What are the three broad requirements specified by the CIA security triad?

CIA triad in Healthcare standards

Sinchan Banerjee

General Manager - IT Infrastructure & IT Security @ ProcessIT Global plc

Published Jun 9, 2020

Confidentiality, Integrity & Availability (the CIA triad) collectively form the core underpinning of information security.

Confidentiality relates to the defense of information from unauthorized or unscrupulous access that can pose a threat to an organization (threat vectors include direct attacks such as stealing information or capturing network traffic, social engineering, phishing, etc.).

Some of the threats that could compromise confidentiality are encryption cracking, man-in-the-middle attacks, insider leaks where data is stored in plain text, and doxxing of data holders' confidential information.

Several measures to keep your information confidential are:

  • Strong/Complex Password
  • Two-factor authentication
  • Access Control list (ACL)
  • Encryption
  • Use of Steganography

Integrity guarantees that information is in a format that is accurate and correct for its original purposes, i.e. integrity ensures protection of information from unlawful/unofficial alteration. Integrity also ensures that data is not changed in transit.

Some of the challenges that could jeopardize integrity are tampering with plaintext data in a man-in-the-middle attack, compromising a server where end-to-end encryption does not exist, etc.

Some measures to sustain the integrity of information include:

  • Certificates
  • Encryption
  • Hash verification
  • Digital signatures
  • User Access Controls (Authorizations/Rights)
  • SOD (Segregation of duties)
  • Version Controlling
  • Backup
  • Non-repudiation
  • Training/Awareness
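Two of the integrity measures listed above, hash verification and keyed checks, behave differently against the man-in-the-middle case described earlier. The following is an added example, not code from the original post; the record, the key and the function names are constructed for illustration. It shows that an unkeyed hash catches accidental corruption but not an attacker who rewrites the data and recomputes the hash, whereas an HMAC over the same record fails verification unless the attacker also holds the key.

```python
import hashlib
import hmac
import json

# Constructed sample lab record (not real patient data).
RECORD = {"patient_id": "P-0001", "test": "HbA1c", "result": "6.1%"}


def canonical(record: dict) -> bytes:
    """Serialize deterministically so equal content always hashes equally."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def plain_digest(record: dict) -> str:
    """Unkeyed SHA-256: detects accidental corruption only."""
    return hashlib.sha256(canonical(record)).hexdigest()


def keyed_tag(record: dict, key: bytes) -> str:
    """HMAC-SHA256: detects alteration unless the attacker also has the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_plain(record: dict, digest: str) -> bool:
    return hmac.compare_digest(plain_digest(record), digest)


def verify_keyed(record: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(record, key), tag)


def tamper_demo(key: bytes) -> dict:
    """What each check catches when an intermediary changes a result in transit."""
    digest = plain_digest(RECORD)          # stored alongside the record
    tag = keyed_tag(RECORD, key)           # stored alongside the record
    altered = dict(RECORD, result="5.0%")  # the attacker's modified copy
    # An attacker can recompute an unkeyed hash over the altered record,
    # so plain verification passes on the forged pair.
    forged_digest = plain_digest(altered)
    # Without the key the attacker can only guess; a wrong key yields a wrong tag.
    forged_tag = keyed_tag(altered, b"attacker-guess")
    return {
        "plain_detects_change": not verify_plain(altered, digest),
        "plain_detects_forged": not verify_plain(altered, forged_digest),
        "hmac_detects_change": not verify_keyed(altered, tag, key),
        "hmac_detects_forged": not verify_keyed(altered, forged_tag, key),
    }
```

A digital signature takes this one step further: verification needs only the public key, so the check can be done by anyone and the signer cannot later deny having produced the record (the non-repudiation measure in the same list).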

Availability means that information is accessible to authorized individuals whenever it is needed. Some of the primary threats to availability are non-malicious in nature and include hardware failures, unscheduled software downtime and network throughput problems. Malicious threats include various forms of sabotage that deny users access to the information system.

Some of the threats that could imperil availability are DDoS (Distributed Denial of Service) attacks, ransomware attacks and disruption of the system/data center's power supply.

Measures to defend against threats to availability include:

  • Patching
  • Hardening
  • Server clustering
  • Redundancy (Fault Tolerance)
  • Virtualization
  • Fail-over
  • Off-site backups
  • Disaster recovery
  • Continuity of operations planning
  • Environmental controls
  • Monitor system performance and network traffic (SIEM - Security Information and Event Management)
  • Protection against DDoS and other attacks

With respect to healthcare information, confidentiality is grounded in the right of an individual to keep his/her personal health information from being revealed. With the exponential growth of patient data available in digital format, protecting it is a statutory and regulatory requirement. The method of protecting patient data is defined, with clear guardrails, in the HIPAA (Health Insurance Portability and Accountability Act) framework and the NABH (National Accreditation Board for Hospitals & Healthcare Providers) and NABL (National Accreditation Board for Testing and Calibration Laboratories) standards and guidelines.

HIPAA & CIA

The HIPAA Privacy Rule consists of standards for safeguarding patients' medical records and other PHI (protected health information). As a subset of the Privacy Rule, the Security Rule applies specifically to ePHI (electronic protected health information).

The Security Rule mandates the following three safeguards:

1. Technical safeguards standard

  • Access — refers to the access/authorization a user should have on files/folders, based on SOD (Segregation of duties).
  • Audit controls — refers to the methods for recording and examining activity pertaining to ePHI (electronic protected health information) within the information systems.
  • Integrity — defines policies/procedures for protecting the data from being modified or destroyed in an unauthorized manner.
  • Authentication — requires the confirmation of the identity of the user/individual seeking access to the protected data.

2. Physical safeguards standard

  • Facilities access control — policies and procedures for restricting access to the facilities where information systems are housed.
  • Workstation use — addresses the appropriate and restricted business use of desktops/laptops residing in the immediate environment. For example, a desktop that processes patient bills may be used only with a browser and no other programs; the desktop/laptop should not have software installed that is irrelevant to that use.
  • Workstation security — this standard defines how workstations should be physically protected from unauthorized access, which may include keeping the workstation in a secure room accessible only by authorized individuals.
  • Device and media controls — consists of policies and procedures governing the movement of hardware (hardware spare parts) and electronic media (external HDDs, pen drives, optical disks, tapes, etc.) containing ePHI (electronic protected health information) into, out of and within the facility. The standard also defines the process for disposal and reuse of media, the tracking procedure for all media movements, and data backup/storage of media.

3. Administrative safeguards standard

  • Security management process — includes policies and procedures for preventing, detecting, containing, and correcting violations. It also covers risk analysis and implementing the risk management plan.
  • Assigned security responsibility — a designated security individual responsible for developing and implementing policies and procedures.
  • Workforce security — policies and procedures governing employee access to ePHI (electronic protected health information), i.e. authorization, supervision, clearance, and termination.
  • Information access management — concentrates on restricting inappropriate access to ePHI (electronic protected health information).
  • Security awareness and training — defines the implementation of security awareness trainings for the organization.
  • Security incident procedures — contains procedures for identifying the incidents and reporting to the appropriate persons.
  • Contingency plan — contains plans for data backup, disaster recovery, business continuity and emergency mode operations.
  • Evaluation — defines the process of periodic evaluation of the implemented security plans and procedures to ensure continued compliance with HIPAA Security Rule.
  • Business associate agreements — written agreements or contracts with vendors, contractors and other business associates who have access to ePHI (electronic protected health information).

CIA for NABH

National Accreditation Board for Hospitals & Healthcare Providers (NABH) is a constituent board of the Quality Council of India (QCI), set up to establish and operate an accreditation programme for healthcare organizations. The standard concentrates on patient safety and quality of care. The standards call for continuous monitoring of sentinel events and adequate corrective action plans, leading to the building of a quality culture at every level and across all functions.

Chapter 10, Information Management System (IMS), of the NABH Accreditation Standards for Hospitals (4th edition) specifically addresses the privacy and security of patient data. IMS 1 through IMS 7 require the implementation of reasonable and appropriate administrative, physical, and technical safeguards to:

  • Ensure the confidentiality, integrity and availability of all e-PHI created, transmitted, received or maintained.
  • Protect e-PHI against probable risks, threats and vulnerabilities.
  • Protect against misuse/disclosures of e-PHI that are not required under the Privacy Standards.
  • Ensure that the employees of the organization comply with the defined and approved security policies and procedures.

CIA for NABL

The National Accreditation Board for Testing and Calibration Laboratories (NABL) is an autonomous body under the guidance of the Department of Science & Technology, Govt. of India, whose purpose is to provide accreditation to testing and calibration laboratories, including clinical laboratories, in the country.

NABH is the highest benchmark standard for hospital quality in India.

NABL accreditation is the formal recognition, authorization, and registration of a laboratory that has demonstrated its capability, competence, and credibility to carry out the tasks it claims to be able to do.

Section 10.5 (Laboratory Information Management) of the Specific Criteria for Accreditation of Medical Laboratories, Issue no. 04, establishes the controls for maintaining data privacy and data security. In brief, the controls emphasize the following aspects to maintain the confidentiality, integrity and availability of the applicable ePHI (electronic protected health information):

  • Access Controls
  • Accountability (Tracking)
  • Data Backup and storage
  • Role Based Access
  • User Identification
  • Alarms and Events reporting
  • Audit Trail
  • Disaster Recovery
  • Sign offs
  • User education

JCAHO and CIA

JCAHO likewise follows the CIA triad when articulating patient data security.

The mission of the JCAHO (Joint Commission on Accreditation of Healthcare Organizations) is to continuously improve the safety and quality of care provided to the public through the provision of health care accreditation and related services that support performance improvement in health care organizations.

Joint Commission standard EC.2.10 clearly calls for maintaining technical and organizational measures to protect personal information from loss, misuse, alteration, or unintentional destruction, and this can be accomplished if CIA is in place.

ISO/TS 14441:2013 and CIA

ISO/TS 14441:2013 examines electronic patient record systems at the clinical point of care that are also interoperable with EHRs (electronic health records). ISO/TS 14441:2013 addresses their security and privacy protections by providing a set of security and privacy requirements, along with guidelines and best practice for conformity assessment.

ISO/TS 14441:2013 includes a cross-mapping of 82 security and privacy requirements against the Common Criteria categories in ISO/IEC 15408 (all parts) and ISO 27799 (which is based on and extends the general guidance provided by ISO/IEC 27002:2013).

This Technical Specification (ISO/TS 14441:2013) focuses on two main topics:

a) Security and privacy requirements (Clause 5). Clause 5 is technical and provides a comprehensive set of 82 requirements necessary to protect information and patients against the main categories of risk, addressing the broad scope of security and privacy concerns for point-of-care, interoperable clinical (electronic patient record) systems. These requirements are suitable for conformity assessment purposes.

b) Best practice and guidance for establishing and maintaining conformity assessment programs (Clause 6).

Item (a) clearly sets out the security and privacy requirements that should be met to ensure that information is protected and that the main categories of attack are defended against.

GDPR and CIA

General Data Protection Regulation (GDPR) has substantial impact on healthcare organizations.

The regulation characterizes “personal” data as “any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” On top of this definition, GDPR provides three additional, noteworthy definitions that are relevant to health data:

  • “Data concerning health” is defined by the GDPR as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.”
  • “Genetic data” is defined by the GDPR as “personal data relating to inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.”
  • “Biometric data” is “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”

Healthcare organizations, however, have an added obligation: “data concerning health,” “genetic data,” and “biometric data” must be held to a higher standard of protection than personal data in general. GDPR prohibits processing of these forms of health data unless one of the three conditions below applies.

  • The data subject has given “explicit consent.”
  • “Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services …”
  • “Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices …”

Under the GDPR, both the controller and the processor shall apply suitable technical and organizational measures to ensure a level of security appropriate to the risk, including the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

What are the three main security properties of the CIA triad?

When we discuss data and information, we must consider the CIA triad. The CIA triad refers to an information security model made up of the three main components: confidentiality, integrity and availability.

What are three components of CIA?

The CIA triad has three components: Confidentiality, Integrity, and Availability.

What is the most important part of the CIA triad?

The CIA triad goal of confidentiality is more important than the other goals when the value of the information depends on limiting access to it. For example, information confidentiality is more important than integrity or availability in the case of proprietary information of a company.

What are examples of the CIA triad?

Two-factor authentication (a debit card together with a PIN code) provides confidentiality before authorizing access to sensitive data. The ATM and bank software ensure data integrity by maintaining all transfer and withdrawal records made via the ATM in the user's bank account.