Managing Information System in Healthcare Institutions - Case Study Example

Managing Information System in Healthcare s The automation of health information system has enabled efficient delivery of health services in a healthcare system. However, digitalization process has its fair share of challenges. It exposes patient’s confidential information to threats of access to unauthorized persons, and this can lead to litigations. Patient’s information should be confidential, and hence should not be accessed by other people apart from health professionals as required by law. Due to increased connectivity of various health operations to the internet securing patients confidential information has become a challenging task to health care workers. In America, the health insurance accountability and portability Act require the health professional to safeguard confidential patient records (Sametinger, et al 74-82). The advents of new information technologies have compounded the problem and expose the healthcare givers to a breach of privacy rules as dictated by HIPAA. Threats to electronic data recording can originate from ignorance or reluctance from the health care providers intentionally, unintentionally or technology failures. Confidential information can, therefore, leak through hacking, breach, security breaches, malware, human error or natural accidents. This assignment focuses on some recommendations of the problems facing the health service organization management information systems that have resulted in the severe information security breach. The first part will focus on some of the recommendations that can help resolve the challenge. The assignment will also include budget proposal to the board of directors to help fix the problem. Lastly, the paper will give recommendations for remedies to the patients who have suffered reputation damage out of the security breaches of health service organization (Gostin and Lawrence 92). Information security policies First, my leadership will embark on drafting clear information security policies that will guide all departments of health service organization in handling patient information. The policy document will address issues that have been recognized as possible causes of information security breach. First the policy document must address the procedure for acquisition of the hardware including authentication measures and passwords that will be assigned to each profession as a gate pass to the information organization system. The policy document will also guide the employees on privacy rights of caregivers, patients, families and research. The policy documents will also state the sanctions and other penalties imposed on the professionals working in the organization for the breach of confidentiality. The policy also should explicitly state the employees’ individual responsibilities for data accuracy and integrity. The organization should also include in its policy guidelines on the disposal of media including the hard drives, printed reports, computers, flash discs among other hardware storage devices containing critical organizational information. Levels of privacy expected in users of electronic mail should also be explicitly included in the security policy formulation. It is also important to include the guidelines for disposal of paper-based or printed organization information (Box, Debra, and Dalenca Pottas 1462-1470). The policy documents should provide guidelines for bringing in media, disks or other hard drives from outside the organization. The information security policy must be adhered to by all stakeholders in the organization including vendors, volunteers, staff, students, and management and independent contractors (Gaynor, Mark, Dorine, and Sarnikar 78). The organization will issue the security policy that will create an information security program as well as assign responsibilities to individuals managing it. It must explicitly prescribe the organizational approach to its information security program. The policy will address the particular issues of concern to the organization. Finally, the program will define the sanctions and penalties for security breaches and management expectations from the staff. The organization will need to subcontract an information technology expert to strengthen the information system in the organization based on the analysis of the expert security consultant. Software security. My leadership will develop a mechanism for user authentication. Passwords are critical to safeguarding access to the organization information system. The institution should allocate a personal password to every employee in the organization, and those passwords should be confidential to the employee. Every employee should be personally liable for their passwords and will be held personally liable for any transaction done in the system through their passwords. The health service organization should enforce strict rules prohibiting sharing of login information with other employees or outsiders. To implement the above, each employee will be assigned a unique username and password that has never been reused even by persons who earlier seized to work in the organization earlier. The usernames and password will be used by relevant employees to access the information system of the institution. Generic login will be required from the workstation computers for authentication purposes. The institution will use the authentication guidelines issued by the NIST that require a four stage authentication process involving electronic transactions (Rodrigues and Joel 55). To access information system particularly in situations where individuals are required to have access to multiple information systems a variety of authentication tools will be used. Password pairs, single sign-on, biometrics such as the use of voice and fingerprints or hardware tokens will be included as authentication requirements to have access to the information management system of the organization. Passwords. The organization will have procedures for creating strong passwords, safeguarding and even changing passwords. The organization staff will be assigned strong passwords by international standard organization requirements. Security questions will be programmed to help the users to access their