Essay
Subject:
Computer sciences and Information technology
Topic:
The EHR Blues: Fears of Adopting the Threat of An EHR Data Breach
As the Privacy and Security Officer, one of the biggest fears that the board of directors (BOD) feared which caused a bit of hesitancy to move forward with the adoption of the EHR, has become a reality. You were recently notified of a recently discovered data breach that impacted your employer which represents ten (10) hospitals along the northeast coast. You are responsible for creating a breach notification letter. This letter is sent to patients whose patient health information (PHI) has been compromised in the breach. According to federal regulations, the breach notification letter must contain five required elements addressed in a customized manner according to the situational circumstances and consisting of:
1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known
2. A description of the types of unsecured PHI that were involved in the breach (i.e., full name, Social Security number, date of birth, home address, account number, diagnosis, or disability code)
3. Any steps individuals should take to protect themselves from potential harm resulting from the breach
4. A brief description of what the organization is doing to investigate the breach, to mitigate harm to the individuals, and to protect against any further breaches
5. Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Website, or postal address If appropriate. The organization may include other customized information, including:
• Information about steps the organization is taking to prevent future similar breaches
• Information about sanctions the organization imposed on workforce members involved in the breach; Identity of workforce members should be on a need-to-know basis according to organizational policy
• Consumer advice directing the individual to review account statements and monitor credit reports
• Recommendations that the individual place a fraud alert on their credit card accounts, or contact a credit bureau to obtain credit monitoring services, if appropriate
• Contact information for credit reporting agencies, including the information needed for reports for criminal investigation and law enforcement
• Contact information for national consumer reporting agencies
Create a letter that incorporates the five required elements, and also include all six of the subcategories of information found in item #5. Using the actual breach case of the Affinity Health Plan in 2013 attached below; research a healthcare data breach that occurred within the past ten years to better assist you in understanding the true impact of a healthcare data breach and efforts taken to respond and prevent future occurrences. You will need to make up the specifics about your health care organization (email address, website, phone number, address…) but use the case for specifics about the breach event. Submit one (1) single presentation at the conclusion of Week Two no later than Sunday, by 11:59 PM EST. This is an individual assignment.
Breach Notification Letter.
[Date]
[Patient Name &Address]
Dear [Patient]:
We are sending this letter to you as part of our company’s commitment to patient privacy. This is a subject we take seriously and as a result of this, it is important we notify our patients of any potential privacy issue. We have learned with a lot of regret that there was a recent breach of your personal health information on 2/20/2018 by Global Health Care Medical. On the date of the breach, the intruders got access to information on the system. We found evidence of the intrusion the following day on 2/21/2018 and we have reasons to believe that your information was compromised. We have reported the incident to investigative agencies because this is a reason for concern. We however don’t have any evidence at the moment of what information might have been accessed or used by the intruder.
The types of unsecured PHI that could have been breached include the names of the patients, the social security number, and account number. These are pieces of information we believe were inadvertently disclosed to a third party. This is serious since we believe they could have gotten access to crucial information that may adversely affect your privacy (Kshetri, 2010).
Following this unfortunate incidence, it is important that you take safety measures that are geared towards protecting your information. As soon as you receive this notification letter call the toll free numbers of your credit bureau and inform them of a possible fraud. This is important since it prevents any malicious person that would be tempted to steal your identity from opening multiple accounts in your name, sell your medical cover, carry out fraudulent tax returns or use your information to procure drugs (Dix, 2012).
As soon as these bureaus receive your distress call they should immediately place alerts on all your credit reports and consequently, provide you with a credit report. Once you receive your credit report please monitor it closely for signs of fraud. An example of a grey area may include inclusion of credit accounts that do not belong to you yet they appear on your report.
After looking at your report, continue monitoring these credit reports from time to time. This is because even after reporting a fraud report, the intruder would have created in your name but is yet to use it. The enemy may then hit when you least expect and this can be pin pointed in consequent reports.
If monitoring this problem may be a hassle for you we are ready to mitigate this problem by catering for the cost of monitoring your account for a year. This service will be offered by a company called Close Eye. This organization will closely monitor your account for malicious activity and later report to you for any unusual credit activity. An example of fertile areas that will be monitored is the creation of new accounts without your approval. Close Eye will also be required to place a Fraud Alert on your credit by liaising with credit bureaus. To benefit from this offer, please write an email to us via medicalhelp@care.or with your name and we will handle the rest.
