The purpose of this assignment is to examine and analyze the many different types of security safeguards which can be used to secure health information systems and the networks on which they reside in the event of a security breach. Nurses are responsible for protecting patient data and should be aware of the risks associated with such events.
… e-mail security breach? Why did Kaiser Permanente leadership react so quickly to mitigate the possible damage done by the breach?
The e-mail security breach was serious because it compromised confidentiality and security to a serious degree. Information security and confidentiality are important for healthcare systems that contain personally identifiable patient information. The seriousness of the e-mail security breach can be seen in the legal, operational and ethical considerations that are attached to it. On legal grounds, the e-mail security breach exposed Kaiser Permanente to multiple lawsuits from aggrieved parties. This is evident in the case Bagent v. Illini. Employees and the hospital/provider can be sued for an alleged breach of patient confidentiality, negligent infliction of emotional distress, invasion of privacy as well as intentional infliction of emotional distress (Clifford, 2006). The company can also be sued and may be penalized for a breach of HIPAA information security codes of conduct.
Why the Kaiser Permanente leadership reacted so quickly to mitigate the possible damage done by the breach.
The Kaiser Permanente leadership reacted so quickly to mitigate the possible damage done by the breach for a number of reasons. The first reason is to limit the extent of the security and confidentiality breach that took place. The second reason is to assure both the affected clients and the unaffected ones of their commitment to information assurance (maintenance of a high level of information confidentiality, integrity and availability) and information security. In a nutshell, their quick reaction was an information risk management move aimed at preventing further damage to the system's security and assurance.
2. Assume that you were appointed as the administrative member of the crisis team created the day the breach was uncovered. After the initial apologies, what recommendations would you make for investigating the root cause(s) of the breach? Outline your suggested investigative steps.
As an administrative member of the crisis team which was created the day the breach was uncovered, I would make the following recommendations for investigating the root cause(s) of the breach:
Even though the reporting of privacy breaches is never mandatory under the U.S. Health Information Act (HIA) or the Freedom of Information and Protection of Privacy Act (FOIP), it is mandatory to report some categories of privacy breaches to the nation's Commissioner under the PIPA laws (section 34.1(1)) (OIPC, 2010). The very first step would therefore involve the reporting of the breach to the Commissioner. This would then be followed by the four conventional stages of handling privacy breaches (containment, risk evaluation, notification and risk prevention).
Risk containment and recovery
At this stage, the immediate thing to do is contain the breach, then stop the unauthorized practice, shut down the entire system, revoke access and correct the weakness in the system. The next thing is to immediately contact the FOIP Coordinator, Privacy Officer, Responsible Affiliate as well as any other person who is responsible for the organization's IT security.
Evaluation of the Risks Associated with the Breach
There is a need to evaluate the risks associated with the privacy breach. This evaluation should consider the personal and health information involved (Social Insurance Number, financial information or any other sensitive information), the cause and extent of the privacy breach, the individuals who have been affected by the breach, and the operations that have been affected by the breach.
Notification
In this stage, the team must decide whether or not to notify the people who have been affected by the privacy breach.
Prevention
At this stage, all the necessary steps are taken to protect the system from any further privacy breaches. The cause of the breach is remedied and the system is restored after thorough testing.
3. How likely do you think future security breaches would be if Kaiser Permanente did not take steps to resolve the underlying group and organizational issues? Why?