Aspects of Security in Healthcare (USA) – Part II
(This is the second part of a two-part article by the same author)
Lisa and Carol were friends. They worked in the same organization but in different departments. While Lisa was a part of the Accounts department, Carol worked in the Administrative wing. One day, when Lisa was away from her desk to get some water, Carol came looking for her to go out for lunch. Carol happened to notice medical billing records of her neighbor, Anne on the computer screen. She was shocked to see that Anne was HIV positive and had underwent an abortion.
Did something wrong happen here? Yes, a breach of privacy of Anne’s medical information.
Who is at fault? The Organization? Lisa? Carol? Or all three!!
The organization should have some standard security policies and procedures in place. In other words, all PHI (Patient Health information) should be protected from accidental disclosures. For instance, Lisa should have used a screen saver, locked her computer or closed the application before leaving her desk. Carol entered the accounts department? A policy of restricted access to entry should have been initiated. This ensures that the integrity and confidentiality of patient health information is maintained.
A small slippage whether unknowingly or by mistake could risk the confidentiality and integrity of the organization and thus lead to major implications.
Broader Objectives of Security are as follows:
- Ensure the confidentiality, integrity and availability of all electronics protected health information that an organization creates, receives/transmits or maintains.
- Protection against potential hazards to security or integrity (Environmental)
- Protection against anticipated use, misuse or disclosures of electronics protected health information.
- Ensuring proper compliance of policies and procedures laid by the organization for protecting the information.
Once the objectives are set, it is important to recognize those who all are covered or required to comply with these objectives
In simple words – Any person or organization that stores, uses, maintains/ transmit individually identifiable health information in any form (electronically or manual) need to comply.
In broader spectrum – Healthcare providers (Physicians , Dentists, nurses, Pharmacies, nursing homes etc.) or Healthcare insurance companies , HMO’s , Govt programs like Medicare, Medicaid etc. or Healthcare clearing houses etc. or all third party vendors and business partners who create maintain or transmit protected health information on behalf of covered entity.
The aforementioned objectives of security are distributed in the following categories:
- Administrative: Policies and procedures are designed to show how the entities should adhere to security rules. For e.g. assigning a security officer, conducting internal audits, defining processes of reporting security incidents etc.
- Physical: Controlling of physical access to protect the data from inappropriate access or vulnerability. For instance locking the server rooms, restricted access control, ensuring fireproof storage areas, using screen saver, maintaining data backup etc.
- Technical: Ensuring the security of computers and electronic systems that contain protected health information. E.g. Access controls on computer, firewalls, data encryption, security logs etc.
Each of the above section can be discussed in detail. However, this would take the discussion much deeper into safeguards, information access management processes, procedures, training etc. Here is a quick glimpse of how a typical security frame work would look like:
Many organizations attempt to implement security with the attitude as “address the current Issue” approach. This results in unsustainable and not the best fit solution to the broader issue of security and protecting data from unauthorized use or access. Considering the three Triad’s i.e. Confidentiality, Integrity and Availability as basic ingredients of a minimal information security program, a more sustainable approach is to make or adopt a strategy of implementing the best practices approach to an enterprise wide process which will address the information security issues.
Mattord and Whitman book posts the McCumber Cube shown below as the model to implement information security based on research done by United States Government. Once this model is followed, any organization can implement enterprise processes covering all the facets (Integrity, confidentiality, availability, storage, training, policy, transmission etc.). Implementing all the 27 nodes is not easy by any means and need a well thought out, enterprise wide processes and workflows, full management support and central control.
Mark was terminated from his company because of poor performance. Although, he realized that he could have performed better, he also felt that he was singled out to set an example for other low performing staff as the punishment was too harsh for him. A few days later, he tried to dial into his company computer and was surprised to see that his user id and passwords were still active. He quickly downloaded the names, and addresses of all the AIDS patients and posted them on the internet from a fictitious account to harass the company.
With the movement towards maintaining electronics health records, it has become all the more critical for securing organizations information. It is too easy for data to be stolen by a hacker or a security slip. Nothing could be worse for an organization than to lose all its patient health information due to some security lapse.
We are all patients at some point in life and would want many of the same protections for our own personal health information.
In order to ensure confidentiality and integrity of patient health information, proper security measures should be undertaken.