As a health care organization, Saint John’s Hospital must take the security and privacy of its patients’ information very seriously. Patient information at Saint John’s Hospital is electronic and managed by the information systems department. In the organization, the security and privacy of all information is the responsibility of the Information Systems (IS) Manager. Based on the following information on security and privacy, the IS Manager has developed a Management Plan to be used as the process for maintaining the privacy and security of patient information.
The administration at St. John’s Hospital takes pride in their sound policies and procedures for the protection of confidential client information. In fact, they serve as a model for other institutions in the area. However, printouts discarded in the restricted-access IS department are not shredded. On numerous occasions, personnel working late observed the cleaning staff reading discarded printouts. What actions, if any, should these personnel take toward the actions of the cleaning staff? What actions, if any, should be taken by IS administration?
Conduct security assessment of hospital system
In the development of any improvement system, the first step is to conduct an assessment of the existing system, which serves as the baseline measurement. To conduct this assessment, an external IS professional will be invited to carry out two exercises. The first is a security assessment of the system, during which the IS professional performs ethical hacks against the system to assess how well the information is protected from fraudulent computer users (hackers). The second is an information privacy assessment, carried out using social engineering: the IS professional visits the hospital as an ordinary member of the public and interacts with hospital staff.
During these interactions, the professional uses social engineering skills to find out how much patient information can be extracted from hospital staff. After both exercises, the IS professional presents a report to the hospital’s IS Manager with recommendations on how the security holes can be closed and how the weak privacy protection of patient information can be strengthened.
Improve security and privacy of patient information
The findings and recommendations from the assessment report will be used to improve the security of the system and to strengthen the privacy of any information taken from the hospital’s patients. Schneier (2000) stated, “Security is a process, not a product” (Computer Security: Will We Ever Learn? ¶ 2). This means that the security of the information contained in any system depends largely on how security conscious the staff who work with the system are, not on the number of sophisticated security devices installed to protect it. Information privacy, like information security, also depends largely on the level of awareness of the people who input, store, process, and use the information, because any release of patient information would originate from one of these people.
Training
To improve the security and privacy of patient information at Saint John’s Hospital, staff need to be educated on the importance of maintaining the security and privacy of information. Training sessions will be organized for all employees at least once a year to refresh their knowledge of privacy and security in compliance with the Health Insurance Portability and Accountability Act (HIPAA) rules. The HIPAA Privacy and Security Rules set a national standard for the security and privacy of electronic protected health information, and the Patient Safety Rule adds confidentiality provisions. The US Department of Health and Human Services (2010) stated, “the Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization”. The training guide will be as follows:
A. Take employees through the privacy and security rules of HIPAA
Employees will be instructed on the security and privacy expectations of the HIPAA law. Employees will be expected to adhere to these rules in order to keep to the code of ethics of St John’s Hospital.
B. Train staff on the importance of privacy to the core business of the hospital
Employees of the hospital will be retrained on the fact that the reputation of the organization depends not only on the kind and level of service provided but also on maintaining patient privacy.
C. Educate employees on what privacy and security are
Employees need to understand what the words privacy and security mean and how they affect the patient’s information as well as the health care organization.
D. Explain in detail the importance of privacy and security with respect to patient health care information
Employees will be educated on how important it is to maintain the privacy of patients. They will be informed of the importance of not discussing patient information with any unauthorized party or on any social network.
E. Educate on the consequences of a security breach
Employees will be informed and educated on the consequences that can result from a security breach if it becomes public. Consequences may include compromising the integrity of the health care organization, lawsuits against the hospital, and loss of job security for the employees involved in the breach.
Staff training on code of conduct
After the staff training on the importance of information security and privacy, a code of conduct will be prepared and delivered to the staff.
The code of conduct
The code of conduct applies to all employees of Saint John’s Hospital. The code outlines guidelines for staff conduct and provides guidance on how to exercise judgment in ethical issues. The International Monetary Fund (1998) stated that every employee is “expected to observe the highest standards of ethical conduct, consistent with the values of integrity, impartiality and discretion” (¶ 9). The code of conduct for Saint John’s Hospital is as follows:
• Under no circumstance should a patient’s personal or medical information be released to a third party without the prior consent of the patient in question.
• The release of a patient’s information to a third party without the patient’s prior consent is subject to punishment determined by the disciplinary committee. The gravity of the punishment is determined by the amount of damage created by the breach of the code of conduct.
