University of Maryland University College
9 January 2018
Technology is something that is ever evolving and changing the way many businesses and places complete their day to day operations. One of the fields that are affected the most by the advancement of technology is in healthcare facilities like hospitals. Electronic documentation and patient histories help streamline the ability to provide care to the patient. “As of 2016, over 95 percent of all eligible and Critical Access hospitals have demonstrated meaningful use of certified health IT through participation in the Centers for Medicare & Medicaid Services (CMS) Electronic Health Record (EHR) Incentive Programs” (Health IT 2017). With the electronic patient histories, they can more effectively treat and manage patients when in their care. During their duration of the hospital visit admitted patients will interact with tons of doctors and nurses during their stay and instead of having to explain what each person has done for this patient or read entire paper charts with barely legible handwriting. This helps streamline the process at which this patient can receive quality and effective care. With all patient files going electronic poses a risk for the patient due to all their information is being stored on the internet and hackers will always attempt to steal that information and IT personnel need to keep their networks as secure as possible to prevent breaches to keep all patient information confidential.
Many steps can be taken to help protect patients’ information from both internal and external attackers. To start off to help protect against internal attacks all employees should have documented logins with multifactor authorization which means that after an employee logs on with their credentials they should provide a second form of verification such as a fingerprint to log onto a station computer to complete their job. Also with internal attacks to better preserve patient information no employee should have access to patient information outside of the hospital network. If you are only able to access the data from one source you can better protect the single network instead of having to worry about individual networks such as someone’s home private network. That brings the next big issue with attacks would be hackers from an outside source. The Chief Information Officer (CIO) should perform penetration tests frequently to find any vulnerabilities within the networks and the CIO can then do a risk management analysis to determine the next course of action with the vulnerabilities. There are a few things that can be done in performing a risk analysis. A CIO can either do nothing about the risk he was informed about, transfer the risk, mitigate the issue, or eliminate the issue. Is the CIO does nothing about the risk does not mean he is ignoring the issue but he is going to prepare his staff to be able to deal with the risk if anything would occur. Next the CIO could transfer the risk where they can outsource the issue to a third party relieving him of the risk and having them handle the situation. The next way is to mitigate the risk and this can be achieved by only having employees trained by personnel who are qualified to teach them new security measures and not a third party such as a coworker. Finally, the last way to deal with it is to eliminate the issue which is an extremely hard issue to complete because technology and security protocols and devices update causing everyone to learn the new protocols and upgrades.
These updates are expensive but mandatory. For example, a 280-bed hospital to start the electronic records cost about $19 million (Menachemi & Collum, 2011). To upkeep a network it would cost about $8400 bucks per full-time employee. This may seem extremely expensive but the protection of your patients’ personal information is important. With how efficient and effective electronic patient records are there are a few drawbacks in the way of getting it set up. First, you will have network down time at the hospital while the new network gets installed and set up. This could potentially delay patient care or delay the billing cycle of the patient once they are discharged. With that said electronic health records is an advancement towards the direction of more quality and efficient healthcare but these files need to be secured and dealt with appropriately by trained IT staff.
Healthcare in today is an ever evolving and ever changing environment that keeps adapting and providing better and more sufficient and effective care by utilizing the new and ever-changing technology. The hospital is a complex system that has many different parts and entities that need to work together and be secured for the patient’s medical information to safety be secured. Doctors, nurses, and technicians treat patients while keeping all patient information confidential and IT personnel play an important role in protecting patient information. All healthcare systems have an infrastructure and this hospital’s infrastructure is as follows:
The biggest system to protect is the patient record system since all hospitals at this point have made the transformation to Electronic Health Records (EHR). Once this information is done transmitting in the Emergency room if the patient is then admitted it is send up to the admitting floor so the nurses and doctors on the admitting floor can continuously treat the patient with no delays or repeat tests. With how much Healthcare relies on technology, setting up a stable and efficient network is important. Is is important to have the equipment in a secured room that has adequate ventilation and the facility has a plan to keep the network up and running in times of power outages. After the patient is treated the treatment files from the physicians and nurses care the files must be transferred to billing. Throughout your care, all documentation is done electronically on computers or laptops. All of these systems should be protected with open systems interconnections. This should be created for the means of transferring data between the different areas of the hospital so that all data can not only be monitored and tracked but securely moved throughout the network. This enables devices to work together on a network and IT should monitor and TCP and IP protocols to make sure that if there is any failed data transmissions do not fail because of network problems.
