Medical identity theft and data security breaches have become commonplace, with thousands of incidents reported every year. As healthcare management grows increasingly reliant on computerized patient records, privacy, security and confidentiality concerns come to the fore. Fully automated patient records are exposed to unauthorized access, so the nurses and physicians who are authorized to use them carry a greater responsibility for keeping the data safe from every kind of intrusion. Unauthorized access is not the only security challenge facing healthcare management: there are also cases of authorized users misusing information, or browsing for confidential records they have no business reason to see.
Further, an untrained user without the knowledge needed to operate the system may alter stored information or cause the system to crash or lock up (Simpson, 1994). To address these concerns, every healthcare facility should maintain a proper security management plan together with a code of ethics that every member of staff is required to follow. This paper discusses how possible security breaches at St. Johns Hospital could be dealt with effectively through a robust management plan built on three elements: a management response plan, staff training and a code of conduct.
Possible Security Breaches
There are many ways a security breach can take place at St. Johns, so the hospital first needs to identify the different types. Data can be stolen outright by an attacker who penetrates the hospital network, or copied onto portable media by someone inside the building. It can be lost along with a laptop, CD-ROM or flash drive that holds sensitive hospital and patient information. Employees who legitimately have access to sensitive information sometimes misuse it for personal benefit. Data can also be exposed to unintended audiences simply because the security controls in place are insufficient. Malware infections, which can destroy, encrypt or exfiltrate data, are among the most common causes of data loss. Beyond the IT-related breaches, printed records that the hospital disposes of carelessly can be taken from the trash.
Management Response Plan
Based on the scenario at St. Johns Hospital, I believe the appropriate action for the personnel who witnessed the incident would be to report it to an HR manager, who would first warn the cleaning staff about their misconduct and remind them that, under the hospital's security policies, confidential information must not be read or distributed. If the behavior continues, disciplinary action such as temporary suspension from service should follow.
As discussed in the previous section, security breaches can happen in many ways, and the action described in the previous paragraph will not solve the overall problem on its own. Preventing breaches requires comprehensive planning by management. To develop an overarching security plan, St. Johns should first create a data security cell to handle security-related queries and reports. Whenever data theft or misuse is suspected, informing the data security cell immediately is the first step.
As soon as the data security cell learns of an incident, it acts to contain it and minimize the impact of the breach. The cell must also draft a breach-prevention proposal, obtain management approval to implement it, and review the security plan periodically. Once the immediate remedial action is taken, the data security cell informs HR, and the two together evaluate the magnitude of the loss and the legal and public-affairs implications. Based on the findings, HR decides the next course of action: who should be notified, whether the police should be informed, and so on. One part of that decision is not discretionary: when protected health information is involved, the HIPAA Breach Notification Rule (45 CFR 164.400-414) requires notice to the affected individuals without unreasonable delay and no later than 60 days after discovery, notice to the U.S. Department of Health and Human Services (immediately for breaches affecting 500 or more people, otherwise in an annual log), and notice to prominent media outlets when more than 500 residents of a state or jurisdiction are affected, so the hospital's privacy officer should own that determination alongside HR. Finally, HR, the head of IT and the data security personnel assess the financial impact and devise a plan to reduce the chance of such an incident recurring.
First of all, the hospital network should be protected with firewalls, antivirus software, strong security protocols and strong passwords. Many breaches occur through the carelessness of staff who ignore the importance of password protection and remain logged into several computers under their own usernames even when those machines are out of their sight; anything done from those sessions is then attributed to them. Automatic, timed logouts should therefore be in place, every user should have a unique login rather than a shared one, and access should be audit-logged so that misuse can be traced back to a person. The HIPAA Security Rule addresses all three: unique user identification and audit controls are required specifications, and automatic logoff is an addressable one. Employees should also receive proper data security training in which their roles are explained. The HIPAA privacy and security regulations mandate formal training of all workforce members so that they are accountable for the privacy and security of protected health information (PHI). The training standard is flexible: the rules prescribe neither a curriculum nor trainer credentials, so the organization decides how to deliver the training, although the trainers should know the regulations well. The topics that the staff training plan should cover are as follows:
- Employee awareness of general security policies, general patient rights, and treatment, payment and healthcare operations.
- Training on virus protection including preventive measures and reporting the same.
- Understanding login success and failure records and how to spot discrepancies in them.
- Destruction of sensitive information
- Password management and periodic security reminders
- Consequences of security breaches to the individual and organizations
- Complaint reporting and investigation
- Monitoring process
- Verbal confidentiality policies and procedures
- Mitigation of identity theft (AHIMA, 2010)
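The automatic timed logout and the review of login successes and failures described above are both checks that can be run against the workstation audit log. The script below is an added illustration, not St. Johns' own tooling or anything from the cited sources; it assumes a constructed log format of one line per event (timestamp, user, workstation, event) and a 15-minute session limit chosen for the example. It replays the log to find users with sessions open on more than one workstation at once, sessions left open past the limit that an automatic logoff should have closed, and runs of failed logins on one workstation.

```python
"""Replay a workstation audit log to find the login-hygiene problems described
above. Illustrative code only; the log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log lines (not real hospital data).
# Assumed record format: "<ISO timestamp> <user> <workstation> <event>",
# where event is one of login_ok, login_fail, logout.
SAMPLE_LOG = """\
2024-03-04T07:58:10 nurse_a WS-ICU-01 login_ok
2024-03-04T08:40:00 nurse_a WS-ICU-02 login_ok
2024-03-04T08:41:30 nurse_a WS-ICU-02 logout
2024-03-04T09:02:15 physician_c WS-ER-03 login_fail
2024-03-04T09:02:40 physician_c WS-ER-03 login_fail
2024-03-04T09:03:05 physician_c WS-ER-03 login_fail
2024-03-04T09:03:30 physician_c WS-ER-03 login_fail
2024-03-04T09:04:00 physician_c WS-ER-03 login_ok
2024-03-04T09:30:00 physician_c WS-ER-03 logout
2024-03-04T09:10:00 clerk_d WS-ADM-01 login_ok
2024-03-04T09:15:00 clerk_d WS-ADM-01 logout
"""


def parse_log(text):
    """Parse log lines into (time, user, workstation, event) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, event = line.split()
        events.append((datetime.fromisoformat(ts), user, host, event))
    events.sort()  # replay in time order even if lines were written out of order
    return events


def _replay(events, on_login=None):
    """Walk the events keeping user -> {workstation: login time} for open sessions.
    on_login(ts, user, host, open_hosts) is called before each successful login
    is recorded, so it sees what the user already had open at that moment."""
    open_sessions = defaultdict(dict)
    for ts, user, host, event in events:
        if event == "login_ok":
            if on_login is not None:
                on_login(ts, user, host, open_sessions[user])
            open_sessions[user][host] = ts
        elif event == "logout":
            open_sessions[user].pop(host, None)
    return open_sessions


def concurrent_logins(events):
    """Each time a user logs in while still logged in elsewhere, record
    (time, user, new workstation, sorted list of workstations still open)."""
    findings = []

    def check(ts, user, host, open_hosts):
        others = sorted(h for h in open_hosts if h != host)
        if others:
            findings.append((ts, user, host, others))

    _replay(events, check)
    return findings


def overdue_sessions(events, max_minutes, at_iso):
    """Sessions still open at the given time that have exceeded the policy limit,
    i.e. the ones an automatic timed logout should already have closed.
    Returns sorted (user, workstation, minutes open)."""
    at = datetime.fromisoformat(at_iso)
    limit = timedelta(minutes=max_minutes)
    overdue = []
    still_open = _replay([e for e in events if e[0] <= at])
    for user, hosts in still_open.items():
        for host, started in hosts.items():
            if at - started > limit:
                overdue.append((user, host, int((at - started).total_seconds() // 60)))
    return sorted(overdue)


def failed_login_runs(events, threshold):
    """(user, workstation, count) for runs of at least `threshold` consecutive
    failed logins on one workstation. A success resets the count, but the run
    before it is still reported: a long run of failures ending in a success is
    the first discrepancy to look at when reviewing login records."""
    streak = defaultdict(int)
    flagged = {}
    for _ts, user, host, event in events:
        key = (user, host)
        if event == "login_fail":
            streak[key] += 1
            if streak[key] >= threshold:
                flagged[key] = streak[key]
        elif event == "login_ok":
            streak[key] = 0
    return sorted((u, h, n) for (u, h), n in flagged.items())


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("concurrent logins:", concurrent_logins(ev))
    print("overdue sessions:", overdue_sessions(ev, 15, "2024-03-04T10:00:00"))
    print("failed-login runs:", failed_login_runs(ev, 3))
```

On the constructed log, nurse_a is reported once for opening WS-ICU-02 while WS-ICU-01 is still logged in, the WS-ICU-01 session is reported as overdue at 10:00 because it has been open for two hours against a 15-minute limit, and physician_c is reported for four consecutive failures before a success. In a real deployment the same three checks would run over the workstation or domain controller logon events rather than a hand-written file, and the session limit would come from the hospital's own policy.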
Not only staff members but patients, too, should be made aware of the importance of protecting their privacy against identity theft. I would print brochures with instructions on how to avoid falling victim to medical identity theft and distribute them among patients (Taitsman, Grimm & Agrawal, 2013).
Code of Conduct
Ethical guidelines and a code of conduct should be in place at St. Johns. Anyone found violating the code should face disciplinary action, and where disciplinary action fails to correct the behavior, the offender should be suspended. Every employee should follow codes of conduct such as the following:
- Users must be authorized before accessing confidential data and must not use the information for any purpose beyond that authorization, nor share it with any unauthorized person.
- Respecting the privacy of other users, a user must not read, copy, delete or modify another user's data, email or information without that user's permission.
- A user must not share or distribute any information in a way that would violate the hospital's security policies.
- A user must not launch any program or data intended to disrupt normal operations.
- Forgery and attempted forgery will be met with serious disciplinary consequences (East Tennessee State University, 2006).
St. Johns is a well-established name in the healthcare industry, well known for its superior healthcare services. Security of patient information, however, is of the utmost importance in healthcare: if a hospital cannot protect patient information, then despite good clinical care patients will be unwilling to choose St. Johns over other hospitals. St. Johns already has some good security measures, but they are not well implemented. To put them into effect, the hospital needs to train its employees on the possible security breaches and on what to do when one is suspected. St. Johns also needs a strategy for a fast management response to a breach, and an effective code of conduct that every employee follows. A comprehensive security plan alone will not solve the problem of security breaches; an action plan to implement the measures, together with employee education, is what makes the plan robust.
References
East Tennessee State University. (2006). Information technology code of ethics. Retrieved 9 August 2013 from http://www.etsu.edu/oit/policies/inftechcodeethics.aspx
Simpson, R. L. (1994). Ensuring patient data, privacy, confidentiality and security. Nursing Management, 25(7), 18. Retrieved 9 August 2013 from http://search.proquest.com/docview/231413298?accountid=458
Taitsman, J. K., Grimm, C. M., & Agrawal, S. (2013). Protecting patient privacy and data security. The New England Journal of Medicine, 368(11), 977-979. Retrieved 9 August 2013 from http://search.proquest.com/docview/1316940711?accountid=458
AHIMA. (2010). HIPAA privacy and security training. Retrieved 9 August 2013 from http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_048509.hcsp?dDocName=bok1_048509
McDonald, C. (2009). Protecting patients in health information exchange: A defense of the HIPAA privacy rule. Health Affairs, 28(2), 447-449. Retrieved 9 August 2013 from http://search.proquest.com/docview/204516138?accountid=458
Questions on HIPAA security regulation. (2005). Practice Strategies. Optometry, 76.