Patient security and privacy

Explain the characteristics of technical, physical, and organizational privacy and security
concerns.



Questions for Discussion:
1. Who is responsible for the breach in confidentiality? The technician? Kaiser Permanente?
And why?
2. Will this breach of confidentiality discourage subscribers from accessing the Kaiser Web site
to fill prescriptions and seek medical advice? How can subscribers be reassured that their information
will be kept confidential in the future?

SECURITY AND PRIVACY 2
1. Should healthcare institutions conduct background checks on new employees who will be
allowed access to confidential patient information? What information should be accessible to such
employees?
2. How could the hospital have prevented the misuse of patient information from occurring?
Was the hospital’s security system at fault for this breach of security?
3. Should the hospital be held accountable for the actions of the technician?
Case 4.44: University Tightens Computer Security
A university is tightening its computer security after hackers broke into a computer at the
medical school and secretly used it to generate a flood of e-mail advertisements. Efforts by the
university to cope with the break-in have caused balky and intermittent e-mail service for seven
months for hundreds of staff members. At least once, e-mail service throughout the system shut
down for two days. University officials did not detect the break-in until at least a couple of weeks
later, when someone forwarded an advertisement sent by the computer.
A university spokesperson said that no file information was improperly accessed. Instead the
hackers merely used the system to generate e-mail promoting other websites. The university
announced that $150,000 would be spent to install new equipment to restore the e-mail system. A
number of security measures were being upgraded to prevent the computer system from being
broken into in the future.
Source: Birch D. Hopkins tightens computer security. The Baltimore Sun. May 29, 1999: 1B-2B.
Questions for Discussion:
1. Are university medical center information systems especially vulnerable to hackers? Why, or
why not?
2. Is the medical center accountable for any harm that is caused by unauthorized entry into
patient records?

