You know by now that working with HIPAA’s security standards means taking a risk management approach to the security of your clients’ information. In order to evaluate risks, we first need to examine something that doesn’t sound too pleasant: threats.
Threats — or “hazards” when we’re talking about environmental threats — are actors or circumstances that cause risks to exist. For example, the risk of data loss due to theft wouldn’t exist without thieves. So thieves, we can say, are a reasonably anticipated threat for pretty much any practice. Another reasonably anticipated hazard is a fire in the office.
When we take the time to think about relevant threats, we give ourselves a better picture of the risks we need to prepare for. There are several threats that impact nearly all practices — theft, loss, office fires, etc. — but some threats are more specific. E.g. hurricanes aren’t a reasonably anticipatable hazard for practices located in Kansas. Tornadoes, on the other hand, are at the top of the hazard list.
In this section, we’re talking about threats to the devices we use in our practices and the security measures we can use to lessen the risks posed by those threats. To help start us off, here is a list of example threats that can impact all of our computers, smartphones, external drives, and the like:
- Losing devices
- Viruses and other malware
- Password guessing
- Destructive natural disasters
- Giant magnets
What is Threatened?
When examining threats that impact our devices, there are two things you need to make sure you keep in mind:
1) We’re ultimately interested in threats to the protected health information that is handled by these devices, and not the devices themselves. So, for example, threats that may cause cosmetic damage to a device but are unlikely to cause actual mechanical damage are unlikely to be ones that we need to concern ourselves with.
2) We need to examine how threats impact the confidentiality, integrity, and availability of the information these devices handle. We often get hung up on confidentiality. There are good reasons for why we do that, but it’s all the more reason to make sure we don’t forget the other two aspects of information security that HIPAA and good sense dictate we maintain.
A common thinking error here is to think of a full-disk encrypted computer as “totally safe,” and to spend all our energy on ensuring that we keep the full disk encryption locked when we need it. That’s an incredibly powerful way to protect the confidentiality of the information that the computer handles, but it doesn’t do a single jot of good to protect its availability. For that, we’ll likely need data backups.
As we proceed through this section, we’ll look at some specific sets of common threats to devices and the typical security measures that hold them at bay.