TABLE 2—
Potential Network Access Management and Information Transfer Security Threats to Patient and Personal Information
| Risk | Risk Description | Prevention (Education) | Prevention (Engineering) |
| Network access management | |||
| Within agency | Sensitive data on health department intranet accessible to unauthorized user, either on-site or remotely. | Not applicable. | Establish effective centralized processes for access provision and revocation and password reset. Require at least single-factor authentication for on-site network access. |
| Remotely | Sensitive data on health department intranet accessible to unauthorized user, either on-site or remotely. | Not applicable. | Require multifactor authentication for remote network access and access to sensitive information |
| Information transfer (e.g., e-mail) | |||
| Within health department | Sensitive data transmitted in inappropriate format. | Establish a policy that instructs users about best practices for transfer of sensitive data via e-mail. | Not applicable. |
| Outside health department | Sensitive data transmitted in inappropriate format. Sensitive data transferred to and from unauthorized users. | Establish a policy that instructs users about best practices for the transfer of sensitive data via e-mail. Establish a policy that instructs users to request encryption of all sensitive data being transmitted via e-mail. | In the future, employ agency-wide e-mail encryption and quarantine of suspicious emails. |