passwords in case they forget them. The users will be required to change the passwords within a certain period. Additionally the system should be designed in such a way that it allows only one login session per user at a given time. The system should not permit the sharing of passwords and accounts. A certain number of failed attempts to login with shared passwords should lead to permanent closure of the account. The system should be designed a manner that logs out automatically after a certain period. The above measure will disconnect the user from access to the system thus preventing access to information from unauthorized people should the authentic user forget to log out a session. However, the logout period should be set reasonably to avoid nuisance due to short sessions by the users (Kapoor, Akshat, and Derek L. Nazareth 61). An additional layer of security set up should be permitted in the system that connects staff account to their mobile phone numbers. The above measure will protect the users account from being hacked by malicious people. A second credential will be required to login from other devices not specified in the security settings. Certain codes will be sent to the account owner smart phone and the person accessing the account will be required to type in those codes to access the account. The above measures will make it difficult to the access of unauthorized users into the staff accounts (Box, Debra, and Dalenca Pottas 1462-1470). Biometrics My leadership intends to use biometric devices to improve the security of its information systems. Therefore, biometric devices will be tendered to be used by staff and other stakeholders in electronic transactions. The devices will read the fingerprints and also be fitted with the digital cameras to capture individual’s image in the transaction. The biometrics is very effective and makes forging identities almost impossible. However, the biometric identification is not free from security breaches, and the organization is aware of the limitations. To avert the situation health service organization intends to use multiple methods including fingerprinting, use of passwords and voice as authentication methods to make it difficult to access information to unauthorized individuals in the organization (Hill and John 120). Conduct regular analysis of data security procedures and policies. My leadership intends to conduct a regular analysis of information security systems to identify potential security risks exposing the organization to more litigation. This analysis should be conducted repeatedly and periodically as soon as information system changes are implemented in the organization. The ultimate responsibility to comply with confidentiality act solely lies with the organization. The institution must meet the requirements of HIPAA as per the law despite the need to adopt the most updated information sharing technologies. Security risk should help the organization to identify vulnerabilities of the system to prevent security breaches. The analysis should address the loopholes identified in the system such as threats and also monitor the progress of the measures adopted to address them (Gostin and Lawrence 76). The organization intends to identify the person who hacked the system through the additional layer of security setups. Upon upgrading the organization information security systems, it will be easy to trace unauthorized individuals trying to access the systems. The devices used to hack the organization system will be tracked through their IP address and the perpetrators will be prosecuted for the cyber crime. Training of staff. My leadership intends to organize training events to all departments to create awareness of the need to safeguard confidential information and serious repercussions that may lead to security breaches. To achieve the above, various training sessions will be conducted to educate the staff on the contents of the information security policies. Each training event will have its objectives that will include: Educating the staff on the contents of new information security policies Training the employees on handling the new information system including the changes that have been implemented The training sessions will also create awareness of serious risks that the breach of confidentiality and ignorance from the staff exposes the organizations to losses and other risks. The training will also train the staff from all the departments on the penalties and sanctions that they may face for failure to comply with the confidential clause as required by the law and professional ethical codes of conduct. The training event will incorporate different training methods to allow every trainee to acquire knowledge through their learning styles. Consequently, the trainers will use different learning theories and styles to plan effective training events (Eichhorst, et al. 314-337). The training events will be designed in such a way as to incorporate different training methods such as role plays, demonstrations, lecturing, and use of diagrams among other methods to train the employees. The training manual will incorporate all the topics identified in the training objectives, and the learners will be evaluated on their ability to transfer that knowledge to the workplace environment. Through the training, the staffs will be required to keep their passwords confidential and safeguard the patient’s information at all costs Budget proposal Introduction Following the recent incident that led to the breach of confidentiality act the organization management have embarked on a rigorous exercise to prevent a repeat of the incident in future. Such occurrences are likely to lead the organization to great losses through litigation and poor reputation among its clients. The management has realized there are training needs of organization staff in different departments (Rodrigues and Joel 108). Secondly the current information management systems need to be upgraded, and thus there is a need to outsource an information technology expert to revisit the entire system. To protect the system from hackers and access by unauthorized people the management has also realized the need to buy biometric devices that can be used to strengthen authentication process. Biometric devices