Login Issues to Health Networks in a Hospital Environment - Essay Example

? Login issues to health networks in a hospital environment affiliation Table of contents …………..………………………………………………….………………… 3 Introduction………………………………………….……..………………………………4 Technical responsibilities by health institutions……………………………………………6 Legal Provisions by HIPAA………………………………………………………………8 Provisions on breach….......................................................................................................10 Conclusion…………………………………………………………………………………11 References………………………………………………………………………………….12 Abstract The invention of technological advances in IT has enabled many organizations and institutions improve on their storage and communication abilities. Storage networks have been greatly been transformed from physical storage to the use of websites and computers for storage and references. However, these advances have come with ethical issues that need to be addressed before effective and complete installations in organization are confirmed. This paper will analyse the depth in which healthcare organization would manage and control login to their networks. There will be a review on the effects of guests’ login to these networks and the depth of damage that could be done in case information falls on wrong hands. Additionally, the paper will significantly consider the fact that it is illegal to expose patient sensitive information or access without patient authorization. The results of the paper will be based on: every organization should ensure patient confidentiality. Regardless of the growth of the IT system in healthcare organization, many people still doubt the effectiveness of organization in protecting patient records in their systems. Studies have also indicated that with poor management of IT systems illegal logins may significantly dent an organization effort to ensure security of their stored data and records. The Health Insurance Portability and Accountability Act (HIPAA) is part of American Law that governs the way in which organizations health information sharing, access and exchange. Additionally, HIPAA also provides legislations that govern login to healthcare networks and the extent an organization should be held liable for carelessness and mishandling patient information. Moreover, the HIPAA mentioned many legal issues with the most important one being the three elements have to be protected by three safeguards: administrative, technical and physical. Login issues to health networks in a hospital environment Introduction Technological trends in IT have made it easier for simpler ways in which health organizations have stored their records. Prior to technological advances, health institutions used filing systems based on physical storage of records. However, in healthcare systems the use of health networks pose much risks to both patients and health institution personnel. In healthcare organizations, confidentiality is a right every patient is entitled to (Pattinson, 2007). With the use of networks, an organization faces great risks of patient personal information being accessed by guests. This is breach to rules and regulation governing informational management in healthcare organizations (Hill, 2000). With complete reliance on IT systems, healthcare organizations record all sensitive information on patients in their systems. Additionally, these systems ensure that organizations run smoothly without interruption of its records (Bos & Blobel, 2007). The reliability of information in any medical setting is important to ensure the connection between patients and physicians (Quynh, 2005). Patients trust physicians with their sensitive information and trust this would be safeguarded. The information is always useful but also dangerous if used for wrong purposes (Pande et.al, 2003). With healthcare organization having great magnitude of information to store and patients to communicate to, they choose IT storage options and online communications system. This is managed through authorized login to healthcare networks. Login to healthcare networks has access on both sensitive institutions information and also patient private information. For this reason, Moyer et.al (2002) suggests that organizations should put in place security measure on their systems that would stop any unauthorized access to this information. Perrig et.al (2002) described login to health networks as an activity that should be done on an authorized basis. The author further points out that authorization should be done by using IT protective measures such as passwords and firewalls (Sittig, King & Hazlehurst, 2001). HIPAA holds an organisation responsible for ensuring security of patient information and in case if any carelessness in this management may lead to prosecution of involved parties. There are numerous advantages of using health networks and computerized heath systems. The accessibility is easier and faster. Additionally, arrangement of information and records can be done in terms of importance and significance (Hash et.al, 2005).These storage systems also ensure the number of employees is cut thus reducing expenditure that would be directed in improving the computerized storage systems (Simon, 2000). However, the application of this invention is comes with ethical responsibilities. For instance, login to health networks should be made confidential as possible. Only authorized physicians should be allowed to access