Privacy and security in electronic health services

Order Instructions:

Case Assignment

For your Module 4 Case Assignment, in 2-3 pages, answer each of the “questions for discussion” listed below each case. Develop your answers in 150 to 250 words for each question within the context of the background material. In addition, incorporate relevant applicable laws.

Section 1:

Explain the characteristics of technical, physical, and organizational privacy and security concerns.

Section 2: Case 4.8: E-Mail Goes Astray

Kaiser Permanente, one of the nation’s largest health insurers with 8.5 million subscribers, accidentally compromised the confidentiality of the medical information of 858 of its members. The problem occurred when a technician began sending out a large number of e-mail messages that had been backlogged while Kaiser’s system was being upgraded. Some e-mail messages were sent to the wrong recipients. Members access the website and use the e-mail system to fill prescriptions, make appointments, and seek medical advice. Some of the messages contained names, home telephone numbers, medical account numbers, and medical advice. When the technician noticed the problem, he stopped sending out e-mails but did not notify Kaiser managers of the problem. The next morning, two Kaiser subscribers notified the company that they had received other subscribers’ e-mails. The following message appears on the website:

“Your information is confidential. We are dedicated to keeping your personal health information confidential. We take many precautions to make sure others can’t pretend to be you and get your confidential information from the Web site. As long as you don’t give out your PIN, any confidential information you send or receive on this Web site can be seen only by you and Kaiser Permanente staff who have a ‘genuine business need.’ ” The director of Kaiser’s Web site indicated that once the error was discovered, Kaiser officials attempted to telephone each of the subscribers whose e-mails had been sent to the wrong person and, “We have fixed the problem.”

Source: Brubaker B. ‘Sensitive’ Kaiser e-mails go astray. The Washington Post. August 10, 2000: E01.

Questions for Discussion:
1. Who is responsible for the breach in confidentiality? The technician? Kaiser Permanente? And why?
2. Will this breach of confidentiality discourage subscribers from accessing the Kaiser Web site to fill prescriptions and seek medical advice? How can subscribers be reassured that their information will be kept confidential in the future?

Case 4.7: Patients’ Files Used for Obscene Calls

An orthopedic technician who had been convicted of child rape and indecent assault used the password of a former hospital administrator to gain access to confidential medical records of 954 patients at a major hospital. He then made obscene telephone calls to female patients as young as 8 or 9 years old.

The technician’s access to the confidential patient records began in December and continued until he was fired four months later. The hospital was not aware of the problem until a trace on the telephone line of a girl who was receiving obscene calls indicated that the calls originated from the hospital. The computer system failed to detect the outdated password and did not alert employees who were responsible for maintaining the information system that one individual was accessing a large number of patient files. Moreover, the hospital did not conduct background checks when hiring new employees.

Source: Brelis M. Patients’ files allegedly used for obscene calls. The Boston Globe. April 11, 1995: 1.

Questions for Discussion:
1. Should healthcare institutions conduct background checks on new employees who will be allowed access to confidential patient information? What information should be accessible to such employees?
2. How could the hospital have prevented the misuse of patient information from occurring? Was the hospital’s security system at fault for this breach of security?
3. Should the hospital be held accountable for the actions of the technician?

Case 4.44: University Tightens Computer Security

A university is tightening its computer security after hackers broke into a computer at the medical school and secretly used it to generate a flood of e-mail advertisements. Efforts by the university to cope with the break-in have caused balky and intermittent e-mail service for seven months for hundreds of staff members. At least once, e-mail service throughout the system shut down for two days. University officials did not detect the break-in until at least a couple of weeks later, when someone forwarded an advertisement sent by the computer.

A university spokesperson said that no file information was improperly accessed. Instead the hackers merely used the system to generate e-mail promoting other websites. The university announced that $150,000 would be spent to install new equipment to restore the e-mail system. A number of security measures were being upgraded to prevent the computer system from being broken into in the future.

Source: Birch D. Hopkins tightens computer security. The Baltimore Sun. May 29, 1999: 1B-2B.

Questions for Discussion:
1. Are university medical center information systems especially vulnerable to hackers? Why, or why not?
2. Is the medical center accountable for any harm that is caused by unauthorized entry into patient records?

Module Overview

Concerns over the privacy and security of electronic health information fall into two general categories: (1) concerns about inappropriate releases of information from individual organizations and (2) concerns about the systemic flows of information throughout the healthcare industry and related industries. Inappropriate releases from organizations can result either from authorized users who intentionally or unintentionally access or disseminate information in violation of organizational policy or from outsiders who break into an organization’s computer system. The second category, systemic concerns, refers to the open disclosure of patient-identifiable health information to parties that may act against the interests of the specific patient or may otherwise be perceived as invading a patient’s privacy. These concerns arise from the many flows of data across the healthcare system, between and among providers, payers, and secondary users, with or without the patient’s knowledge. These two categories of concerns are conceptually quite different and require different interventions or countermeasures.

Presentations and Required Readings
•The following is primary reading required for this module: Privacy and Security Concerns [1]
•This article discusses the primary goals of information security in healthcare and examines policy and appropriate uses of medical data: Confidentiality of Electronic Medical Records [2]
•Zachary Wilson offers a good explanation of the difference between internal and external sources of attacks. Additionally, he illustrates a wide range of vulnerabilities and how they can be exploited. (Do not get hung up on the technical concepts and jargon at this point. We will cover the more technical aspects later in this course.) Vulnerabilities and attacks [3]
•The following provides a brief overview of basic concepts surrounding information security along with an introduction to vulnerabilities, controls and policies: Security Concepts [4]
•Read Chapter 4 “Privacy and Confidentiality” from the following book that is available through the eBrary resource, which can be accessed from the TUI CyberLibrary:
  ◦Anderson, J. G. (2002). Ethics and Information Technology: A Case-Based Approach to a Health Care System in Transition. Springer-Verlag New York, Incorporated, Secaucus, NJ. 63-112. Retrieved on September 8, 2007, from the eBrary database. [5]
•The following is the United States Department of Health and Human Services summary version of the HIPAA Privacy Rule. HIPAA Privacy Rule [6]
•Wi-Fi Security concerns [7]

Sources for Presentation Material Referenced Above

For the Record: Protecting Electronic Health Information (1997). Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure Protecting Electronic Health Information. Washington, DC, USA: National Academies Press. 54-81. Retrieved from the eBrary database.

Barrows, R. C., and Clayton, P. D. (1996). Privacy, Confidentiality, and Electronic Medical Records. Journal of the American Medical Informatics Association, 3 (2), 139-148. Retrieved from the PubMed Central database.

Wilson, Z. (2001). Hacking: The Basics. SANS Institute. Retrieved from http://www.sans.org/reading_room/whitepapers/hackers/

Quinsey, C. and Brandt, M. (2003). AHIMA Practice Brief: Information Security: An Overview. American Health Information Management Association. Retrieved from http://www.advancedmedrec.com/images/InformationSecurityAnOverview.pdf

Anderson, J. G. (2002). Ethics and Information Technology: A Case-Based Approach to a Health Care System in Transition. Springer-Verlag New York, Incorporated, Secaucus, NJ. 63-112. Retrieved from the eBrary database.

Summary of the Privacy Rules. (2003). U.S. Department of Health and Human Services. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/

Alam, A. S., Al Sabah, S. A. A., & Chowdhury, A. R. (2007). Wi-Fi Security: The Great Challenge. National Conference on Communication and Information Systems.

SAMPLE ANSWER

Section 1

Physical, technical, and organizational privacy and security concerns fall into two main forms: concerns about the systemic flow of information across the whole healthcare industry, and concerns about inappropriate releases of information from within an organization. The latter arise when authorized users access or disseminate confidential information in violation of the organization’s privacy policy, or when outsiders break into its systems (Kshetri, 2013). The systemic concern, on the other hand, is the disclosure of patient-identifiable health information to parties who may act against the patient’s interests or wishes, which presents a major invasion of patient privacy.

The concerns have different characteristics. Organizational threats involve the vulnerability of an individual organization’s electronic health records to internal or external agents. Internal agents are authorized users who have legitimate access to information yet abuse their privileges.

External agents, by contrast, have no authorized access, yet they try to read or manipulate the data or to render the system unusable. A further concern arises from sensitive information that can be used against patients as leverage over them (Boric-Lubecke et al., 2014); the records most often targeted are those of celebrities, employers, politicians, and journalists.

The basic approach to countering threats to privacy in healthcare is to establish policies that prohibit such violations and impose heavy penalties on anyone who breaks privacy rules. Organizations should also continuously audit who has access to their systems and employ trustworthy staff to operate them.

Section 2

Case 4.8: E-Mail Goes Astray

Question 1

The technician bears primary responsibility for the breach. He released the backlogged messages without checking that each one was going to the member it concerned, and a large number went out, compromising the medical information of 858 members, before he noticed the problem. Worse, instead of reporting the problem to his superiors, he simply stopped sending and left Kaiser to discover the mistake the next morning, when two subscribers called. Kaiser Permanente was not responsible for the breach itself: once it learned of the error it attempted to telephone every affected subscriber and fixed the problem. Under the HIPAA Privacy Rule, health insurers and other covered entities are accountable for how their members’ confidential information is disclosed and for confidential communications with members (the incident occurred in 2000, before the Rule’s 2003 compliance date, but it illustrates exactly the accountability the Rule now imposes). Kaiser therefore did the right thing in informing affected subscribers of the error, and its website notice also warns members about impersonation and the importance of keeping their PIN private.

Question 2

The breach is likely to discourage subscribers from using the Kaiser website, because it reduces their trust in the organization’s ability to keep information confidential; people are reluctant to use a service after seeing others’ information exposed. Subscribers can be reassured by controls that address the actual failure. Stronger authentication and password rotation protect against impersonation, which the website notice already warns about, but they would not have helped here, since no account was hacked: the messages were simply sent to the wrong recipients. What is needed is a release check that verifies each queued message is addressed to the member it concerns before it is sent, together with prompt notification of affected members when something goes wrong. Telling subscribers that the site is being secured for them makes them feel assured and valued, and goes hand in hand with reassuring them that their information is safe. Employing better-trained technicians, and informing subscribers of the root cause after an investigation, is also essential: it shows that the incident was not forgotten and that they are kept informed of what the organization is doing.
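The release check described above, as an added example that is not Kaiser’s code and is not taken from the case: the member directory, queue fields, addresses and subjects are all constructed, and the `send` callback stands in for a real mail transport. Each queued message names the member it concerns and the address it would be delivered to; a message is released only when that address matches the address on file for that member, anything else is quarantined, and a non-empty quarantine forces escalation rather than leaving the decision to the operator.

```python
"""Release gate for a backlog of queued member e-mail (added example, constructed data)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class QueuedMessage:
    member_id: str   # member the message is about (assumed queue field)
    to_addr: str     # address the queue would deliver to
    subject: str


@dataclass
class ReleaseReport:
    released: list = field(default_factory=list)
    quarantined: list = field(default_factory=list)   # (message, reason) pairs

    @property
    def must_escalate(self) -> bool:
        # Any quarantined message means a misdirection was possible; the
        # operator is not allowed to decide alone whether that matters.
        return bool(self.quarantined)


def normalize(addr: str) -> str:
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return addr.strip().lower()


def release_backlog(queue, directory, send):
    """Send each queued message only if its recipient is the member on file.

    directory: member_id -> address on file
    send:      transport callback (real code would hand off to SMTP)
    """
    report = ReleaseReport()
    for msg in queue:
        on_file = directory.get(msg.member_id)
        if on_file is None:
            report.quarantined.append((msg, "unknown member"))
            continue
        if normalize(on_file) != normalize(msg.to_addr):
            report.quarantined.append((msg, "recipient does not match member on file"))
            continue
        send(msg)
        report.released.append(msg)
    return report


# Constructed data: two members, and a backlog in which one message is
# cross-wired to the other member's address and one refers to a member
# that no longer exists in the directory.
DIRECTORY = {
    "M-1001": "alice@example.org",
    "M-1002": "bob@example.org",
}
BACKLOG = [
    QueuedMessage("M-1001", "alice@example.org", "Your prescription is ready"),
    QueuedMessage("M-1002", "Bob@Example.org", "Appointment confirmation"),
    QueuedMessage("M-1001", "bob@example.org", "Advice from your physician"),  # cross-wired
    QueuedMessage("M-9999", "carol@example.org", "Lab results"),               # unknown member
]


def run_demo():
    """Run the gate over the constructed backlog; returns (report, messages actually sent)."""
    sent = []
    report = release_backlog(BACKLOG, DIRECTORY, sent.append)
    return report, sent


if __name__ == "__main__":
    report, sent = run_demo()
    print(f"released {len(report.released)}, quarantined {len(report.quarantined)}")
    for msg, reason in report.quarantined:
        print(f"  HOLD {msg.member_id} -> {msg.to_addr}: {reason}")
    if report.must_escalate:
        print("escalate to management before resuming the backlog")
```

The gate keeps releasing messages that pass, so a single bad entry does not stall legitimate mail, but it never lets a mismatch through and it records every hold so the count of affected members is known before anyone is telephoned.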

Case 4.7: Patients Files Used for Obscene Calls

Question 1

Clinical institutions should carry out background checks on all new employees before hiring them and before granting any access to patient information. Checks should include searches of public and criminal records, private investigation where warranted, review of the candidate’s online presence, and face-to-face interviews that require a detailed account of previous employment which is then verified against the record (Yüksel, Küpçü & Özkasap, 2017). The benefits include better hires, avoiding the embarrassment of employing convicted criminals, regulatory compliance and adherence to industry standards, reduced drug abuse and absenteeism, and improved workplace safety and security. The information accessible to such employees should be minimal. An orthopedic technician should be given access only to the names and medical records of the patients he is actually treating, under supervision, since those are what his work requires; contact details such as home telephone numbers, which are what made the obscene calls possible, are not needed for his role and should not be exposed to him.

Question 2

There were several ways to prevent such a breach. The hospital could have performed a full background check on the technician, which would have revealed his convictions for child rape and indecent assault and reduced the risk of hiring an unsuitable individual. The hospital should also have revoked credentials promptly when staff left: the technician got in with the password of a former administrator, which the system never disabled, and kept using it for four months until he was fired. The hospital should have conducted vulnerability assessments more frequently, monthly or every two months, including a review of which accounts are still active. Finally, an information system that audits access and alerts the staff responsible for it when one individual opens a large number of patient files would have exposed the misuse long before a telephone trace did. The hospital’s security system was therefore at fault for the breach: it neither detected the outdated password nor alerted the employees responsible for maintaining it.
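The two detections the hospital lacked, as an added example that is not the hospital’s code and is not taken from the case: the log format, user names, patient IDs, termination dates and thresholds are all constructed. The first check flags any activity by an account whose holder has left; the second flags an account that opens more distinct patient records inside a sliding one-hour window than its role could plausibly need.

```python
"""Access-log review for a clinical records system (added example, constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> user=<id> action=<verb>[ patient=<id>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?: patient=(?P<patient>\S+))?$"
)


def parse_line(line: str) -> dict:
    """Turn one log line into a dict; unparseable lines are an error, not silently skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def stale_credential_use(events, terminated):
    """Return every event by an account whose holder left before the event.

    terminated: user -> date the account should have been revoked
    """
    return [e for e in events
            if e["user"] in terminated and e["ts"] >= terminated[e["user"]]]


def bulk_record_access(events, window=timedelta(hours=1), max_distinct=20):
    """Return {user: peak} for users who viewed more than max_distinct distinct
    patient records within any window of the given length."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["action"] == "view_record":
            per_user[e["user"]].append((e["ts"], e["patient"]))
    flagged = {}
    for user, views in per_user.items():
        in_window = deque()              # (ts, patient) pairs inside the window
        distinct = defaultdict(int)      # patient -> occurrences inside the window
        peak = 0
        for ts, patient in views:
            in_window.append((ts, patient))
            distinct[patient] += 1
            while ts - in_window[0][0] > window:   # slide the window forward
                _, old_patient = in_window.popleft()
                distinct[old_patient] -= 1
                if distinct[old_patient] == 0:
                    del distinct[old_patient]
            peak = max(peak, len(distinct))
        if peak > max_distinct:
            flagged[user] = peak
    return flagged


# Constructed sample: a clinician (mlee) reading three charts during a shift,
# and a former administrator's account (rjones, left on 31 Jan) used late at
# night to open thirty different patient records in half an hour.
SAMPLE_LOG = [
    "2024-03-01T08:00:00 user=mlee action=login",
    "2024-03-01T08:05:00 user=mlee action=view_record patient=P0001",
    "2024-03-01T08:15:00 user=mlee action=view_record patient=P0002",
    "2024-03-01T08:25:00 user=mlee action=view_record patient=P0003",
    "2024-03-01T22:00:00 user=rjones action=login",
] + [
    f"2024-03-01T22:{i:02d}:00 user=rjones action=view_record patient=P{100 + i:04d}"
    for i in range(1, 31)
]
TERMINATED = {"rjones": datetime(2024, 1, 31)}


def run_demo():
    """Run both checks over the constructed log; returns (stale events, bulk-access findings)."""
    events = [parse_line(line) for line in SAMPLE_LOG]
    stale = stale_credential_use(events, TERMINATED)
    bulk = bulk_record_access(events, window=timedelta(hours=1), max_distinct=20)
    return stale, bulk


if __name__ == "__main__":
    stale, bulk = run_demo()
    print(f"{len(stale)} event(s) by accounts that should have been revoked")
    for user, peak in bulk.items():
        print(f"{user}: {peak} distinct patient records within one hour")
```

The termination list is the control that actually closes the hole in Case 4.7: if the former administrator had been on it, the very first login would have been flagged, and revoking the credential at termination would have prevented the login altogether. The bulk-access check is the safety net for the case where the credential is legitimate but the behaviour is not.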

Question 3

The hospital should be held accountable for the technician’s actions. It was responsible for employing a man convicted of child rape and indecent assault in the first place, because it did not conduct background checks when hiring. Its security system allowed a former administrator’s password to remain valid, and the technician used it to read the records of 954 patients. During his employment he was not supervised, which gave him freedom of action. The hospital also left personal contact information accessible to a technician, although receptionists and secretaries are the staff who need such information for their work. The hospital was not aware of anything until the obscene calls to a girl were traced back to its own telephone line. The hospital’s information system, and the employees responsible for it, failed to notice a problem that could have been detected at an early stage but instead went on for four months.

Case 4.44 University Tightens Computer Security

Question 1

University medical center information systems are not especially vulnerable to hackers. In this case the attackers secretly used a medical school computer to generate a flood of e-mail advertisements, which suggests that they were not interested in the medical information or records on the system; the spokesperson reported that no file information was improperly accessed. Their aim was simply to send bulk e-mail, and any other poorly protected computer system would have served as well. Attackers relay such mail through compromised third-party hosts to hide where it really comes from, and they look for machines that are easy to get into; the medical school computer was evidently less well protected before the break-in than after the security measures that followed it. To restore the e-mail system the university spent $150,000 on new equipment and upgraded a number of security measures in the process.

Question 2

The medical center is accountable for any harm that results from unauthorized access to patient health records. The spokesperson addressed the question of improper access and said that no file information was obtained, but the medical center should still strengthen the security of its information and prevent similar break-ins in future. Medical centers are bound by the Health Insurance Portability and Accountability Act (HIPAA) to protect the privacy and security of patients’ information and confidential communications. The HIPAA Privacy Rule safeguards all individually identifiable health information held or transmitted by a covered entity or its business associates. The university therefore had an obligation to protect its patients’ information against hackers who might violate their privacy within the medical center, which is why it spent on new installations and upgrades to prevent future incidents.

References

Boric-Lubecke, O., Gao, X., Yavari, E., Baboli, M., Singh, A., & Lubecke, V. M. (2014, June). E-healthcare: Remote monitoring, privacy, and security. In Microwave Symposium (IMS), 2014 IEEE MTT-S International (pp. 1-3). IEEE.

Kshetri, N. (2013). Privacy and security issues in cloud computing: The role of institutions and institutional evolution. Telecommunications Policy, 37(4), 372-386.

Yüksel, B., Küpçü, A., & Özkasap, Ö. (2017). Research issues for privacy and security of electronic health services. Future Generation Computer Systems, 68, 1-13.
