Case 4.8 – E-mail Goes Astray
- Primarily, the technician is the one responsible for the breach of confidentiality because he was the one who sent out the e-mails. Moreover, he did not seek instructions from Kaiser Permanente regarding the backlogged e-mails. Kaiser Permanente hired the technician to upgrade their system; therefore, any task other than the upgrade should have been discussed with the company. The technician should have asked whether the accumulated e-mails in the system should be sent out, and what to do with them. However, Kaiser Permanente is partly responsible for the breach because, first and foremost, since they hold millions of pieces of private information, they should have made sure that that information could not be compromised. They should have made their system secure and accessible only to Kaiser Permanente personnel.
- Yes, situations like this discourage subscribers from using Kaiser Permanente’s system. However, the services that Kaiser Permanente offers are of great value, and subscribers will not easily discontinue their subscription. But Kaiser Permanente has to assure its subscribers that this will not happen in the future by informing them of what caused the breach and reassuring them that upgrades are being made to improve the security of the system and the privacy of their information. The most important thing to do here is to be honest and at the same time make great efforts to secure the company’s system.
Case 4.17 – Patient’s Files Used for Obscene Calls
- Definitely, background checks should be conducted before hiring new employees because this would ensure the safety of the clients, especially in the health care industry. Employers should be granted access to criminal records so that they can identify the extent of the crimes that ex-convicts have committed. Crimes such as child rape and indecent assault are serious and should not be disregarded when hiring employees, especially when the job requires dealing with other people, children, etc., as in a health care institution.
- Former employees who were given access to confidential system information, such as passwords, should be screened out of the system. In other words, once an employee is no longer connected with the institution, his access to the system should be deleted or reset. In this case, the health care institution’s system is at fault because it failed to keep the information confidential and secure.
- In this case, the hospital is accountable for the actions of the technician, primarily because they hired an employee without doing background checks, they did not monitor the system (where they could have detected that calls were being made and the clients’ information was being accessed), and the system is not 100 % secure.
Case 4.44 – University Tightens Computer Security
- Because of the wide range of subscribers to a university medical center’s information system, it becomes vulnerable to hackers. In this case, they hacked into the system and used it to send hundreds of advertisements to subscribers’ e-mails. The hackers wanted to target the significant number of subscribers in the system. However, the information within the system was not precisely the target of the breach.
- It is not entirely the medical center’s fault. This is because hackers do what they do: they find ways to get into the system even if security measures were set up to prevent breaches of an information system. Therefore, even if the system is secure, hackers will still find a way to get in. The medical center’s fault was that they were not able to detect that the system was being hacked. They should have upgraded the system with tools for monitoring it and raising an alarm when hackers breach it.