patient information. In an argument by Cios & Moore (2002) patient information stored in health networks are the responsibility of an organization to protect them from illegal access, deletion or any form of tamper. These provisions are also provided by HIPAA which has legislations created against violation of a patient’s private information through health networks (Cavalli et.al, 2004). It is the responsibility of a physician and a sound patient to authorize access to sensitive information on a patient. However, the issue on information security in terms of login to health networks is purely based on physicians and the responsibility of an organization to protect its networks from possible breach and unauthorized access (Trudy, 2006). Technical responsibilities by health institutions In terms of login to health networks, an organization should ensure protection of sensitive information. Sensitive information include social security numbers, credit card numbers, research data, driver’s license numbers, personal information and computer passwords (Garret, 2005). Safe guarding such information would be enough to hinder any unauthorized login to health networks in an organization (Evered, 2004). However, Zhang, Yan Poon & Zhang (2011) point out that the main responsibility by organization in safe guarding organization networks would be to minimize the access of these networks. The author further points out that health networks should only be accessed upon request by the patient or during a situation a patient cannot make sound decisions (Broderick, 2006). The above situation is when an organization has control over its IT systems. An organization should ensure that their networks are secure. This can be done by effectively managing passwords and network security (Ashenden, 2008). Password management includes having passwords that are complex to crack. For instance, organizations are recommended to have passwords that have letter, numbers and other characters to increase its complexity (Mathur, 2003). Additionally, HIPAA suggests that an organization should change their passwords after 45 to 90 days to mitigate risks that may be involved in cracking their networks (Eder, 2000). There is also a recommendation that the password to networks should be known by department heads to reduce access to networks and increase responsibility and accountability in case of breach. The same sentiments are shared by Humphreys (2008) who argues that company health networks should only be made accessible to leadership figures in the institution to increase manageability. Krause & Tipton (2003) suggest that a hospital environment should have a protected login access. This limits the number of people that can access the networks thus increasing security. Additionally, a network that has barriers is easy to manage and monitor its users (William & Herbert, 2009). The authors also argue that using a large accessible network is risky since untrusted servers and gadgets could be used to tamper with the networks (William & Herbert, 2009). Another responsibility by an organization in managing logins in a hospital environment is to limit access to important information to only around the institution’s environment (Ponemon Institute, 2011). For instance, many health organizations have limited access to their information only around the environment even to its top management: When outside the environment one cannot access the information or login to their health networks (Williams, 2010). The personnel at health institution environment also have an ethical responsibility of ensuring their gadgets are secure and away from unauthorized people. This can be done by them ensuring logout and deletion of access history from their gadgets (Wiegers, 2003). The legislation provided by HIPAA argues that personnel should be help responsible for mishandling sensitive information in or outside their institution’s environment (Kolkman & Brown, 2001). Additionally, any private information accessed outside the institution’s environment can be treated as breach of institution policy and legislation provided in the HIPAA (Dolan, 2011). Legal provision by HIPAA The legislations by HIPAA are divided into two categories (AHIMA, n.d): The HIPAA privacy rule The HIPAA security rule The HIPAA privacy rule In the HIPAA privacy rule, there is information referred to as protected health information (PHI). The PHI of patients must be protected while in the hospital environment (Williams, 2008). This information can only be accessed in the hospital environment and the information is considered institution properties. HIPAA provides that the information can only be accessed through the request by a patient or situation where a profession needs an urgent and significant referral on the history of a patient (Northcutt, 2009). The PHI in health networks in a hospital environment requires protection through effective management of the networks. In an argument by Michael (2008) HIPAA provides legislations that PHI should be protected and excluded from easy access and this can be done by securing the institutions health networks. Additionally, HIPAA secures the information accessed through education purposes as they require approval and their requirements governed by the laws (Lucas, 2008). In securing health systems, an organization should delete any personal information of patients from copiers to deny access of the information (Bloom, 