The interviewee was a System Administrator at Northwestern Memorial Hospital in Chicago, Illinois. As a system administrator, he was responsible for setting up and maintaining user accounts, maintaining and monitoring system performance, developing security and privacy policies for users, and creating data backup and recovery policies. Other responsibilities included managing passwords and identities, installing and upgrading software, scheduling hardware repairs and auditing the system. He joined the hospital in February 2010 as Assistant Network Administrator before being promoted to his current position in July 2013. Before that, he had worked at Broadway Supermarket as a database administrator for a period of years. He holds a Bachelor’s Degree in Computer Science from Western Illinois University. In addition, he is a Microsoft Certified System Administrator, Oracle Solaris 11 System Administrator, Certified Security Testing Associate and Certified Associate in Healthcare Information and Management Systems. Although the interviewee had been involved in data security and privacy at Broadway Supermarket, Northwestern Memorial Hospital provided him with his first opportunity to be involved in the management of patient data. He is the only person authorized to assign privileges to the various users of the hospital’s system. Consequently, he is answerable to the board for any misuse of data stored in the system. This responsibility makes him the chief custodian of the hospital’s health information. The hospital uses client-hosted Electronic Health Record (EHR) software supported by an extensive infrastructure consisting of networking devices, three servers and several client computers. The users of the system, who include clinicians, pharmacists, laboratory technicians and finance officers, access it by first providing a valid username and password.
Users have varying privileges, with the doctors assigned to a patient holding the highest privileges and able to see all of that patient’s information, including family history. The interviewee acknowledged that the responsibilities of a system administrator, and by extension of an IT security officer, have been very challenging and sometimes overwhelming. He stated that, as the system administrator, the board expects him to protect personal health information and data from misuse by any individual or agency. Consequently, he receives summonses from the board, the courts and even law enforcement to explain any breaches of the regulations that govern the use of patients’ records. He cited one case in which a rogue nurse disclosed a patient’s health information to a spouse who wanted to know about her partner’s health. Based on this information, the spouse initiated divorce proceedings against her partner. In response, the partner threatened to sue the hospital for breaching patient confidentiality regulations. The interviewee vividly narrated how he appeared before the board on several occasions to explain how the patient’s record had found its way from the hospital system to a third party. He was even forced to take compulsory leave while the issue was under investigation.
The rogue nurse case led to drastic system and policy changes at the hospital. When he was cleared and got his job back, the board mandated him to conduct a thorough audit of the system with a view to uncovering its weaknesses and proposing changes to the system and its policies. He recommended an upgrade to new EHR software with superior security features. He also changed the policy on system logins. All users, with the exception of high-level administrators and care providers, were no longer allowed to access the system from their own devices while outside the hospital premises. The system was configured to flag IP addresses not associated with the hospital. In addition, users were required to register their machine addresses in order to be allowed to use their laptops to access the system while at the hospital. Previously, authorized users could access patients’ records while not on duty. The interviewee contended that the hospital has good policies as far as the protection of patients’ personal health information is concerned. However, in his view the biggest threat to health records does not come from weaknesses in the system but from its users. He emphasized that the security and privacy of patients’ records largely depend on the integrity of the clinicians, pharmacists and all the other people who have authorized access to such information. He stated that modern databases are very hard to hack because they use secure communication protocols and are monitored in real time.
Therefore, cases of unauthorized access are almost non-existent. These developments leave the user as the greatest abuser of the system. He said that, with enough resources, the hospital could minimize the incidence of misuse of patients’ health information. The system requires continuous upgrades and maintenance, which in turn require resources. In their case, these processes are budgeted for every year and the department is expected to work within that budget. Given that the hospital allocates a small portion of its revenue to the IT Department, he is sometimes compelled to abandon critical projects that are directly related to the protection of patients’ information. On the issue of compliance with regulations, the interviewee acknowledged that the hospital puts great emphasis on the privacy and security of personal health information. Consequently, it complies with the Health Information Technology for Economic and Clinical Health (HITECH) Act as a matter of good practice and not of law. He stated that, as stipulated in the HITECH Act, the hospital has adopted a 100% electronic health record system that ensures that only authorized people can access patients’ records. Data sent over the network is encrypted, as directed by the Act. In addition, the hospital, through its communications officer, notifies any patient whose health information has been misused by any entity or person, even if the patient is not aware of it. Again, patients can at any time request their health information and receive it in the format most convenient for them. Finally, he concluded by stating that the use of patients’ data at the hospital is guided by the Health Insurance Portability and Accountability Act. The Act gives four conditions under which health information may be used or disclosed. These conditions include use on request by patients, for treatment and operations, and in the public interest (“Summary of the HIPAA Privacy Rule”).
Summary of the HIPAA Privacy Rule. (n.d.). Retrieved April 10, 2014, from http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/