Breaching the Security of an Internet Patient Portal
NI Topic:
Breaching The Security of An Internet Patient Portal
Nur-531
May 18, 2013
Introduction
Kaiser Permanente is a health system which serves over eight million members in nine states and the District of Columbia. In the 1990’s the KP Northern California region created an Internet Patient Portal known as “Kaiser Permanente Online” (KP Online)(Wager, 2009). KP Online provides members access to request appointments and prescription refills, obtain health information, and receive medical advice from staff. In August 2000, a breach occurred when an Operations technician applied patches to servers in support of a new KP Online pharmacy refill application. Subsequently, the outgoing e-mail function of KP Online failed and created a dead letter file of outbound messages with replies to patient inquiries that contained individually identifiable patient information (Collmann & Cooper, 2007). In trying to clear the e-mail file, a flawed computer script was created that concatenated over 800 individual e-mail messages, which contained personal identifiable. At least nineteen of the e-mails reached their intended destination (Collmann & Cooper, 2007). Two members who received the email messages reported the incident to KP. Kaiser considered the breach was a significant incident due to the number of messages sent. As a result, the company created a crisis team to find the cause of the breach. The Kaiser crisis team notified its members and issued a press release three days after the breach.
Major Issues This case study protected sensitive patient information was comprised during the e-mail security breach. The Kaiser Permanente leadership reacted quickly to mitigate the damage of the breach because the company was non-compliant with good information security practice and regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) which established standards for the
Breaching The Security of An Internet Patient Portal
Nur-531
May 18, 2013
Introduction
Kaiser Permanente is a health system which serves over eight million members in nine states and the District of Columbia. In the 1990’s the KP Northern California region created an Internet Patient Portal known as “Kaiser Permanente Online” (KP Online)(Wager, 2009). KP Online provides members access to request appointments and prescription refills, obtain health information, and receive medical advice from staff. In August 2000, a breach occurred when an Operations technician applied patches to servers in support of a new KP Online pharmacy refill application. Subsequently, the outgoing e-mail function of KP Online failed and created a dead letter file of outbound messages with replies to patient inquiries that contained individually identifiable patient information (Collmann & Cooper, 2007). In trying to clear the e-mail file, a flawed computer script was created that concatenated over 800 individual e-mail messages, which contained personal identifiable. At least nineteen of the e-mails reached their intended destination (Collmann & Cooper, 2007). Two members who received the email messages reported the incident to KP. Kaiser considered the breach was a significant incident due to the number of messages sent. As a result, the company created a crisis team to find the cause of the breach. The Kaiser crisis team notified its members and issued a press release three days after the breach.
Major Issues This case study protected sensitive patient information was comprised during the e-mail security breach. The Kaiser Permanente leadership reacted quickly to mitigate the damage of the breach because the company was non-compliant with good information security practice and regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) which established standards for the
References: American Nurses Association. (2012). ANA Ethics Position Statement Privacy and Confidentiality. Silver Springs, MD: Author. Retrieved May 18, 2013 from ANA website. Collmann, J., & Cooper, T. (2007). Breaching The Security Of The Kaiser Permanente Internet Patient Portal: The Organizational Foundations Of Information Security. Journal of the American Medical Informatics Association, 14(2), 239-243. Harrison J., & Booth N. (2003). Applying new thinking from the linked and emerging fields of digital identity and privacy to information governance in health informatics. Informatics in Primary Care Journal, 11(4), 223-8. Retrieved from CINAHL database. HIPAA FAQs. (2002, August 1). Corporate Responsibility Resources For Businesses And Marketers. Retrieved May 18, 2013, from http://www.dmaresponsibility.org/HIPPA/. Rossel, C. L. (2003). HIPAA: An informatics system perspective, Chart, 100(1). Retrieved May 18, 2013 from CINANL database. Saba, V., & McCormick, K. A. (5th Ed.). (2011). Essentials of Nursing Informatics. Trustworthy Systems for Safe and Private Healthcare (pp. 271-277). New York: McGraw-Hill Companies. Wager, K. A., Lee, F. W., & Glaser, J. (2009). Health care information systems: a practical approach for health care management (2nd ed.). San Francisco, CA: Jossey-Bass.