Memo: reasonably anticipated threats to protected health information

What are possible threats to protected health information (PHI), electronic (ePHI) or otherwise?

The US Department of Health and Human Services defines a threat as “the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.” Threats are broken down into three categories:

  • Environmental: referring to immediate physical environments, such as offices or data centers
  • Natural: referring to weather, natural disasters, mass human events, and Acts of God
  • Human: referring to individuals who could cause harm, either inadvertently or negligently, or intentionally and maliciously

Aligned Risk Management has identified the following reasonably anticipated threats to the security, privacy and availability of ePHI.

  1. Environmental Threats
    1. Internet outage: Failure of application server to connect to internet, failure of DNS servers to resolve server domain name, upstream connection failure, and other internet outages.
    2. Power outage: Failure of power systems at the data center, failure of power supply to the data center, and other power outages.
    3. Hardware failure: Failure of any hardware component of the server or data center where the application is hosted. Refers to failures caused by wear, age, design flaws, and other inherent hardware weaknesses.
    4. Software failure: Failure of any application, operating system or other software component to operate as intended. Includes malware infections, data corruption, and functional failures.
    5. Site pollution: Fire, spills, accidents, etc.
  2. Natural Threats
    1. Floods, earthquakes, tornadoes, landslides, etc.: Any unpredictable large-scale threat over which humans have no control. Also includes mass human events, such as war, terror attacks, strikes, epidemics, alien invasions, zombie apocalypse, etc.
  3. Human Threats
    1. Internal threats: Authorized users, staff, Business Associates, trusted advisors, etc. The least dramatic but most common threats to the security, privacy and availability of ePHI.
      1. Inadvertent disclosure of ePHI: Unintentional action by an authorized user, or failure of the Application, that inadvertently discloses any ePHI to any unauthorized user
      2. Inadvertent data entry, modification or deletion: User error. Accidental and unintentional action or omission by an authorized user that causes damage to the security or availability of ePHI
      3. Malicious disclosure of ePHI by authorized user: Deliberate disclosure by an authorized user who intends to obtain some personal gain or to cause harm
      4. Malicious destruction of ePHI by authorized user: Deliberate sabotage by an authorized user who intends to cause harm
    2. External threats: Ex-employees, hackers, thieves, etc.
      1. Unauthorized observation of ePHI: An unauthorized person is able to observe improperly controlled ePHI
      2. Unauthorized person gains access using genuine credentials: An attacker successfully logs into a controlled system using a genuine username and password or other credentials of an authorized user
      3. Technological attack against a controlled system: An attacker exercises a technological vulnerability of an ePHI system still controlled by the covered entity
      4. Technological attack outside any control or response: An attacker gains indefinite physical control of an ePHI system and is able to exercise vulnerabilities without detection or intervention by the covered entity
      5. Social engineering: An attacker uses psychological manipulation to induce authorized users to act against security policies or divulge confidential information
      6. Malicious destruction of ePHI by unauthorized user: Deliberate sabotage by an attacker who intends to cause harm
  4. Compliance Gaps
    1. Civil liability for failure to implement HIPAA-mandated specification: Failure to implement or adequately document certain required policies and procedures
    2. Civil liability for failure to follow documented policies: Failure to follow the policies and procedures the organization has documented

Your medical record is worth more to hackers than your credit card

Uniting New Mexico: Health Information Interoperability in the Service of all New Mexicans

New Mexico Health Information Collaborative (NMHIC)
Presents its Third Annual HIE Users’ Conference

Uniting New Mexico

Health Information Interoperability in the Service of all New Mexicans

Why You Should Attend

NMHIC presents its third annual conference to advance the cause of healthcare information exchange in New Mexico by helping participants create a shared vision, examine the current state of interoperability and factors hindering it, build consensus on standards, and formulate strategies for overcoming barriers to information exchange.

The New Mexico Health Information Collaborative (NMHIC), your statewide health information exchange, invites you to attend our third annual HIE Users’ Conference to participate in meaningful presentations and thoughtful discussions about the benefits, challenges, and solutions for interoperability and exchange of health information in New Mexico and surrounding communities.

