¶ … protection of proprietary information is essential for the efficient and legal operation of a large hospital. Most existing security measures available for hospitals are inadequate to protect against security breaches that may result in patient records being stolen, lost or misused.
(Lisa Gallagher, 2009)
"This is a call for action," said Lisa a. Gallagher, a privacy and security expert who conducted the study for the Healthcare Information and Management Systems Society. "We need to get focused on security."
There are some inherent protections for the hospital. The federally enacted Health Insurance Portability and Accountability Act of 1996 (hereinafter HIPPA) (Health Information Privacy)
privacy rules have been formulated to protect the privacy rights of patients. All trained hospital personnel should be fully aware of the application of all HIPPA but HIPPA rules only strictly apply to the dissemination of electronic information therefore additional guarantees are necessary.
When dealing with an organization with nearly 4,000 employees it is a near certainty that information leaks will occur. Whether it is the release of information regarding a patient or information regarding the operation of the hospital such leaks must be minimized. In most cases the release of this information will occur long before the hospital management becomes aware of it and this fact makes it essential that a strictly enforced confidentiality policy be prepared.
To be successful an information management system must do more than just outline the goal of protecting the privacy of the patients and the institution. Instead, the strategy must be to identify the key needs within the organization and provide a unified framework for addressing these needs.
Hospitals are unique in that they have a wide range of personnel that have contact with the public. This begins with the greeters at the front door, the cafeteria workers, the nurses, and maintenance people and so on. All of these individuals possess unique opportunities for obtaining information about the patients and organization and are operating under differing degrees of professionalism. The challenge to management is to ensure a consistent, accurate and repeatable degree of privacy protection not only as to the rights of the patients but also the institution. To insure overall staff compliance with the institution's confidentiality policy
The first step in any management of institutional information is to start at the top. By ensuring that those at the top of the organization understand the importance of confidentiality and the protection of proprietary information it is highly likely that said importance will trickle down the organizational framework.
Through the efficient and consistent use of educational seminars, workplace observations, patient surveys, and periodic dissemination of informational updates a rigid adherence to the basic privacy policy of the institution can be better maintained.
Confidentiality does not end with upper management. In fact, the problem likely increases as one progresses down the corporate structure. This reality dictates that an organization adopts strict privacy standards and that a well organized system of enforcement be put in place. From the very first day of employment, all hospital employees, regardless of responsibilities, should be informed of the importance of maintaining the privacy of both the patients and the institution. The policy that is ultimately adopted should be applied to all systems, automated, paper and verbal. All staff must be required to sign and adhere to the policy.
It is a basic tenet of business management that policies and manuals are not enough. It is essential that in order for any policy to have effect it is necessary that management make a concentrated effort to educate the employees of the importance of maintaining confidentiality through the strict adherence to the privacy policy. This education program must include all levels of the institution from the highest level of management, physicians, nurses, technicians and support staff. As much as possible, it should also include all outside vendors and casual hires.
Although employee leaks remain the primary source for the loss of proprietary information attacks on information systems by hackers, viruses, worms and the occasional angry employee are becoming an increasingly more serious problem. The actual seriousness of this problem is skewed due to the fact that most institutions do not report such occurrences in order to avoid the negative publicity associated with such breaches.
Security breaches of this nature have traditionally been relegated to the exclusive province of it personnel. It was believed that such personnel were best able to handle such problems and, for the most part, that remains the case but due to the increase in such occurrences collateral damage must now be addressed as well. It technologists can correct the underlying problem that allowed the breach to occur but it remains the responsibility of management to determine how to handle the after effects.
The problem with security breaches relative to medical records is intensified currently by the increased pressure to utilize digital medical records. The standardization of medical records is seen by many as a way to lower health care costs. Critics argue that in the process a corresponding increase in security problems is likely to develop. Unfortunately the trend toward standardization is a reality that must be dealt with and management must find a way to safeguard their institution's information within the context of standardization.
In order to do so, a system of safeguards should put in place as soon as practically possible. Such safeguards should include controls and guidelines to ensure the protection of data and information, including all clinical records against loss, destruction and tampering. They should protect against unwarranted and unauthorized removal of records from the physical premises. Accuracy of all records is a must and the system should be designed so that all information is collected professionally and cannot be falsified or altered.
The cooperation of the it department, the Medical Records department and all other management offices must be facilitated at all costs. Every effort must be made to make communications between these various offices as open and unfiltered as possible. A well disciplined checks and balances system should be utilized. In an era when information is so easily accessed and transferred, it is essential that no one person or department has absolute control over any information. Passwords for access to all vital information should be changed and reset on a frequent basis and subject to strict protocols. Needless to say, daily backup of all data, configuration files and source codes must be done.
You’re 88% through this paper. Sign up to read the full paper.
Sign Up Now — Instant Access Already a member? Log inAlways verify citation format against your institution’s current style guide requirements.