as my children, you know the best password in the world is, “My name is Oh and Captain Smek is great and anyone who does not think that is a poomp1.”  Do you ever wonder what the worst passwords are?  The ones that are easily guessed or likely to be hacked?  Due to all of the breaches in 2015, researchers at SplashData have compiled a list of the 25 worst passwords for the past year.  Word to the wise, if you see your password on the list, change it.

Which brings us to the problem with passwords – they are out of date.  What you should be using are pass phrases, or complete sentences with numerals and punctuation, whenever possible.  There are many advantages to using longer phrases and sentences rather than passwords:

  • They are easier to remember,
  • They are easier to change when you are required to,
  • They are more secure.

Most IT departments no longer limit your “password” to ten or twelve characters, so making a pass phrase is easy to do.  Consider these as examples – all include at least one upper case, lower case, a numeral and punctuation:

  • I live on 1st Street. (21 characters, because spaces count)
  • Never eat 3 soggy waffles! (26 characters)
  • I am 2x as smart as you. (24 characters)

Do not use one of these as your pass phrase, but think of a phrase that would work for you.  And if you were wondering what the worst were, here is the list, with their change in rank from 2014:

  1. 123456 (Unchanged)
  2. password (Unchanged)
  3. 12345678 (Up 1)
  4. qwerty (Up 1)
  5. 12345 (Down 2)
  6. 123456789 (Unchanged)
  7. football (Up 3)
  8. 1234 (Down 1)
  9. 1234567 (Up 2)
  10. baseball (Down 2)
  11. welcome (New)
  12. 1234567890 (New)
  13. abc123 (Up 1)
  14. 111111 (Up 1)
  15. 1qaz2wsx (New)
  16. dragon (Down 7)
  17. master (Up 2)
  18. monkey (Down 6)
  19. letmein (Down 6)
  20. login (New)
  21. princess (New)
  22. qwertyuiop (New)
  23. solo (New)
  24. passw0rd (New)
  25. starwars (New)
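The pass phrase criteria above (length with spaces counted, upper case, lower case, a numeral and punctuation) plus the worst-passwords list can be turned into a simple policy check. This is an added example, not code from the original post or from SplashData; the 20-character minimum is an assumption chosen so that the post's three sample phrases pass.

```python
import string

# The 25 entries from the SplashData 2015 list above, ranks dropped.
WORST_PASSWORDS_2015 = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey",
    "letmein", "login", "princess", "qwertyuiop", "solo", "passw0rd",
    "starwars",
}

MIN_LENGTH = 20  # assumed policy floor; the post's examples run 21 to 26


def check_passphrase(candidate: str) -> list:
    """Return a list of policy failures for a candidate pass phrase.

    An empty list means the phrase passes.  Length counts spaces, exactly as
    the post counts them, and the four character-class checks are the ones
    the post's sample phrases meet.
    """
    problems = []
    lowered = candidate.lower()
    if lowered in WORST_PASSWORDS_2015:
        problems.append("appears on the 2015 worst-passwords list")
    # Tacking a symbol or digit onto a known-bad password does not rescue it.
    # Only entries of six or more characters are used as substrings, so short
    # words such as "login" or "solo" do not trip on ordinary sentences.
    elif any(w in lowered for w in WORST_PASSWORDS_2015 if len(w) >= 6):
        problems.append("contains a password from the 2015 worst-passwords list")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"only {len(candidate)} characters "
                        f"(minimum {MIN_LENGTH}, spaces count)")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeral")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no punctuation")
    return problems


if __name__ == "__main__":
    for phrase in ("I live on 1st Street.", "Passw0rd!", "password"):
        print(repr(phrase), "->", check_passphrase(phrase) or "OK")
```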

What is Information Security?

Simply put, information security is about protecting information.  In the medical field, there are numerous types of information that need protection, whether you are in the clinical environment or behind the scenes.  Regardless of what your position may be, 2016 is the year that information security is going to be bigger than ever.  And there are two reasons why.

The first reason has to do with HIPAA, a law passed in 1996.  Anyone who works around healthcare has heard of HIPAA, but few understand what is really in the law.  There are two parts to it, a Privacy Rule (which covers patient privacy) and a Security Rule (which covers electronic health records), but few have paid much attention to it, because unless something comes up in the news nobody was likely to feel the sting if either rule was broken.  However, starting in 2009, that started to change.  When President Obama signed the American Recovery and Rehabilitation Act (the large economic stimulus plan) into law, it contained provisions that gave HIPAA some teeth and those teeth have bite.  Consider these examples:

These are just some enforcement examples from 2015.  Look for more in this year.

There are worse things than a government penalty, and this is the second reason why information security will be important for all of us in 2016.  One year ago this month, one of the largest health insurers in California announced they were the target of a data breach, and approximately 80 million people were affected.  In July, a well-known university medical center announced they had been breached, affecting 4.5 million people.  According to one report, the first half of 2015 saw more than 89 million patient and staff records hacked nationwide, up from 12 million for the same time in 2014.  At an average cost of $154 per patient record to fix the mess caused by data breaches, this amounts to over $13.7 billion in damages caused to hospitals, insurers, HMOs, and others in just six months.

HIPAA is just one of the best known information security requirements, but there are other regulations, industry standards, and laws that apply to the areas covered by information security.  This is because the credit card industry has requirements for payment collection, the federal government has requirements for anything affecting collections and credit, and many states have their own unique requirements.  Any or all of these requirements may overlap anywhere there is information that needs protection: frontline/patient admit, revenue recovery, billing, patient records, and human resources.  No matter where in healthcare you work, you have a role to play.

There are reasons with technical-sounding names for why hackers are able to wreak such havoc, but the bottom line is there are no signs they are going to stop trying.  So for this reason, 2016 will be a very important year for everyone to pay attention to information security.