Keynote Presenter – Laura Adams, President and Chief Executive Officer
Rhode Island Quality Institute

Ms. Adams will present a National Update on Health Information Exchange to set the stage for a highly-interactive day of thoughtful presentations, discussion, and problem-solving around interoperability in New Mexico.

David S. Nilasena, MD, MSPH, MS, Chief Medical Officer for U.S. Centers for Medicare & Medicaid Services (CMS), Dallas Regional Office, will present on CMS’s proposed plan to Promote Interoperability (P.I.).

“Even though we may work for different organizations with different internal priorities and hold different perspectives, I believe we all share the common goal of and responsibility for improving the health of our patients and communities – and, frankly, working together to achieve that goal has never been more important for all of us than it is today.”
– Timothy Washburn RN, BSN, MBAHM, Memorial Medical Center, 2018 Conference Chair

Who Should Attend

Join your colleagues from the healthcare community, including:

  • Physicians and mid-level providers in any size or type of practice
  • Staff, e.g., nurses, medical assistants, case managers, and others
  • Inpatient, outpatient, and emergency personnel
  • Payers, insurers, and self-insured employers
  • Quality assurance administrators
  • Office and practice managers
  • Health IT professionals
  • Public health professionals

Continuing Medical Education

This activity has been planned and implemented in accordance with the Essential Areas and policies of the New Mexico Medical Society (NMMS) through the joint sponsorship of HealthInsight New Mexico and LCF Research/NMHIC. HealthInsight New Mexico is accredited by the NMMS to provide Continuing Medical Education for physicians.

Register now

Aligned Risk Management will be there! You should, too.

Los Alamos Public Schools superintendent Dr. Kurt Steinhaus phished

Back in September, Facebook revealed that as many as 50 million accounts may have been hacked, due to a “security issue.”

Dr. Kurt Steinhaus’s Facebook account was compromised, likely as a result of the larger data breach that Facebook reported in late September 2018.

Attackers exploited a vulnerability in Facebook’s code that impacted the “View As” feature that lets people see what their own profile looks like to someone else.

According to Guy Rosen, Facebook’s VP of Product Management: “This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts.

“Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”

While the issue has now been resolved, the problems may not end there, according to one expert; we may now also see a string of phishing attacks.

Phishing attacks occur when an attacker pretends to be a trusted entity, fooling you into opening a malicious email or message.

Oz Alashe, CEO of cyber security platform CybSafe, said: “Facebook is going by the book notifying authorities as soon as it detected this vulnerability, and it should be applauded for its quick action.

“However, with a security issue as high profile as this one, it’s likely that phishing attacks will swiftly follow urging recipients to change their Facebook passwords via an email and then directing them to a malicious phishing site.

“It’s important to be extra vigilant, to follow Facebook’s instructions on the site or app, but do not act on unsolicited emails unless you are able to verify the sender.”

This latest breach of personally identifiable information (PII) hit home recently when Dr. Kurt Steinhaus, Superintendent of Los Alamos Public Schools, was revealed to have been targeted in a phishing scam, likely made possible as a result of the larger breach.

Dr. Steinhaus’s compromised social media account is just one example that goes to show that no one is totally invulnerable. Medical records and protected health information (PHI) are exceptionally high-value targets.

Aligned Risk Management suggests an immediate change of your Facebook password, as well as enabling two-factor authentication on Facebook and any other social media platforms where 2FA is available.

Additionally, check out this neat tool to find out if accounts associated with any given email were compromised in any other major breaches in recent memory: Have I Been Pwned.

Memo: about two-factor authentication

Two-factor authentication (2FA), or multi-factor authentication, is a security process in which the user provides two means of identification from separate categories of credentials; one is something memorized, such as a security code or password, and the other is typically a physical token, such as a card or a previously-authenticated smartphone.

A common example of two-factor authentication is the ATM card most consumers are familiar with. In order to authorize a transaction, the user must present the ATM card (a physical token) and also enter a PIN (a memorized secret). Neither the card alone nor the PIN alone will suffice to authorize a transaction, and it is unlikely that an attacker could obtain both simultaneously.

Stolen passwords are a very common vector for online attacks. Two-factor authentication can drastically reduce the effectiveness of password-related exploits, because stealing a password is not enough to give an attacker access to protected information.

