Security breaches at healthcare service organizations (HSOs) have become an epidemic, rising by more than 32% over recent years at an estimated cost of 6.5 billion per year. A study by the Ponemon Institute found that nearly 96% of the healthcare providers who participated believed they had suffered at least one data breach, most often through employee carelessness: stolen computing devices (Premier Inc, 2014), third-party errors, and unintentional employee actions such as:
- nurses logging in with their passwords and leaving the session open and unattended
- officials and doctors displaying their passwords
- fax machines and printers kept in open rooms without locks
- a single password granting access to the entire hospital database, including human resources
- no programme reminding staff to change their passwords on a regular basis
- staff using another person's password to access an account that is not theirs
- sharing confidential patient files and information
The following plan explains what should be done by healthcare organizations to reduce security breaches:
- Establishing Security/Privacy Policies and Training: Healthcare employees who handle confidential patient information must be trained in, and made aware of, the policies and procedures governing the protection of that information. By deploying learning management system software, HSO staff can be trained on security and privacy policies, which helps reduce the likelihood of a breach. Medical files are the patient data most frequently lost or stolen, so workers need to understand why protecting patient information matters, and the HSO must train staff on, and enforce, its PHI policies and procedures. Healthcare organizations should also make privileged-user and access governance a top priority to prevent unauthorized entry into organizational databases (Kroll Cyber Security, 2014).
- Perform a PHI Risk Assessment: Healthcare organizations must inventory all personally identifiable healthcare data and assess the risk to it. The HSO should know exactly where its patient and organizational sensitive data resides, and track data at every stage of its workflow: at rest, in use, and in transit. The information must be classified by sensitivity so that the appropriate level of protection can be assigned. One study found that 49% of participants do not use software to secure mobile devices. With a completed risk assessment, HSOs can put effective privileged-user and access governance controls in place (HIT Consultant Media, 2014).
- Implement Security and Privacy Measures: The HSO should protect the confidentiality of sensitive data with strong encryption such as AES (on modern CPUs the AES-NI instruction set accelerates it, so performance is no longer a reason to leave data unencrypted). A robust set of security monitoring tools for endpoints, networks, and databases, combined with encryption, is strongly recommended. Encryption must be implemented correctly as one layer of a multilayered approach alongside administrative and physical controls; this links back to Step 1, which ensures staff are trained on the encryption rules and the related policies and procedures. The HSO must also invest in anti-theft technology for portable devices.
- Make Security and Privacy a Top Priority in Budget Planning: Research confirms that inadequate budgets and risk assessments are an organization's biggest obstacles. This step is the hardest to implement: CIOs cannot easily obtain budget approval for additional security and privacy measures when HSOs already face the competing priorities of ICD-10, meaningful use, and so on. Nonetheless, security breaches are expensive and damage organizational performance; a single breach is often what makes the case for approving a privacy and security budget.
- Establishing a Risk Mitigation/Incident Response Plan: The risk mitigation plan defines the guidelines and the assigned teams for managing the loss or theft of PHI efficiently. A good mitigation strategy, supported by anti-theft technology, enables rapid protection, response, and recovery when confidential information is lost or stolen.
Although there is no magic solution that eliminates 100% of unauthorized access and security breaches, HSOs that apply healthcare security and privacy best practices can greatly reduce the number of breach events within their organizations (HIT Consultant Media, 2014).
An HSO's security plan must consist of effective security policies. Security policies set out specific guidelines for each area of responsibility, together with plans that give the steps and measures to take, and the regulations to follow, when implementing them.
Policies must define what the organization considers valuable and outline the steps to be taken to protect those assets. One approach is a single general policy of a few pages that covers most situations. Another is a set of policies for different classes of assets, such as e-mail, Internet access, password, and remote access policies.
However, with respect to the current case study, two common issues with organizational policies are:
- The policy is a platitude rather than a decision or a direction.
- The policy is not actually used by the organization. It is a piece of paper shown to auditors, lawyers, other parts of the organization, or customers, but it does not affect behaviour (Kroll Cyber Security, 2014).
Assessing risk effectively helps HSO network security officials determine whether good security policies and controls are actually in place. Weaknesses arise from poorly written policies and from the human factor: stringent policies are commonly bypassed because personnel tire of following them, leaving the system vulnerable to breaches and attacks (HIT Consultant Media, 2014).
For instance, after a security keypad is installed on the server room door, officials and administrators may tire of entering the PIN and prop the door open with a book or a broom, so the control is bypassed. A restrictive password policy can likewise compromise network security: if passwords longer than seven characters are required, many users find them hard to remember, so they write them down and leave them where an intruder can see them. The practical remedy is to make the secure behaviour the easy one (for example, passphrases or an approved password manager) rather than to weaken the control.
Visibility is essential for a policy to be effective, because it helps guarantee that the policy is communicated across the whole organization. This is achieved through each policy's plan, a written set of steps and rules that clearly defines how, when, and by whom they are carried out. Visibility can be increased through management videos, presentations, guest speakers, panel discussions, question-and-answer forums, and newsletters. If the HSO runs adequate computer security training and awareness, users can be notified of new policies effectively, and new staff members can be familiarized with the organization's policies.
Furthermore, officials must ensure that computer security policies are written in a way that makes management's unqualified support clear, particularly in environments where workers feel flooded with policies, guidelines, rules, directives, and procedures. Scholars note that the HSO's policy is what emphasizes management's commitment to network security and clarifies its expectations for employee performance, behaviour, and accountability (Premier Inc, 2014).
Types of Security Policies
The following types of policies must be implemented in the current HSO scenario.
Policies can be written for any area of security, but it is up to the IT manager and the security administrator to decide which policies are needed where, and who will draft them. A policy may apply to the whole organization or only to particular departments within the HSO.
- Password policies
- Administrative Responsibilities
- User Responsibilities
- E-mail policies
- Internet policies
The security offered by a password system depends on passwords being kept confidential at all times. A password is exposed to compromise every time it is used, stored, or even memorized (ID Experts, 2014). Within a password-based authentication process, passwords are at risk at several points in their life cycle, and the policy must cover each of them:
- Passwords must be changed regularly; employees across the HSO must be reminded through their accounts each month to change them.
- Every new user must be issued an automatically generated initial password when enrolled on the system, and must change it at first login.
- The system must maintain a password database, which must itself be protected (passwords stored as salted hashes, never in clear text).
- Users must memorize their passwords and not let anyone observe them.
- Users must enter their passwords into the system only at authentication time, never into any other prompt.
- Employees must not share their passwords with anyone, including administrators and IT managers.
It is recommended to define a minimum password length, required character classes and symbols, a prohibition on blank passwords, and maximum and minimum password ages. Users must be prevented from reusing previous passwords and required to include a mix of character types so that passwords are harder to crack (Andersson et al., 2004).
Most systems arrive from the vendor with a few standard user logins already enrolled. The passwords of all such logins must be changed before the general user population is allowed onto the system; for example, the administrator password must be changed during installation.
The administrator generates and assigns the initial password for each user login and then notifies the user of it. In some departments it may be essential to prevent even the administrator from knowing a user's password; in others the user can easily remove this exposure by changing the password immediately. Pairing a smart card with the username and password is the strongest way to limit the exposure: although the administrator knows the initial password, the system will not accept it without the user's smart card.
A user may forget a password, or the administrator may suspect that a user's password has been compromised. To handle these cases, the administrator should be able to reset any user's password by issuing a new one. The administrator does not need to know the old password to do this, but must follow the same rules that apply to initial password assignment; in particular, the administrator must positively identify the user before replacing a forgotten password (ID Experts, 2014).
Users of the system, that is, the employees of the HSO, must understand their responsibility to keep their passwords secret, and must report changes in their user status, any malicious activity, suspected security violations, and so on. To reinforce security awareness, each user should sign a statement acknowledging these responsibilities.
Passwords must be changed on a regular basis to limit the damage from an undetected compromise: often enough that the chance of compromise during a password's lifetime is low. To avoid unnecessary exposure of passwords to the administrator, users should be able to change their own passwords without administrator intervention (Van de Velde, 2000). Note that later guidance, such as NIST SP 800-63B, favours changing passwords on evidence of compromise rather than on a fixed schedule, so the rotation interval should be chosen with that in mind.
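The rules above (system-generated initial password that must be changed at first login, minimum length and character classes, no blank passwords, minimum and maximum age, no reuse of recent passwords, salted hashes in the password database) are easy to state and easy to get wrong in code. The following Python is an added example written for this page, not code from any of the cited sources; the specific numbers (12-character minimum, 5-password history, 1-day minimum and 90-day maximum age) are assumptions, as the text names the rule types but not the values.

```python
"""Password-policy enforcement sketch for an HSO account system (added example)."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy values: the page names the rule types, not the numbers.
MIN_LENGTH = 12
HISTORY_DEPTH = 5
MIN_AGE = timedelta(days=1)
MAX_AGE = timedelta(days=90)
PBKDF2_ROUNDS = 100_000
CHARSET = string.ascii_letters + string.digits + string.punctuation


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-SHA256 hash; this is what the 'password database' stores."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so a verifier cannot leak matching prefixes."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def complexity_errors(password: str) -> list:
    """Length and character-class rules; an empty list means the password passes."""
    if not password:
        return ["blank password"]
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        errors.append("missing a lowercase letter")
    if not any(c.isupper() for c in password):
        errors.append("missing an uppercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("missing a digit")
    if not any(c in string.punctuation for c in password):
        errors.append("missing a symbol")
    return errors


def generate_initial_password(length: int = 16) -> str:
    """System-generated initial password, drawn from a CSPRNG until it meets policy."""
    while True:
        candidate = "".join(secrets.choice(CHARSET) for _ in range(length))
        if not complexity_errors(candidate):
            return candidate


@dataclass
class Account:
    username: str
    history: list = field(default_factory=list)  # newest first: (salt, digest)
    last_changed: datetime = datetime.min
    must_change: bool = False  # set while the administrator-issued password is in force


def enroll(username: str, now: datetime) -> tuple:
    """Create an account with a generated initial password the user must replace."""
    initial = generate_initial_password()
    account = Account(username, [hash_password(initial)], now, must_change=True)
    return account, initial


def password_expired(account: Account, now: datetime) -> bool:
    return account.must_change or now - account.last_changed > MAX_AGE


def change_password(account: Account, new_password: str, now: datetime) -> list:
    """Apply every rule; returns the list of violations, empty on success."""
    errors = complexity_errors(new_password)
    if new_password and account.username.lower() in new_password.lower():
        errors.append("contains the username")
    # Minimum age stops a user cycling through passwords to defeat the history rule,
    # but must not block replacing the administrator-issued initial password.
    if not account.must_change and now - account.last_changed < MIN_AGE:
        errors.append(f"changed less than {MIN_AGE.days} day(s) ago (minimum password age)")
    for salt, digest in account.history[:HISTORY_DEPTH]:
        if verify_password(new_password, salt, digest):
            errors.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    if errors:
        return errors
    account.history.insert(0, hash_password(new_password))
    del account.history[HISTORY_DEPTH:]
    account.last_changed = now
    account.must_change = False
    return []


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 9, 0)
    acct, initial = enroll("nurse01", now)
    print("issued:", initial, "| must change at first login:", password_expired(acct, now))
    print("reuse attempt:", change_password(acct, initial, now))
    print("good change:", change_password(acct, "Ward7-Rounds!2024", now))
```

The history check verifies the candidate against each stored salted hash rather than comparing plaintext, so the system never needs to keep old passwords in a recoverable form, which is the point of the password database rule above.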
E-mail policies protect confidential patient data. E-mail is increasingly critical to the normal course of business, so organizations must define e-mail policies that help employees use it safely and properly, reduce the threat of intentional or accidental misuse, and ensure that official records and sensitive files sent by e-mail are handled correctly. Organizational policies should give general guidance in the following areas:
- Using e-mail to conduct official business
- Using e-mail for personal business
- Access control and confidentiality protection of e-mail messages
- Managing and retaining e-mail messages
E-mail accidents can cause real damage. Mail folders may grow until the e-mail system fails. Badly configured discussion-group tools may deliver messages to the wrong groups. Errors in mailing lists can flood subscribers with hundreds of error messages, and bounce messages sometimes loop back and forth between mail servers. These accidents can be prevented by:
- Training users on what to do when things go wrong.
- Configuring e-mail software so that its default behaviour is the safest behaviour.
- Using software that consistently complies with Internet e-mail protocols and conventions. Whenever an online service connects its proprietary e-mail system to the Internet, there are loud protests over the flood of error messages generated by the service's faulty mail servers.
Public-key cryptography should be used to digitally sign e-mail messages so that impersonation is detected, and to encrypt either the message contents or the channel it travels over so that eavesdropping is prevented (Miami Children's Hospital, 2013).
Reading e-mail from shared computers in public locations such as discussion rooms can leave valuable data downloaded or cached on those machines. Users must clear such data after use so that no sensitive documents are left behind.
Internet policies govern use of the World Wide Web, where a wide range of software and a set of protocols and conventions are used to navigate and seek information across the Internet (Microsoft, 2014).
Web clients, or browsers, provide a point-and-click user interface for navigating information. Browsers also expose an HSO to vulnerabilities, though usually less severe than those posed by servers. Browser settings can be controlled centrally through the Group Policy feature of the underlying operating system (OS) (Van de Velde, 2000).
Web servers can be attacked directly or used as jumping-off points for attacks on an organization's internal networks. They must be protected at several levels: the underlying OS, the web server software, server-side scripts and other software, and so on. In addition, firewalls and careful security configuration of routers and the IP stack help fend off denial-of-service (DoS) attacks.
Intrusion detection systems (IDSs) must be deployed to detect unauthorized use of, or attacks on, a computer or network. IDSs are hardware or software systems that detect such misuse, including attempts to compromise the confidentiality, integrity, and availability of a network. The attacks may come from outsiders or from insiders, as in the present scenario, where attackers downloaded patient names and published them through online and offline media. An IDS cannot by itself stop such an attack, but it can detect the unusual access pattern early enough for the incident response plan to contain it (Microsoft, 2014).
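The scenario above (an account pulling patient names in bulk) is a good illustration of what a detection rule has to look for, because each individual record access is legitimate-looking; it is the volume per user in a short window that gives the attacker away. The following Python is an added example written for this page, not code from any cited source: it runs a sliding-window rule over constructed PHI audit-log lines. The log format, the 10-minute window and the 25-distinct-patients threshold are all assumptions; a real deployment would tune them per role from the baseline the risk assessment establishes.

```python
"""Bulk PHI-access detection over audit-log lines (added example)."""
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Assumed audit-log format: one record access per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"patient_id=(?P<pid>\S+) src=(?P<src>\S+)$"
)
WINDOW = timedelta(minutes=10)   # assumed
THRESHOLD = 25                   # assumed: distinct patients per user per window

Alert = namedtuple("Alert", "user first_seen last_seen distinct_patients src")


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "action": m["action"],
        "pid": m["pid"],
        "src": m["src"],
    }


def detect_bulk_access(lines, window=WINDOW, threshold=THRESHOLD):
    """Alert once per user whose distinct patient records in `window` reach `threshold`."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, patient_id), time-ordered
    alerted = set()
    alerts = []
    unparsed = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1  # tampered or corrupted lines are themselves worth a signal
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["pid"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # slide the window forward
        distinct = {pid for _, pid in q}
        if len(distinct) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append(Alert(ev["user"], q[0][0], ev["ts"], len(distinct), ev["src"]))
    return alerts


def constructed_audit_log():
    """Constructed sample: one normal clinician and one account walking patient IDs."""
    base = datetime(2024, 3, 2, 14, 0, 0)
    lines = []
    # A ward nurse viewing six patients spread over an hour.
    for i in range(6):
        ts = base + timedelta(minutes=10 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} user=nurse_ward7 action=VIEW "
                     f"patient_id=10{i:04d} src=10.1.4.22")
    # A temporary admin account pulling 40 sequential records in four minutes.
    for i in range(40):
        ts = base + timedelta(seconds=6 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} user=temp_admin action=VIEW "
                     f"patient_id=20{i:04d} src=203.0.113.9")
    lines.append("garbage line that does not parse")
    lines.sort()  # ISO-8601 timestamps sort chronologically as strings
    return lines


if __name__ == "__main__":
    for alert in detect_bulk_access(constructed_audit_log()):
        print(f"ALERT {alert.user} from {alert.src}: {alert.distinct_patients} distinct "
              f"patients between {alert.first_seen:%H:%M:%S} and {alert.last_seen:%H:%M:%S}")
```

Counting distinct patient identifiers rather than raw events matters: a clinician refreshing one chart forty times is noise, while forty different charts from one login in four minutes is the export pattern the scenario describes. Firing once per user keeps the responder from being flooded while the attacker continues.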
Microsoft (2014). Security Planning. Available at
Premier, Inc. (2014). Medical errors and the Institute of Medicine (IOM). Available at
Kroll Cyber Security (2014). IT security planning should be a top 2014 healthcare resolution. Available at http://www.krollfraudsolutionsblog.com/2014/01/it-security-planning-should-be-a-top-2014-healthcare-resolution/
Miami Children's Hospital (2013). Patients & Families: HIPAA - Health Insurance Portability & Accountability Act. Available at http://www.mch.com/patients-and-families/hipaa-health-insurance-portability-and-accountability-act.aspx
HIT Consultant Media (2014). 5 Ways Healthcare Organizations Can Reduce Security Breaches. Available at http://hitconsultant.net/2011/12/12/5-ways-healthcare-organizations-can-reduce-security-breaches/
ID Experts (2014). 11 Data Security Tips for Healthcare Organizations in 2013. Available
Andersson, A., Hallberg, N., Eriksson, Timpka, T. (2004). A Management Information System Model for Process-Oriented Health Care. MDA, Department of Computer Science and Department of Health and Society, Linköping University, Sweden.
Van de Velde, R. (2000). Framework for a clinical information system. International Journal of Medical Informatics, 57: 57-72.