• It is the responsibility of each staff member to “police” other staff and ensure that the code of conduct is being adhered to by all staff.
• Computers containing patient information should have their monitors facing away from patients.
• The password policy of the hospital should be strictly adhered to. Passwords should not be written down and placed under keyboards or in any other obvious and openly accessible area.
• All paper documents should be thoroughly shredded and the shredded paper thoroughly mixed before being placed in the dust bin.
• All computers that are to be donated, auctioned or sold should first be sent to the IS department so that the hard disk drive is either removed completely and replaced with a new one or completely wiped of the information it contained.
Breach occurs
There are many situations under which the code of conduct covering the security and privacy of patients’ information can be breached. One such situation is the one in which cleaning staff get access to patients’ cards from the restricted area of the Information Systems department because the cards to be discarded from this department are simply thrown into the dust bin instead of being shredded. In such a situation, the first action will be to conduct an assessment to see how much information the cleaners got their hands on. The cleaners involved will be called in and educated on the implications of their actions. They will be made aware of the legal implications of reading patients’ medical and/or personal information without the prior consent of the patient (U.S. Department of Health and Human Services, 2010). The duties and responsibilities of the cleaning crew will be reiterated, and they will be made aware that they do not have the right to look through such information even if it is not shredded. They will then be advised of the punishment if such an action is observed again.
The Information Systems department will immediately procure a shredder and start shredding all documents or cards that it wishes to discard. In addition, the IS department should investigate other areas where sensitive information could become accessible to unauthorized personnel.
Conduct an incident assessment / evaluate the risks associated with the breach
After the occurrence of a breach, the first thing to be done is a detailed assessment of the incident and how it happened. Following this, a risk analysis needs to be performed to determine the level of damage that was caused or is to be expected. The assessment will evaluate the extent to which the information was spread. If it stayed within the cleaning crew only, it will be handled internally, but if any information has gone out, the affected patients will be contacted and the appropriate action taken. This assessment needs to be performed as soon as possible so that the hospital is in a position to respond to any allegations that may come from the patient(s) affected by the breach. With this done, it will be possible to know whether the risk can be mitigated or eliminated completely.
Prepare incident report
One of the responsibilities of the IS Manager is to keep the hospital’s management board constantly updated on all activities related to the information systems. Every code of conduct breach needs to be reported in an incident report prepared for the hospital management board. The incident report should contain the following information:
• Code of conduct that was breached
• Person(s) responsible for the breach
• Date and time of the breach
• How the breach was discovered
• Risk assessment of the breach
Prevent future breaches/talk about how incident occurred
With the incident report properly prepared, it will be clear to the IS Manager how it was possible for the breach to occur. This knowledge can then be used to document, in detail, how the code was breached and how such an action can be prevented in the future. The appropriate actions will then need to be carried out to ensure that the act is not repeated.
Implementing the management plan
To implement this change in the organization, the Plan-Do-Check-Act (PDCA) cycle will be used as a model for change as well as for continuous improvement. ASQ (2011) stated, “The plan-do-check-act cycle is a four-step model for carrying out change”. The implementation of the management plan will be undertaken by the human resource department in conjunction with the information systems department. The security training will be conducted by the security engineer of the information systems department, and the human resource department will handle the privacy training. The whole process will be supervised by the information systems manager.
To ensure the continued security and privacy of patient information, medical institutions need to understand that there has to be continuous staff training and continuous assessment and improvement of the information systems; therefore, the PDCA cycle will be continued and encouraged among staff. A system that is not continuously reviewed and improved will be a static system that remains vulnerable to its known weaknesses. Staff need to be continuously trained and updated on privacy issues concerning the health care industry. Information security and privacy need to be approached as dynamic processes that are continuously monitored and improved to ensure that they are always at the best levels.
ASQ. (2011). Project planning and implementing tools. Retrieved March 31, 2011 from http://asq.org/learn-about-quality/project-planning-tools/overview/pdca-cycle.html
International Monetary Fund. (1998). IMF Code of Conduct for Staff. Retrieved March 29, 2011 from http://imf.org/external/hrd/code.htm, on December 15, 2011
Schneier, B. (2000). Computer Security: Will We Ever Learn? Crypto-Gram Newsletter. Retrieved March 28, 2011 from http://www.schneier.com/crypto-gram-0005.html
U.S. Department of Health and Human Services. (2010). Health Information Privacy. Retrieved April 1, 2011 from