In cybersecurity, there are constant threats to network systems which revolve around three security attributes that are confidentiality, integrity, and availability. Those three attributes are considered the CIA triad and many security measures are designed to protect the attributes of the triad. Confidentiality is protecting a persons’ information from discovery and ways of doing this would be file permissions, access control, and the most widely used being data encryption. The next part of the triad would be integrity which has to do with protecting information from being changed by unauthorized individuals and the best way to protect the information is cryptography. The final part of the triad is the availability which means allowing authorized personnel to have access to information when it is needed. This triad serves as the security measures for securing networks and databases but there are always people trying to steal information.
There are many different reasons on why systems are intruded and the main reasons are for Financial motives, Military Motives, Political Motives, and Corporate Motives. The Financial motive is self-explanatory as people intrude systems for monetary gain. According to BGR payment for a stolen credit card information in the Unites States is about 5 to 30 dollars depending on how much additional information is with your credit card (Heisler 2015). For example, the target breach affected about 40 million people and if each one of their credit cards were sold on the black market the hackers would have made a profit of about 200 million dollars if they sold each credit card number for 5 dollars only. The next reason on why networks are intruded are for military motives and this is hacked for foreign countries to try to steal our latest technology to use in potential future wars. The next reason would be political motives and that is done to spur political conflict between national groups. Finally, the last reason would be corporate motives and a reason for hacking would be to steal prototype information of new technology so they can make that technology or tweak it to make it even better than what the original company had in mind. They could also hack some corporations to set them back on their research methods into new technology.
Threats can come from all over and contrary to popular belief, not all hacks are incoming attacks from the outside sources but insider threats too. People can be manipulated for monetary gain causing them to steal classified information from their employer and send it to a competitor. In a hospital setting especially one with research occurring at, this could be a very likely scenario because employees who would want to be part in the study into the future of medicine can access the data while at work and potentially send it to other doctors or scientists conducting research to help push their current research along giving them the credit. For outside threats, you need to be concerned about protecting your patient data due to the patient data having everything about them such as their names, address, and social security number which can put them in massive risks and the biggest one being identity theft. Many doctors use mobile devices for documentation such as a laptop and on that laptop, they have scribes who are people who document everything the doctor does when treating a patient and these devices since they are over a wireless connection are more vulnerable than their LAN connection. Since this device is portable there are many things that should be done to protect the information on that computer. The first step in protecting the computer would be authorization rules which when the doctor logs on to that computer he should only have access to patient health records and documentation because that is all the doctor is responsible for when treating that patient. The next step to securing those computers would be access control and eliminate the access to any programs or external websites that do not affect the documentation of patient care. The next step would be the use of strong passwords that contain capital letters, lower case letters, numbers, and symbols. These passwords should also try to avoid peoples’ names and common places as they are easily cracked by password crackers in a short time. Finally, the last piece of security on the laptop that should be implemented should be multifactor authorization. For example, entering your fingerprint after you enter your password to verify that it is actually you accessing the system would be a great way to prevent breaches of mobile technology such as laptops or tablets. In the hospital I have researched they have implemented this feature in medication withdrawal so any provider getting medication not only has to enter a password but also enter their fingerprint so they can verify their identity when withdrawing medication and with that implication, the amount of medication that went missing has almost been completely eliminated.