2008). Additionally, while sending PHI to patients, an organization is advised to use encrypted addresses and messages to ensure security of the content (Hyder, 2007). Hyder (2007) also pint out that all personal contact information of patients such as emails, phone numbers and addresses should be ensured through the three basic aspects of physical, administrative and technical safeguards. Organizations should also have strong password protections. Before contacting patients, medical staffs are advised to verify phone numbers and when possible use programmed numbers (Cook, Render & Woods, 2000). In reality many organizations and medical staff have been charged fro the breach of the privacy rule. For instance, the court ordered Walgreen to pay $1000 to a client whose PHI was accessed without the request (Peters & Sarah, 2012). In this case the employee had a suspicion that his husband’s ex-girlfriend infected him with STD. To confirm her worries she looked up the medical records of the client after which she shared the information with her husband. She later texted the client and informed her of her knowledge of their health information and the client sought the intervention of the courts and she was compensated. In addition, the health institution should be charged with inappropriate handling of PHI in the hospitals environment. This case shows the depth and significance of the legal provision by the HIPAA. Many state courts have ruled on the objective of the HIPAA to rule on the compulsory adherence to its provisions by the legislation and health personnel should be held liable for breach of standard care (Scipioni et. al, 2001). In securing hospitals environments and access to networks, organizations are held liable for any breach of standards care in their environments in situations where breach could be avoided by easy steps of securing the networks. The HIPAA security rule This particular security rule is aimed with the responsibility of safeguarding PHIs by ensuring confidentiality, availability and integrity of PHI in the hospital environment. Confidentiality refers to the ability of an organization not to share personal health information. Integrity refers to not tampering to PHI in whichever manner. And availability means that PHI should be able to be accessed at the request of the patient or an authorized person (Walker, Beiber & Richards, 2004). Each organization should put in place mechanisms that would hinder sharing of PHI in the hospital environment. There are several security standards that are put in place in medical organizations environments to hinder illegal login to health networks. They include (Lucas, 2008): Protect PHI from accidental or unauthorized access. This prevention should be ensured in computer systems and work areas. Limit accidental disclosures. For instance stop the access of health networks systems across hallways and open places and outside the hospital environment (Williams, 2010). Include security practices such as encryption of gadgets and information sharing and stored in the computer systems. This can also be done by using codes and passwords for access to the institution’s health networks. Provisions on breach In reviewing the consequences of the breach of both the private and security rules provided by HIPAA, Wager, Lee & Glaser (2009) argue that the fines and punishments implemented are effective enough to ensure organizations adhere to these provisions. The punishment provisions also include the punishment of individual who breach company protocol and personnel provisions by HIPAA. For instance, Dal Poz (2009) highlights a case whereby health personnel accessed company network while outside the environment of their organization. The staff member then lost their browsing gadget which led to people accessing private information. The personnel was charged and fined for unauthorized access of medical information while outside the institution’s environs. Dal Poz (2009) argues that if the personnel was within the institution’s environs, the jury would have been considerate in giving the ruling on his mishandling of private information. Conclusion From the analysis of the provisions by the HIPAA, one could easily argue that login to health networks in a hospital environment is purely left to be a responsibility of the institutions to protect their systems. However, HIPAA provides mechanisms of how this should be done and situation where breach may occur and demand liability of either the organization or the medical professions. Login to health networks in the hospital environment has however, improved over the years as institutions put client best interest first with great regard of the provisions by the HIPAA (WHO, 2000). Apart from the provisions by HIPAA, health organizations should have an ethical obligation to ensure their networks are safeguarded from risks. The ethical obligation should be based on the assurance of confidentiality of patient information. With development and advancements in illegal ways of accessing IT networks, legislations by HIPAA should be tightened to provide health organization with stern provisions that they should adhere to. This would ensure information security and increase of trust by patients in health institutions. References American Health Information Management Association (AHIMA).