Privacy and Security Issues


Health information systems have become essential operational components in modern healthcare settings because they capture, manage, store, and transmit information more efficiently than traditional methods. In the provided scenario, the board of directors of a national health system is considering adopting an electronic health record system in its constituent facilities. As the IT consultant, the requirement is to work with various team members to gather and analyze system information with the aim of developing an effective, safe, and secure system. The intention is to help them identify security and privacy threats, recommend optimal solutions to mitigate breaches, and provide procedures to follow in case of an actual breach.

According to Krishna, Subrahmanyam, Anjaneyulu, & Kim (2015), cloud computing has emerged as a state-of-the-art information technology, which justifies its current adoption in all economic sectors. Healthcare organizations are also adopting cloud-based solutions because their innovative deployment models satisfy unique user needs. Regardless, confidentiality, privacy, and security of user information are primary concerns that must be addressed before the system is commissioned. These concerns are about establishing rules that prohibit unauthorized access, usage, and transmission of private organizational and client information. As indicated in chapter ten [threats to healthcare information], human threats are of major concern because they are considered vulnerable entry points to any protected system.


Another security and privacy scenario is the threat of external data breaches on both the cloud system and the traditional network within the healthcare institution. Cloud providers have reported frequent attempts on their systems in which perpetrators use more sophisticated tools with each try. The rate at which criminals are evolving relative to organizational measures has raised security concerns, because a successful data breach means exposure of private patient data, fines, and legal suits. Another threat arises from the challenge of implementing a system that can thwart authentication attacks, particularly when users are allowed to log into the system using their devices of choice (Murphy, 2015).

The essence of implementing the electronic health information system is to improve access to data with utmost efficiency. However, having more devices is a security threat, as it makes their tracking, authentication, and authorization challenging. Allowing users to use their own devices introduces vulnerabilities, especially if their native apps have been compromised. Compromised devices act as pivots to other unauthorized activities such as account hijacking, interface hacking, and injection of malicious code into the healthcare system. All of these are security and privacy risks whose existence is detrimental to the successful functioning of electronic systems, especially those with a cloud component.

Insiders are major security threats, especially if they are not adequately trained on information security, data protection, and how to work in a secure manner. As noted in chapter 11 [slide on human threats], threats caused by operators are sometimes accidental and other times deliberate, depending on their motivating factors. For instance, they may install unauthorized applications, share their credentials, or access the system with unsecured devices. At other times, technological solutions may also pose threats to the system if they are not patched or updated, as in the case of Keck Medicine in Los Angeles, where unpatched servers were compromised.

Given the threats discussed above, it is important to make recommendations on ways to prevent security breaches. Based on the work of Junior, Antonio, Ortolani, & Pisa (2016), the first recommendation is the establishment of security guidelines and standards. As described in chapter 10 [Standards Development Process], formal processes should be established in connection with software vendors, government agencies, institutional requirements, and other interested stakeholders. Establishing and following these standards ensures that workers use secure workplace processes to protect information from unintended breaches. The second recommendation is user training to mitigate human threats. Good training provides knowledge of the importance of protecting private information, routines that minimize the chance of a breach, and procedures that guarantee safe handling of private information.

The third recommendation is the implementation of administrative safeguards according to user privileges. As outlined in chapter 11 [Administrative Safeguards], the organization should assign security responsibilities to users, manage information access, and develop reporting processes for security incidents. Junior, Antonio, Ortolani, & Pisa (2016) also add that the organization should adhere to the principle of least privilege, so that users access only what is relevant to their level of clearance and, in case of a breach, minimal information is compromised. The fourth recommendation is the implementation of hardware and software security solutions in proportion to the system's exposure to security threats.

There should be anti-malware programs, network authentication solutions, firewalls, and secure configurations on all network devices as per the established security protocols. Although it is hard to conclude that these recommended solutions provide total protection from breaches, it can be justified at this point that they make unauthorized access difficult. In case a breach occurs, the first step is to report it to management and other concerned stakeholders so that they can make decisions to remediate the incident. It then becomes imperative for the technical staff to handle the breach immediately by determining which devices have been compromised, formulating a containment strategy, and ensuring the compromised devices do not infect others.

The next critical step is the formation of a taskforce to deal with the breach. Breaches cannot be reported to authorities and the legal department without this professional team handling communication and generating analytical evidence for presentation. Then, technical staff can develop a security fix for the remaining devices and isolate the infected ones for additional analysis. It is at this point that external stakeholders can be informed of the breach and any related problem fixed to avoid similar incidents in the future.

  • Bruns, E. J., Hyde, K. L., Sather, A., Hook, A. N., & Lyon, A. R. (2016). Applying user input to the design and testing of an electronic behavioral health information system for wraparound care coordination. Administration and Policy in Mental Health and Mental Health Services Research, 43(3), 350-368. doi:10.1007/s10488-015-0658-5
  • Junior, d. C., Antonio, M., Ortolani, C. L., & Pisa, I. T. (2016). Health Information System (HIS) security standards and guidelines history and content analysis. Journal of Health Informatics, 13(84), 83-92. doi:10.1186/1472-6947-13-84
  • Krishna, B. C., Subrahmanyam, K., Anjaneyulu, S. S., & Kim, T. H. (2015). A Novel Dr. KSM Approach for Information Security and Risk Management in Health Care Systems. International Journal of Bio-Science and Bio-Technology, 7(4), 11-16.
  • Murphy, S. (2015). Healthcare Information Security and Privacy. New Jersey, NJ: McGraw-Hill Education. ISBN 978-0071831796