True two-factor authentication requires that the factors be chosen from separate categories of credentials. The three commonly recognized categories are

  • “something you know” (e.g., a password)
  • “something you have” (e.g., a pre-registered smartphone), and
  • “something you are” (e.g., a fingerprint)

Most two-factor authentication today works by leveraging the second category in the form of a physical token or pre-registered smartphone. Smartphone-based solutions are popular since they work with a device most users already carry with them and protect zealously.

Numerous inexpensive 2FA solutions, some based on open standards, are gaining rapid adoption:

  • U2F security keys, an open standard for inexpensive USB tokens backed by industry leaders such as Yubico and Google.
  • Smartphone apps, usually free, that implement the open standard TOTP protocol (see below). Google Authenticator and Symantec VIP are commonly used.
  • Proprietary solutions, including Microsoft Azure and Duo.

Pre-registered knowledge tokens (PKTs), commonly known as “security questions,” are of the same category as passwords (“something you know”) and cannot be combined with passwords to provide true two-factor authentication.

Two-factor authentication does not replace passwords. Good password practices are still essential, but two-factor authentication can significantly reduce the risk of weak passwords.

Some 2FA solutions work by transmitting a one-time password over a different communication channel, such as via SMS to a pre-registered mobile phone. This is true two-factor authentication, but poor security practices by mobile service providers introduce the risk that the one-time password could be intercepted by an attacker.

More secure solutions can generate one-time passwords without having to transmit them, thus eliminating any risk that they could be intercepted. Transmitting one-time passwords via SMS has been deprecated by the latest NIST cybersecurity guidelines. Non-transmitting solutions should be preferred whenever available.

Cryptographic certificates, when generated and installed by properly authorized administrators, are of the same category as physical devices (“something you have”) and can be used in combination with passwords to implement two-factor authentication. Although a certificate is only data (like a password), it is tied closely to the physical device on which it is installed and it is difficult for the user to access, memorize, or inadvertently breach. The threat of unauthorized cloning does need consideration, but in general, enrolling a trusted device by installing a cryptographic certificate can be a cost-effective and very secure way to implement two-factor authentication.


KRQE: Hundreds of private medical documents scattered on Albuquerque street

By Brittany Bade.

ALBUQUERQUE, N.M. (KRQE) – At first glance, it just looked like a lot of litter lining the street, but when concerned citizens stopped to look, they realized these discarded papers hold information no one would want out in the open.

“I’m floored. I don’t even know yet how I feel,” said a patient named Renee.

Renee is one of dozens of patients who had their personal medical information scattered along Avenida Cesar Chavez at I-25.

“It’s personal information. I had to sign a HIPAA form to protect my privacy,” said Renee.

On these documents are patients’ private medical histories, social security numbers and billing information.

“That’s a HIPAA violation right there,” said a woman who stopped to help pick up the papers.

The records are all from the Turquoise Lodge Hospital, a state-run rehabilitation center specializing in treating pregnant women and parents trying to get clean.

The New Mexico Department of Health refused an interview with KRQE News 13, agreeing only to send this statement:

“We take the security and privacy of patient health information very seriously. Turquoise Lodge was in the process of transporting patient records yesterday from the hospital to a secure facility. As soon as we were made aware of the misplaced records, we sent a team out to recover as many documents as possible. We have immediately launched an investigation and will follow all requirements under patient privacy laws to further protect the privacy of all patients and their health information.”

When asked if the department will contact patients to let them know if their personal information has been compromised, they said they would.

Concerned people who say they saw the papers fly out of a truck stopped to pick up the mess. The Department of Health says they also sent a crew out Friday to pick up the remainder of the papers.

Still, patients, like Renee, are concerned someone with bad intentions was also out there picking up the pieces filled with their personal information. The documents were out on the streets for at least 12 hours.

“Hundreds of private medical documents scattered on Albuquerque street”. KRQE, United States. Retrieved October 16, 2018.

Use the RFP Process to Find Best HIPAA Security Risk Assessment Vendor

A Request for Proposal (RFP) is one of the best ways to find out what each HIPAA security risk assessment vendor has to offer your organization, provided you structure it properly.

From the August 2004 Issue of HIPAA Security Compliance Insider.

