To: Chief Security Officer
From: Director of Health Information Technology
Subject: Medium Healthcare Facility Security Plan Recommendations
To determine the current state of our health care facility, I have completed a risk assessment. During the assessment, I identified the following three potential risks to electronic protected health information (e-PHI):
1. Absence or lack of role-based access controls, which may result in unauthorized access to e-PHI without the minimum necessary rule being applied.
2. Insufficient device media controls or lack of inventory control, which may result in loss or theft of devices that contain e-PHI, such as unencrypted laptops, mobile devices, and/or USB drives.
3. Inadequate employee education and awareness on phishing attacks, which may result in hackers gaining unauthorized access to e-PHI on the network and/or system.
To mitigate the risks mentioned, I recommend implementing the following safeguards:
Physical Safeguards:
Device Security and Media Controls: Encrypt all devices that contain e-PHI, ensure appropriate inventory control is in place, and create strict policies for use of devices and transfer of data.
Facility Access & Control: Implement controls, such as a card swipe system, that limit access to areas containing e-PHI to authorized personnel only.
Workstation Security: Implement controls at workstations to only allow access to authorized personnel by using two-factor authentication or an equivalent based on user roles.
Administrative Safeguards:
Information Access Management: Implement the minimum necessary rule to ensure uses and disclosures of e-PHI are limited.