If you have a smartphone, a teenager or both, then acronyms like OMG (oh my gosh), OMW (on my way) and AFAIK (as far as I know) are probably pretty familiar to you. However, the last one – LoProCo - probably belongs more in a list with HIPAA than BTW (by the way).
So what is LoProCo? Well it starts with HIPAA (if you would like to learn more about HIPAA, google it) and the mandate that each and every breach be reported even if no harm was done. This draconian standard was amended recently to help organizations define a breach - and the acronym for this clarification is LoProCo.
LoProCo and the new standards reads something like this.
- HIPAA requires you to assume a breach has occurred unless you can prove LoProCo, which means that you can demonstrate that there is a Low Probability that PHI has been Compromised based on:
- Nature and extent of the PHI involved (including the types of identifiers and the likelihood or re-identification)
- The unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
This is probably best demonstrated through an example. Let’s take the case of an errant fax of patient information. Let’s say an office manager is attempting to send patient information to a billing partner. However, there’s a PEBCAK (problem exists between chair and keyboard) and the PHI (protected health information) is faxed to the wrong number. Obviously this is a breach. But, can the doctor’s office prove LoProCo? That depends.
1) Where was the fax actually sent? Was it sent to the credit card company or the local supermarket? The credit card company has some requirement to maintain confidentiality. The supermarket, not so much.
2) How long was it before the fax was sent and the error was noticed? Was it 30 seconds or five days?
3) What steps were taken to mitigate the damage? Was the office manager able to contact the supermarket within three minutes and guarantee they destroy the PHI immediately?
All of these factors contribute to a LoProCo determination.
But the challenge doesn’t end there. To be sure, employees dealing with PHI make mistakes and they need to be dealt with as per HIPAA and LoProCo. But what if the mistake wasn’t? Imagine a scenario whereby an employee “intentionally” logs into the automated billing system using a shared administrative account and changes the destination fax number or email address for *all* the outbound PHI as a way to gather data to sell on the black market? In this scenario, because the administrative credentials are shared, there would be no way to determine which employee made the change. In fact, it could have been the trusted IT vendor the recently visited to upgrade the application to the latest version.
The real challenge here is without the right IT controls and auditing, there is no way this security violation could pass LoProCo which means it would HAVE to be reported…and all the joy and fun that comes with that.
The point here is to make sure you have the right training for employees to understand the ramifications of their actions along with the right IT controls in place for your administrative accounts to ensure you can cover off those situations as well…or you might be FUBAR (probably can’t use that).
If you’d like to learn more about controlling and managing administrator credentials, read this white paper.