Data Security in Health Care Organizations

Scenario

You are the Chief Executive Officer [CEO] of a health services organization. This organization has inpatient and outpatient facilities, home healthcare services, and other services that meet your patient population’s needs. It also has a world-renowned AIDS treatment center. The organization has always enjoyed an excellent reputation and its quality of care is known to be excellent. Unfortunately, your organization has recently been featured in every media vehicle known to man. The reason: Someone downloaded the names of 4,000 HIV+ patients seen in your HIV clinic and posted the list on the Internet. The Board of Trustees is furious and wants to fire you. You have been able to convince them that they need to keep you as CEO to fix this major crisis. You hire a computer security consultant who comes into your organization, disguised as a nurse manager. After three days, she comes to you with the following report.

• Nurses log in to the computer system with their passwords and then walk away, leaving the system open and running.
• Dr. Jones leaves his password taped to his PC on a piece of paper.
• Fax machines and printers are in open rooms without locks.
• One password can access the entire database in the hospital, including human resources.
• There are no programs reminding staff to change their passwords on a regular basis.
• She pretended to forget her password and other nurses gave her their password.
• She requested sensitive patient files and staff provided her with the files without question.

Assignment Requirements

Your paper should be clear, concise, and 4 double-spaced pages (excluding a title page and a reference page) in 12-point font. Only the first 4 pages of your assignment will be graded, so it is important to be concise in your writing and remain on-topic. You do not need to provide an abstract or describe any of the details of the scenario provided above.

You must address the following:
• A brief assessment of the problems that your organization faces from a ‘big picture’ health care management point of view. This should be a high-level overview of the category/categories of problems that your organization currently faces. (1-page maximum)
• An overview of key laws, regulations, and guidelines that are relevant to the scenario. Be sure to support your assessment with examples of why you believe each law, regulation, and/or guideline is relevant. (1-page maximum)
• The identification of 2 similar situations that have occurred within the health care industry in recent years. A brief explanation of how the identified organizations handled the crisis and an assessment of whether this approach would work for your organization. (1-page maximum)
• An explanation of how your organization could best handle this crisis. (1-page maximum)

You are required to:
• Utilize a minimum of four references. Resources used to support your findings should use a variety of information types including interviews, expert opinions, journal articles, and newspaper articles.
• Provide a reference list in APA format.
• Use in-text citations in APA format.

Answer

Data Security in Health Care Organizations

Key Management Issues at the Organization

In consideration of the scenario described, the organization is experiencing several management problems. Issues within today’s complex healthcare system include regulatory changes, system inefficiencies, coding updates, security issues, and disruptive technology. Among these, technology-related issues are the most common in a technology-led society. Medical and technological advances have enabled radical improvements in service delivery in health care settings. Nonetheless, while organizations grow through technology, they also inherit many problems from it. As the organization’s Chief Executive Officer, I find that although information technology helps solve various healthcare management issues, it also introduces security risks that directly implicate patient protection laws. Over the past few years, cyber attacks on the information technology systems of health care organizations have increased, leading to breaches of patients’ personal information and health records. According to Hayes (2015), data breaches experienced from 2009 to 2015 compromised 135 million patient health records, at an estimated cost of about $50.6 billion.

The organization currently faces a technological crisis from a data breach in which someone downloaded the names of 4,000 HIV+ patients from our hospital’s HIV clinic and then posted the list on the internet. Technology innovations allow health care providers to store medical files on cloud storage services, giving quick and efficient access from any location, but the same convenience widens the exposure of that data. Other management issues within the organization are inadequate employee training on security and on the need to protect patient information, both of which contribute to data breaches. It is crucial to note that while some health records are compromised by malicious software and activity, a large portion of breaches stem from staff’s unintentional disclosures. Here, staff members, including doctors and nurses, hand out their passwords without questioning why the requester needs access to the system.

Key Laws, Regulations, and Guidelines related to data breaches in Healthcare

Legally, the obligations for responding to and managing breaches of healthcare-related data in the United States are set by laws such as the federal Health Insurance Portability and Accountability Act (HIPAA) and its Breach Notification Rule, the Federal Trade Commission’s (FTC) Health Breach Notification Rule, and applicable state law, including the Personal Information Protection Act (PIPA). Under HIPAA, covered entities must ensure the adequate storage, transfer, and management of protected health information (PHI) (Snell, 2017). HIPAA requires covered entities first to identify the source of the breach and then to notify the individuals whose data have been acquired, accessed, used, or disclosed. The FTC rule applies to foreign and domestic healthcare organizations operating in the U.S., and it guides PHR-related entities, vendors of personal health records, and third-party service providers in managing and lawfully dealing with data breaches.

