I need some help on how to start and some references. I really appreciate the help.
The following Scenario:
In a service-related Health Care organization with a staff to patient ratio of approximately
1:100, your role is to assess the quality of security of patient medical records. What
technology threats might this organization face? What information is contained in
electronic medical records that needs to be protected? What products are available to
deter security threats? What can you do to keep your organization's medical records
Detail the ideas, strategies, and recommendations you might make to the management of the organization.
Let's look at some information to consider for each question, which you can draw on for your final copy. It will get you started on this interesting paper.
1. In a service-related Health Care organization with a staff to patient ratio of approximately 1:100, your role is to assess the quality of security of patient medical records.
a. What technology threats might this organization face?
The technology threats have to do with violations of the privacy and confidentiality of patients' medical information, such as 'hackers' obtaining personal medical information that is protected under the federal standards of HIPAA (1996) (please see the next question).
There are other threats that are not so cut and dried. For example, clinical data management (CDM) also presents significant patient privacy and confidentiality issues, among others, which executives and planners must recognize. Understanding these issues ensures that CDM systems are effective without exposing their hosts and users to liability. For potential risks, consider the following examples:
A physician with remote access to and authorization to enter data in electronic patient records asks his medical assistant to log on to the system and retrieve a record, and gives the assistant his access code.
A physician who has been sued for malpractice accesses the patient records of a co-defendant physician and prints them out, even though the patients' paper records have been sequestered.
A patient requests her medical records from a hospital and is given a computer printout which identifies her heretofore unknown birth mother who, twenty years prior, placed her into adoption.
An employer with limited access receives a report, identifying a patient only by age and sex, which lists the patient's prescription costs for AZT; the employer matches the age and sex with its records and identifies the individual.
An insurer with CHIN access uses an individual's genetic testing data to deny coverage.
Successfully identifying which of the above scenarios expose the CDM system's host or its partners to liability for invasion of privacy, defamation or a statutory violation is difficult, at best. Some of the above examples are based on actual circumstances where allegations of invasions of privacy and defamation have been successfully prosecuted against providers and employers, albeit in a paper record environment (excerpted from http://www.netreach.net/~wmanning/cdm.htm).
See http://www.netreach.net/~wmanning/cdm.htm for other ideas.
b. What information is contained in electronic medical records that needs to be protected?
You would advise the hospital to comply with the privacy rule regulations under HIPAA, which define the type of medical information that is protected. The privacy rule involves national standards to protect the privacy of personal health information (PHI) (see http://www.hhs.gov/ocr/hipaa/finalreg.html).
Specifically, Congress called on HHS to issue patient privacy protections as part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA included provisions designed to encourage electronic transactions and also required new safeguards to protect the security and confidentiality of health information. The final regulation covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions (e.g., enrollment, billing and eligibility verification) electronically. Most health insurers, pharmacies, doctors and other health care providers were required to comply with these federal standards beginning April 14, 2003. As provided by Congress, certain small health plans have an additional year to comply. HHS has conducted extensive outreach and provided guidance and technical assistance to these providers and businesses to make it as easy as possible for them to implement the new privacy protections. These efforts include answers to hundreds of common questions about the rule, as well as explanations and descriptions of key elements of the rule. (http://www.hhs.gov/news/facts/privacy.html)
From the same website:
Therefore, the HCO needs to comply with the new privacy regulations to ensure a national floor of privacy protections for patients by limiting the ways that health plans, pharmacies, hospitals and other covered entities can use patients' personal medical information. The regulations protect medical records and other individually identifiable health information, whether it is on paper, in computers or communicated orally. The HCO would comply with the key provisions of these ...
In reference to the case scenario, and by example, this solution discusses the possible technology threats, the electronic medical records that need to be protected, and the products that are available both to deter security threats and to keep medical records secure. In other words, it details the ideas, strategies, and recommendations that a person might make to the management of the organization.
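As an added illustration of the fourth CDM risk listed above (an employer matching a report that carries only age and sex against its own records), here is a small Python example. It is not part of the original solution or of the cited sources; the employee roster, the de-identified prescription report, the names, ages, drugs and costs are all constructed for the example. It shows the linkage attack itself (joining on the quasi-identifiers age and sex), and the k-anonymity check a records custodian could run on such a report before releasing it, with age generalized into ten-year bands.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from the page): the employer's roster ...
EMPLOYEES = [
    {"name": "A. Lopez",  "age": 34, "sex": "F"},
    {"name": "B. Chen",   "age": 41, "sex": "M"},
    {"name": "C. Okafor", "age": 41, "sex": "M"},
    {"name": "D. Patel",  "age": 52, "sex": "F"},
    {"name": "E. Novak",  "age": 29, "sex": "M"},
    {"name": "F. Ruiz",   "age": 37, "sex": "F"},
]

# ... and a "de-identified" prescription-cost report that keeps only age and sex.
REPORT = [
    {"age": 34, "sex": "F", "drug": "AZT",          "cost": 1180.00},
    {"age": 37, "sex": "F", "drug": "sertraline",   "cost": 31.20},
    {"age": 41, "sex": "M", "drug": "atorvastatin", "cost": 42.50},
    {"age": 44, "sex": "M", "drug": "lisinopril",   "cost": 12.75},
    {"age": 52, "sex": "F", "drug": "metformin",    "cost": 18.00},
    {"age": 55, "sex": "F", "drug": "insulin",      "cost": 260.00},
]

QUASI_IDS = ("age", "sex")   # fields that are not names but still single people out


def quasi_id(row, keys=QUASI_IDS):
    return tuple(row[k] for k in keys)


def link_records(report, roster, keys=QUASI_IDS):
    """The adversary's join: for each report row, the roster names sharing its quasi-identifiers."""
    index = defaultdict(list)
    for person in roster:
        index[quasi_id(person, keys)].append(person["name"])
    return {i: index.get(quasi_id(row, keys), []) for i, row in enumerate(report)}


def reidentified(report, roster, keys=QUASI_IDS):
    """Drug -> name for every report row that matches exactly one roster entry."""
    return {report[i]["drug"]: names[0]
            for i, names in link_records(report, roster, keys).items()
            if len(names) == 1}


def age_band(age, width=10):
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def generalize(report, width=10):
    """Replace the exact age with a band; the usual first step toward k-anonymity."""
    return [{**row, "age": age_band(row["age"], width)} for row in report]


def min_group_size(report, keys=QUASI_IDS):
    """Size of the smallest group of rows that share the same quasi-identifier values."""
    return min(Counter(quasi_id(row, keys) for row in report).values())


def is_k_anonymous(report, k, keys=QUASI_IDS):
    """Release check: every quasi-identifier combination must occur at least k times."""
    return min_group_size(report, keys) >= k


if __name__ == "__main__":
    print("Re-identified from exact age + sex:", reidentified(REPORT, EMPLOYEES))
    print("Exact ages, 2-anonymous?", is_k_anonymous(REPORT, 2))
    print("10-year bands, 2-anonymous?", is_k_anonymous(generalize(REPORT), 2))
```

With exact ages, three of the six rows (AZT, sertraline, metformin) map to exactly one employee, and the check fails for k=2 because every (age, sex) pair is unique; after banding the ages, each (band, sex) pair covers two rows and the check passes. The check is only about the quasi-identifiers: if both rows in a band carried the same drug, the group would still leak that drug to anyone who knows a member is in it, so a custodian would also want distinct sensitive values within each group.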