Case Study: Information Security Issue
Macro-view of the Problem
The hospital faces an end-user security problem: sensitive data is exposed in the workplace because the way staff use the hospital's computers does not protect that data from theft. Personal health records are valuable to patients, but if their privacy cannot be guaranteed, the records become more of a risk to personal privacy than a benefit of having the information at hand. Nurses, on the other hand, need access to health information, and they often need it quickly because of the volume of work on a routine shift. End-user security should be a top priority for nurses using facility computers and databases, yet it routinely is not; as Koppel, Smith, Blythe and Kothari (2015) point out: “a significant gap exists between cybersecurity as taught by textbooks and experts, and cybersecurity as practiced by actual end users” (p. 215). This gap is evidence that, in the real world of health care, nurses and care providers are more concerned with providing timely, quality care and getting quick access to information than with systems security. Ideally they would be concerned with both, but the real world often falls short of the ideal.
Conaty-Buck (2017) notes that “all healthcare employees should learn about cybersecurity risks and work to protect patient privacy and safety” (p. 62), and that this education should begin in school and carry over into the facilities where nurses work. In this case, both the nursing department and the systems themselves need to be addressed. Nurses and other care professionals (physicians included) need re-education on what it means to use information systems safely and why the guidelines matter. The systems also need updating, because the information databases themselves have too few controls to keep sensitive patient information away from individuals who should not be able to obtain it.
Overview of Key Laws, Rules and Regulations
HIPAA, the Health Insurance Portability and Accountability Act, is implemented through rules issued by the U.S. Department of Health & Human Services (HHS): a Privacy Rule, a Security Rule and a Breach Notification Rule, all of which are relevant to the case scenario. The Privacy Rule sets national standards for when protected health information (PHI) may be used or shared. In the case scenario it is unknown who gained access to the HIV patient list or how it was shared, but someone who knew what to look for, and where to look for it, violated the Privacy Rule.
The Privacy Rule most likely would not have been broken had the Security Rule been better enforced. The Security Rule sets a standard of administrative, physical and technical safeguards for hospitals like this one to ensure the “confidentiality, integrity, and availability of electronic PHI” (HIPAA, 2016, p. 1). The Breach Notification Rule requires the hospital to notify affected individuals that their protected health information has been compromised, without unreasonable delay and no later than 60 days after the breach is discovered. It also requires notice to HHS and, for a breach affecting more than 500 residents of a state or jurisdiction, to prominent media outlets; in this case the media needed no alerting. The open question is whether the hospital knew about the breach before it became public. If it did and sat on that knowledge, it violated this rule as well by failing to notify the authorities and the individuals involved.
Two Similar Situations
On March 20, 2017, UNC Health Care (the University of North Carolina Health Care System) sent out 1,300 letters to prenatal patients regarding a data breach that may have affected them. The breach occurred when pregnancy home risk screening forms filled out by patients over the prior three years were accidentally sent to local county health departments. The forms contained names, addresses, ethnicity, Social Security numbers and PHI (Daitch, 2017). Beyond the letters alerting patients to what had happened, there is no indication that any further steps were taken, or of what was done to prevent such a breach from recurring. Doing nothing further is not a suitable response, and it would not be one for the hospital in this case either.
On May 10, 2017, Bronx Lebanon Hospital Center suffered a data breach in which thousands of HIPAA-protected electronic health records were exposed through a misconfigured backup server hosted by its vendor iHealth. Nearly 10,000 patients who had received care at the hospital in the prior three years had their information leaked, including names, religious affiliation, addiction history, mental health history, diagnoses, HIV status and more (Daitch, 2017). Once the exposure became obvious, the hospital and its server provider immediately took steps to safeguard the remaining data. What caused the misconfiguration in the first place was unknown, however, and IT teams were investigating whether the same issue could recur and again put PHI at risk. This response applies to the hospital in the case scenario: an investigation into its data systems is badly needed, at the very least to drive an update of its software and security measures.
Recommendations
End-user security is even more important in hospital settings than defending against outside hacking, for “the top threat for many healthcare organizations isn't the black hat (malicious) hacker, but rather its end users” (Kim, 2018, p. 16). The hospital in this case scenario should therefore take definite steps to ensure such a situation does not recur: update its internal policy on end-user security, retrain all employees (nurses, physicians and staff) on the proper protocol for using computers, handling passwords and accessing information, and explain why practicing cybersecurity matters.
After retraining, the change management process has to be monitored to ensure that all workers adhere to the new standards. Resistance has to be overcome: some nurses may not think the change is necessary, or may find it highly inconvenient. However, the patient's right to privacy is crucial to quality care, and under HIPAA care providers must adhere to these standards or face the consequences. The same has to be made clear to nurses and doctors: if they fail to meet the standards expected of them, they will no longer be employed at the facility.
At the same time, the facility urgently needs to update its software and the access that end users have to sensitive information. The hospital's information security systems have to be updated to protect PHI better, especially where end users fail to follow the new standards. The information systems should have fail-safe controls built in: sessions should be logged off automatically after a set number of idle minutes, and opening a separate or more sensitive database should require its own authentication rather than riding on an existing login. More than one security measure should be in place, and separate authentication gates should guard separate data stores, so that a single compromised access point cannot be used to pull files from several databases and share them illegally.
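The controls just described, as an added example that is not part of the case study or of the hospital's own systems: a small Python access layer for an EHR lookup that enforces an idle-timeout automatic logoff, a second authentication gate for HIV-class fields so that one login does not open every data store, a least-privilege role table, and an append-only audit trail of every attempt. The user names, passwords, roles, patient record, field classes and timeout values are all assumptions constructed for the example.

```python
"""Access-control layer for an EHR lookup (added example; all data constructed).

Controls: automatic logoff after inactivity, a separate re-authentication gate
for sensitive record classes, role-based least privilege, and an audit trail.
Users, passwords, roles, records and timeout values are assumptions.
"""
from __future__ import annotations
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT_SECONDS = 300    # assumed policy: automatic logoff after 5 idle minutes
STEP_UP_WINDOW_SECONDS = 60   # assumed policy: re-authentication for sensitive data lasts 1 minute

# Record classes behind the second gate; the HIV list is the case's own example.
SENSITIVE_FIELDS = {"hiv_status", "mental_health", "addiction_history"}

# Least privilege: which record classes each role may read (constructed).
ROLE_PERMISSIONS = {
    "nurse": {"general"},
    "physician": {"general", "sensitive"},
    "clerk": set(),
}

AUDIT: list = []  # append-only trail; production would ship this to a separate write-only store

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(role: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"role": role, "salt": salt, "hash": _hash_password(password, salt)}

# Constructed user directory and patient record; not real people.
USERS = {
    "nurse.ann": _make_user("nurse", "correct horse"),
    "dr.bob": _make_user("physician", "battery staple"),
    "clerk.cy": _make_user("clerk", "hunter2"),
}
RECORDS = {
    "P-1001": {"name": "Patient One", "allergies": "penicillin", "hiv_status": "positive"},
}

@dataclass
class Session:
    user: str
    role: str
    last_activity: float   # seconds; the caller supplies the clock so behaviour is testable
    step_up_until: float = 0.0

def _verify(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])

def _expired(session: Session, now: float) -> bool:
    return now - session.last_activity > IDLE_TIMEOUT_SECONDS

def login(user: str, password: str, now: float) -> Optional[Session]:
    ok = _verify(user, password)
    AUDIT.append({"t": now, "user": user, "event": "login", "ok": ok})
    return Session(user, USERS[user]["role"], now) if ok else None

def step_up(session: Session, password: str, now: float) -> bool:
    """Re-authenticate to open the sensitive record class for a short window."""
    ok = not _expired(session, now) and _verify(session.user, password)
    if ok:
        session.last_activity = now
        session.step_up_until = now + STEP_UP_WINDOW_SECONDS
    AUDIT.append({"t": now, "user": session.user, "event": "step_up", "ok": ok})
    return ok

def read_field(session: Session, patient_id: str, field_name: str, now: float):
    """Return (outcome, value); outcome is ok, timeout, denied, step_up_required or not_found."""
    record_class = "sensitive" if field_name in SENSITIVE_FIELDS else "general"
    if _expired(session, now):
        outcome = "timeout"                  # idle session is dead, not merely warned
    else:
        session.last_activity = now
        if record_class not in ROLE_PERMISSIONS[session.role]:
            outcome = "denied"               # checked before existence: no oracle on patient IDs
        elif record_class == "sensitive" and now > session.step_up_until:
            outcome = "step_up_required"     # second gate for HIV-class data
        elif field_name not in RECORDS.get(patient_id, {}):
            outcome = "not_found"
        else:
            outcome = "ok"
    AUDIT.append({"t": now, "user": session.user, "patient": patient_id,
                  "field": field_name, "outcome": outcome})
    value = RECORDS[patient_id][field_name] if outcome == "ok" else None
    return outcome, value
```

The clock is passed in rather than read from `time.time()` so the timeout and step-up expiry can be exercised deterministically. The role check runs before the record-existence check so a denied user cannot use the response to learn which patient IDs exist, and every outcome, including denials and timeouts, lands in the audit trail, which is what an investigation like the one recommended above would need to reconstruct who touched the HIV list.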
References
Conaty-Buck, S. (2017). Cybersecurity and healthcare records. American Nurse Today, 12(9), 62.
Daitch, H. (2017). 2017 data breaches—the worst so far. Retrieved from https://www.identityforce.com/blog/2017-data-breaches
HIPAA. (2016). Basics for providers. Retrieved from https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurityTextOnly.pdf
Kim, L. (2018). Cybersecurity matters. Nursing Management, 49(2), 16-22.
Koppel, R., Smith, S. W., Blythe, J., & Kothari, V. (2015). Workarounds to computer access in healthcare organizations: You want my password or a dead patient? In ITCH (pp. 215-220).