Breaching the Security of an Internet Patient Portal
In August 2000, a breach occurred when an Operations technician applied patches to servers in support of a new KP Online pharmacy refill application. Subsequently, the outgoing e-mail function of KP Online failed and created a dead-letter file of outbound messages; these were replies to patient inquiries and contained individually identifiable patient information (Collmann & Cooper, 2007). In trying to clear the e-mail file, a flawed computer script was created that concatenated over 800 individual e-mail messages containing personally identifiable information.
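The page says only that the clean-up script "concatenated" the dead-letter messages, not how. The following is an added illustrative reconstruction (my own example, not the KP script or anything from Collmann & Cooper) of one way a resend loop produces that outcome, a body buffer that is never reset between messages, beside a hardened version that builds each message in isolation and refuses to release any body that references a patient other than its own recipient. The addresses and patient identifiers are constructed sample data; the "never-reset buffer" is an assumed mechanism chosen to illustrate the failure mode.

```python
"""Added example: cross-patient leakage in a dead-letter resend script.

Not the KP script. The never-reset buffer is an assumed mechanism used to
illustrate how concatenation leaks one patient's reply to another recipient.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class DeadLetter:
    recipient: str    # patient's e-mail address (constructed)
    patient_id: str   # identifier of the patient the reply concerns (constructed)
    body: str


@dataclass
class Outbound:
    recipient: str
    body: str


# Constructed sample dead-letter file; no real patients or addresses.
DEAD_LETTERS: List[DeadLetter] = [
    DeadLetter("alice@example.invalid", "PT-0001",
               "Re: refill request. The prescription for PT-0001 is ready."),
    DeadLetter("bob@example.invalid", "PT-0002",
               "Re: lab results for PT-0002 have been posted."),
    DeadLetter("carol@example.invalid", "PT-0003",
               "Re: appointment for PT-0003 is confirmed."),
]


def other_patient_ids(body: str, own_id: str, all_ids: set) -> List[str]:
    """Return identifiers of patients other than `own_id` mentioned in `body`."""
    return sorted(pid for pid in all_ids if pid != own_id and pid in body)


def resend_flawed(dead_letters: List[DeadLetter]) -> List[Outbound]:
    """Buggy resend: the body buffer accumulates across iterations, so the
    second recipient also receives the first patient's reply, the third
    receives the first two, and so on."""
    outbound: List[Outbound] = []
    buffer = ""
    for dl in dead_letters:
        buffer += dl.body + "\n"          # bug: buffer is never reset
        outbound.append(Outbound(dl.recipient, buffer))
    return outbound


def resend_isolated(dead_letters: List[DeadLetter]) -> Tuple[List[Outbound], List[Tuple[str, List[str]]]]:
    """Hardened resend: a fresh body per message, plus a pre-send check that
    the body mentions no patient other than its own recipient. Messages that
    fail the check are quarantined for human review rather than sent."""
    all_ids = {dl.patient_id for dl in dead_letters}
    sent: List[Outbound] = []
    quarantined: List[Tuple[str, List[str]]] = []
    for dl in dead_letters:
        body = dl.body                     # new value every iteration, nothing carried over
        leaks = other_patient_ids(body, dl.patient_id, all_ids)
        if leaks:
            quarantined.append((dl.recipient, leaks))
            continue
        sent.append(Outbound(dl.recipient, body))
    return sent, quarantined


def count_cross_patient_leaks(outbound: List[Outbound], dead_letters: List[DeadLetter]) -> int:
    """Detection check an operator can run over a prepared resend queue before
    release: how many messages mention a patient id that is not the recipient's?"""
    id_for = {dl.recipient: dl.patient_id for dl in dead_letters}
    all_ids = set(id_for.values())
    return sum(1 for m in outbound
               if other_patient_ids(m.body, id_for[m.recipient], all_ids))


if __name__ == "__main__":
    flawed = resend_flawed(DEAD_LETTERS)
    print("flawed queue, messages leaking another patient's data:",
          count_cross_patient_leaks(flawed, DEAD_LETTERS))
    sent, quarantined = resend_isolated(DEAD_LETTERS)
    print("isolated queue, leaking messages:",
          count_cross_patient_leaks(sent, DEAD_LETTERS), "quarantined:", quarantined)
```

The point of the pre-send check is that it is independent of how the bodies were built: even if a future script introduces a different concatenation bug, a queue in which a message references a patient other than its recipient is held back instead of delivered, which is the kind of control the test-lab recommendation later in this case study is meant to exercise before a change reaches production.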
At least nineteen of the e-mails reached their intended destination (Collmann & Cooper, 2007). Two members who received the e-mail messages reported the incident to KP. Kaiser considered the breach a significant incident because of the number of messages sent. As a result, the company created a crisis team to find the cause of the breach. The Kaiser crisis team notified its members and issued a press release three days after the breach.
Major Issues
In this case study, protected sensitive patient information was compromised during the e-mail security breach.
The Kaiser Permanente leadership reacted quickly to mitigate the damage of the breach because the company was non-compliant with good information security practice and with regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which established standards for the confidentiality and security of health care information. Advances in technology, including computerized medical data, create the potential for breaches of patients' privacy and of the confidentiality of their health information. The ANA supports the following principles with respect to patient privacy and confidentiality.
Patients have a right to privacy of their health information. The use or release of health information without patient consent is prohibited, and safeguards must be used for the disclosure and storage of personal health information. It is the responsibility of users to follow the guidelines set forth in their workplace to protect the patient and the information. This statement gives support to patients' privacy, which may become law that the ANA would advocate for in Congress. It also supports the laws and regulations set forth by HIPAA in 1996, in that it protects and adopts the national standards for electronic health care.
It promotes using safeguards for all disclosures and transactions in health information.
Crisis Team Member
As a crisis team member, it is important to find the cause of the breach. Two key suggestions should be implemented in the Kaiser IT group:
• More interaction with one another during the planning, implementation, and evaluation process
• Before the implementation of a program or a change, the IT groups should test the migration site and its functions in a test lab
As noted in the case study, the three groups (the development group, the operations group, and the e-mail group) worked independently of each other to meet their individual department goals. The following diagram shows which IT department manages each respective component:
[Diagram: IT departments and the components each manages. Source: Collmann, J., & Cooper, T. (2007). Breaching the security of the Kaiser Permanente Internet patient portal: The organizational foundations of information security. Journal of the American Medical Informatics Association, 14(2), 239-243.]
As a crisis team member, I would develop a plan to have all three groups interact with each other on job functions; each group should have a member represent its respective group during development and implementation meetings. That member would have the opportunity to give valuable insight into how the group's functions will be affected during the implementation phase.
Future Security Breaches
Data security is the responsibility of the information system team. Three responsibilities of this team are making sure the data is accurate, protecting the data from unauthorized users, and correcting the data if it is damaged.
This includes protecting the system with firewalls, guarding against phishing, and protecting data from hardware or software loss. If Kaiser Permanente did not take steps to quickly resolve the issues within the group and the organization, it might face a HIPAA violation. HIPAA violators can be sentenced to up to 10 years in prison and fined up to $250,000 in criminal penalties for failure to comply. In addition, civil penalties can be imposed of $100 per violation and up to $25,000 per person, per year, for each violation (DMA.org, 2002).
Course of Action
The course of action that the administration should take to ensure that KP Online is secure is improving the precautionary measures in place for health information technology, which make up the HIT trust framework. This starts with an assessment of risk and is carefully applied throughout the system. Risk management informs the organization of possible risks, such as natural disasters and malicious software programs. Information security is widely viewed as the protection of confidential information, which is similar to privacy; this includes the HIPAA regulations.
All of these precautions combine to protect information within the HIT. These precautions affect the healthcare system as a whole; if one or all of them are not followed, data and information may be at risk.
Conclusion
In an age where patients' information is stored, retrieved, and used, it is essential for all users to follow the preventative measures, guidelines, policies, and procedures set forth by their employer and by HIPAA to protect patients' right to privacy and confidentiality.
As technology advances, transitions of IT programs will need to be implemented; unfortunately, breaches in healthcare may occur during the implementation. It is important for the organization and its administrators to be aware of the risks and, if a breach does occur, to act promptly to correct the problem.
References
American Nurses Association. (2012). ANA ethics position statement: Privacy and confidentiality. Silver Spring, MD: Author. Retrieved May 18, 2013, from ANA website.
Collmann, J., & Cooper, T. (2007). Breaching the security of the Kaiser Permanente Internet patient portal: The organizational foundations of information security. Journal of the American Medical Informatics Association, 14(2), 239-243.
Harrison, J., & Booth, N. (2003). Applying new thinking from the linked and emerging fields of digital identity and privacy to information governance in health informatics. Informatics in Primary Care, 11(4), 223-228. Retrieved from CINAHL database.
HIPAA FAQs. (2002, August 1). Corporate Responsibility Resources for Businesses and Marketers. Retrieved May 18, 2013, from http://www.dmaresponsibility.org/HIPPA/
Rossel, C. L. (2003). HIPAA: An informatics system perspective. Chart, 100(1). Retrieved May 18, 2013, from CINAHL database.
Saba, V., & McCormick, K. A. (2011). Essentials of nursing informatics (5th ed.). Trustworthy systems for safe and private healthcare (pp. 271-277). New York: McGraw-Hill.
Wager, K. A., Lee, F. W., & Glaser, J. (2009). Health care information systems: A practical approach for health care management (2nd ed.). San Francisco, CA: Jossey-Bass.