CIO and Leadership
The CIO and the leadership team need to be aware of any potential risk of the network and the first step to accept that their network has risks. Some things to keep in mind if the CIO decided to accept the risk and do nothing is if they have a breach that affects 500 or more people they need to report that to the media (Secretary & OCR, 2013). This is not ignoring the issue like some may see but accepting that there is an issue with your network and you may need to come across it and not all risks are a potential for a breach. There are a few reasons on why the CIO may choose to accept the risk and not act upon the risk and a few of those reasons are they never happened at this facility, don’t have the time or resources, and it is not cost beneficial for the company. The CIO and leadership team work hard to ensure that risks are acknowledged and if the issue cannot be handled in-house with the IT team provided they can look to transfer the risk.
CIO Risk Transfers
The CIO can look into transferring the risks when the risks are too much for him and his team to handle. When a breach is noticed they can contact a third party team that specializes in breaches to help determine where the breach is and eliminates it before it becomes more of an issue. For this to be effective a team must be contacted immediately to reduce the amount of data lost from the breach. Another way to transfer the risk is to get cybersecurity insurance which helps transfer the financial risk to the insurer who if a breach occurs will cover forensic investigations, customer notification, credit monitoring, public relations, and legal defense (Constantin 2014). Although the company when purchasing the insurance is not transferring all risks it helps take the burden off of the company if a breach will occur.
Risk Mitigation and Eliminating Risks
Risk mitigation is a way to help reduce the impact of a risk. For example, all employees should only be taught about the networking systems by trained professionals who set up the networks rather than getting the information second hand from a co-worker who may not fully understand the way the system is set up. Eliminating the risks are an extremely hard thing to do entirely but some ways to attempt eliminating the risk are internally having people perform penetration testing on your network to see where your vulnerabilities are so that they can be addressed and a solution can be made so an actual breach does not occur due to that vulnerability. Another thing is that all electronic patient files should stay on the network and not be downloaded to any personal device. By only allowed access on the hospital networks it helps bring down the potential for a leak by not allowing employees to download personal files they reduce the risk of the employee opening the files from an unsecured connection elsewhere. With being only able to access the data when on the hospital network helps keep data secure in the case that someone lost their password it’ll help secure the confidential information. Eliminating risks is an extremely difficult task to complete but with the right precautions and preventive measures you can almost eliminate it down to nothing.
The Projected Costs
The cost of keeping a network on a yearly basis is a but expensive with it coming into about $8412 per full-time employee which the cost is distributed mostly on the hardware and software being kept up to date, support fees, and paying for information system staff or external contractors. Along with this needs to come ongoing training to all employees with whenever there is a system update. At first to upgrade there will be some down time due to the upgrade to the electronic systems for hospital systems. If you just implement the electronic files you have to also expect some down time if there is a problem which could lose money to start. A 280-bed hospital to start the electronic records cost about $19 million which they broke down into a 7-year plan (Menachemi & Collum, 2011). This may seem expensive but once the network is up and running and you have it secured it is a much more efficient way to get the care provided and pushed through to billing so that all claims can be sent out to either the individuals or insurance companies responsible. Although it is an expensive startup it is a mandatory upgrade to help provide more quality and effective care.
Constantin, L. (2014, April 25). 5 Things You Need to Know About Cybersecurity Insurance.
Retrieved January 09, 2018, from https://www.cio.com/article/2376802/security0/5-t hings-you-need-to-know-about-cybersecurity-insurance.html
Health IT Quick Stats. (2017, August 3). Retrieved January 13, 2018, from
Heisler, Y. (2015, November 30). Here’s how much your stolen data is worth on the Dark Web. Retrieved January 09, 2018, from http://bgr.com/2015/11/30/dark-web-stolen-data/
Lanz, J. (2016, December 19). Accepting the risk requires more than doing nothing. Retrieved
January 09, 2018, from https://www.csoonline.com/article/3151467/security/accepting-the-risk-requires-more-than-doing-nothing.html
Menachemi, N., & Collum, T. H. (2011). Benefits and drawbacks of electronic health record
systems. Risk Management and Healthcare Policy, 4, 47–55. http://doi.org/10.2147/RMHP.S12985
Secretary, H. O., & (OCR), O. F. (2013, July 26). Breach Notification Rule. Retrieved January 09, 2018, from https://www.hhs.gov/hipaa/for-professionals/breach notification/index.html