The annually required HIPAA Security Risk Assessment isn’t a joke... Like many organizations, your organization may not have the resources to conduct a HIPAA security risk assessment that compares your technical and nontechnical security measures to HIPAA’s requirements. That’s where an outside security assessment vendor can help. It can identify and explain your security weaknesses and the potential threats and vulnerabilities to your electronic protected health information (EPHI). Plus, a security assessment vendor can give you advice on what security measures you should implement to comply with HIPAA’s security regulations and stay in business.

But how do you know which security assessment vendor is the best one for your organization? One good way is to put together a request for proposal (RFP) that you send to prospective HIPAA security risk assessment vendors. Creating an RFP for prospective vendors will help you focus your security assessment project. And it will give you a chance to review and compare prospective vendors’ written responses to questions tailored to your organization. “Done well, an RFP is an indispensable tool for visualizing a project; and it provides a concrete roadmap for your relationship with the vendor you select,” says information technology attorney Jay Hollander.

We’ll tell you the steps you should take to start the process of choosing the right HIPAA security risk assessment vendor, including how to set up an RFP. And to help you set up your own, we’ll give you a Model Form of an RFP that you can adapt and distribute to potential vendors.

Follow Three Steps to Start Your HIPAA Security Risk Assessment Vendor Selection Process

According to Hollander, choosing a vendor to perform a HIPAA security risk assessment should start with three steps.

  1. Assess needs/scope of project. First you must identify what areas your HIPAA security risk assessment should include. Do you need an assessment of your physical access controls and security policies? Should the vendor conduct a penetration test of your internal and external networks to see how easily they can be breached? “Each organization’s needs will be different,” says information security consultant Earl Crane. For example, smaller organizations that don’t transfer EPHI over extranet connections probably won’t need a security assessment of their extranet, he explains. 

    Insider Says: For a list of the various areas an organization’s security assessment might need to cover, click here. You can use this list to help you identify your own needs so you can communicate them to prospective vendors.

  2. Narrow list of vendors. Next, you will need to get a list of prospective vendors. To do this, you can search for security assessment vendors on the Internet or ask colleagues for recommendations. Narrow your list by considering the vendors’ experience, general pricing approach, and the services they provide, says Hollander. 

    Focus on vendors that have the ability to assess both your technical and nontechnical security, recommends Crane. To get a complete picture of your security practices, you will need a technical assessment and a policy assessment, preferably by the same vendor, he explains. “Look for a vendor with a good understanding of HIPAA’s security regulations, and a good technical reputation,” he adds.

  3. Prepare RFP. Once you’ve narrowed your list of prospective vendors down to four or five, it’s time to create an RFP. Your RFP, like ours, should include the following provisions:
  • Purpose and goals. Begin your RFP with a brief explanation of the reason you’re seeking a HIPAA security risk assessment vendor and your goals for the assessment—that is, to identify and repair security gaps and comply with the HIPAA security regulations.
  • Proposal contact and method of evaluation. Give prospective vendors the name and contact information of a knowledgeable person in your organization to whom they can go for more information. And tell them who should receive the proposals and any additional information your organization might need [Form, sec. 2(a)]. Also tell them the factors that will affect your decision to accept a proposal. Explain that your consideration of the proposals will be based on more than cost, says Crane. This way, they’ll understand that they may be rejected even if they have the lowest bid.
  • Schedule. Vendors will also need a schedule that outlines the RFP process from beginning to end, including the date when:
    • Responses to the RFP are due;
    • Vendor interviews will be held;
    • Supplemental information must be received;
    • A decision will be made; and
    • The project should start and finish.
  • Organization information. To understand the scope of the project and price it appropriately, prospective vendors will need a basic description of your organization and the information systems it currently uses. Be sure to describe all hardware and software, and let prospective vendors know how many active IP addresses your organization uses.
  • Scope of project. Based on the needs assessment you conducted before you narrowed down your vendor list, define the scope of the project in your RFP. Be precise, says Crane. Otherwise, your vendors might not bid on the same project, resulting in service and pricing differences that could be hard to identify and compare. And ask your vendors to break down their costs and the amount of time they require for each type of assessment you list in your RFP, Crane adds.

Confused? That’s okay! Call Aligned Risk Management for help:


“Use RFP to Find Best HIPAA Security Assessment Vendor”. HIPAA Security Compliance Insider, US. Retrieved July 3, 2018.