CYB/407 - Week 3 - Risk Registry - SAP - PHI/EPHI
School: University of Phoenix
Course: CYB 407
Date: Apr 3, 2024
Pages: 8
Uploaded by lejb1288
CYB/407 - WEEK 3 - RISK REGISTRY - SAP - PHI/EPHI

Risk Registry

Columns: Risk Description | Likelihood | Impact | Risk Owner | Resources Required | Estimated Completion Date
Template row: <Briefly describe the risk> | <Low, Medium, or High> | <Low, Medium, or High> | <List department or role> | <List hardware, software, personnel, and/or policy needed> | <Provide a date based on the risk complexity and today's date>

Risk 1
Risk Description: An employee mistakenly sent an email of a patient's PHI information to the wrong individual.
Likelihood: Low
Impact: High
Risk Owner: Access Control Security Officer; General Management; Employees
Resources Required: 1. A server providing verification of PHI information, which includes the patient email address, to ensure this mistake does not occur again. 2. Provide an employee training program to ensure that this incident does not repeat.
Estimated Completion Date: March 2023

Risk 2
Risk Description: Brute force or password cracking occurring due to weak passwords, allowing client information to be accessed.
Likelihood: Medium
Impact: High
Risk Owner: 1. Analyst 2. Access Control Security Officer 3. Employees
Resources Required: 1. A policy implemented that requires all passwords to meet certain length and special character criteria, to make sure brute force or password cracking does not happen again.
Estimated Completion Date: February 2023

Risk 3
Risk Description: PHI information was exposed by hackers, showing us a vulnerability in our security software and/or network.
Likelihood: High
Impact: High
Risk Owner: 1. Information Systems Owner 2. IT Security Team 3. Information Security Officer
Resources Required: Continuous IDS/IPS monitoring
Estimated Completion Date: April 2023

Risk 4
Risk Description: Finding data breaches through internal and external risk assessments.
Likelihood: Medium
Impact: High
Risk Owner: 1. Engineering Department
Resources Required: Employee training program; a new DLP system; adding additional analytics for your network
Estimated Completion Date: April 2023

Risk 5
Risk Description: The loss of original server data by losing access to the PHI.
Likelihood: High
Impact: Very High
Risk Owner: 1. Accounting Department 2. Record/Filing Department
Resources Required: A new back-up system to keep original documents safe in the event of a breach or down server.
Estimated Completion Date: February 2023
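The registry's mitigation for the brute-force row has two halves: a password policy with length and special-character criteria, and monitoring that notices the attack while it is happening. The Python below is an added illustration of both and is not part of the original assignment: a policy check that returns every rule a candidate password violates, and a detector that reads authentication log lines and flags a user/source pair once it accumulates a threshold of failed logins inside a sliding window. The log line format, the deny list, the 12-character minimum, and the threshold of five failures in ten minutes are all assumptions chosen for the example, as are the constructed sample log lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Part 1: password policy check (the "length and special character" control) ---

MIN_LENGTH = 12  # assumed minimum; the registry does not state a number

# Constructed stand-in for a common/breached-password deny list (assumption:
# a real deployment would load a large corpus rather than this handful).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def password_policy_findings(password, username=""):
    """Return the list of policy rules the password violates; empty means compliant."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        findings.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        findings.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        findings.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        findings.append("no special character")
    if password.lower() in COMMON_PASSWORDS:
        findings.append("appears in common-password deny list")
    if username and username.lower() in password.lower():
        findings.append("contains the username")
    if re.search(r"(.)\1\1", password):
        findings.append("three or more repeated characters in a row")
    return findings


def is_compliant(password, username=""):
    return not password_policy_findings(password, username)


# --- Part 2: flag brute-force patterns in authentication logs (the monitoring control) ---

LOCKOUT_THRESHOLD = 5          # assumed: failures that trigger a flag
WINDOW = timedelta(minutes=10)  # assumed: sliding window for counting failures

# Assumed log line shape: "<date> <time> auth <FAIL|OK> user=<name> src=<ip>"
LOG_RE = re.compile(r"^(\S+ \S+) auth (FAIL|OK) user=(\S+) src=(\S+)$")


def brute_force_candidates(log_lines, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Return {(user, src_ip): failure_count} for pairs that reach `threshold`
    failed logins within any `window`-long span. Lines that do not match the
    expected format are ignored rather than crashing the detector."""
    recent_failures = defaultdict(list)  # (user, src) -> timestamps inside the window
    flagged = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        status, user, src = m.group(2), m.group(3), m.group(4)
        if status != "FAIL":
            continue
        key = (user, src)
        # Drop failures that have aged out of the window, then add this one.
        cutoff = ts - window
        recent_failures[key] = [t for t in recent_failures[key] if t >= cutoff] + [ts]
        if len(recent_failures[key]) >= threshold:
            flagged[key] = len(recent_failures[key])
    return flagged


# Constructed sample log: six rapid failures for alice from one source, two
# widely spaced failures for bob, one success, and one malformed line.
SAMPLE_LOG = [
    "2023-02-01 09:00:01 auth FAIL user=alice src=203.0.113.5",
    "2023-02-01 09:00:08 auth FAIL user=alice src=203.0.113.5",
    "2023-02-01 09:00:15 auth FAIL user=alice src=203.0.113.5",
    "2023-02-01 09:00:22 auth FAIL user=bob src=198.51.100.7",
    "2023-02-01 09:00:30 auth FAIL user=alice src=203.0.113.5",
    "2023-02-01 09:00:37 auth FAIL user=alice src=203.0.113.5",
    "2023-02-01 09:00:45 auth OK user=bob src=198.51.100.7",
    "2023-02-01 09:01:02 auth FAIL user=alice src=203.0.113.5",
    "2023-02-01 09:30:00 auth FAIL user=bob src=198.51.100.7",
    "this line is not an auth record",
]

if __name__ == "__main__":
    print("policy findings for 'password1':", password_policy_findings("password1"))
    print("compliant 'Tr0ub4dor&3Strong!':", is_compliant("Tr0ub4dor&3Strong!", "alice"))
    print("brute-force candidates:", brute_force_candidates(SAMPLE_LOG))
```

The sliding window matters: bob's two failures are thirty minutes apart, so the first has aged out by the time the second arrives and he is never flagged, while alice's six failures inside ninety seconds cross the threshold at the fifth one. In production the flag would feed an account-lockout or alerting step; here it is simply returned so it can be inspected.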
Assessment Table

Columns: Description of Vulnerability | Security Control Number and Name | Security Control Type | System Categorization for Risk Level / Information Impact | Last Assessment | Asset | Assessment Method | Policy Alignment
Template row: <Describe the vulnerability> | <List the Security Control name and number> | <Common, System-Specific, Hybrid> | <High, moderate, or low> | <Identify any security assessments from the past> | <Describe the asset that will be tested> | <Identify at least one way you can test this asset> | <Indicate what security policy aligns with the asset>

Vulnerability 1
Description of Vulnerability: Employees accidentally email patient PHI information to the wrong recipient.
Security Control Number and Name: NIST SP 800-37 Awareness and Monitoring; Sanction Policy: 164.308(a)(1)(ii)(C)
Security Control Type: Common
System Categorization for Risk Level / Information Impact: Low
Last Assessment: During a security risk assessment, it was noted there was a lack of employee training concerning password management and protection.
Asset: All employees and their systems.
Assessment Method: Adding traces to all emails being sent to patient recipients, and having emails removed or marked undeliverable if sent to the wrong patient.
Policy Alignment: Conducting regular training with all employees concerning authentication credentials with access to PHI data.

Vulnerability 2
Description of Vulnerability: Brute force or password cracking occurring due to weak passwords, allowing client information to be accessed.
Security Control Number and Name: NIST SP 800-53 Identification and Authentication; Access Control; Risk Management: 164.308(a)(1)(ii)(B); Security Management Process 164.308(a)(1), specifically 164.308(a)(1)(ii)(C)
Security Control Type: Internal and common
System Categorization for Risk Level / Information Impact: Moderate
Last Assessment: A recent assessment identified that the current password policy was too lax and not protected.
Asset: All employees and their respective systems.
Assessment Method: An internal penetration test and brute-force attack was conducted on employee login and password data.
Policy Alignment: Penetration testing policy.

Vulnerability 3
Description of Vulnerability: An attack on the network containing patient PHI data was breached by a hacker, exposing a vulnerability in the network and software.
Security Control Number and Name: Information System Activity Review (R) - 164.308(a)(1)(ii)(D); Risk Management: 164.308(a)(1)(ii)(B)
Security Control Type: Hybrid
System Categorization for Risk Level / Information Impact: High
Last Assessment: A previous assessment revealed many attempts made to access the system, with a gradual increase each day.
Asset: Company networks; all systems; websites
Assessment Method: An internal penetration test was conducted. Implemented tools such as IPS and IDS.
Policy Alignment: Consistent analysis of networks; Penetration Testing Policy

Vulnerability 4
Description of Vulnerability: A risk assessment conducted 12/06/22 on internal and external systems revealed hackers retrieved sensitive data.
Security Control Number and Name: NIST SP 800-53 Incident Response; Risk Management: 164.308(a)(1)(ii)(B)
Security Control Type: System
System Categorization for Risk Level / Information Impact: High
Last Assessment: An assessment was done and revealed an attempt was made to access the network, but nothing was done further to reduce these incidents or mitigate any future events.
Asset: Entire company network; company systems; company infrastructure; company website
Assessment Method: In the instance of business continuity, disaster recovery, and incident response procedures, then you should have a secondary server implemented.
Policy Alignment: Vulnerability Disclosure Policy; Backup Policy; Content Security Policy

Vulnerability 5
Description of Vulnerability: The loss of original server data by losing access to PHI.
Security Control Number and Name: NIST SP 800-53 Incident Response; Information System Activity Review (R) - 164.308(a)(1)(ii)(D); Risk Management: 164.308(a)(1)(ii)(B)
Security Control Type: System
System Categorization for Risk Level / Information Impact: High
Last Assessment: Previous assessments revealed the company data and the access portal to the network that holds all PHI data were sound.
Asset: Company network; company systems
Assessment Method: When business continuity, disaster recovery, and incident response procedures are in place, then you would have a second server to use as well.
Policy Alignment: Content Security Policy; Vulnerability Disclosure Policy; Backup Policy
Version: 164.530 — Disclosure of Protected Health Information (PHI): General Rules — Proposed on December 6, 2022
Referenced in the HIPAA Privacy Rule and regarding "All HIPAA Administrative Simplification Regulations found at 45 CFR 160, 162, and 164" (U.S. Department of Health & Human Services, 2008)

Purpose: This policy prohibits the use, storage, and disclosure of Personal Health Information (PHI) and Electronic Personal Health Information (EPHI), except as specifically permitted or required by HIPAA regulation.

Scope: "This will apply to all covered entities or company employees, stating that they will not use or disclose PHI or Protected Health Information as well as EPHI or Electronic Personal Health Information with exception if and only if permitted or required to do so by Part 160 and Subparts A and E of Part 164. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164." (U.S. Department of Health & Human Services, 2008)

Policy:
1. Electronic Protected Health Information or ePHI is a HIPAA regulation that protects any and all PHI that is used, created, stored, or transmitted in any format or media.
2(a). PHI will always be restricted unless it is being accessed for a specific use.
2(b). All PHI and ePHI that is being transmitted should be encrypted and devoid of any material that can identify the patient.
2(c). All PHI and ePHI will be kept and maintained in an encrypted database or physically locked in a specific location inaccessible to unauthorized personnel.
2. The entities covered are all doctor's offices, dental offices, clinics, nursing homes, psychologists, pharmacies, hospitals, or HHA facilities. This also includes all health plans, insurance companies, all HMOs, government programs that finance healthcare, and all healthcare clearinghouses.
3. If a breach of any of these policies, rules, and regulations were to occur by any unauthorized employees, contractors, or vendors, there will be a $100 to $500 fine for each violation, which can max out at up to $1.5 million per year.
4. The initial standard will contain control families, such as "Access Control, Audit and Accountability, Awareness and Training Programs, Assessment, Authorization and Monitoring, Contingency Planning, Identification and Authentication, Incident Response Plans, Media Protection, Personnel Security, Physical and Environmental Protection, Planning, Risk Assessments, System and Communications Protection, System and Information Integrity, and System and Services Acquisition." (Scholl, 2008)

Next, the NIST publication will help identify vulnerabilities that would result in unauthorized access to ePHI. The last publication is a general publication that relates to all security and privacy controls for information systems and organizations.
1. NIST SP 800-30, which explains the vulnerabilities that result in access to ePHI by a third party; this is also SP 800-30, Risk Management Guide for Information Technology Systems.
2. NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations.
3. NIST SP 800-66 Rev. 1, Considerations when applying the HIPAA Security Rule, which contains all control families.
Cited References
1. U.S. Department of Health & Human Services. (May 7, 2008). The HIPAA Privacy Rule. r-professional
2. Scholl, M. A., Stine, K. M., Hash, J., Bowen, P., Johnson, L. A., Smith, C. D., & Steinberg, D. I. (October 2008). An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. https://nvipubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-66r1.pdf