January 10th, 2018
Levels of Threat to Healthcare Organizations
The increasing use of electronic health records (EHRs) has created new challenges for healthcare organizations in protecting the privacy and security of patient information. Threats to the security and confidentiality of that information can come from internal or external agents. In particular, the growing use of mobile devices to transmit information, the availability of embedded devices connected, for instance, via Wi-Fi, desktop virtualization that serves many users' desktops from a single server, and malware and data leakage arising from social media use and misuse all pose a high risk of unauthorized access.
Use of portable devices by healthcare professionals to access patient information increases the risk of data loss if the device is lost, and of unauthorized access when such information is carried outside the organization's premises (Gallagher, 2013). Further, such information may be exposed where vulnerabilities exist in the devices' operating systems. Additionally, as Gallagher (2013) observes, texting patient information, for instance to the patient, may disclose it to unauthorized parties. Concerning embedded devices, connecting printers and scanners over a wide area network may allow information collected or output through them to be read by third parties who can reach those networks. Similar third-party access can occur with desktop-to-server virtualization where, for instance, authorized users fail to log out of their sessions on the server, leaving them open to other users of the application. With social media, the risks include applications that collect data from the devices in use, and misuse of social media to convey patient information by an individual who has authorized access to it (Gallagher, 2013).
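Of the risks listed above, the unattended virtual-desktop session is the one with a direct server-side control: the server, not the user, should decide when a session stops being usable. The following is an added example, not code from the original page or from the cited sources. It assumes a small in-memory session store with an idle timeout and an absolute (shift-length) timeout, and the timeout values and user names are illustrative assumptions.

```python
"""Server-side idle and absolute session timeouts for a shared clinical desktop
or web application.

Added example, not code from the page or its cited sources. The store, token
format and timeout values are assumptions chosen for illustration. The point:
a session the user forgot to log out of stops being usable after a bounded
idle period, and an explicit logout invalidates it immediately.
"""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT_S = 15 * 60          # assumed policy: 15 minutes without activity
ABSOLUTE_TIMEOUT_S = 8 * 60 * 60  # assumed policy: 8 hours, roughly one shift


@dataclass
class Session:
    user: str
    created: float    # when the user authenticated
    last_seen: float  # last validated request


class SessionStore:
    """Keeps session state server-side so a stale token cannot outlive policy."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_S,
                 absolute_timeout=ABSOLUTE_TIMEOUT_S, clock=time.time):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock  # injectable so the walkthrough below can move time
        self._sessions = {}

    def login(self, user):
        """Issue an unguessable token (32 random bytes) bound to this user."""
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[token] = Session(user=user, created=now, last_seen=now)
        return token

    def validate(self, token):
        """Return the user for a live session, else None.

        Expired sessions are deleted at the moment they are detected, so the
        token cannot be replayed later; a valid request refreshes last_seen.
        """
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        idle_exceeded = now - s.last_seen > self.idle_timeout
        absolute_exceeded = now - s.created > self.absolute_timeout
        if idle_exceeded or absolute_exceeded:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user

    def logout(self, token):
        """Explicit logout invalidates the session regardless of the timers."""
        self._sessions.pop(token, None)


def abandoned_session_walkthrough():
    """Drive a fake clock through the idle window for an un-logged-out session.

    Returns the validation results at each step so the behaviour is checkable:
    active, still active after 10 minutes, gone after 16 more idle minutes.
    """
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    token = store.login("nurse_a")  # assumed user name
    results = [store.validate(token)]
    now[0] += 10 * 60   # 10 minutes of activity-free time, inside the idle window
    results.append(store.validate(token))
    now[0] += 16 * 60   # user walks away from the terminal; 16 minutes exceeds it
    results.append(store.validate(token))  # a colleague at that terminal gets None
    return results


if __name__ == "__main__":
    print(abandoned_session_walkthrough())  # [ 'nurse_a', 'nurse_a', None ]
```

Two points of the design matter in practice: the expiry check happens on every request and the expired record is deleted, so a terminal left open cannot be revived by simply sending the old token later; and the absolute timeout bounds the session even when someone keeps it "active", forcing re-authentication at least once per shift. Coupling this with a client-side screen lock covers the window before the idle timeout fires.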
The Health Insurance Portability and Accountability Act (HIPAA) fits into such security and privacy discussions because it places a responsibility on healthcare organizations and their business associates to monitor for and proactively guard against such breaches. For instance, by requiring business associates of covered entities to comply with HIPAA rules (Crandall, 2013), the Act closes loopholes through which agents of those associates might misuse patient information. Provisions for breach notification, limits on the use of protected health information, and the requirement for patient authorization before marketing communications concerning treatment (Crandall, 2013) all affect how patient information may be accessed and shared by stakeholders across the healthcare sector.
Crandall, D. (2013). Key provisions of the HIPAA final rule: Modifications of importance to physical therapists. PT in Motion, May, 38-41.
Gallagher, L. A. (2013). Accessing and sharing data to avoid security risks. Nurse Practitioner, 38(5), 8-11. doi:10.1097/01.NPR.0000428822.80127.6a