will be used together with other methods identified to safeguard the health service organization. The staff needs to be taken through training sessions to sensitize the on the new improvements and the new policy framework. Consequently, the organization leadership intends to organize training events for all the staff in different departments. However, the management has realized there are no enough resources to implement the highlighted plans and, therefore, seeks financial support from the board of directors. The management requests $ 1000000 from the board to fund the budget as shown below. Acquisition of biometric devices $300000 Training Conference rental $50000 Catering $60000 Training materials $115000 Policy analysts $150000 Outsourcing IT services $200000 Allowances for facilitators $125000 Total $1000000 A thorough investigation through an independent security analyst realized some faults in information technology department. The entire information management system was in a total mess and the department managers were aware of those issues but were reluctant to initiate stringent measures to fix the problem. Consequently Nurse Lucy used those loopholes to leak patient’s confidential information to the media. Through one of the CCTV cameras we were able to trace Nurse Lucy downloading the names of the patients and saving them on her own personal flash disc. After saving them the camera traced the nurse putting the flash in her handbag and walked away home. Afterwards we were able to grill her for close to two hours in a boardroom meeting where she finally admitted committing the act. She admitted that she shared that disc with her friend who is a journalist and forgot to delete those names from her flash disc. Remedies To help the patients whose reputation has been damaged health service organization intends to offer free counseling sessions to all the affected patients to manage the psychological torture they underwent through their names appearing on the list. The counseling sessions will help the patients to overcome stigmatization and discrimination that may arise in society as a result of their status being put into the public limelight. Secondly the organization intends to offer the public apology to all the patients whose confidential information was leaked to the public. The organization will offer the apology and assure the clients that adequate measures have been put in place to avoid the repeat of the incident (Gostin and Lawrence 13. Improved management information systems will be used by the organization to prosecute the perpetrators of the act. The organization intends to cover the costs of hiring the lawyers to pursue justice on behalf of the victims. All the stakeholders involved in the publishing of the confidential information will be sued in the court of justice through the help of law enforcement officers for breaching privacy rights as enshrined in the American laws. My leadership intends to organize a meeting with all the patients whose names were published with an aim of holding a consultative meeting where we will negotiate on the amount of compensation for damage control. The organization may be forced to offer some monetary compensation to the patients. The amount of compensation will be discussed through consultations with the patients to come up with agreeable figure taking considerations of organization and patients interests. Nurse Lucy will be fired to teach others lesson and face full force of law. Conclusion Managing information systems in health institutions is a major challenge especially to avoid an information security breach. The first parts of the assignment have explored some of the major solutions to avoid a breach of confidentiality act. Automation of health services help in increasing efficiency and effectiveness of service delivery in the health sector. However, it also exposes such institutions to risks of litigation if they are not responsible enough to seal any loopholes that may lead to the leak of confidential information. Health service organization can strengthen their information management systems through integrating various methods such as the use of strong passwords and biometric user identification. The above plans require adequate financing as shown in the last part of the assignment, but they must be put in place for the survival of the organization. Work cited Sametinger, Johannes, et al. "Security Challenges For Medical Devices." Communications of the ACM 58.4 (2015): 74-82. Print. Michel-Verkerke, Margreet B, Robert A Stegwee, and Ton AM Spil. "Viewpoint Paper: The Six P’S Of The Next Step In Electronic Patient Records In The Netherlands." Health Policy And Technology 4. (2015): 137-143. Print. Eichhorst, Werner, et al. "A Road Map to Vocational Education and Training In Industrialized Countries." Industrial & Labor Relations Review 68.2 (2015): 314-337 print. Box, Debra, and Dalenca Pottas. "A Model For Information Security Compliant Behavior In The Healthcare Context." Procedia Technology “(2014): 1462-1470.print. Gaynor, Mark, Dourine Bennett, and Surendra Sarnikar. Cases on Healthcare Information Technology for Patient Care Management. Hershey, PA: Medical Information Science , 2013 Rodrigues, Joel. Health Information Systems: Concepts, Methodologies, Tools and Applications. Hershey PA: Medical Information Science Reference, 2010.print. Calabrese, Barbara, and Mario Cannataro. "Cloud Computing In Healthcare and Biomedicine." Scalable Computing: Practice & Experience 16.1 (2015): 1.print. Kapoor, Akshat, and Derek L. Nazareth. "Medical Data Breaches: What The Reported Data Illustrates, And Implications For Transitioning To Electronic Medical Records." Journal Of Applied Security Research 8.1 (2013): 61.print. Hill, John W. "Law, Information Technology, And Medical Errors: Toward A National Healthcare Information Network Approach To Improving Patient Care And Reducing Malpractice Costs." University Of Illinois Journal Of Law, Technology & Policy 7.(2007): 159. print. Gostin, Lawrence O. "modern studies in privacy law: national health information privacy regulations under HIPAA: personal Privacy and Common Goods: A Framework for Balancing under the National Health Information Privacy Rule." Minnesota Law Review 86.(2007) print. Read More