CSOL530 01 SP21 Cyber Security Risk Management Assignment 2

This document discusses security categorization of health information systems based on FIPS Publication 199. It examines the potential impact on confidentiality, integrity, and availability of health records if systems are compromised. Health information systems require high security due to risks of breaches, hacking, and data manipulation. Failure to protect privacy and ensure availability of health data can harm patients and result in legal penalties.

Running head: SECURITY CATEGORIZATION 1

Security Categorization

CSOL 530 Cyber Security Risk Management

Marissa R. Becker

University of San Diego


Introduction

FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, provides a common framework and vocabulary for expressing security that promotes effective management and oversight of information security programs. The security categories are based on the potential impact on an organization should certain events occur which jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization. FIPS 199 requires assigning a security category to each type of information that is processed, stored, or transmitted by an information system, and to the information system itself. The security category consists of an impact level for each of the three security objectives: confidentiality, integrity, and availability.

Potential Impact Levels

Table 1: Categorization of Federal Information and Information Systems
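As an added worked example (not part of the original paper), the following Python models the FIPS 199 categorization described in the introduction: a security category is a triple of impact values, one per security objective, assigned to each information type, and the system-level category is the high-water mark, the highest value for each objective across all the information types the system processes, stores, or transmits. That aggregation rule, and the rule that "not applicable" is allowed only for the confidentiality of public information, come from FIPS 199 itself rather than from this paper. The three health information types and their ratings are constructed sample input: the PHI ratings follow the paper's conclusion that health records carry high impact on all three objectives, and the other two types are assumptions.

```python
"""Worked example of FIPS 199 security categorization (added illustration; not from the paper)."""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact values, ordered so that max() yields the high-water mark."""
    NOT_APPLICABLE = 0  # permitted only for the confidentiality of public information
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class SecurityCategory:
    """SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self):
        # FIPS 199 allows "not applicable" only for confidentiality: loss of
        # integrity or availability always has some impact, even for public data.
        if self.integrity is Impact.NOT_APPLICABLE or self.availability is Impact.NOT_APPLICABLE:
            raise ValueError("integrity and availability cannot be 'not applicable'")

    def __str__(self) -> str:
        return ("SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}"
                % (self.confidentiality.name, self.integrity.name, self.availability.name))


def system_category(info_types: dict) -> SecurityCategory:
    """High-water mark: for each objective, take the highest impact across every information
    type the system processes, stores or transmits. A system category may not carry
    'not applicable', so each objective is raised to at least LOW."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    cats = list(info_types.values())
    return SecurityCategory(
        confidentiality=max(Impact.LOW, max(c.confidentiality for c in cats)),
        integrity=max(Impact.LOW, max(c.integrity for c in cats)),
        availability=max(Impact.LOW, max(c.availability for c in cats)),
    )


def driving_types(info_types: dict, objective: str) -> list:
    """Names of the information types that set the system-level impact for one objective.
    Useful when deciding whether a single high-impact type could be segregated into its
    own system so the rest of the environment can be categorized lower."""
    level = getattr(system_category(info_types), objective)
    return sorted(name for name, c in info_types.items() if getattr(c, objective) == level)


# Constructed sample input (assumption): information types a hospital EHR might hold. The PHI
# ratings follow this paper's conclusion of high impact on all three objectives; the other two
# types and their ratings are illustrative only.
EHR_INFO_TYPES = {
    "patient health records (PHI)": SecurityCategory(Impact.HIGH, Impact.HIGH, Impact.HIGH),
    "appointment scheduling": SecurityCategory(Impact.MODERATE, Impact.MODERATE, Impact.MODERATE),
    "public health education pages": SecurityCategory(Impact.NOT_APPLICABLE, Impact.LOW, Impact.LOW),
}

if __name__ == "__main__":
    for name, cat in EHR_INFO_TYPES.items():
        print(f"{name}: {cat}")
    print("EHR system:", system_category(EHR_INFO_TYPES))
    print("drives confidentiality:", driving_types(EHR_INFO_TYPES, "confidentiality"))
```

Running the script prints the category of each information type, then the system category, which is HIGH on every objective because the PHI type alone drives it; `driving_types` shows that, which is the question an owner asks before deciding whether the high-impact data can be isolated from the moderate- and low-impact functions.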

Health Information Systems

Health records are a communication tool that supports clinical decision making, coordination of services, evaluation of the quality and efficacy of care, research, legal protection, education, and accreditation and regulatory processes. With the development and adoption of electronic health records (EHRs), it is important to reassess health information security. “Information security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Information security is achieved by ensuring the confidentiality, integrity, and availability of information” (HealthIT.gov, 2021). For this paper, confidentiality is the property that electronic health information is not made available or disclosed to unauthorized persons or processes; integrity is the property that electronic health information has not been altered or destroyed in an unauthorized manner; and availability is the property that electronic health information is accessible and usable upon demand by an authorized person or entity.

The fact that EHRs are stored and accessed digitally makes it possible for data to be compromised by hackers or cybercriminals. Security breaches threaten patient privacy and confidentiality when protected health information (PHI) is made available to others without the individual's consent or authorization (Ozair, Jamshed, Sharma, & Aggarwal, 2015). Electronic health systems can be hacked, manipulated, or destroyed by internal or external users. EHRs are often targeted by ransomware attacks, which install malware on an organization’s servers, can render information unavailable, and can expose personally identifiable information (PII). In the electronic health environment, data is collected and exchanged or shared between systems, throughout an organization, and across other practices. As data moves between and among systems, it can be manipulated intentionally or unintentionally. Data integrity can also be compromised by documentation errors or poor documentation practices on the part of the individuals handling health data. The integrity of medical records is important because the life of a patient depends on the accuracy of the information. In addition, several features of the EHR system, such as the ability to copy and paste content from one progress note to another and drop-down menus, can lead to errors. Availability is also a major concern in health information systems. If the system is hacked or becomes overloaded with requests, it can slow down, and information may become unusable and unavailable. Events outside the organization's control, such as a flood, power outage, internet service outage, or computer failure, can also degrade the availability of health data. FIPS 199 criteria suggest that catastrophic loss of system availability may result in a high availability impact level. To ensure availability, electronic health record systems need redundant components or fault-tolerant designs, so that if one component fails or experiences problems, the system switches to a backup component.

The security of health information systems can be measured using the security attributes of confidentiality, integrity, and availability. Despite the benefits of EHR functionality, health information systems have a high potential impact on confidentiality, integrity, and availability. Patient privacy violations are a growing concern for patients and organizations because of the increasing amount of health information exchanged electronically. Health information systems can also cause several unintended consequences, such as increased medical errors, changes in power structure, financial loss, patient dissatisfaction, and over-reliance of health workers on technology. Privacy issues faced by most practices include data tampering, loss of data following a natural disaster, and unauthorized access to patient information. There are also legal ramifications and consequences of not protecting PII, such as government fines, penalties, and, in extreme circumstances, jail time. Lastly, failure of health information systems can impact the quality of patient care and cause patient harm or loss of life.


References

Azadi, M., Zare, H., & Zare, M. J. (2018). Confidentiality, integrity and availability in electronic health records: An integrative review. In S. Latifi (Ed.), Information Technology - New Generations - 15th International Conference on Information Technology (pp. 745-748). (Advances in Intelligent Systems and Computing; Vol. 738). Springer Verlag. https://doi.org/10.1007/978-3-319-77028-4_97

FIPS 199, Standards for Security Categorization of Federal Information... (2004, February). Retrieved January 25, 2021, from https://ole.sandiego.edu/bbcswebdav/pid-1915128-dt-message-rid-28793133_1/xid-28793133_1

HHS.gov. (2021). Reassessing your security practices in a health IT environment: A guide for small health care practices. [online] Available at: https://www.hhs.gov/sites/default/files/small-practice-security-guide-1.pdf [Accessed 26 January 2021].

Menachemi, N., & Collum, T. H. (2011). Benefits and drawbacks of electronic health record systems. Risk Management and Healthcare Policy, 4, 47–55. https://doi.org/10.2147/RMHP.S12985

Ozair, F. F., Jamshed, N., Sharma, A., & Aggarwal, P. (2015). Ethical issues in electronic health records: A general overview. Perspectives in Clinical Research, 6(2), 73–76. https://doi.org/10.4103/2229-3485.153997
