Health Care Services involves programs and activities that directly provide health and medical care to the public, including both earned and unearned health care benefit programs. The overall accountability rating for this information classification is Moderate.
Confidentiality level = Low
The confidentiality impact level is the effect of unauthorized disclosure of health services care information on the ability of responsible entities to directly provide health and medical care to the public, including both earned and unearned health care benefit programs. Most consequences of unauthorized disclosure of health care information are unlikely to have a serious adverse effect on organizational operations.
Known mitigating factors toward changing the confidentiality level
Some information associated with health care involves confidential patient information subject to the various state and international privacy laws and to HIPAA. The various state and international privacy laws Information provisional impact levels are documented in the Personal Identity and Authentication information type. Other information (e.g., information proprietary to hospitals, pharmaceutical companies, insurers, and care givers) must be protected under rules governing proprietary information and procurement management. In some cases, unauthorized disclosure of this information such as privacy-protected medical records can have serious consequences for organizational operations. In such cases, the confidentiality impact level may be moderate.
Integrity level = High
The integrity impact level is based on the specific mission and the data supporting that mission, not on the time required to detect the modification or destruction of information. Many activities associated with health care services are not time critical and the adverse effects of unauthorized modification or destruction of health care information on organizational mission functions and/or public confidence in the organization will be limited. However, the consequences of unauthorized modification or destruction of health care information may result in incorrect, inappropriate, or excessively delayed treatment of patients. In these cases, serious adverse effects can include legal actions and danger to human life. Unauthorized modification or destruction of information affecting external communications that contain health care information (e.g., web pages, electronic mail) may adversely affect operations and public confidence in the organization and the organization mission. Because of the potential for the loss of human life, the provisional integrity impact level recommended for health care services information is high.
Availability level = Low
The availability impact level is based on the specific mission and the data supporting that mission, not on the time required to reestablish access to health care information. Except for cases of emergency actions necessary to correct urgent threats to patient health, health care processes are usually tolerant of reasonable delays.
Known mitigating factors toward changing the availability level
Some health care information is time-critical and is dependent on the severity of the health threat(s) and the rapidity with which the threat is spreading/growing. Delays in the communication of specific situations may be life threatening. This can result in assignment of a moderate or high impact level to such information.