Background
The main legal issues facing insurance companies in respect of the patient information entrusted to them are breach of privacy and fraud. These two issues, therefore, become primary legal considerations in the development of an information security management system (ISMS). An ISMS can be defined as the set of policies developed to ensure the management of information security for a system within which sensitive information has been placed. The first legal issue is premised on the fact that any and all information provided by a patient to any hospital or healthcare system apparatus is absolutely privileged (Gaivéo, 2015). Therefore, this information may be seen only by those qualified to see it, and only for reasons of the patient’s health or issues relating to public health and welfare. Health insurance companies are involved in issues relating to patient health and are, therefore, qualified to access this otherwise privileged information (Gaivéo, 2015). However, this information is entrusted to the company on the understanding that it will be properly safeguarded and seen by qualified individuals only as and when necessary.
The second legal issue, as aforesaid, relates to fraud and concerns the risk that the information entrusted to health insurance companies will be used to defraud customers, the government, hospitals or other financial institutions (Campbell, 2016). This is because the private financial information of customers becomes available to insurance companies through the channels created for payment of premiums and through the evaluation of eligibility for credit-based programs. Further, the behavioral attributes of patients, such as the hospitals they frequent, are also available to the companies. Finally, since some clients pay by credit card, related information such as account details and passwords can also be available to the company (Gaivéo, 2015). Fraud can, therefore, be conducted either by accessing information in the systems and using it illegally or by altering the information within the system for pecuniary gain. It is incumbent upon the ISMS so developed to protect the data from these abuses.
Original New User Policy Statement
The current user policy is simple and practicable, albeit weak from a security perspective. For a start, it does not classify new users and treats all of them as equal. Therefore, all new user applications are given equal consideration whether they come from interns or from new employees of any level. These prospective users of the system have two levels of user application. The first is the ordinary user; the second is the user with administrative access. With regard to the ordinary user, access is premised on an application form completed, signed and submitted by the user. The form indicates what nature and level of access is necessary for the user to undertake official duties, and it is on this indication that access is granted. However, where the user’s obligations necessitate administrative access, the signature of a ‘manager’ is required. The nature and rank of the manager is not specified. The upshot of the foregoing is that any applicant who manages to obtain a manager’s signature can get unfettered access to the information within the system. Further, even without managerial approval, any new user who indicates the need for any level of non-administrative access will be granted it.
Modified New User Policy Statement
The first amendment to the new user policy entails classifying the levels of ordinary users in the system, from the least access up to administrative access, with well-established and clearly outlined limitations. These levels of access will be akin to the administrative levels of employees within a human resource management system. Instead of a new user having to apply for access to the system, a personalized user access protocol will be established and assigned to each new member of staff whose duties require access to the system. The scheduled duties of the position, not the employees themselves, will determine the user level necessary. Further, the user level allowed to an employee will be the least level necessary to accomplish normal operations. This policy, therefore, eliminates the application procedure for new user access and makes new user access available to all who need it, limited to the pre-determined minimum level.
Administrative access, due to its sensitive nature, should also not be subject to application but tied purely to the job descriptions of individuals. Further, all individuals must undertake the necessary training before being granted administrative access to the system. Based on the size of the system, the scope of work within any given period, and the level and nature of activity per department, it is possible to determine how many administrators are necessary. The number of administrators necessary should also account for the different departments and for seasonal changes in work schedules. Once the number of administrators necessary has been periodically determined, these administrators will be appointed and granted passwords that allow for that level of access. This access should vary, with permanent administrators getting permanent access and the remaining administrators getting access valid until the next periodic review. This will keep the number of administrators as small as possible and well known, yet allow for fluid undertaking of duties.
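To make the provisioning rule concrete, the following Python sketch is an added example, not part of the original paper or of any Heart-Healthy Insurance system; the job-description table, role names and review dates are constructed assumptions. It shows ordinary access following the role immediately, administrative access requiring completed training, and temporary administrative grants lapsing at the next periodic review.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed job-description table (assumption): the position, not the applicant,
# fixes the access level, and it is the least level the scheduled duties require.
ROLE_ACCESS = {
    "intern": "read-limited",
    "claims-clerk": "read",
    "claims-adjuster": "read-write",
    "systems-administrator": "admin",
}

@dataclass
class Grant:
    user: str
    level: str
    expires: Optional[str] = None  # ISO date of the next periodic review; None means permanent

def provision(user, role, trained=False, permanent=False, next_review=None):
    """Derive a user's access from the job description; there is no application form."""
    level = ROLE_ACCESS.get(role)
    if level is None:
        raise ValueError("no job description for role %r" % role)
    if level != "admin":
        return Grant(user, level)  # ordinary access is pre-determined and immediate
    if not trained:
        raise PermissionError("administrative access requires completed training")
    if not permanent and next_review is None:
        raise ValueError("temporary administrative access needs a review date")
    return Grant(user, "admin", None if permanent else next_review)

def periodic_review(grants, today):
    """Drop temporary administrative grants whose review date has arrived (ISO strings compare in order)."""
    return [g for g in grants
            if not (g.level == "admin" and g.expires is not None and g.expires <= today)]

def admin_count(grants):
    """Number of administrators currently holding access; the policy keeps this small and known."""
    return sum(1 for g in grants if g.level == "admin")
```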
Justification for the New Changes
The major policy changes outlined above limit access to information, and also the capability to amend and/or transfer information, as held by Heart-Healthy Insurance. This limitation is pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in general and particularly the Privacy Rule at 45 CFR Part 160 as well as Subparts A and E of Part 164 (Government Publishing Office, 2017). It is also founded on the Financial Privacy Rule of the Gramm-Leach-Bliley Act, which provides for the privacy and safety of customers’ financial records (Federal Trade Commission, 2015). Whereas the Privacy Rule allows health insurance providers access to Protected Health Information (PHI), it places an immense obligation on those companies to protect the privacy of this information (Campbell, 2016). In the current information technology age, a majority of the members of staff in an insurance firm require access to the information system to conduct their duties.
This means that even temporary employees and contractors who have not been properly cleared may need to use the system from time to time to undertake their duties. A system that allows any user to determine the level and nature of access they should get has supervisory deficiencies. It is also contrary to the ‘minimum necessary’ rule provided in the HIPAA Privacy Rule (Government Publishing Office, 2017). The worst part, however, is that with as little as a manager’s signature, administrative access can also be granted. This means that all ‘managers’, as well as those they approve, have administrative access, and the number of system administrators at any given time is undefined, since administrative access is not designated as temporary or permanent. Administrative access also allows for amendment and dissemination of information, which creates a high propensity for fraud, which Title II of HIPAA creates an obligation to prevent. Title II Section 201 of HIPAA also states that, in spite of the internal systems available within an ISMS, training for individuals who get administrative access is mandatory (Government Publishing Office, 2017; CDC, 2017).
Original Password Policy Statement
The current password policy has three basic components: the nature of the password, the procedure for resetting a password, and the procedure to follow when three incorrect password entries have been made. With regard to the nature of the password, the policy indicates only that the password should be over 8 characters long and a combination of lowercase and uppercase letters. For resetting passwords, no procedure is specified save that the previous 6 passwords used may not be reused. Finally, when a wrong password is entered three times, an intermission of 15 minutes is imposed before another login attempt can be made. Taken together, this policy ensures that the passwords used are relatively strong, that resetting them cannot easily be done using other passwords that could have been recently observed, and that trial and error would be relatively hard to use in guessing a password.
Modified Password Policy Statement
The modified password statement will adopt several aspects of the original policy with two major modifications. The first modification concerns the composition of the password and will indicate that the password must also include both letters and numbers and must not involve a decipherable common word, event or noun. A user can, therefore, not have a password containing their name, a birthday or birth year, or a loose combination of the same. The second modification, which concerns the wrongful entry of a password more than three times, will indicate that when a person has input a wrong password more than three times, administrative intervention will be necessary before the user can try to log in afresh. The graphical user interface will, therefore, immediately direct the user to contact a supervisor for help.
The modified policy will indicate that passwords must be at least eight characters long and contain a combination of upper- and lowercase letters as well as at least two (2) numerals. The combination of letters and numerals used should not result in a decipherable common word, event or noun. Shared passwords are not permitted on any system that contains patient information. When resetting a password, users cannot reuse any of the previous six passwords used. If a user enters the wrong password three consecutive times, administrative intervention will be necessary before the user may attempt another login.
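The modified password policy can be checked mechanically at password-set time and at login. The following Python is an added example, not code from the original paper; the common-word list is a constructed stand-in for a real dictionary and name list, and the lock is assumed to trigger on the third consecutive failure, as in the modified statement.

```python
import hashlib
from dataclasses import dataclass
MIN_LENGTH, MIN_DIGITS, HISTORY_DEPTH, MAX_FAILURES = 8, 2, 6, 3
# Constructed stand-in for a real dictionary and name list (assumption).
COMMON_WORDS = {"password", "welcome", "summer", "heart", "healthy", "insurance"}

def password_digest(password):
    # History holds digests, never plaintext; production should use a salted slow hash (bcrypt/argon2).
    return hashlib.sha256(password.encode()).hexdigest()

def password_violations(candidate, user_name="", birth_year=None, history=()):
    """Return the policy rules the candidate breaks; an empty list means compliant."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
        problems.append("needs both upper- and lowercase letters")
    if sum(c.isdigit() for c in candidate) < MIN_DIGITS:
        problems.append("needs at least two numerals")
    lowered = candidate.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("based on a common word")
    if user_name and user_name.lower() in lowered:
        problems.append("contains the user's name")
    if birth_year and str(birth_year) in candidate:
        problems.append("contains the user's birth year")
    if password_digest(candidate) in list(history)[-HISTORY_DEPTH:]:
        problems.append("reuses one of the previous six passwords")
    return problems

@dataclass
class Account:
    failures: int = 0
    locked: bool = False  # only an administrator clears this flag

def record_login_attempt(acct, succeeded):  # three-strikes rule: third consecutive failure locks
    if acct.locked:
        return "locked: contact a supervisor"
    if succeeded:
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked = True
        return "locked: contact a supervisor"
    return "denied: %d attempt(s) left" % (MAX_FAILURES - acct.failures)

def admin_unlock(acct):
    acct.failures, acct.locked = 0, False  # administrative intervention lifts the lock
```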
Justification for Changes in the Password Policy
The two aforesaid changes relate to preventing access to the information system of Heart-Healthy Insurance by unauthorized personnel. This is premised on the provision of Title II of HIPAA that obligates companies to which patients’ electronic data has been entrusted to safeguard that data (Government Publishing Office, 2017). It is also premised on the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act (CDC, 2017). The provisions of HITECH obligate companies to prevent fraudulent use of data gained in the pursuit of healthcare-based activities. Finally, the provisions of the Payment Card Industry Data Security Standard (PCI DSS) obligate the company to protect credit card information, which is also held in the Heart-Healthy Insurance databases (PCI Standards Council, 2010; Campbell, 2016).
No matter how advanced a password-protected ISMS is, it will only be as safe as the passwords used to access it. The first modification prevents a user from choosing a weak password, which would create a high probability of fraudulent access through guessing. The modification makes passwords stronger and more complex, and thus harder to guess. However, no password is beyond a good guess, especially when the person guessing has an unlimited number of attempts (Campbell, 2016). This is the premise for the second modification, which requires administrative intervention in the case of more than three wrong password entries. With a more complex password and a limited number of guesses, the strength of the password is enhanced.
References
Campbell, T. (2016). Practical Information Security Management. In Standards, Frameworks, Guidelines, and Legislation (pp. 71-93). New York: Apress.
CDC. (2017). Meaningful Use: Introduction. Retrieved from https://www.cdc.gov/ehrmeaningfuluse/introduction.html
Federal Trade Commission. (2015). Gramm-Leach-Bliley Act. Retrieved from https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act
Gaivéo, J. M. (2015). Security of ICTs Supporting Healthcare Activities. In Standards and Standardization: Concepts, Methodologies, Tools, and Applications (pp. 192-212). doi: 10.4018/978-1-4666-8111-8
Government Publishing Office. (2017). Health Insurance Portability and Accountability Act of 1996 Public Law 104-191. Retrieved from https://www.gpo.gov/fdsys/pkg/PLAW-104publ191/html/PLAW-104publ191.htm
PCI Standards Council. (2010). PCI DSS quick reference guide. Retrieved from https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf
Pompon, R. (2016). Why Audit? In IT Security Risk Control Management (pp. 3-11). New York: Apress.