In the middle of September, a member of a psychology and technology listserve to which Seth and I belong mentioned his concerns about privacy and security in Microsoft Windows 10. In their efforts to receive ongoing feedback about their products so they can continue to improve those products, Microsoft defaults the setup to sharing crash and other problem information with them. They also notify users that they will turn over information they may be required to under the law, just like you do in your Privacy Practices shared with patients. There are settings you can change that will limit what data are shared with Microsoft.
Below are the comments Seth wrote in response to the discussion in the group. His conclusion [Spoiler Alert]: Most of us have much more basic problems than this, such as, have we even done a risk assessment!
In my opinion, the key to HIPAA risk analysis is to identify the highest risks. To estimate actual risk I must answer two questions:
- What data do I need to protect?
- From whom do I need to protect it?
Clearly what I have to protect is the PHI on my system, but most importantly, I must protect large quantities of aggregated patient/client data containing personal identifiers and clinical information. For most of us that means our databases, and secondarily any other concentrated, organized repositories of patient information.
The ones who are most likely to use that data to harm my patients/clients are those who are specifically in the business of obtaining that data for financial gain. Much lower on the scale would be people trying to discover information about specific people in your care — estranged spouses, their lawyers, private investigators, and maybe reporters who believe you might be treating a celebrity. We can just refer to those people and organizations as “the bad guys”.
So, your risk assessment should be focused, first and foremost, on those factors. In what ways can an interested party obtain my entire database or a significant hunk of it? Physical theft of a computer or media on which the data is stored would, I think, be number one. Number two would be by gaining access to the database electronically.
So, how do we mitigate the threat of losing our databases and electronic repositories of PHI to the bad guys? Physical theft is potentially the worst threat, but is very easy to mitigate by simply using full disk encryption and by encrypting all backups, including the use of a strong encryption method (AES 256 or better) and a suitably long, complex (upper and lower case letters, numerals, and punctuation) encryption key. Preventing electronic intrusion is far more difficult, especially for resource-limited small providers. At minimum, though, we must employ highly rated malware and virus scanning software, robust hardware and software firewalls, and the best perimeter defenses we can reasonably afford. By perimeter defenses I mean devices that the industry often markets as “security gateways”. These devices provide routing functionality, sophisticated firewall technology, and include software to block viruses, certain kinds of malware, and intrusion attempts before they make it to your network.
When sensationalized stories like the ones surrounding the Windows 10 release emerge in the popular press, I recommend that you do further research in the reliable tech media to see what parts of the original hysteria can be verified by impartial sources. Once you are convinced that there is an actual concern, then add the issue(s) to your Risk Assessment list, and objectively consider each one alongside the other potential threats on your list. Chances are very high that there are much more serious risks on your system, such as outdated firmware on your router and unnecessary open ports in your firewall configuration, not to mention unencrypted media. Prioritize the risks and take care of the most serious ones first. By the time you finish those important tasks, last week’s news media alarms will have long since been determined to be a tempest in a teapot.
Please share your comments below.