PIPA sets out how organizations should respond to data breaches. These provisions apply only to data collectors and not to health organizations already covered by HIPAA. Data collectors are companies that collect, manage, disseminate, and otherwise handle personal information such as names, medical information, and email addresses. PIPA requires collectors to encrypt and protect individuals’ data, including that of patients. Lord (2020) provides guidelines and tips on how health care organizations can protect their patients’ information and reduce and prevent data breaches. Lord (2020) encourages health organizations to follow HIPAA and other regulations concerning data breaches, educate staff about IT-related security issues, restrict access to sensitive patient data, encrypt data systems, use off-site data backup servers, and conduct regular risk assessments.

Data Breach Cases

As technology advances, health care organizations also experience the severe consequences of adopting it. According to Davis (2019), in 2018 alone, 25 million patient health records were compromised in 503 breaches, three times more than in 2017. In 2019, over 25 million patient records were breached. Healthcare organizations have experienced massive data breaches, which increases the risk of exposure of patients’ health and personal data across facilities. For instance, in July 2018, an unauthorized third party gained access to Navicent Health through an employee database and hosted email accounts, leading to a breach of the data of over 278,000 patients. The organization launched an investigation into the breach to determine how to improve security in the facility. It notified patients about the breach eight months later, which violates HIPAA: HIPAA requires health providers to notify patients within 60 days of the breach. Delayed notification is not a good approach to a data breach, especially one involving patients’ health records.

Also, UConn Health experienced a data breach that potentially compromised the personal and health data of approximately 326,629 patients. Some employees fell victim to phishing attacks, which led to the breach. In February 2019, the organization also discovered a hacker trying to access employee email, but it immediately secured the accounts. Assessing risks and securing accounts and computer systems greatly helped the organization resolve the crisis and prevent further data breach events. These approaches would work effectively for our organization to reduce data breaches.

How to Handle Data Breaches

Data breaches are quite common in health care organizations, as hackers try to gain access to hospitals’ mainframes and database systems holding patients’ information and health records. To resolve the organization’s crisis, I recommend a specific set of strategies to manage the issue (Jelen, 2018). First, we should assess the damage the breach has caused to the organization. This helps management understand how the attack happened and how to prevent a recurrence. Secondly, we should notify the individuals affected or whose data has been compromised. This is not only ethical but also required by HIPAA. We will notify patients through phone calls, direct messages, and emails. Thirdly, we will conduct a security audit or assessment: a thorough review of the organization’s current computer systems, which will inform future recovery plans. We will then update our recovery plan based on the assessment results to address the current data breach and prepare for future cyberattacks.

Fundamentally, the human resources department and the IT department will organize training programs for nurses, doctors, and support staff about data breaches and the other security issues and concerns that current technology brings. The human element remains one of the largest security threats in all sectors, especially health care (Lord, 2020). Human negligence and error can lead to expensive and disastrous outcomes for an organization. Staff will be taught the importance of keeping their passwords safe, never revealing them to other individuals, and logging out of or locking systems when they finish using them. The organization will develop a program to remind employees to change their passwords weekly or monthly. Fundamentally, security awareness training will give employees sufficient knowledge to make smart decisions and apply appropriate approaches and caution when managing patients’ data.


References

Davis, J. (2019, August 2). The ten most significant healthcare data breaches of 2019, so far. HealthITSecurity. https://healthitsecurity.com/news/the-10-biggest-healthcare-data-breaches-of-2019-so-far

Hayes, T. (2015). Are electronic medical records worth the costs of implementation? American Action Forum. https://www.americanactionforum.org/research/are-electronic-medical-records-worth-the-costs-of-implementation/

Jelen, S. (2018, November 27). Top 5 ways to handle a data breach. SecurityTrails. https://securitytrails.com/blog/top-5-ways-handle-data-breach

Lord, N. (2018, September 12). Healthcare cybersecurity: Tips for securing private health data. Digital Guardian. https://digitalguardian.com/blog/healthcare-cybersecurity-tips-securing-private-health-data

Snell, E. (2017, January 6). State data breach notification laws critical to healthcare orgs. HealthITSecurity. https://healthitsecurity.com/features/state-data-breach-notification-laws-critical-to-healthcare-orgs