Strengths
Paul, the hospital CEO, has implemented information technology to assist in business processes. The Electronic Medical Records (EMR) system replaced the paper system used to record patients’ information. The doctors, nurses and system administrators now use electronic readers to access patients’ files and medical details, and the readers are designed so that only these authorized staff can access them. The EMR system automatically checks for errors and checks drug prescriptions. The EMR system is more secure than paper records and has improved the hospital’s operations (Eisenmann, 2009).
Sunnylake Hospital has the financial resources to maintain its current product base and develop new, more modified products. The implementation of the Electronic Records system shows that the hospital has the necessary information technology funding. The hospital also has the financial resources to engage the services of a professional consulting company. The hospital has insurance cover for IT risks, which could cover blackmail costs.
Weaknesses
The hospital failed to implement a layered security system, and this left the EMR system vulnerable to capture by hackers. The hospital takes a bottom-up approach to security management, and the CEO over-relied on one IT director, Jacob, to operate the whole system. The management should be involved in making IT decisions. When the system was hacked, Paul just sat back and waited for Jacob to work out a solution. Also, the IT team is too small to manage the whole department on its own.
The failure to put sound security management in place has adversely affected the hospital’s operations. Sound security management involves risk assessment, information security procedures, standards, rules, baselines, security initiatives, and security awareness. Furthermore, the hospital has not implemented any changes in its processes for the past three years to keep pace with the industry (Bohm, 2009).
Sunnylake had outdated security software, and the security outsourcer was not dependable. It had a small IT team that was mainly dependent on one man to run the system. Initially, the system security details were aimed at keeping out intruders only and did not address hackers. The IT department installed a system-based infection detection network that wards off not only impostors but also hackers or any unauthorized user.
Before the implementation of the EMRs, Sunnylake applied outdated processes, and it was still using paper records. The EMRs faced challenges initially, as it was thought that the new technology could divert attention from patients’ diagnoses, but with time the doctors came to recognize the efficiency advantages of the EMRs. The management thought that the system was impossible to infiltrate, only to realize later that it was too weak. Although the patients’ data had been backed up in the network and could not be tampered with, no one could access the records. The hospital had also over-relied on the EMRs, thus making it vulnerable to hackers.
Sunnylake doctors and nurses use machines in treating patients, whereas IT systems are only supposed to aid in the process; thus, a failure of the system paralyzes the hospital’s operations.
Opportunities
During the attack, the hospital has the option of paying the hackers as an immediate solution; the management could also engage in negotiations with the hackers. Furthermore, it has IT risk insurance cover, and the money could be paid out by the insurance company.
The hospital may consider reorganizing or creating a new management team. The new management ought to keep in contact with the doctors, nurses, administrators and users of the system and should know to what extent the hospital should disclose information to the users. The hospital should put in place damage control measures to ensure that, if such incidents happen in the future, they are curbed in time before adverse consequences occur. The management should adopt a top-down approach to security issues and be engaged directly in security matters (Bohm, 2009).
The management needs “good business judgment” in securing against the scare. The problem started with Paul, who ignored the first email message; all IT scares ought to be considered seriously and reported immediately. The hospital needs a plan in place for when it is uncertain of the extent to which its system has been interfered with. Doctors and nurses are supposed to diagnose, make decisions, and efficiently attend to the patients.
ISP/security experts could be contracted to combat the hacker and work in conjunction with the IT team. Also, the hospital can implement a phone or paging system and a written-records backup system.
Threats
Because Sunnylake Hospital depends on technology, and no IT network is bulletproof, the organization is vulnerable to such attacks and is a target for people acting with malicious purposes or for personal gain. Sunnylake faces the threat of losing the public trust and goodwill it had in the industry. The doctors and nurses are losing trust in the EMR system due to its unreliability. Paul would lose personal credibility with senior management and could even lose his job, since he was in charge of the strategic resources of the organization and failed to account for their utilization.
Sunnylake faced the threat that, if it paid the ransom, it would encourage the extortionists to carry out future hacking attacks, which could also result in attacks on other hospitals. The hospital also faces a liability risk for malpractice suits if it is sued for mistakes made by the doctors due to the failure of the system.
Such incidents put the lives of patients at risk, and the hospital also counts losses in terms of productivity and money. If considerable measures are not put in place to curb their recurrence, this could paralyze the hospital’s operations completely (Eisenmann, 2009).
Reference List
Bohm, A. (2009). The SWOT Analysis. München: GRIN Verlag.
Eisenmann, C. (2009). When Hackers Turn to Blackmail. Harvard Business Review, 39-50.