Information Technology (IT) in Health Care
Information technology (IT) failure in healthcare organizations happens when software incompatibility issues emerge, leaving Electronic Healthcare Systems (EHS) unable to accommodate existing medical practice needs. An IT breach, on the other hand, ensues when there is a specific impermissible use or disclosure that compromises the privacy of protected health information and data. When an IT failure or breach occurs, there is a risk of harming clients through unwanted access to their details, which can then be used for malicious purposes (Hammouchi et al., 2019). There are many cases of hospitals discovering a health information technology failure or breach during the delivery of Medicare services. This paper explores cases in which healthcare organizations have identified breaches or failures of their health information systems.
Healthcare Organizations that have Recently Faced Information Technology Breach
The Florida Orthopedic Institute (FOI) is an example of a healthcare organization that faced a healthcare information management system (HIMS) breach. FOI experienced a ransomware attack by malicious parties on April 9, 2020. The attack was detected when staff were unable to access the HIMS because the data files had been newly encrypted (Dimov & Tsonev, 2020). The breach affected more than 640,000 persons, as per the Office for Civil Rights (OCR) website. The other case in which a healthcare data system was breached involved the Baton Rouge Clinic (BRC) in Louisiana. The attack, which happened in July 2020, tampered with the email and phone systems, thereby limiting laboratory and radiology services (Alunge, 2020). As in the FOI case, almost 309,000 patients were affected by the ransomware attack (Dimov & Tsonev, 2020). The effects were felt both on the management’s side and from the individual patient’s perspective.
Four Key Factors that May have Contributed to the Breaches
The four factors that may have played a key role in the breaches of information at FOI and BRC are improper disclosure, unauthorized access, loss, and theft. Improper disclosure happens when there is intentional or unintentional disclosure of information to personnel who have no right to access the data (Dimov & Tsonev, 2020). It occurs mostly due to memory leaks in the HIMS or conspiracy between workers to defraud the organization. The FOI case was suspected to involve memory interference made possible by weak configurations that enabled crackers to access the data. BRC is said to have lost its data encryption credentials during the authentication process, which led to third parties manipulating the logins and thereby causing information leakage that harmed both the healthcare institution and its patients (Alunge, 2020). The investigation that was carried out revealed that the ransom might have been paid because some staff may have wanted to benefit from the insurance claims that would be sent to the companies providing health cover for various patients.
How HIMS Failure Impacted the Organizations’ Operations
The cyberattack limited laboratory and radiology services at BRC, while FOI had difficulty accessing its medical record system for reimbursement. As a result, both healthcare organizations suspended their software systems and had to return to manual work for a while (Dimov & Tsonev, 2020). Employees of the organizations had a hard time managing the work under the pressure of identifying possible conspiracies among themselves. Staff therefore worked under pressure, which led to low productivity, as some people felt unable to perform intensive tasks for fear of suspicion (Alunge, 2020). The impact was felt most by the financial departments of the two institutions, as many patients withdrew their insurance commitments to the hospitals because of the damaged reputation.
Leadership Actions Towards the Breach
Following the attacks, the management of FOI worked with a third-party forensic expert to investigate the possible cause of the breach. Additionally, the leadership team sent notifications to the affected individuals, warning them to ignore any alteration to their data (Dimov & Tsonev, 2020). BRC followed the cyber kill chain approach by shutting down its technology-centric systems in order to prevent further attacks. The management investigated the matter through unnamed cybersecurity firms that consulted with the Federal Bureau of Investigation (FBI) (Alunge, 2020). The measure, though late, was sufficient because patients became aware of the attack and were not drawn into monetary scams or psychological distress.
Whether or Not the Organizations Had Sufficient Resources
Both BRC and FOI had put in place several measures that were meant to prevent information breaches from occurring. However, the approach did not meet the required standards, since it did not prevent ransomware. For instance, the websites of both organizations had weak secure sockets layer (SSL) configurations that made authentication and encryption easy for malicious parties to defeat (Alunge, 2020). Furthermore, the IT staff in the HIMS divisions lacked the skills needed to put the cyber kill chain into practice. As a result, staff handled the systems carelessly, leaving the databases open to personnel who did not work in the department and thereby contributing significantly to the attack.
Three Outcomes for the Facilities
The likely outcomes for the facilities would be low patient turnout for health services. Additionally, some of the personnel involved would be scrutinized and, if found guilty, would lose their jobs. Lastly, the facilities would suffer losses if stakeholders withdrew from their contractual agreements (Beltran-Aroca et al., 2016). The overall verdict is fairly important because it would push the hospitals to adopt strong security obligations, which would mean a sustainable business in the future.
Practices that Can be Adopted to Prevent HIMS Failures
To prevent health information management system failures, hospitals can use secure transmission, segregate data, and perform the cyber kill chain process frequently. Secure transmission means that any healthcare firm should transfer health data through a safe channel, for example by applying the Advanced Encryption Standard (AES) with 256-bit keys to encrypt health data (Hammouchi et al., 2019). Data segregation may involve gathering health data and presenting it in a summarized format, using software cohorts to keep the information safe. The cyber kill chain process can be supported by using strongly secured SSL databases, such as key-in values, to protect the data.
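The secure-transmission practice above names AES-256 but not how a record is protected end to end. The following Go program is an added example written for this page, not code from the essay or from any of the organizations it discusses. It assumes AES-256 in GCM mode (the essay does not state a mode; GCM is chosen here because it authenticates the ciphertext as well as encrypting it), a constructed demonstration key (a real deployment would obtain the key from a key-management service, never from source code), and a constructed patient record. It shows that a record encrypted before transmission decrypts correctly for the intended recipient, and that any alteration in transit, or an attempt to re-attach the ciphertext to a different patient identifier, is detected rather than silently accepted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// demoKey is a constructed 32-byte AES-256 key for this example only.
// Production keys come from a key-management service, not from source code.
var demoKey = sha256.Sum256([]byte("constructed demo key material - not for real use"))

// sealRecord encrypts a health record with AES-256-GCM and binds it to a
// context string (for example the patient identifier) as associated data.
// The result is nonce || ciphertext || authentication tag.
func sealRecord(key, record, context []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key length selects AES-256 when it is 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; GCM must never reuse a nonce under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, context), nil
}

// openRecord verifies the authentication tag and decrypts. It fails closed:
// a modified ciphertext, a modified nonce, a wrong key or a different
// context all return an error and no plaintext.
func openRecord(key, sealed, context []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short to contain nonce and tag")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, context)
}

// tamperDetected reports whether flipping one ciphertext byte is caught
// when the record is opened.
func tamperDetected(key, sealed, context []byte) bool {
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // corrupt the last byte of the tag
	_, err := openRecord(key, tampered, context)
	return err != nil
}

func main() {
	// Constructed sample record and patient identifier.
	record := []byte("MRN 000123; dx: hypertension; rx: lisinopril 10mg")
	patientID := []byte("PID-000123")

	sealed, err := sealRecord(demoKey[:], record, patientID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes (nonce + ciphertext + tag)\n", len(sealed))

	plain, err := openRecord(demoKey[:], sealed, patientID)
	fmt.Printf("recipient decrypts: %q (err=%v)\n", plain, err)

	fmt.Println("modified in transit detected:", tamperDetected(demoKey[:], sealed, patientID))

	// Re-attaching the ciphertext to another patient fails the context check.
	_, err = openRecord(demoKey[:], sealed, []byte("PID-999999"))
	fmt.Println("wrong patient context rejected:", err != nil)
}
```

The associated-data argument is what ties a ciphertext to the patient it belongs to; without it, an intact encrypted record could be swapped into another patient's file without the decryption step noticing.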
Current Government Requirement for Preventing HIMS Breaches
The Health Insurance Portability and Accountability Act (HIPAA) is an example of a current government requirement meant to ensure that hospitals prevent potential cases of health information failures and breaches. The Act, which is part of US federal law, requires all healthcare institutions to conform to national standards created to protect sensitive patient data from being accessed by unwanted personnel without the consent of the stakeholders (Beltran-Aroca et al., 2016). Through HIPAA, there has been adherence to appropriate administrative and technical safeguards that have ensured the confidentiality and security of protected patient information.
Additionally, the Act requires all hospitals to carry out integrity checks on staff by following their track records in the implementation and execution of various health policies (Hammouchi et al., 2019). HIMS breaches have been a common issue in healthcare institutions, and not only in the FOI and BRC cases; many more examples could be used to show the extent of the matter. By implementing the recommended health information system management measures, medical firms can prevent harm to stakeholder data, which would allow a more flexible practice of healthcare.
References
Alunge, R. (2020). Breach of security vs personal data breach: Effect on EU data subject notification requirements. International Data Privacy Law, 3(12), 22-30. Web.
Beltran-Aroca, C., Girela-Lopez, E., Collazo-Chao, E., Montero-Pérez-Barquero, M., & Muñoz-Villanueva, M. (2016). Confidentiality breaches in clinical practice: What happens in hospitals? BMC Medical Ethics, 17(1), 10-12. Web.
Dimov, D., & Tsonev, Y. (2020). Observing, measuring, and collecting HDD performance metrics on a physical machine during a ransomware attack. Information & Security: An International Journal, 47(3), 317-327. Web.
Hammouchi, H., Cherqi, O., Mezzour, G., Ghogho, M., & Koutbi, M. (2019). Digging deeper into data breaches: An exploratory data analysis of hacking breaches over time. Procedia Computer Science, 151(5), 1004-1009. Web.