Patient Security and Privacy

Section 1
Physical, technical, and organizational privacy and security concerns fall into two main
categories: concerns about the systemic flow of information across the whole healthcare
industry, and concerns about the inappropriate release of information within an
organization. The latter may arise when individuals are given access to confidential
information in violation of the organization’s privacy policy (Kshetri, 2013). The systemic
concern, on the other hand, is the release of patient-identifiable health information against
the patient’s wishes, which is a major invasion of patient privacy.
The concerns have different characteristics. For example, organizational threats involve
the vulnerability of an individual organization’s electronic health records to external or
internal agents. Internal agents are those who are authorized to access information yet
abuse their privileges.
Conversely, external agents do not have access to the information, yet they try to
manipulate the data or render the system unusable. Another characteristic is the concern
that sensitive information could easily be used against patients as a means of gaining
leverage over them (Boric-Lubecke et al., 2014). The information most often targeted is
that of celebrities, employers, politicians, and journalists.
The basic approach to countering threats to privacy in healthcare is establishing policies
against violations and setting heavy fines for anyone who violates privacy rules.
Organizations should also continuously check the accessibility of their systems and employ
trustworthy workers to operate them.
Section 2
Case 4.8: Emails Goes Astray
Question 1
The technician was responsible for the breach. Not checking the backlogged
information before confirming who the email was sent to suggests so. Another reason is the
number of emails sent before the mistake was realized: the medical information of 858
members had been compromised, which is a high volume. Also, instead of reporting the problem to
his superiors, the technician left the insurance company to deal with the mistake he had committed.
Kaiser Permanente was not responsible for the breach, as it tried to correct the problem and put
subscribers at ease about how their information was handled. Under the HIPAA Privacy Rule,
health insurers and organizations are accountable for disclosures of their patients’
information and for confidential communication. Therefore, Kaiser Permanente did the right thing by
informing its subscribers about the technical challenges on the website. They also emphasized
warning subscribers about pretenders in the case of such an issue.
Question 2
The breach will discourage subscribers from using the Kaiser website because of reduced trust in
the organization’s confidentiality. People tend to learn from, or fear, others’ mistakes. The
subscribers can be reassured by integrating a better system that requires regular password
changes, thus narrowing the margin for email being hacked, and by informing them of it. This also
ensures that the company adjusts well to the needs of the subscribers. Notifying them that the
site is being secured for them will make them feel assured and valued. This goes hand in hand with
reassuring them that their information is safe. Employing better technicians to prevent
incompetence at work, and informing subscribers of the root of the problem after an investigation,
is essential, as it tells subscribers that the case was not forgotten and that they are
involved in the processes taking place in the organization.
Case 4.7: Patients Files Used for Obscene Calls
Question 1
Clinical centers should carry out background checks on all new employees before
employing them and allowing them access. The checks should be carried out by searching public
records, private investigations, checking their websites, and face-to-face interviews that require a
detailed history of all previous endeavors, checked against the public record (Yüksel, Küpçü
& Özkasap, 2017). The main benefits include increased value of hire, avoiding the shame of
employing criminals, ensuring regulatory compliance, satisfying industry standards, reduced
chances of drug abuse, less absenteeism, and improved workplace safety and security.
Information that should be accessible to such employees should be minimal. The technician should
only be given access to names of patients and medical records under supervision. Allowing such
minimal access ensures that they do not get the personal information that can be used to irritate
patients. The medical files would be required to conduct his work.
Question 2
There are multiple ways of preventing such a breach. The hospital could have performed
a full background check on the technician, which could have reduced the risk of employing an
incompetent individual. In the case study, the hospital had employed the technician even though he
had previously been convicted of indecent assault and child rape. The hospital should have regularly
updated its access passwords. The incident in the case study was due to a failure to
update the password, which allowed the orthopedic technician access even after he was fired.
The hospital should conduct more frequent vulnerability assessment tests, monthly or
every two months. Updating the software systems would also have prevented the failure to alert
the people in charge of maintaining information systems. The hospital security system was
responsible for the breach, as it failed to inform the employees in charge of maintaining
information systems.
Question 3
For the technician’s actions, the hospital should be held liable. The hospital was
responsible for employing a person convicted of rape and indecent assault to begin with; it did
not conduct background checks while hiring new employees. The security system of the hospital
allowed the technician access even after he was fired. During his time as a technician,
supervision was not provided, giving him freedom of action. The hospital also granted a technician
access to personal confidential information, yet receptionists and secretaries are the people
supposed to possess such information. The hospital was not aware until the girl’s obscene calls
were traced inside the hospital. The hospital information system, including employees, was
incompetent, as this could have been noted at an early stage, but it went on for four months.
Case 4.44: University Tightens Computer Security
Question 1
The University Medical Center information systems are not vulnerable to hackers. From
the context, the fact that the hacker secretly used them to generate a flood of e-mail purely for
advertisement purposes suggests that he or she was not interested in the medical information or
records within the system. No information was reported missing by the
spokesperson. The main aim was to create a flood of email, and any of the superior computer systems
would also have been an easy target. Hackers use an external server to avoid detection while
sending emails or viruses like Trojans to render a given site useless. They look for easy-to-access
mainframes to operate; in this case, the medical school computers were previously not as well
protected as they were after the efforts made following the hack. To restore the email system, the
university spent $150,000 on the installation of new equipment, and a number of security measures
were upgraded in the process.
Question 2
The health center is responsible for any harm that happens to patient health records. The
spokesperson touched on the issue of improper access to information, saying that none was
obtained. This shows that the medical center should beef up the security of the information and
prevent similar hacking cases from occurring in future. Medical centers are bound by Health
Insurance Portability and Accountability Act (HIPAA) rules to prevent disclosure and to protect the
privacy and security of patients’ information and confidential communication. The HIPAA Privacy Rule
safeguards all identifiable health information of patients that is relayed by a covered entity or
business associate. The university had the right of protecting its clients’ information against any
hackers with the intention of violating the rules of privacy, as per HIPAA, within the medical
center. Therefore, the expenses on the installations as well as the upgrade were put forward to
prevent future hacking incidents.


References

Boric-Lubecke, O., Gao, X., Yavari, E., Baboli, M., Singh, A., & Lubecke, V. M. (2014, June).
E-healthcare: Remote monitoring, privacy, and security. In Microwave Symposium (IMS),
2014 IEEE MTT-S International (pp. 1-3). IEEE.
Kshetri, N. (2013). Privacy and security issues in cloud computing: The role of institutions and
institutional evolution. Telecommunications Policy, 37(4), 372-386.
Yüksel, B., Küpçü, A., & Özkasap, Ö. (2017). Research issues for privacy and security of
electronic health services. Future Generation Computer Systems, 68, 1-13.