Patient Privacy Issues
New technology has brought many benefits to the healthcare industry, but it has also created challenges in keeping patient information private and confidential. As more and more healthcare facilities go digital, the threat of a private patient record becoming public is an alarming problem. Not only do patients risk someone hacking into their private patient file, there is also the risk of their information being sold. Patient privacy is no longer as secure as it was in the past with the written record. Keeping a patient's record from being accessed requires the healthcare facility to take steps to properly secure this information. Even then, this private information is at risk from internal and external sources at the healthcare facility.
One situation where the private information of the patient becomes vulnerable is a case where an employee sold patients' private information for illegal gain. An employee at Howard University Hospital named Laurie Napier used her position as a hospital tech to access private hospital records and to sell them to criminals so they could be used for criminal purposes (Shultz, 2012). In this situation the employee was caught selling the private information of patients. This private information includes name, address, birth date, Medicare health numbers, and Social Security number. Criminals can use this information to create fraudulent accounts, open credit cards, and create new identities.
The employee was able to steal the private information of tens of thousands of patients because the patient files were password protected but the information was not encrypted to prevent theft. Not only did patients become vulnerable to fraud, the reputation of the healthcare facility was also damaged by its inability to protect patient records. As a result of her illegal actions, Napier was charged under HIPAA. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule ensures that the healthcare facility does not release the private information of the patient without their express permission.
The Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes but also ensures this information is held in confidence (DHS, 2015). The Security Rule defines the security safeguards that must be put into place by the healthcare facility, business associates, and healthcare clearinghouses that share patients' health information. When Laurie Napier stole the private information of over 34,000 patients she violated the privacy rights of the patients and broke the law. Her violation was criminal, but the hospital was also at fault due to its failure to protect private patient information.
Prior to the Napier theft the hospital had a previous situation where another employee downloaded patient files in order to sell them. Under federal law Napier was charged with wrongful disclosure of patients' individually identifiable health information. Because she gained less than $5,000 from her crime she received house arrest with three years of probation. Napier is responsible for paying a fine of $2,100 and will have to complete 100 hours of community service (Narasi, 2012). Before she can go on house arrest Napier must first spend six months in a halfway house.
Hospitals are considered covered entities under HIPAA. All covered entities are responsible for taking the necessary steps to protect the patient's private information. This includes taking steps to block the information from being stolen electronically. While Howard University Hospital placed password protection on patient files, it was not sufficient to stop employees from stealing the information and selling it to others. When the first theft by an employee occurred the hospital should have taken immediate steps to rectify the security issues. If the hospital had simply placed encryption software on hospital computers, any stolen information would have been unreadable.
While the employee is responsible for her illegal behavior, she took advantage of an opportunity to steal information that was not properly protected. If the hospital had the proper protections in place the two breaches would never have occurred. New reporting rules require that the healthcare facility warn the patient, the public, and the media of the breach. Because the healthcare agency is required by law to report these breaches, there has been a growing number of reported cases where the private records of the patient are breached. In November of last year the country's largest data breach in the healthcare industry occurred when thieves stole the private information of five million patients of TRICARE, a military healthcare insurance agency.
According to an HHS database, more than 40 percent of medical data breaches in the past two and a half years involved portable media devices such as laptops or hard drives (Shultz, 2012). In the Napier case and the case earlier in the year a laptop was used in order to obtain the private information. When private information is accessed through a third-party device it increases the security risk, especially when the private data is not encrypted.
If Howard University Hospital had been in full compliance with HIPAA the security breach would have been prevented, but the hospital was not in full compliance with the law. HIPAA requires that health care entities, under the Security Rule, apply administrative, physical, and technical safeguards to ensure the private information of the patient is secure. By failing to protect this information the hospital leaves private information vulnerable to being lost. When this happens patients have the right to sue the hospital for its failure to protect patient privacy. In response to the two security breaches the administration of the hospital claimed they were taking steps to fix the problem.
Healthcare facilities have an ethical duty to their patients that includes upholding their privacy. When Howard University Hospital failed to take the steps to protect its patients it failed in this ethical duty. If a healthcare organization fails to display the ethical behavior expected of it, the result can be damage to the reputation of the hospital and a loss of trust by patients. Healthcare organizations have other ethical duties to the patient, but making sure the confidentiality of the patient is upheld is an important one, especially in the 21st century. When a patient's private information is not properly secured it becomes vulnerable to security threats. Howard University Hospital has a legal and ethical duty to properly secure patients' private information.
In order to prevent security breaches in the healthcare setting, the same level of security applied to the financial sector should be applied to the healthcare industry. The financial sector has long recognized the need to develop a comprehensive, multi-tiered security plan that ensures no avenue is left open for the criminal to breach the private data of the institution. This begins with conducting an assessment to identify security vulnerabilities and then developing a plan to address them. In the case of Howard University Hospital, the hospital failed to recognize the vulnerability associated with not using encryption software to protect employee files and the vulnerabilities associated with third-party devices accessing sensitive hospital data.
The first step is to encrypt all hospital data and to add additional layers of security. This would include placing computer servers in a secure location that can only be accessed by personnel with the authority to access the sensitive data. When too many people have access to passwords and computer servers it can create security breaches. Lastly, the hospital needs to restrict the use of third-party devices to access sensitive hospital data unless the device is assigned by the hospital after it has been properly secured.
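The two points made above and earlier in the essay, that encrypted data on a stolen laptop is unreadable, and that only authorized personnel should be able to reach the key, can be shown concretely. The following Go program is an added example written for this page; it is not code from Howard University Hospital or from any of the cited sources. It uses the standard library's AES-256-GCM to seal a constructed sample record, keeps the key apart from the stored bytes, and gates key access behind a hypothetical role policy (`keyAccessRoles`, `KeyForRole`). The record contents, patient ID and role names are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealedRecord is the form that sits on disk or on a laptop: a random nonce
// plus the AES-256-GCM ciphertext, which carries its own authentication tag.
// Nothing in it is readable without the key, which is stored elsewhere.
type SealedRecord struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewRecordKey returns a fresh 256-bit key. In the hypothetical deployment the
// key lives in a key-management service or HSM, never beside the record files.
func NewRecordKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts a record under key. The patient ID is passed as
// associated data: it is authenticated but not encrypted, so a ciphertext
// copied into another patient's file fails to open.
func SealRecord(key, plaintext []byte, patientID string) (*SealedRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(patientID))
	return &SealedRecord{Nonce: nonce, Ciphertext: ct}, nil
}

// OpenRecord decrypts and verifies. A wrong key, a flipped bit, or a
// patient-ID mismatch returns an error instead of garbage plaintext.
func OpenRecord(key []byte, rec *SealedRecord, patientID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(patientID))
}

// keyAccessRoles is a constructed policy for the essay's access-restriction
// step: only roles with a clinical or custodial need may obtain the key.
var keyAccessRoles = map[string]bool{
	"attending_physician": true,
	"records_custodian":   true,
}

// KeyForRole is the gate an application would place in front of the key
// store. A user with file access but no authorised role gets no key.
func KeyForRole(role string, key []byte) ([]byte, error) {
	if !keyAccessRoles[role] {
		return nil, errors.New("role " + role + " is not authorised to read patient records")
	}
	return key, nil
}

func main() {
	key, _ := NewRecordKey()
	// Constructed sample record; not real patient data.
	record := []byte("name=Jane Doe;dob=1970-01-01;ssn=000-00-0000;medicare=0000000000")
	sealed, _ := SealRecord(key, record, "patient-12345")

	// The stored bytes are all a thief with the laptop would have.
	fmt.Printf("stored bytes: %x...\n", sealed.Ciphertext[:16])

	// An unauthorised role cannot obtain the key, so the file stays opaque.
	if _, err := KeyForRole("hospital_tech", key); err != nil {
		fmt.Println("denied:", err)
	}

	// An authorised role decrypts; a tampered copy is rejected.
	k, _ := KeyForRole("attending_physician", key)
	pt, _ := OpenRecord(k, sealed, "patient-12345")
	fmt.Println("decrypted matches original:", bytes.Equal(pt, record))
	tampered := &SealedRecord{Nonce: sealed.Nonce, Ciphertext: append([]byte{}, sealed.Ciphertext...)}
	tampered.Ciphertext[0] ^= 0x01
	_, err := OpenRecord(k, tampered, "patient-12345")
	fmt.Println("tampered copy rejected:", err != nil)
}
```

The design choice worth noting is the separation of the three pieces: the sealed bytes can live on any server or laptop, the key lives in a separate store, and the role check decides who may ask that store for the key. Removing any one of them recreates the situation described in the essay, where a password on the file was the only barrier.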
The healthcare industry is changing. It is no longer a simple matter of keeping track of patient information in paper files that could simply be locked up. With electronic patient files the healthcare industry has no choice but to enter the 21st century and make sure that patient information is properly protected. This means restricting access to patient files and putting the proper security measures in place. Howard University Hospital was negligent when it failed to properly secure patient files, especially after the first incident. In order to ensure that security breaches like the one committed by Napier do not happen again, the hospital needs to be in compliance with HIPAA and establish a more effective security approach to protecting patient information.
References
Narasi, S. (2012). Hospital employee sold 40 patients' protected health information. Retrieved January 23, 2015 from http://www.healthcarebusinesstech.com/hospital-employee-sold-40-patients-protected-health-information/
Shultz, D. (2012). As Patients' Records Go Digital, Theft And Hacking Problems Grow. Kaiser Health News. Retrieved January 23, 2015 from http://kaiserhealthnews.org/news/electronic-health-records-theft-hacking/
U.S. Department of Health & Human Services. (2015). Understanding Health Information Privacy. Retrieved January 23, 2015 from http://www.hhs.gov/ocr/privacy/hipaa/understanding