What are the three broad requirements specified by the cia security triad?
Sinchan Banerjee, General Manager - IT Infrastructure & IT Security @ ProcessIT Global plc. Published Jun 9, 2020.

Confidentiality, Integrity and Availability (the CIA triad) collectively form the core underpinning of information security. Confidentiality relates to the defense of information from unauthorized or unscrupulous access that can pose a threat to an organization (threat vectors comprise direct attacks such as stealing information or capturing network traffic, social engineering, phishing, etc.). Some of the threats that could compromise confidentiality are encryption cracking, man-in-the-middle attacks, insider leaks where the data is held in plain text, and doxxing of the data holders' confidential information. Several measures to keep your information confidential are:
Integrity guarantees that information remains accurate and correct for its original purpose, i.e. integrity ensures protection of information from unlawful or unofficial alteration. Integrity also requires that data is not changed in transit. Some of the challenges that could jeopardize integrity are tampering with plaintext data in a man-in-the-middle attack, compromising a server where end-to-end encryption does not exist, etc. Some measures to sustain the integrity of information include:
Availability means that information is accessible to authorized individuals only, and continuously whenever it is needed. Some of the most common threats to availability are non-malicious in nature and include hardware failures, unscheduled software downtime and network throughput problems. Malicious threats include various forms of sabotage that deny users access to the information system. Some of the threats that could imperil availability are DDoS (Distributed Denial of Service) attacks, ransomware attacks and disruption of the system's or data center's power supply. Measures to shield against threats to availability include:
With respect to healthcare information, confidentiality is defined as the right of an individual to keep his/her personal health information from being revealed. With the exponential growth of patient data available in digital format, protecting it is a statutory and regulatory requirement. The method of protecting patient data is defined, with clear guardrails, in the HIPAA (Health Insurance Portability and Accountability Act) framework and in the NABH (National Accreditation Board for Hospitals & Healthcare Providers) and NABL (National Accreditation Board for Testing and Calibration Laboratories) standards and guidelines.

HIPAA & CIA

The HIPAA Privacy Rule consists of standards for safeguarding patients' medical records and other PHI (protected health information). As a subset of the Privacy Rule, the Security Rule applies specifically to ePHI (electronic protected health information). The Security Rule mandates the following 3 safeguards:

1. Technical Safeguard Standard
2. Physical Safeguard Standard
3. Administrative Safeguard Standard
Business associate agreements: written agreements or contracts in place with vendors, contractors and other business associates who have access to ePHI (electronic protected health information).

CIA for NABH

The National Accreditation Board for Hospitals & Healthcare Providers (NABH) is a constituent board of the Quality Council of India (QCI), set up to establish and operate an accreditation programme for healthcare organizations. The standard concentrates on patient safety and quality of care. The standards call for continuous monitoring of sentinel events and an adequate corrective action plan, leading to the building of a quality culture at every level and across all functions. Chapter 10, Information Management System (IMS), of the NABH Accreditation Standards for Hospitals (4th edition) exclusively articulates data privacy and data security of patient data. IMS1 through IMS7 define the implementation of reasonable and appropriate administrative, physical, and technical safeguards to:
CIA for NABL

The National Accreditation Board for Testing and Calibration Laboratories (NABL) is an autonomous body under the guidance of the Dept. of Science & Technology, Govt. of India, whose purpose is to provide accreditation for the testing and calibration work of clinical laboratories in the country. NABH is the highest benchmark standard for hospital quality in India. NABL accreditation is the formal recognition, authorization, and registration of a laboratory that has demonstrated its capability, competence, and credibility to carry out the tasks it claims to be able to do. Section 10.5 (Laboratory Information Management) of the Specific Criteria for Accreditation of Medical Laboratories, Issue no. 04, establishes the controls for maintaining data privacy and data security. In summary, the controls emphasize the following aspects to maintain the confidentiality, integrity and availability of the applicable ePHI (electronic protected health information).
JCAHO and CIA

JCAHO likewise keeps the same emphasis on the CIA triad when articulating patient data security. The mission of the JCAHO (Joint Commission on Accreditation of Healthcare Organizations) is to continuously improve the safety and quality of care provided to the public through the provision of health care accreditation and related services that support performance improvement in health care organizations. Joint Commission standard EC.2.10 clearly calls for maintaining technical and organizational measures to protect Personal Information from loss, misuse, alteration, or unintentional destruction, and this can be accomplished if CIA is in place.

ISO/TS 14441:2013 and CIA

ISO/TS 14441:2013 examines electronic patient record systems at the clinical point of care that are also interoperable with EHRs (electronic health records). It addresses their security and privacy protections by providing a set of security and privacy requirements, along with guidelines and best practice for conformity assessment. ISO/TS 14441:2013 includes a cross-mapping of 82 security and privacy requirements against the Common Criteria categories in ISO/IEC 15408 (all parts) and ISO 27799 (which is based upon and extends the general guidance provided by ISO/IEC 27002:2013). This Technical Specification focuses on two main topics:

a) Security and privacy requirements (Clause 5). Clause 5 is technical and provides a comprehensive set of 82 requirements necessary to protect information and patients against the main categories of risks, addressing the broad scope of security and privacy concerns for point-of-care, interoperable clinical (electronic patient record) systems. These requirements are suitable for conformity assessment purposes.

b) Best practice and guidance for establishing and maintaining conformity assessment programs (Clause 6).
Item a) very clearly establishes the security and privacy requirements that should be met to ensure that information is protected and that the main categories of attack are shielded against.

GDPR and CIA

The General Data Protection Regulation (GDPR) has a substantial impact on healthcare organizations. The regulation characterizes "personal" data as "any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." On top of this definition, GDPR contains 3 additional, noteworthy definitions that are relevant to health data:
Healthcare organizations, however, have an added dimension: they must hold "data concerning health," "genetic data," and "biometric data" to a higher standard of protection than personal data in general. GDPR prohibits processing of these forms of health data unless one of the three conditions below applies.
Under the GDPR, both the controller and the processor shall apply suitable technical and organizational measures to ensure a level of security appropriate to the risk, including: the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.

What are the three main security properties of CIA?

When we discuss data and information, we must consider the CIA triad. The CIA triad refers to an information security model made up of three main components: confidentiality, integrity and availability.
What are the three components of the CIA triad?

The CIA triad has three components: Confidentiality, Integrity, and Availability.
What is the most important part of the CIA triad?

The CIA triad goal of confidentiality is more important than the other goals when the value of the information depends on limiting access to it. For example, confidentiality is more important than integrity or availability in the case of a company's proprietary information.
What are examples of the CIA triad?

Examples of the CIA triad:
Two-factor authentication (a debit card with its PIN code) provides confidentiality before authorizing access to sensitive data. The ATM and the bank's software ensure data integrity by maintaining records of all transfers and withdrawals made via the ATM in the user's bank account.
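As a further, added example (not from the article or its author) of two of the CIA properties applied to an electronic health record: the Python below pseudonymises the direct identifiers of a constructed ePHI record with a keyed hash, the pseudonymisation measure the GDPR section above names, and seals the record with an HMAC tag so that an alteration in transit, like the man-in-the-middle tampering described under integrity, is detected at verification. The sample record, field names and keys are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample ePHI record (not real patient data).
RECORD = {"patient_id": "MRN-000123", "name": "A. Example",
          "diagnosis": "sample-dx", "visit": "2020-06-09"}
DIRECT_IDENTIFIERS = ("patient_id", "name")

def pseudonymise(record, pseudonym_key):
    """Replace direct identifiers with keyed pseudonyms (GDPR-style pseudonymisation).
    The same identifier always maps to the same token, so one patient's records stay
    linkable, but without pseudonym_key the token cannot be mapped back to the identifier.
    Clinical fields are left untouched."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            tag = hmac.new(pseudonym_key, out[field].encode(), hashlib.sha256).hexdigest()
            out[field] = "pseud:" + tag[:16]
    return out

def canonical(record):
    # Deterministic serialisation so sender and receiver MAC exactly the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal(record, integrity_key):
    """Attach an HMAC-SHA256 tag so any alteration of the record is detectable."""
    tag = hmac.new(integrity_key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}

def verify(sealed, integrity_key):
    """Recompute the tag; the constant-time compare avoids leaking how many bytes matched."""
    expected = hmac.new(integrity_key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])

def demo():
    pseudonym_key = secrets.token_bytes(32)  # held by the data controller only
    integrity_key = secrets.token_bytes(32)  # shared with the receiving system
    sealed = seal(pseudonymise(RECORD, pseudonym_key), integrity_key)
    intact = verify(sealed, integrity_key)
    # Simulate a man-in-the-middle altering a clinical field while keeping the old tag.
    tampered = {"record": dict(sealed["record"], diagnosis="altered"), "tag": sealed["tag"]}
    return intact, verify(tampered, integrity_key)  # (True, False)
```

Confidentiality of the clinical fields themselves would additionally need encryption of the sealed record with an authenticated cipher, which this example leaves out.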