Information Security and Privacy in Healthcare - Essay Example

Summary
The paper "Information Security and Privacy in Healthcare" discusses technological advancements and the adoption of digital patient records, increased regulation, provider consolidation, and the increasing need for information dissemination between the health providers, patients, and all stakeholders. …

Extract of sample "Information Security and Privacy in Healthcare"

Information System Security Plan

Information security and privacy in health is an issue of growing importance in the healthcare sector all over the world. Technological advancement and the adoption of digital patient records, increased regulation, provider consolidation, and the increasing need to share information among health providers, patients and all other stakeholders have prompted the adoption of better and more consistent information security. Healthcare information systems have been one of the most important factors in improving the quality of healthcare as well as reducing related costs (Doherty & Fulford, 2006). Recent research has provided evidence that a lack of adequate security measures has resulted in numerous data breaches and has consequently left patients vulnerable to economic threats, mental anguish, and possible social stigma. For instance, recent research in the United States has suggested that 75% of patients are concerned about health websites sharing information without their consent, which could be because the disclosure of medical information was found to be the second-highest breach in the US (Ma, Zou & Li, 2011).

Researchers, especially in information systems, have drawn on different disciplines, such as psychology and sociology, to analyze the roles that individuals and employees play in information security management. There are good reasons why information should be guarded in healthcare facilities. For instance, information can be used to improve the efficiency and quality of the services offered in the facility, to spearhead the development of public policy and administration at all levels of governance, and to advance research in the medical field (Doherty & Fulford, 2006).
Further, a patient’s information can be shared with the payer organizations and insurance companies where the patient is a stakeholder, to justify payments for services rendered by physicians. Healthcare records can be used by healthcare providers to manage their operations, assess the quality of their services and identify the areas that need to be improved.

Introduction

In today’s corporate setups, security has become a major concern because of advancements in technology, and this has prompted businesses to strengthen their security plans to avoid unnecessary losses and to guard their important information against tampering by adverse parties. Information security can be defined as the safeguarding of information and information systems from unauthorized access or modification, whether in processing, storage, dissemination or collection. A good information security plan must contain the measures necessary for detecting, documenting and curbing the threat of intruders (Ma, Zou & Li, 2011). The plan chosen must guarantee information assurance, which basically means ensuring that information is not lost when a threat arises. These threats include, but are not restricted to, natural disasters such as floods and earthquakes; computer technical errors or server malfunctions; physical theft; and any other means by which information may be lost or tampered with (Wiech, 2012). Since information in the modern era is stored on computers as soft copies, information assurance is usually handled by means of information technology. Among the most common methods of information assurance used by programmers and information technology specialists is keeping an external, offline backup of the data in case one of the events mentioned above occurs (Ma, Zou & Li, 2011).
However, security practitioners today whinge, in other words complain, a great deal about the ever-rising threat of information theft and manipulation while doing nothing about it. Understanding the importance of information security is essential; it helps the parties concerned work to ensure that their information is protected from malicious and unwarranted access. Therefore, this study seeks to identify the key elements that are essential in an ideal information security plan for hospitals, singling out the advantages of such plans, the challenges facing them, and their functions (Doherty & Fulford, 2006).

Characteristics of a Good Information Security System Plan

A good information security system plan has characteristics that act as pillars of its operation. Among these characteristics are integrity, confidentiality, availability and authenticity. On integrity, a good plan must be able to guarantee the accuracy and consistency of data over the time they are in use, meaning that data cannot be changed or accessed in an unauthorized and undetectable manner (Yeh & Chang, 2007). Moreover, a good system of information security must ensure availability: the devices used for storing information must be accessible whenever they are needed, which is essential in preventing denial-of-service attacks, such as a flood of information that may force the system to shut down. An information security system must also ensure authenticity, that is, that the information provided by the parties involved is genuine. Some plans may even require digital signatures as evidence that the information is valid (Wiech, 2012).

Threats and Vulnerabilities

Information is prone to a number of threats that may cause damage and inappropriate access to vital information.
Threats can be intentional, malicious or accidental, but either way, measures must be put in place to deal with any potential threat. Vulnerabilities, on the other hand, are weaknesses that can be exploited by the aforementioned threats. Reducing system vulnerabilities will therefore reduce the impact of threats on the system. Threats to information security include, but are not restricted to, the following.

Unauthorized users constitute the greatest number of security breaches. Losing confidential information to the wrong users can be bad news for the healthcare facility, while the privacy of the patients and other stakeholders is put at an unbelievable risk (Yeh & Chang, 2007).

Theft is another threat that information security faces, as most information is held on desktop and laptop computers. The extensive use of laptops, tablets, smartphones and other handheld devices for storing information has increased the probability of information loss. Portable storage media such as external hard drives and USB disks have also increased the potential for loss of information, especially if these devices are not encrypted. Measures must be taken to ensure that patient and corporate data are protected in the event that any of these devices is lost, stolen, or misplaced. Encryption and limited use of portable devices will help minimize this problem (Wiech, 2012).

Employees and former employees pose another dimension of threat through sabotage (Yeh & Chang, 2007). Disgruntled employees may maliciously destroy hardware or facilities and plant logic bombs that destroy and manipulate data. Logic bombs can also destroy programs, enter data incorrectly, delete data, alter data and ultimately crash systems.
It is highly important, therefore, that passwords and system access codes are deleted or changed immediately when an employee leaves or resigns from a post.

The system can also be attacked by malicious code that causes the information security system to malfunction (Ma, Zou & Li, 2011). Malicious code can affect personal computers and even more sophisticated systems, and it includes viruses, worms, Trojan horses, logic bombs and other malicious software. Although a malicious program may be harmless, it may be a nuisance to the security plan by displaying unwanted phrases or graphics, and it may eventually alter, destroy, or crash programs. Corporate networks, e-mail and the Internet are the channels through which malicious code and software invade computers and systems. It is therefore critical that antivirus and antimalware software be kept up to date to curb this situation.

Another vulnerability of information security systems is the issue of hackers (Yeh & Chang, 2007). Hacking, sometimes called cracking or attacking, has been on the rise in recent years and has raised serious concerns. The actions of hackers, attackers or crackers may be limited to browsing the information, but may later extend to stealing, changing, manipulating or deleting it. Information security plans must ensure that their systems are not accessible via remote means as these are particularly vulnerable to hackers.

Errors and omissions present a further vulnerability: end users, data entry clerks, system operators and software programmers may make unintentional errors (Yeh & Chang, 2007).

Ways Hospitals Can Improve Information Security

Given the threats and vulnerabilities described above, security practitioners need to be vigilant and bold to ensure that information in healthcare is protected at all costs.
A good information security system plan must eliminate shared accounts and their security risks (Wiech, 2012). It is not unusual for physicians and nurses to share an account, with one set of credentials used by everyone. This is most common in emergency rooms, where the employees working on a patient use a single computer to access a vital piece of information. Because it is an emergency, there is no time for each employee to log into a separate account, so employees use the one computer to access the information that is needed (Wiech, 2012). This practice is risky because users can easily access virtually all the information on the machine, and it makes compliance audits difficult. To eliminate this threat, every physician and nurse needs their own credentials for every application, but remembering the credentials for all applications is particularly difficult, and logging in and out of the system is time-consuming. A single sign-on application for the employees of a healthcare facility can ease this problem, but, most importantly, the use of smartcards is even more efficient. Once the user presents the smartcard to the reader, the software recognizes them and the user is automatically logged into the system or the server (Ma, Zou & Li, 2011).

A good information security system plan should also keep employees from writing down passwords and codes. Hospitals must implement complex passwords and access codes for audit requirements, but complex passwords have adverse impacts on end users. Single sign-on makes things easier for end users, and the healthcare facility can then set complex passwords for the system. Moreover, employees must be given the correct access rights to ensure the security and confidentiality of the system.
This can be based on job roles in the hospital or on certain qualifications, and would go a long way toward improving the security of information in the hospital. Great security systems would definitely employ this criterion. An ideal information security plan should be able to detect automatically who is logging into the system, and single sign-on can facilitate this (Wiech, 2012). Automatic user provisioning when employees change posts is also a characteristic of a good information security system. In most cases, IT staff are not notified in time when employees leave their positions; this leaves important information vulnerable and can lead to serious repercussions. With an automated employee management solution, however, this problem is solved (Doherty & Fulford, 2006).

Conclusion

Information security and privacy in health is an issue of growing importance in the healthcare sector all over the world. Technological advancement and the adoption of digital patient records, increased regulation, provider consolidation, and the increasing need to share information among health providers, patients and all other stakeholders have prompted the adoption of better and more consistent information security. Healthcare information systems have been one of the most important factors in improving the quality of healthcare as well as reducing related costs. Losing confidential information to the wrong users can be bad news for the healthcare facility, while the privacy of the patients and other stakeholders is left at an unbelievable risk. Information security system plans must ensure that the challenges discussed above are sufficiently addressed, while also striving to possess the characteristics discussed in the study for better and assured performance.

References

A Software Security Assessment System Based On Analysis of Vulnerabilities. (2012). JCIT, 7(6), 211-219. doi:10.4156/jcit.vol7.issue6.26

Doherty, N., & Fulford, H. (2006). Aligning the information security policy with the strategic information systems plan. Computers & Security, 25(1), 55-63. doi:10.1016/j.cose.2005.09.009

Eschelbeck, G. (2005). The Laws of Vulnerabilities: Which security vulnerabilities really matter?. Information Security Technical Report, 10(4), 213-219. doi:10.1016/j.istr.2005.09.005

Ma, X., Zou, H., & Li, Y. (2011). Research and Application of Contingency Plan Based on Hospital Network and Information System Security. Computer And Information Science, 4(6). doi:10.5539/cis.v4n6p105

Wiech, D. (2012). 5 Ways Hospitals Can Improve Information Security. Cipherhealth. August 22, 2012.

Yeh, Q., & Chang, A. (2007). Threats and countermeasures for information system security: A cross-industry study. Information & Management, 44(5), 480-491. doi:10.1016/j.im.2007.05.003
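
The account controls discussed under "Ways Hospitals Can Improve Information Security" (no shared accounts, access rights based on job role, prompt removal of access when staff leave) can be checked with a periodic audit. The following is an added example, not part of the original essay; the roster, account and smartcard-login records, and all field and function names, are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data; every name and field here is hypothetical.
ROLE_RIGHTS = {
    "physician": {"ehr_read", "ehr_write", "orders_write"},
    "nurse": {"ehr_read", "vitals_write"},
    "billing": {"billing_read", "billing_write"},
}
ROSTER = {  # employee id -> (job role, termination date or None)
    "E100": ("physician", None),
    "E101": ("nurse", None),
    "E102": ("nurse", date(2024, 3, 1)),
    "E103": ("billing", None),
}
ACCOUNTS = [  # directory export: one row per account
    {"user": "dr.adams", "owner": "E100", "enabled": True,
     "rights": {"ehr_read", "ehr_write", "orders_write"}},
    {"user": "n.baker", "owner": "E101", "enabled": True,
     "rights": {"ehr_read", "vitals_write", "billing_read"}},
    {"user": "n.cole", "owner": "E102", "enabled": True,
     "rights": {"ehr_read", "vitals_write"}},
    {"user": "b.diaz", "owner": "E103", "enabled": True,
     "rights": {"billing_read", "billing_write"}},
    {"user": "er-station1", "owner": None, "enabled": True,
     "rights": {"ehr_read", "ehr_write"}},
]
LOGINS = [  # (account used, badge id read by the smartcard reader)
    ("dr.adams", "E100"), ("n.baker", "E101"), ("b.diaz", "E103"),
    ("b.diaz", "E101"), ("er-station1", "E100"), ("er-station1", "E101"),
]

def leaver_accounts(accounts, roster, today):
    """Enabled accounts whose owner has left or is missing from the roster."""
    flagged = []
    for acct in accounts:
        if not acct["enabled"] or acct["owner"] is None:
            continue
        record = roster.get(acct["owner"])
        if record is None or (record[1] is not None and record[1] <= today):
            flagged.append(acct["user"])
    return sorted(flagged)

def excess_rights(accounts, roster, role_rights):
    """Rights an account holds beyond what the owner's job role allows."""
    flagged = {}
    for acct in accounts:
        record = roster.get(acct["owner"])
        if record is None:
            continue  # unowned accounts are reported by shared_accounts()
        extra = acct["rights"] - role_rights.get(record[0], set())
        if extra:
            flagged[acct["user"]] = sorted(extra)
    return flagged

def shared_accounts(accounts, logins):
    """Accounts with no named owner, or used by a badge other than the owner's."""
    badges = defaultdict(set)
    for user, badge in logins:
        badges[user].add(badge)
    return sorted(a["user"] for a in accounts
                  if a["owner"] is None or badges[a["user"]] - {a["owner"]})

if __name__ == "__main__":
    today = date(2024, 4, 1)
    print("leavers still enabled:", leaver_accounts(ACCOUNTS, ROSTER, today))
    print("rights beyond role:", excess_rights(ACCOUNTS, ROSTER, ROLE_RIGHTS))
    print("shared accounts:", shared_accounts(ACCOUNTS, LOGINS))
```

In practice the three inputs would come from the HR system, the directory service and the sign-on logs, and each flagged account would be disabled, trimmed to its role, or replaced with per-user credentials.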