Healthcare Management Case Analysis Essays Example
The healthcare industry has become reliant on information technology. With the huge volume of information and data recorded in every transaction and operation, IT has become an essential component of every healthcare provider. However, the industry’s reliance on IT has also exposed healthcare providers to the security threats and vulnerabilities of a highly computerized system. Just recently, this organization experienced a terrible incident in which the names of 4,000 HIV+ patients being treated in this facility were leaked. While the incident carries legal implications, the organization’s reputation is also placed in question because of this major information breach. After a thorough investigation, it was found that employees have been lax and negligent in using the institution’s IT system. The current IT management system also has certain gaps that need to be addressed. This paper therefore explores the vulnerabilities of the current IT system and provides recommendations on how they can be mitigated.
An internal investigation was conducted clandestinely to identify the cause of the breach, and it found a serious disregard for IT security. Nurses were found to leave their station computers open and running. Doctors do the same and, worse still, leave their system passwords taped to their computers. Printers and fax machines can be easily accessed, since they are placed in rooms without locks. It was also found that a certain login password provides access to all of the institution’s databases, including that of its human resources department. The system also allows people to keep their passwords indefinitely, without reminding them to change them every now and then. Lastly, it is evident that most employees do not place high regard on information security, since they are all willing to give away their passwords, while requests for sensitive information are rarely questioned. After careful investigation, it is quite obvious that most of the organization’s employees utterly neglect IT security, leaving the whole system vulnerable to a security breach. This finding is consistent with studies indicating that employees, or human vulnerabilities, are the leading cause of IT security issues.
Importance of Information System Security
Information technology as applied in healthcare encompasses a wide variety of services and support systems. As observed, “The role of health IT in care management is to support care management functions, including patient data capture, aggregation, analysis, and reporting”. Currently, several technologies are being developed to further improve the use of IT in healthcare. Health IT services, for example, can be used to consolidate patient records for health maintenance organization (HMO) purposes, as well as for telemedicine to support health services in remote locations. Because of the wide range of support that IT can offer in healthcare, going back to a manual setup is not an option, and healthcare institutions have no choice but to embrace and improve their IT systems. Over the years, a healthcare institution accumulates vast amounts of data, covering not only its patients’ medical records but also their personal records. Because of this rich information resource, the healthcare industry has been a target of most cyber-attacks in recent decades. Cybercrimes and their perpetrators have also grown in sophistication. As observed, cybercriminals today employ ingenious strategies and complex technologies to avoid detection and to prey on useful data for their own personal gain, such as stealing account numbers, committing identity theft, or gathering information in order to sell it to interested companies. Because of these risks, it is important that healthcare information is safeguarded against IT threats.
Among the common threats associated with using IT systems are:
Social Engineering - defined as “the act of breaking corporate security by manipulating employees into divulging confidential information”. As observed by researchers, social engineers exploit the weakest link in an organization’s information system, namely the people who use it. One of the most common methods used by people who conduct these scams is to pretend to be an employee in order to extract information from unsuspecting users.
Malware – malicious software that can take the form of viruses, worms, Trojans, and spyware. Malware has the ability to decipher usernames, passwords, codes and other security measures. Some malware gives its developers access to a computer, enabling them to monitor its activity remotely.
Removable Storage Devices – devices that can be used to extract information directly from the system. Today, several kinds of devices have this capacity, such as USB drives, cellphones and other devices that can electronically store data and are not part of a system’s internal hardware. These devices can be used to copy confidential information from an open system. This type of unauthorized information gathering is one of the easiest yet most devastating, as large files can be copied in just seconds.
To address the gaps in the organization’s information system, several strategies must be employed, focusing on strengthening security awareness and preventing security breaches. Among the strategies that will be employed are:
Creation of a dedicated IT department. In every large organization, division of labor is an important element in delegating important tasks. The reason for creating a dedicated department for IT services is to provide internal control and maintenance of IT systems, so that IT issues can be easily identified, mitigated and resolved. IT systems are complex and need professional support. For that reason, any organization that uses complex IT systems, as the healthcare industry does, must have dedicated and competent IT professionals. An IT department can provide a host of important services for the organization. Examples are the maintenance and improvement of the organization’s IT system, which includes detection and prevention of viruses and malware, monitoring of login information, and maintenance of the software and hardware components of the system, among many other functions.
Information Technology Security Awareness Campaign. It is quite obvious that employees of the healthcare organization take IT security for granted. Most likely, this behavioral issue is related to a lack of information and awareness. According to research, new employees, contractors and executive assistants are at high risk of being involved in social engineering and phishing attacks because of ignorance. In addition, 34% of organizations do not make any attempt to educate their employees about the risks associated with an unsecure IT system. It is, therefore, necessary to emphasize the importance of IT security by making sure that every employee is aware of its risk factors.
Increasing accountability by providing individual login information. As identified in the initial investigation, employees of the organization can freely access information just by logging in with a single password. In such a situation, if a breach of information occurs, it would be very difficult to trace the source. Providing individual login information increases the accountability of employees towards the organization’s IT system. In effect, employees would be more careful in using their accounts and would treat their logins with utmost secrecy and confidentiality.
Providing information on a need-to-know basis. Not all employees should have access to all the information on the system. The level of information provided to each employee must therefore be limited to a need-to-know basis. Nurses, for example, would only be able to access information that is critical to the completion of their duties. The same goes for doctors, the Human Resources department, Billing, etc. This strategy aims to limit the damage of a security breach in case one successfully infiltrates the system. If an employee, for example, decides to conduct malicious attacks using his login, the information that he can get would be limited to the information allowed for that employee.
Create an implementation and monitoring plan. The effectiveness of these recommended strategies depends on their implementation and monitoring plan. For these strategies to be effective, there has to be a sense of urgency and importance. This can be accomplished by incorporating these IT strategies into the organization’s policies and regulations. It means that every violation of the organization’s IT security policies will have its administrative consequence. It is also important that these strategic plans are monitored for compliance.
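The individual-login and need-to-know strategies above can be shown working together in a short sketch. This is an added example, not part of the original essay; the role-to-category map, account names and record ids are constructed for illustration.

```python
from collections import Counter

# Constructed need-to-know map: the essay names the roles; the record
# categories assigned to each are assumptions for illustration.
NEED_TO_KNOW = {
    "nurse":   {"vitals", "medication_orders"},
    "doctor":  {"vitals", "medication_orders", "diagnoses"},
    "billing": {"invoices"},
    "hr":      {"employee_records"},
}

class AccessGate:
    """Checks each read against the caller's role and logs it per login."""

    def __init__(self, users):
        self.users = users      # individual login -> role
        self.audit_log = []     # one entry per attempt, allowed or denied

    def read(self, login, category, record_id):
        role = self.users.get(login)   # unknown logins have no role
        allowed = category in NEED_TO_KNOW.get(role, set())
        self.audit_log.append((login, role, category, record_id, allowed))
        return allowed

    def who_read(self, category):
        """Logins that successfully read a category: the question asked after a leak."""
        return sorted({e[0] for e in self.audit_log if e[4] and e[2] == category})

    def denied_counts(self):
        """Denied attempts per login, a signal for compliance monitoring."""
        return Counter(e[0] for e in self.audit_log if not e[4])

def run_demo():
    # Constructed accounts and record ids.
    gate = AccessGate({"n.reyes": "nurse", "dr.okafor": "doctor", "b.lind": "billing"})
    results = [
        gate.read("n.reyes", "vitals", "P-001"),         # within a nurse's duties
        gate.read("n.reyes", "diagnoses", "P-001"),      # outside need-to-know
        gate.read("dr.okafor", "diagnoses", "P-001"),
        gate.read("b.lind", "diagnoses", "P-002"),       # billing has no clinical access
        gate.read("b.lind", "diagnoses", "P-003"),
        gate.read("ward_shared", "diagnoses", "P-001"),  # retired shared login
    ]
    return results, gate.who_read("diagnoses"), gate.denied_counts()

if __name__ == "__main__":
    print(run_demo())
```

Because every entry carries an individual login, the log answers who read a category after a leak, which a single shared password cannot do.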
Abbas, Z., Burney, A., & Mahmood, N. (2010, July). Information and Communication Technology in Healthcare Management Systems: Prospects for Developing Countries. Retrieved March 2015, from http://ijcaonline.org/: http://ijcaonline.org/volume4/number2/pxc3871138.pdf
Appari, A., & Johnson, E. (2008, August). Information Security and Privacy in Healthcare: Current State of Research. Retrieved March 2015, from http://www.ists.dartmouth.edu/: http://www.ists.dartmouth.edu/library/416.pdf
Chitrey, A., Singh, D., & Singh, V. (2012, June). A Comprehensive Study of Social Engineering Based Attacks in India to Develop a Conceptual Model. Retrieved March 2015, from http://core.ac.uk/: http://core.ac.uk/download/pdf/9428698.pdf
Dimensional Research. (2011). THE RISK OF SOCIAL ENGINEERING ON INFORMATION SECURITY: A SURVEY OF IT PROFESSIONALS. Retrieved March 2015, from http://www.checkpoint.com/: http://www.checkpoint.com/press/downloads/social-engineering-survey.pdf
Jayakumar, A. (2014, February). Cyberattacks are on the rise. And health-care data is the biggest target. Retrieved March 2015, from http://www.washingtonpost.com/: http://www.washingtonpost.com/blogs/wonkblog/wp/2014/02/05/cyberattacks-are-on-the-rise-and-health-care-data-is-the-biggest-target/
Stoneburner, G., Goguen, A., & Feringa, A. (2002, July). Risk Management Guide for Information Technology Systems. Retrieved March 2015, from http://www.hhs.gov/: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf
Wirth, A. (2011, January). Cybercrimes Pose Growing Threat to Medical Devices. Retrieved March 2015, from http://www.aami.org/: http://www.aami.org/hottopics/cybersecurity/AAMI/2011JF_CyberCrimes.pdf