We assure you that the organization is going to carry out thorough investigations. This is will be by the use a risk assessment tool(“Breach Notification Detailed,” 2012). This investigation will be based on the risk factors. The first risk factor will be the nature as well as the extent of the PHI involved and the types of identifiers. The second risk factor is the unauthorised person who got access to this information. The investigation will find out what information that the intruder accessed and for what purpose did he or she intend to use it for. Thirdly, it would be prudent to find out whether the PHI was viewed or acquired. It would be a high risk if the intruder viewed and acquired the PHI (Omotosho et al, 2014). At this stage, we will find out if it was an internally accessed or was this disclosure from outside the organization.
Finally it would be important to find out whether the PHI risk was actually mitigated. For instance, we will find out if the data was visually viewed without further retention or disclosure, the extent of the disclosure, find out the channel used to acquire this PHI and for what purpose this data was intended for. These investigations will be carried out internally as well as externally with the collaboration of investigative agencies.
The organization is taking preventive measures to prevent future breaches. One such measure is the use of a Role Based Access control to secure data that is web based. Consequently, rather than giving control of the system to all practitioners in the health sector, data will only be accessed by associating roles and privileges of an individual taking that role performs. Furthermore, the internet used for the communication will be secured by using authentication and cryptographic techniques.
The encryption technique can also be used to handle this data through what is known as Pseudonymization of Information for Privacy in e-Health (PIPE). This method is primarily based on the patient. The method integrates all health data usage and consequently, all the data does not have to be encrypted. Also only patient identification tags are stored in the pseudonyms that are generated using either symmetric or asymmetric encryption algorithm.
Furthermore, PIPE doesn’t use a patient list to identify patients but rather the patient is given a smart card that he or she uses for identification (Omotosho et al, 2014). This smartcard, contains a secret key for access to medical records. We understand that these smart cards may be lost. The system has a solution for this whereby it has a secret key that can be used to recover the information via an administrator.
Patient control Encryption (PCE) is another solution we are pursuing (“Prospective Payment Systems: Opportunities and Threats for the Pharmaceutical Industry,” 2011). A PCE enables the patient to generate as well as store private and personal encryption keys and therefore in case the host data is compromised the patient’s information will be protected because the server that stores the health information cannot be accessed since the intruder has no access to the keys given to the doctor and therefore he or she cannot decrypt the data. Furthermore, a patient can decrypt key to come up with sub keys and thus only certain data can be accessed.
The organization has imposed sanctions on the workforce members involved in the breach. These members were relieved off their duties since it was found that they were a threat to the e organizations credibility. This was after investigation of the part they played in the breach.
We recommend that our clients place a fraud alert on their credit card accounts since they are high risk area that intruders can use. If doing this turns out to be cumbersome, you can seek the services of a credit bureau that will monitor your credit services.
If you would wish to reach our credit reporting office, you can do so via creditreportoffice@care.or . As you reply please attach your credit reports and we will carry out investigations promptly. In the same light, we will contact law enforcement agencies who will follow up on the issue. You can also reach out to our national consumer reporting agencies via nationalconsumer@care.or
Sincerely,
Compliance Officer
Global Health Care Medical.
References
Breach Notification Detailed. (2012). The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules, 149-160. doi:10.1201/b13693-9
Dix, A. (2012). Electronic Health Records — The Case for Accountability in Hospitals. Managing Privacy through Accountability, 188-192. doi:10.1057/9781137032225_10
Kshetri, N. (2010). The Global Cybercrime Industry and Its Structure: Relevant Actors, Motivations, Threats, and Countermeasures. The Global Cybercrime Industry, 1-34. doi:10.1007/978-3-642-11522-6_1
Omotosho, A., & Emuoyibofarhe, J. (2014). A Criticism of the Current Security, Privacy and Accountability Issues in Electronic Health Records. International Journal of Applied Information Systems, 7(8), 11-18. doi:10.5120/ijais14-451225
Prospective Payment Systems: Opportunities and Threats for the Pharmaceutical Industry. (2011). The SAGE Handbook of Healthcare, 41-56. doi:10.4135/9781848605985.n3
