Abstract
With accelerated technological development, health informatics has been adopted to various degrees in healthcare facilitating better monitoring of a patient’s health information while ensuring its safety. The paper looks at an email security breach in Kaiser Permanente and its effect, and how a company can prevent the repetition of such a mistake. Security breaches, no matter how small, put an organization and its patient’s information at risk. Breaches do however happen despite policies put in place to avoid them, and regulations that help increase patient privacy. What matters most is how well an organization can manage the situation and what ways and measure it will improve to prevent future accidents.
Introduction
No matter how minute a breach is, there is high risk and concern of people’s private information getting exposed. According to 2017 Accenture research, 26% of Americans have had their personal health information stolen. Hospitals, urgent care clinics, and pharmacies had the highest percentage of data breaches. A breach, as that of Kaiser’s email system, and the potential access to patient health information raises major concerns about patient privacy, organizational structures, and image. With patients mostly affected by a breach and the risk of having their health and personal information exposed, a company needs to move quickly to comply with requirements that mandate prompt reporting.
Damages and Mitigation to Security Breach
HIPAA enforcement and privacy rules control most telemedicine companies with the Breach Notification Rule requiring all covered entities to promptly notify individuals and the Health and Human Services of any impermissible use, loss or theft of Protected Health Information (PHI). In 2006, the Enforcement Rule and Breach Notification Rules, which established civil money penalties for violations and procedures in investigating violations, went into effect (Bell, 2018). Kaiser Permanente needed to move fast because, although two people reported the issue, more emails were sent, and a large quantity of personally identifiable patient information was revealed. While the financial cost of the breach may be borne by Kaiser, the impact on the health system’s image is a significant issue for any possible or real data breach, as is the impact on the organization’s present patient base and the society it serves. Notwithstanding, others who received the email might have decided to report the incident to a news station, causing the company public embarrassment. They intended to appear to have discovered the problem immediately and independently before the public learned about it from another source.
Recommendations for Root Cause Investigations
The first step in the investigative process is assessing the full scope of the breach, to know which prime areas to focus on. The first and most important priority would be to ensure company continuity and that catastrophe recovery contingency plans are been implemented. A root cause study is required during such an event. The team will investigate the events that occurred once the problem has been detected to determine the root cause (Liang et al., 2020). Over 800 separate email messages containing sensitive health information were concatenated and sent to various recipients in this case study, with at least 19 of them being received. There is a need for all systems to be evaluated for any new security threats as part of the recovery process and identification of the reason, followed by contact with impacted departments and patients. There is the use of Toyota’s Sakichi Toyoda “5 Whys” strategy used to get to the fundamental cause of the issue (Gangidi, 2018). The approach is a straightforward way for getting to the root cause of a problem rather than simply focusing on the surface reason, which in this case would be an untested fix created by two programmers.
Resolving Underlying Group and Organizational Issues
If the fundamental flaws from this breach are not addressed, future breaches will remain a significant danger. Internal breaches are a persistent concern, even with a thorough risk analysis and the deployment of new procedures, rules, and consequences for infractions. There are always new techniques to steal or leak information, and organizations have to be on the lookout for them. A one-time sweep will not be sufficient. Kaiser Permanente, in fact, has had several breaches after this one, and has been punished for HIPPA violations under the harsher restrictions in place since then.
The breach does not imply that Kaiser Permanente does not care about patient privacy and security. Information breaches are a typical way of corporations attempting to fix the numerous security flaws that arise naturally and over time. Covering all the bases is a huge undertaking with so much technology phased in at different times and in different versions, laptops and other devices being stolen or misplaced, and different employee skill levels in the firm.
If Kaiser does not address underlying organizational concerns, such as any outstanding policy evaluations addressing cyber security and HIPAA policies, the danger of another breach will persist. Additional medical safeguards will reduce the danger of a breach. However, the human aspect and staff management are required to ensure that these preventative measures are maintained.
Administrative Leadership Role
The importance of security must be evident at the administrative leadership level. If this level does not make it a priority, the other levels in the organization will not either. The administration should therefore maintain effective and efficient policies concerning quality control checks and installation of applications before their execution. To ensure that Kaiser Permanente Online is secure, the administrative leadership should work to ensure their budget includes funds for regular IT hardware and software upgrades as well as ensuring they use the best and updated antivirus. There is a need to encode clients’ private health and personal data, and regularly take part in risk analysis which should include remediation. Such measures however require a trained IT team or one empowered to thoroughly test and make sure that the changes being implemented are functional and follow proper development or installation. The organization can also hire an Information Security team or manager. Employees also need to know how to handle confidential data and be regularly taken through the various information security policies. They ought to be properly trained on what to do in case of an error, and how to communicate faults and failures as soon as they happen.
Conclusion
I do not believe the HIPAA standards have been strict enough. While the standards that require breach notifications can cause a company to be embarrassed and lose clients, most organizations are relatively resistant to these alerts because they occur frequently and in all industries that use digital data. Fining a corporation has an impact if the fine is significant enough, but if the fine is little, it will become a cost of doing business.
References
Bell, K. (2018). Public policy and health informatics. In Seminars in Oncology Nursing (Vol. 34, No. 2, pp. 184-187). WB Saunders.
Gangidi, P. (2018). A systematic approach to root cause analysis using 3× 5 why’s technique. International Journal of Lean Six Sigma.
Liang, C., Zhou, S., Yao, B., Hood, D., & Gong, Y. (2020). Toward systems-centered analysis of patient safety events: Improving root cause analysis by optimized incident classification and information presentation. International Journal of Medical Informatics, 135, 104054.