Summary of the Problem
Information security, from the perspective of breach management and privacy, is a very important concern for the information management team. In this case, the healthcare organization is dealing with a confidentiality breach. A breach is an impermissible disclosure under the Privacy Rule that compromises the privacy of protected health information to the extent that it poses a substantial risk, in this case a reputational one, to the affected party (Wikina, 2014). One of the organization’s coders gained access to a colleague’s health record and disclosed that the victim suffered from HIV. The action led to a complaint being forwarded to the hospital’s legal department, which resulted in the termination of the perpetrator’s employment with the healthcare organization.
The Nature of the Data Breach
The case is a typical example of an insider threat. An insider threat arises within an organization when an employee or any other user with access to the organization’s technology infrastructure intentionally or accidentally divulges information without authorization (US Department of Health and Human Services, 2018). The coder was an intentional insider threat who set out to harm his colleague. The coder gained access to the protected health information by impersonating the victim and logging into his account. The breach was mainly the result of inadequate logging and auditing of access to critical technology assets, including the protected health information (US Department of Health and Human Services, 2018).
Investigation of the Breach, Risk Assessment, and Communication Plan
Was the breach a result of the increased use of health information technology or of human error? The adoption of information technology, particularly Electronic Health Records (EHR), has exposed personal health information to hackers and fraudsters (Hourihan & Cline, 2012). However, most breaches are the result of human error. The investigation will seek to determine how the perpetrator managed to obtain the victim’s login credentials. Did the culprit hack into the account, or was the access a result of human error? Up to 75% of all security breaches result from failure to follow procedures (Wikina, 2014). Attackers target human vulnerabilities and use social engineering tactics to obtain authentication details. The probe will seek to determine whether the system had a security loophole or whether the victim intentionally or accidentally shared his login credentials. Once the primary cause of the breach is identified, an analysis will be conducted to confirm that the same breach cannot recur and to identify ways to improve the current level of system security.
Depending on the outcome of the investigation, the health information management team recommends the following measures to avoid any future breach (US Department of Health and Human Services, 2018).
Train staff and IT users on data access and control procedures to mitigate procedural errors. If the login credentials to the victim’s account were disclosed to the perpetrator as a result of human error, training may be required to sensitize staff members to cybersecurity.
Implement and use workforce access auditing of health record systems and sensitive data to detect and prevent unauthorized access.
Incorporate privileged access management tools that report access to critical technology infrastructure and systems. This will help track and record every login.
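As an added illustration of the auditing the two technical recommendations call for (this is example code written for this page, not part of the essay or of any cited source), the script below reviews a small, constructed EHR access audit log. It applies two review rules that would have surfaced the incident described above: any access to a record that belongs to a member of the workforce is flagged for review (including an account viewing its own record, which is the pattern an impersonator produces), and any login from a workstation that the account has never used in its baseline period is flagged as a possible credential misuse. The log format, the field names, the employee-record flag table and the baseline cut-off date are all assumptions made for the example.

```python
"""Review an EHR access audit log for two insider-threat indicators.

Rule 1: access to a record flagged as belonging to a workforce member.
Rule 2: an account used from a workstation outside its learned baseline.
Everything below (log fields, sample events, flag table) is constructed.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample audit log. Field names are assumed, not from any real EHR product.
SAMPLE_LOG = """timestamp,account,workstation,patient_id,action
2019-03-01T08:01:10,jdoe,WS-HIM-02,P1001,view
2019-03-01T09:15:00,asmith,WS-CODING-07,P2201,code
2019-03-02T08:03:42,jdoe,WS-HIM-02,P1002,view
2019-03-02T09:20:12,asmith,WS-CODING-07,P2202,code
2019-03-04T12:31:05,jdoe,WS-CODING-07,P3301,view
2019-03-04T12:33:40,jdoe,WS-CODING-07,P1004,view
2019-03-05T08:00:55,jdoe,WS-HIM-02,P1003,view
"""

# Constructed flag table: patient ids that belong to workforce members -> that member's account.
# HIM departments commonly keep such a table so that employee-as-patient records get extra review.
EMPLOYEE_RECORDS = {"P3301": "jdoe"}

# Events dated before this (assumed) cut-off train the per-account workstation baseline;
# events on or after it are the review window.
BASELINE_END = "2019-03-03"


def parse_log(text):
    """Parse CSV audit lines into dicts; ISO-8601 timestamps sort correctly as strings."""
    return list(csv.DictReader(StringIO(text)))


def build_workstation_baseline(events, baseline_end):
    """Map each account to the set of workstations it used during the baseline period."""
    baseline = defaultdict(set)
    for event in events:
        if event["timestamp"] < baseline_end:
            baseline[event["account"]].add(event["workstation"])
    return baseline


def review_access_log(text, employee_records=EMPLOYEE_RECORDS, baseline_end=BASELINE_END):
    """Return one alert dict per review-window event that trips at least one rule."""
    events = parse_log(text)
    baseline = build_workstation_baseline(events, baseline_end)
    alerts = []
    for event in events:
        if event["timestamp"] < baseline_end:
            continue  # baseline period only trains; it is not reviewed here
        reasons = []

        # Rule 1: the record belongs to a workforce member.
        owner = employee_records.get(event["patient_id"])
        if owner is not None:
            kind = "self-access" if owner == event["account"] else "colleague-record access"
            reasons.append(f"record of workforce member {owner} ({kind})")

        # Rule 2: the workstation is outside this account's baseline.
        known = baseline.get(event["account"], set())
        if known and event["workstation"] not in known:
            reasons.append(
                f"workstation {event['workstation']} not in baseline {sorted(known)}"
            )

        if reasons:
            alerts.append({
                "timestamp": event["timestamp"],
                "account": event["account"],
                "workstation": event["workstation"],
                "patient_id": event["patient_id"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in review_access_log(SAMPLE_LOG):
        print(alert["timestamp"], alert["account"], alert["patient_id"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

On the constructed log, the 12:31 event is the one that mirrors the case: the victim’s account is used from the coder’s usual workstation to open the victim’s own flagged record, so both rules fire at once; the following event from the same workstation trips only the baseline rule, and the next-day login from the usual workstation produces nothing. In practice the baseline would be built from weeks of history and the flag table maintained by HIM, but the review logic is the same.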
Short-term and Long-term Consequences of the Breach
In the short term, the security breach will reduce staff productivity (Smith, 2016). The victim and his colleagues will find themselves in a suffocating working environment that is not conducive to optimum productivity. The impact of the breach on the victim’s health and safety will also affect his performance at work. In addition, the victim will suffer reputational damage because of the breach.
In the long term, the security breach will have an organizational effect in the form of mitigation, investigation, and response costs (Smith, 2016). While mitigation, in the form of firing the perpetrator and cancelling his security clearance, can be carried out immediately, an investigation into the incident must still be conducted. The recommendations made will then be implemented to provide a long-term improvement in system security. The organization will incur response expenses to cover the investigation and the resulting modifications.
Key Stakeholders
Under the HIPAA Breach Notification Rule, a notification must be sent to the affected patient within 60 days of discovery of the breach (Smith, 2016). However, since the victim was the one who reported the breach, the organization does not have to send him a notification. Furthermore, since only one member of staff was affected, there is no need to post a statement about the breach on the organization’s website. A notification will be sent to the Secretary of Health and Human Services (HHS) informing the department of the breach (Smith, 2016). Because the breach affected only one person, the healthcare organization is required to submit this notification once per year.
To address the data breach within the organization, a response team will be set up. The HIM director will act as lead investigator and oversee the investigation. The human resources department must be part of the response team to handle the dispute between the colleagues. The IT department will provide insight into the security breach and recommend how to address it (Smith, 2016). Finally, an attorney must be included in the team in case the victim decides to file a lawsuit against the healthcare organization. The members of the response team will liaise to ensure that the current situation does not escalate into a major issue that might lead to an expensive lawsuit.
References
Hourihan, C., & Cline, B. (2012). A look back: US healthcare data breach trends. Health Information Trust Alliance. Retrieved from https://hitrustalliance.net/content/uploads/2014/05/HITRUST-Report-US-Healthcare-Data-Breach-Trends.pdf
Smith, T. T. (2016). Examining data privacy breaches in healthcare.
US Department of Health and Human Services. (2018). Health industry cybersecurity practices: Managing threats and protecting patients.
Wikina, S. B. (2014). What caused the breach? An examination of use of information technology and health data breaches. Perspectives in Health Information Management, 11(Fall).