The safety and security of patient health information should not be taken lightly. Numerous instances of data breaches have underlined the need for health organizations to reconsider their practices targeted at securing important information and to invest in innovative solutions to protect against attacks. The case of the Henry Ford Health System breach shows that employees of health organizations are usually the weakest links in protecting patient data, pointing to a need to raise awareness of the problem and to implement the strategies that health informatics specialists recommend.
On October 3, 2017, Henry Ford Health System (HFHS) in Detroit was hacked, “leading to the exposure of more than 18,000 patients’ personal health information” (Greene, 2017, para. 1). Greene (2017) further reported in Modern Healthcare that officials failed to determine the reasons behind this massive security breach as well as whether patients’ information was later used for inappropriate purposes. Patient information stolen during the breach included “name, date of birth, medical record number, provider’s name, date of service, department’s name, location, medical condition, and health insurer”; however, it is important to note that no financial information was compromised (Greene, 2017, para. 10).
Key factors that contributed to the breach of health information included insufficient protection of employees (whose email credentials were also stolen), ineffective employee education regarding measures necessary for data protection, weak initiatives for strengthening the protection of patient information, and an overall lack of attention on the part of the organization’s management toward guarding both employees and patients against information breaches.
HFHS’s failure to protect its clients from the loss of important health data contributes to the need for change in the overall operation of the organization in three major ways. First, the organization needs to establish an intensive course of employee education to provide workers with available resources and knowledge necessary to strengthen their own and patients’ data security. Second, the organization might be subject to litigation from patients whose information was compromised, leading to possible financial losses. The third and most important outcome is that HFHS will have to issue new medical health record numbers, a process having the potential to consume much time that should optimally be spent on patient care.
The position of the leaders, in this case, was that they were sorry for the security breach and the misuse of information and took the situation seriously. However, David Olejarz, the Henry Ford Health System spokesperson, reported that there was no criminal investigation of the breach (“Henry Ford Health data breach affecting 18K patients,” 2017). The leaders of Henry Ford Health reported that they would instead conduct their internal investigation to determine how the breach had happened. It should be mentioned that the organization already had all the available resources that might have prevented the data breach but had paid little attention to risks. For instance, in 2010, the system experienced a data breach when someone stole a laptop from an office that employees had forgotten to lock (Greene, 2017). This shows that the organization has already had previous experience with compromising patient data.
The outcomes for the organization are serious. First, the security breach involves the issues of safety and reliability, meaning that health providers could choose to use other medical health records systems to protect their clients from future breaches. Second, HFHS could be subjected to public scrutiny due to the lack of effort to initiate a criminal investigation to determine whether the stolen data was used maliciously. Third, a need for in-depth employee education is evident since employees were likely the weakest links in allowing the data breach to occur. Overall, the situation with the Henry Ford Health System is unfortunate, and the attitude of the management toward the attack is confusing since no serious measures were immediately taken. In the patient data breach report, the organization acknowledged the fact that investigations of patient data breaches usually took less than sixty days, but the complex nature of the incident prolonged the investigation (Henry Ford Health, 2018). It is important to note that HFHS provides medical record services to a large number of hospitals, emergency rooms, and medical centers, meaning that millions of patients can be affected by such breaches if the organization fails to take appropriate safety measures.
In learning from the mistakes made by Henry Ford Health System, it bears mentioning that the best practices to prevent data breaches from occurring must be associated with better employee education due to the company’s evident lack of attention to the importance of ensuring the security of patient information. For example, it is highly recommended to implement initiatives associated with email retention and multi-factor authentication—new models that could limit the usability of stolen credentials within minutes—as reported by Leventhal (2017) in Healthcare Informatics. It is unfortunate when employees rarely follow standard rules requiring them to change their passwords every ninety days and not reuse old ones; therefore, more serious and security-oriented measures are needed to ensure that workers in health-care organizations take the topic of safety seriously.
Another recommendation for ensuring the safety of patient data is associated with fostering a culture of best-practice sharing to encourage facilities to learn from each other. A health-care organization can foster the culture of reviewing, analyzing, and testing data security practices that other facilities have already adopted to determine whether they could be effective. External checking and validation of data security practices are highly likely to strengthen facilities’ efforts to protect patient information in the same way that best practices of financial accountability and integrity benefit organizations within the industry (Care Quality Commission, 2016).
Lastly, the example of the Henry Ford Health System breach shows that the organization did not invest in employee education aimed at teaching workers how to secure their information as well as the personal health data of the patients they serve. According to Bloomfield (2017), lack of employee education and awareness presents the greatest threat to patient data security as shown by the 2017 Level 3 Healthcare Security Study, which revealed that nearly 80% of the study’s participants acknowledged that employee awareness was the greatest concern even though 85% of the participants mentioned existing security programs. Thus, just as HFHS should invest in employee education and raise awareness about the importance of security, all health-care organizations should continuously enhance their workers’ knowledge to prevent health information breaches.
An important government requirement that can be used in the context of this case is the HIPAA Security Rule, which requires entities to ensure the confidentiality and integrity of electronic health records, to protect against reasonably anticipated threats to the integrity and security of information, to protect against prohibited disclosure of information, and to ensure workforce compliance (Office for Civil Rights, 2013).
Bloomfield, C. (2017). Lack of awareness and education are the greatest threats to healthcare security. Web.
Care Quality Commission. (2016). Safe data, safe care. Web.
Greene, J. (2017). 18,470 Henry Ford Health System patients’ data hacked. Modern Healthcare. Web.
Henry Ford Health data breach affecting 18K patients. (2017). Detroit News. Web.
Henry Ford Health. (2018). Required substitute notice. Web.
Office for Civil Rights. (2013). Summary of the HIPAA security rule. Web.