Security Risk Analysis: Threats in Healthcare Organizations

Added on 2022/12/15
AI Summary
This report provides a comprehensive analysis of security risk analysis in healthcare, focusing on the protection of Protected Health Information (PHI). It begins by defining PHI and its importance, emphasizing the role of HIPAA in regulating its security. The report then delves into internal threats, such as malicious and non-malicious activities by employees, and external threats like ransomware and human errors. It outlines the steps involved in conducting a security risk assessment, including defining the scope, data collection, threat identification, and risk prioritization. The report also discusses the frequency of risk assessments and the role of risk managers in mitigating identified risks, with recommendations for reducing patient health risks, financial risks, and liability risks. Finally, the report references key sources on healthcare security and risk management.
Running Head: Security Risk Analysis 1
Security Risk Analysis
Student Details
Security Risk Analysis 2
Contents
Security Risk Analysis.....................................................................................................................1
Introduction......................................................................................................................................3
Internal Threats in Healthcare......................................................................................................3
Top three internal threats..........................................................................................................3
External Threats in Healthcare.....................................................................................................4
Top Three External Threats......................................................................................................4
Conduction of Risk Assessment in Healthcare............................................................................4
Accomplishment and Frequency of Risk Analysis Assessment..................................................5
Reduction of Identified Risks......................................................................................................6
Bibliography....................................................................................................................................8
Document Page
Security Risk Analysis 3
Introduction
Protected Health Information (PHI), also called Personal Health Information, covers medical histories, demographic information, mental health conditions, test and laboratory results, and any other data that can identify a patient or describe their care. The information is valuable to attackers because, once stolen, it can be sold on. PHI is maintained either on paper or in an Electronic Health Record (EHR) system.
The Health Insurance Portability and Accountability Act (HIPAA) is the primary law governing the rules and regulations that apply to PHI, and every covered organization has to adhere to the rules and amendments stated in HIPAA (Rouse, 2016). Under HIPAA, access to PHI must be tracked, reported and documented to keep the data safe.
Internal Threats in Healthcare
Internal threats are threats that originate from inside an organization. Individuals with malicious intent can access resources such as email accounts, healthcare networks and EMRs. Internal malicious activity can be carried out by employees, business associates, researchers and volunteers. Under HIPAA, a healthcare organization faces heavy fines if someone breaches patient privacy. Internal breaches can damage patients' confidence, leave the organization open to charges and damage its reputation (Journal, 2018).
Top three internal threats
The top three internal threats in a healthcare organization are:
Malicious Internal Threats
Malicious internal threats in healthcare are intentional attempts to cause damage. They include theft of secured health information and of other sensitive data such as intellectual property, personal information and social security numbers, as well as deliberate interference with systems.
Internal breaches are mostly motivated by financial gain, since healthcare data sells at high prices. Dissatisfied employees are the most common perpetrators, because the threat of termination no longer deters them.
Non-Malicious Internal Threats
Non-malicious internal threats involve looking up medical records without a legitimate need, for example employees accessing a patient's records or reports out of curiosity. Other non-malicious threats include sharing login credentials, replying to phishing emails, and disclosing sensitive or personal information about one patient to another.
Tech-savvy internal threats
A tech-savvy internal threat is one in which an individual uses his or her technical knowledge to damage secured data. This threat is very critical for a healthcare organization.
External Threats in Healthcare
External threats in healthcare are threats that come from outside the organization. Organizations continuously handle digital healthcare data, including social security numbers, electronic medical records, contact information and health insurance IDs, and despite this the data and reports are still being stolen (Kleyman, 2018).
Top Three External Threats
The top three external threats in a healthcare organization are:
Ransomware
Ransomware is malicious software that, once it gains access to a computer system, encrypts data or locks the system and demands payment to restore it. Ransomware is mainly spread via phishing emails. Therefore, to protect data from ransomware, organizations need strong security controls on user devices, tested backups, and users who can recognize phishing.
Outside Threats
People are a real external threat vector. These threats often originate through a doctor or other staff member who unintentionally clicks on a malicious link while using a device, giving an outside attacker a way in.
Loss of PHI
Losing patient records is a crucial threat to any healthcare organization, because the value of healthcare data is high. Reasons for losing data include poor data storage practices, weak security systems and failing equipment.
Conduction of Risk Assessment in Healthcare
Maintaining healthcare data securely is critical, so it is essential to identify the risks present in the security system. Under the HIPAA Security Rule, the three main security objectives for ePHI are confidentiality, integrity and availability. The major aim of a Security Risk Assessment is to keep up with new threats and vulnerabilities and to quickly recognize adverse events in the security systems (A, 2019).
Below are the steps of a Security Risk Assessment in a healthcare organization:
1. Define the scope of the risk analysis, including all ePHI the organization creates, stores, receives and transmits. This covers third-party websites, scans, emails, data and offline work.
2. Collect data on how the ePHI is stored, received, retained and transmitted. Data can be collected from various sources:
   Interviews and surveys in different departments
   Review of the organization's policies and procedures
   Analysis and review of past security projects and reports
   Network scanning, vulnerability scanning and review of technical documentation
3. Identify and document potential threats and vulnerabilities.
4. Review the technical, administrative and physical safeguards to analyze how effectively they work.
5. Determine the likelihood that each identified threat will occur. This helps determine how the HIPAA Security Rule applies in securing the system against the threat.
6. Determine the impact of each potential threat. This step is very critical, because the affected area must be analyzed.
7. After analyzing the threats, classify and prioritize the risk level of each as low, medium or high.
8. Produce a document that records the remedial procedures needed to address each threat.
9. Update and review the risk analysis annually.
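The nine steps above describe a procedure, and a small risk register makes it concrete. The following Python example is added here and is not code from the original report or from any HIPAA tool: it scopes the register to assets that hold ePHI (step 1), records existing safeguards (step 4), scores each threat/vulnerability pair by likelihood and impact (steps 5 and 6), maps the score to low/medium/high and orders the list (step 7), emits a remediation document (step 8), and flags when the annual review is due (step 9). The assets, threats, scores and the 3x3 scoring thresholds are constructed assumptions; HIPAA prescribes no particular scoring formula.

```python
"""Added example (not part of the original report): a minimal ePHI risk register
that applies the nine assessment steps above. Assets, threats, scores and the
3x3 scoring thresholds are constructed assumptions; HIPAA prescribes no formula.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Asset:
    """Step 1: a place where ePHI is created, stored, received or transmitted."""
    name: str
    location: str          # e.g. "on-prem database", "third-party SaaS"
    holds_ephi: bool       # assets without ePHI fall outside the HIPAA scope


@dataclass
class Risk:
    """Steps 3-7: one threat/vulnerability pair against an asset."""
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int        # step 5: 1 = low, 2 = medium, 3 = high (assumed scale)
    impact: int            # step 6: same scale
    safeguards: list[str] = field(default_factory=list)   # step 4: existing controls
    remediation: str = ""  # step 8: planned corrective action

    def score(self) -> int:
        """Likelihood x impact on the assumed 3x3 matrix, so 1..9."""
        return self.likelihood * self.impact

    def level(self) -> str:
        """Step 7: map the score to low / medium / high (thresholds are assumptions)."""
        s = self.score()
        if s >= 6:
            return "high"
        if s >= 3:
            return "medium"
        return "low"


RANK = {"low": 0, "medium": 1, "high": 2}


def in_scope(risks: list[Risk]) -> list[Risk]:
    """Step 1: keep only risks against assets that actually hold ePHI."""
    return [r for r in risks if r.asset.holds_ephi]


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Step 7: highest score first; ties broken by impact, then threat name."""
    return sorted(risks, key=lambda r: (-r.score(), -r.impact, r.threat))


def remediation_plan(risks: list[Risk], minimum: str = "medium") -> list[dict]:
    """Step 8: the remediation document, listing every risk at or above `minimum`."""
    return [
        {"asset": r.asset.name, "threat": r.threat, "level": r.level(),
         "action": r.remediation}
        for r in prioritize(risks)
        if RANK[r.level()] >= RANK[minimum]
    ]


def review_due(last_review: date, today: date, interval_days: int = 365) -> bool:
    """Step 9: true when the analysis is due for its annual update."""
    return today - last_review >= timedelta(days=interval_days)


def build_register() -> list[Risk]:
    """Constructed sample data (step 2 would gather this from interviews and scans)."""
    ehr = Asset("EHR database", "on-prem database server", holds_ephi=True)
    laptops = Asset("clinician laptops", "mobile endpoints", holds_ephi=True)
    portal = Asset("billing portal", "third-party SaaS", holds_ephi=True)
    kiosk = Asset("lobby check-in kiosk", "waiting room", holds_ephi=False)
    return [
        Risk(laptops, "ransomware via phishing", "no MFA, no endpoint protection",
             3, 3, ["email filtering"], "deploy EDR, enforce MFA, phishing training"),
        Risk(ehr, "insider snooping", "access logs never reviewed",
             2, 3, ["role-based access"], "review audit logs and alert on anomalies"),
        Risk(portal, "vendor breach", "no business associate agreement",
             2, 2, [], "execute a BAA and obtain the vendor's security assessment"),
        Risk(laptops, "lost or stolen device", "disk not encrypted",
             2, 3, [], "enable full-disk encryption"),
        Risk(kiosk, "malware", "unpatched operating system",
             2, 1, [], "apply patches"),
    ]


if __name__ == "__main__":
    scoped = in_scope(build_register())
    for r in prioritize(scoped):
        print(f"{r.level():6} {r.score()}  {r.asset.name}: {r.threat}")
    print(remediation_plan(scoped))
    print("annual review due:", review_due(date(2024, 1, 1), date.today()))
```

Running the script prints the in-scope risks in priority order (the kiosk, which holds no ePHI, is dropped by the scoping step) followed by the remediation list. The likelihood and impact values would in practice come from the interviews, policy reviews and vulnerability scans of step 2, and the thresholds in `level()` should be agreed with the organization's risk manager rather than copied from this example.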
Accomplishment and Frequency of Risk Analysis Assessment
Maintaining the security of patients' data is a critical factor in risk management. Therefore, a skilled healthcare risk manager is required to assess, implement, monitor and develop the program. The goal is to minimize exposure to risk. Healthcare risk managers are trained to handle such issues: they identify and evaluate risks to minimize harm to patients, visitors and staff members in a healthcare organization, and they work proactively to prevent risk incidents. The basic responsibilities of risk managers include compliance with mandatory federal regulations and policies, potential medical errors, and patient safety. Strong risk management requires qualified healthcare managers who can develop and implement plans that benefit the organization (The Purpose of Risk Management in Healthcare, 2019).
According to the Health and Safety Executive (HSE), risk should be re-evaluated every time a new machine or procedure is introduced that might create new hazards. Eliminating threats through frequent risk assessment helps protect patients' Protected Health Information (Emma, 2019). An employer should conduct a risk assessment when:
The number of staff changes significantly, so that proper training for secure working can be provided.
An incident occurs that alerts the employer to a hazard.
An employee returns to work after a long absence.
An employee is pregnant or breastfeeding, which can increase the risk to her health and safety and that of the child. (How often should a risk assessment take place?, 2019)
Reduction of Identified Risks
Risk management is essential in healthcare because human lives are at stake. Reductions in patients' health risks, financial risks and liability risks are achieved through sound healthcare risk management. Potential medical errors, patient safety, the effect of regulation and mandatory federal regulations are points that must always be considered in healthcare (What Is Risk Management in Healthcare?, 2018).
Below are some points for mitigating the identified risks:
Keep complete and correct records so that they can be consulted and used as a reference in the future.
Healthcare organizations should educate all employees at every stage to minimize and prevent risks.
To minimize malpractice claims, every department should be coordinated and synchronized. This accelerates the risk management process and adds protection.
Employees should be trained so that they can readily identify a threat and take preventive steps.
Employees should act on all risks with promptness and precision.
Employees should learn to handle complaints in order to reduce threats.
To reduce risks to the organization, employees should know how to report an incident quickly and accurately.