Data Security in Health Care Organizations
Key Management Issues at the Organization
In consideration of the scenario described, the organization is experiencing various management problems. Issues within the current complex healthcare system include regulatory changes, system inefficiencies, coding updates, security issues, and disruptive technology. Among these, issues related to technology are the most common in today's technology-led society. Medical and technological advancements and innovations have enabled radical improvements in service delivery in health care settings. Nonetheless, while organizations experience growth, they are also experiencing many problems because of technology. As the organization’s Chief Executive Officer, I find that although information technology helps solve various healthcare management issues, it also creates security risks under patient protection laws. Over the past few years, there have been increased cyberattacks on information technology systems in health care organizations, leading to breaches of patients’ personal information and health records. According to Hayes (2015), data breaches experienced from 2009 to 2015 compromised 135 million patient health records, at an estimated cost of about $50.6 billion.
The organization currently faces a technological issue arising from a data breach in which someone downloaded the names of 4,000 HIV-positive patients from our hospital’s HIV clinic and then uploaded them to the internet. Technology innovations allow health care providers to use cloud storage services to store medical files, allowing quick and efficient access from any location, but the same accessibility widens the exposure of those files. Other management issues within the organization are inadequate employee training about security and about the need to protect patient information, both of which contribute to data breaches. It is crucial to note that while some health records are compromised by malicious software and activity, a large portion of breaches are due to unintentional disclosures by staff. Here, staff members, including doctors and nurses, share their system passwords without questioning the intentions of the person asking for them.
Key Laws, Regulations, and Guidelines related to data breaches in Healthcare
Legally, the obligations for responding to and managing data breaches involving healthcare-related data in the United States arise from laws such as the federal Health Insurance Portability and Accountability Act (HIPAA) and its Breach Notification Rule. Also, the Federal Trade Commission’s (FTC) Health Breach Notification Rule and applicable state law, including the Personal Information Protection Act (PIPA), apply. According to HIPAA, covered entities must ensure adequate storage, transfer, and management of protected health information (PHI) (Snell, 2017). It drives covered entities first to identify the source of the breach and then to notify individuals whose information has been affected, that is, whose data have been acquired, accessed, used, or disclosed. The FTC rule applies to foreign and domestic healthcare organizations operating in the U.S., and it helps PHR-related entities, vendors of personal health records, and third-party service providers manage and lawfully deal with data breaches.
PIPA provides rules that guide how organizations should respond to data breaches. These rules apply only to data collectors and not to any health organization covered under HIPAA. Data collectors are companies that collect, manage, disseminate, and otherwise handle personal information such as names, medical information, and email addresses. PIPA requires collectors to encrypt and protect individuals’ data, including that of patients. Lord (2020) provides guidelines and tips on how health care organizations can protect their patients’ information and reduce and prevent data breaches. Lord (2020) encourages health organizations to follow HIPAA and other regulations concerning data breaches, educate staff about IT-related security issues, restrict access to sensitive patient data, encrypt data systems, use off-site data backup servers, and conduct regular risk assessments.
Data Breach Cases
As technology advances, health care organizations experience severe consequences from incorporating current and advanced technology. According to Davis (2019), in 2018 alone, 25 million patient health records were compromised in 503 breaches, three times more than in 2017. In 2019, over 25 million patient records were breached. Healthcare organizations have experienced massive data breaches, which increase the risk of exposure of patients’ health and personal data across facilities. For instance, in July 2018, an unauthorized third party gained access to Navicent Health through an employee database and hosted email accounts, exposing the data of over 278,000 patients. The organization launched an investigation into the breach to determine how to improve security in the facility. It notified patients about the breach eight months later, which violates HIPAA: HIPAA requires health providers to notify affected patients within 60 days of discovering the breach. This would not be a good approach to dealing with a data breach, especially when it involves patients’ health records.
Also, UConn Health experienced a data breach that potentially compromised the personal and health data of approximately 326,629 patients. Some employees fell victim to phishing attacks, which led to the data breach. In February 2019, the organization also discovered a hacker trying to access employee email, but it immediately secured the accounts. Assessing risks and securing accounts and computer systems greatly helped the organization resolve the crisis and prevent further data breach events. The same approaches would work effectively for our organization to reduce data breaches.
How to Handle Data Breaches
Data breaches are quite common in health care organizations as hackers try to gain access to hospitals’ mainframes and database systems holding patients’ information and health records. To solve the organization’s crisis, I would recommend we use specific strategies to manage the issue (Jelen, 2018). First, I would recommend we assess the damage the breach has caused to the organization. This would help management understand how the attack happened and how to prevent it. Secondly, we should notify the individuals affected or whose data has been compromised. This is not only ethical but also required by HIPAA. We will notify the patients through phone calls, direct messages, and emails. Thirdly, we will conduct a security audit or assessment. Here, we will conduct a thorough assessment of the organization’s current computer systems, which will help prepare future recovery plans. We will then update our recovery plan based on the assessment results to resolve the current data breach and prepare for future cyberattacks.
Fundamentally, the human resource department and the IT department will organize training programs for nurses, doctors, and support staff about data breaches and other security issues and concerns currently caused by technology. The human element remains one of the largest security threats in all sectors, especially the health care sector (Lord, 2020). Human negligence and error can lead to expensive and disastrous outcomes for an organization. Staff will be taught the importance of keeping their passwords safe, not revealing them to other individuals, and logging out of systems when they have finished using them. The organization will develop a program to remind employees to change their passwords weekly or monthly. Fundamentally, security awareness training will provide employees with sufficient knowledge to make smart decisions and apply appropriate approaches and caution when managing patients’ data.
References
Davis, J. (2019, August 2). The ten most significant healthcare data breaches of 2019, so far. HealthITSecurity. https://healthitsecurity.com/news/the-10-biggest-healthcare-data-breaches-of-2019-so-far
Hayes, T. (2015). Are electronic medical records worth the costs of implementation? American Action Forum. https://www.americanactionforum.org/research/are-electronic-medical-records-worth-the-costs-of-implementation/
Jelen, S. (2018, November 27). Top 5 ways to handle a data breach. SecurityTrails. https://securitytrails.com/blog/top-5-ways-handle-data-breach
Lord, N. (2018, September 12). Healthcare cybersecurity: Tips for securing private health data. Digital Guardian. https://digitalguardian.com/blog/healthcare-cybersecurity-tips-securing-private-health-data
Snell, E. (2017, January 6). State data breach notification laws critical to healthcare orgs. HealthITSecurity. https://healthitsecurity.com/features/state-data-breach-notification-laws-critical-to-healthcare-orgs