HI300 Unit 7 Assignment

School: Purdue Global University
Course: 300
Subject: Information Systems
Date: Apr 3, 2024
SECURITY PLAN MEMO
Rebecca Myers, HI300 Unit 7 Assignment, Professor Clemons
To: Chief Security Officer
From: Director of Health Information Technology
Subject: Medium Healthcare Facility Security Plan Recommendations

To determine the current state of our health care facility, I have completed a risk assessment. During the assessment, I identified the following three potential risks to electronic protected health information (e-PHI):

1. Absence or lack of role-based access controls, which may result in unauthorized access to e-PHI without the minimum necessary rule being applied.
2. Insufficient device and media controls or lack of inventory control, which may result in loss or theft of devices that contain e-PHI, such as unencrypted laptops, mobile devices, and/or USB drives.
3. Inadequate employee education and awareness of phishing attacks, which may result in hackers gaining unauthorized access to e-PHI on the network and/or system.

To mitigate the risks mentioned, I recommend implementing the following safeguards:

Physical Safeguards:
- Device Security and Media Controls: Encrypt all devices that contain e-PHI, ensure appropriate inventory control is in place, and create strict policies for the use of devices and the transfer of data.
- Facility Access and Control: Implement controls, such as a card swipe system, that limit access to areas containing e-PHI to authorized personnel only.
- Workstation Security: Implement controls at workstations that allow access only to authorized personnel, using two-factor authentication or an equivalent based on user roles.

Administrative Safeguards:
- Information Access Management: Implement the minimum necessary rule to ensure uses and disclosures of e-PHI are limited.
- Security Personnel: The designated security official is responsible for developing and executing procedures to identify, report, and respond to security incidents.
- Workforce Training: Schedule regular employee training days on security policies and procedures.

Technical Safeguards:
- Access Control: Implement security measures, such as firewalls or an equivalent, to restrict unauthorized access to the network and system.
- Audit Control: Implement audit mechanisms to examine access and activity in information systems that contain e-PHI, in order to detect and track unauthorized access.
- Integrity Control: Implement electronic measures, such as encryption mechanisms, in policies and procedures to ensure e-PHI is not improperly altered or destroyed.

Best practices to protect and secure information when using mobile devices:
- Enable or install encryption on mobile devices to protect health information that is stored or sent.
- Disable or do not install file-sharing applications to prevent unauthorized access and reduce data risk.
- Develop and implement mechanisms for GPS tracking and remote wiping of lost or stolen devices so they can be located and/or all data erased.

Sincerely,
Rebecca Myers