(n.d.).Health Information Exchange. Retrieved from: http://www.ahima.org/resources/hie.aspx Ashenden, D. (2008), “Information Security management: A human challenge?” Information Security Technical Report, 13, 4, (195-201). Bloom, G., Standing, H., & Lloyd, R. (2008). Markets, information asymmetry and health care: towards new social contracts. Social science & medicine, 66(10), 2076-2087. Bos, L., &Blobel, B. (Eds.). (2007). Medical and Care Compunetics 4: Studies in Health Technology and Informatics. IOS Press. Broderick, J.S. (2006), “ISMS, security standards and security regulations”, Information Security Technical Report, 11, 1, (26-31). Cavalli, E., Mattasoglio, A., Pinciroli, F., and Spaggiari, P. (2004), “Information security concepts and practices: the case of a provincial multi-specialty hospital”, International Journal of Medical Informatics, 73, 3, (297-303). Cios, K. & Moore, W. (2002). Uniqueness of Medical Data Mining. Artificial Intelligence in Medicine Journal, 26 (1-24). Cook, R. I., Render, M., Woods, D. (2000). Gaps in the continuity of care and progress on patient safety, BMJ320 (7237): 791–794. Dal Poz, M. (2009).Handbook on monitoring and evaluation of human resources for health. Geneva: WHO Press. Dolan, P. L. (2011). AMA to draft model legislation on information exchanges. American Medical News. Retrieved from: http://www.amaassn.org/amednews/2011/07/04/prsl0704.htm Eder, L.B. (2000). Managing Healthcare Information Systems with Web Enabled Technologies. Hershey: IGI Publishing. Evered, S. (2004). A Case Study in Access Control Requirements for a Health Information System. Sydney: Australasian Information Security Workshop. Garrett, B. (2005). An Accelerometer Based Fall Detector: Development, Experimentation, and Analysis, Internal Report. Berkeley: University of California. Hash, J., Bowen, P., Johnson, C., Smith, D. & Steinberg, D. (2005). "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule," Nat. Inst. Stand. Technol., NIST Spec. Publ. 800-866. Hill, J. (2000). "System Architecture Directions for Networked Sensors," SIGPLAN Not., 35, 11 (93-104). Humphreys, E. (2008). “Information security management standards: Compliance, governance and risk management”, Information Security Technical Report, 13, 4, (247-255). Hyder, A. (2007). Exploring health systems research and its influence on policy processes in low income countries.BMC Public Health7: 309. Kolkman, L. & Brown, B. (2011).The Health Information Exchange Formation Guide.Chicago, IL: Healthcare Information and Management Society. Krause, M. & Tipton, H.F. (2003). Handbook of Information Security Management. New York: CRC Press LLC. Lucas, H (2008). "Information And Communications Technology For Future Health Systems In Developing Countries". Social Science and Medicine66 (10): 2122–2132. Mathur, A. (2003), “The role of information technology in designs of healthcare trade”, http://www.icrier.org/pdf/wp111.pdf, Michael A. (2008). "Health Care": Concise Encyclopedia of Economics. Indianapolis: Library of Economics and Liberty. Northcutt, S. (2009).Tying log management and identity management shortens incident response[Web blog post].Retrieved from: http://searchsecurity.techtarget.com/magazineContent/Tyinglogmanagementandidentitymanagementshortensincidentresponse. Pande, Y., Patel, C., Powers, G., Ancona, H. & Karamanoukian, L. (2003). “The telecommunication revolution in the medical field: present applications and future perspective”, Curr. Surg, 60, 636-640. Pattinson, F. (2007), “Certifying Information Security Management Systems”, http://www.atsec.com/ downloads/pdf/CertifyingISMS.pdf, Perrig, R. Szewczyk, J. D. Tygar, V. & Culler, D. (2002). "SPINS: Security Protocols for Sensor Networks," Wireless Networks, 8, 5 (521-534). Peters, D. & Sara, B. (2012).Better Guidance Is Welcome, but without Blinders. PLoS Med9 (3). Ponemon Institute. (2011). Second Annual Benchmark Study on Patient Privacy & Data Security.Retrieved fromhttp://www2.idexpertscorp.com/assets/uploads/PDFs/2011_Ponemon_ID_Experts_Study.pdf Quynh, L. (2005), “Issues on health data collection”, In: Creative Dissent: Constructive Solutions. NSW: Paramatta. Scipioni, A., Arena, F., Villa, M., and Saccarola, G. (2001), “Integration of management systems”, Environmental Management and Health, 12, 2, (134-145). Simon, R. (2000). Electronic Patient Records , IMIS Journal 10, 5. Trudy, B. (2006). Medical Records: From Clipboard To Point-and-Click. New York: The Institute. Wager, K., Lee, F. & Glaser, J. (2009).Health care information systems: A practical approach for health care management. New York: Jossey-Bass. Walker, J., Bieber, E. & Richards, F. (2004).Implementing an electronic health record system. New York: Springer. Wiegers, K. E. (2003). The Essential Software Requirement. Redmond, WA: Microsoft Press. Willam, S.W. and Herbert, L.S. (2009). Computational Technology for Effective Health Care: Immediate Steps and Strategic Directions. Washington, D.C: National Academies Press. Williams, J. (2010). Social Networking Applications in Health Care: Threats to the Privacy and Security of Health Information. SEHC'10, 39-49. Williams, M. (2008).Preparing for Success in Healthcare Information and Management Systems: The CPHIMS Review Guide.Chicago, IL: Health Information and Management Systems Society. World Health Organization. (2000).World Health Report 2000 – Health systems: improving performance. Geneva: WHO Press. Zhang, G., Yan Poon, C. & Zhang, Y. (2011). A Review on Body Area Networks Security for Healthcare. ISRN Communications and Networking, (8). Read More