Bridget Baca
HCS/533
January 28, 2012
Chong Daleiden
Security Breach Plan
Patient privacy and security are among the most important aspects of the St. John's Hospital code of conduct; the hospital takes pride in the sound policies and procedures it has set to maintain customer confidentiality. Each employee is held to a high standard of maintaining the highest level of privacy and confidentiality when it comes to patient health information (PHI). This paper will outline the plan that St. John's Hospital has created in case of a security breach or security threat in the facility. The primary cause of a security breach is usually related to the people or business side of an organization (Rhoades, 2009).
Management at St. John's Hospital has recently been notified that personnel have observed some of the cleaning staff reading paperwork that was thrown away in the Information Systems (IS) department; this has happened on numerous occasions. The cleaning staff are provided by a third-party company and are not direct employees of St. John's Hospital, which makes the security breach even more serious. Personnel have been instructed to confront the cleaning staff if they witness something like this going on, but many of them would rather have a member of management confront the staff. The staff in the IS department have been trained on what steps to take when handling PHI and confidential information, but it seems some have become lax in following the policies and procedures that they are required to follow. Employees in the IS department have been instructed to shred any paperwork they are finished with that contains confidential information regarding a patient or the organization; if they are not finished with the paperwork, they are to lock it in a file cabinet where it can be accessed only by authorized personnel. The training is performed upon hiring and is also required annually as a refresher on the privacy policies and procedures.
Responding to this situation takes some planning; management must come together to create an action plan for situations where patient security is compromised. Since there is no real way to tell what the cleaning staff saw, or whether they removed any of this paperwork when nobody was paying attention, the plan must prepare everyone involved for the worst. A security response team should be formed with a member from each department in the organization, and the person chosen from each department should be able to establish and implement a sustainable security response process.
Management Plan
One of the first things that has to be done when there is a security breach is to notify any and all victims that may have been affected by the breach. Victims of a security breach also have to take steps and precautions after learning that a breach has occurred, since it can directly affect the patients. These patients first have to find out what information was included in the security breach; if it includes sensitive information such as a Social Security number, the patient should set up fraud alerts with the credit reporting agencies (Privacy Rights Clearinghouse, 2012). This will notify them if any new accounts are opened under their Social Security number. This information should be communicated to all patients whose information has been compromised in the security breach. There are three steps that should be taken to do this:
* Risk Assessment – A security risk is a known, yet unrealized, situation.
* Trigger Events – The risk assessment should identify threats and establish a system to monitor for security breach events. The security response team should be able to identify trigger events and respond promptly.
* Mitigation Plan – The team must create an incident response protocol that outlines the mitigation plan.
A security risk analysis should be performed before any security breach management plan can be created; it is a HIPAA requirement. This is an appropriate method of identifying any areas or departments within the organization that may be vulnerable to a breach of confidential medical records or PHI. There are three types of security safeguards outlined in the HIPAA Security Rule that should be addressed during the risk analysis: administrative, physical, and technical safeguards. A few steps have to be followed to create a successful security management plan; Health Information Management (HIM) employees have to work closely with IT professionals to ensure all policies and procedures of this management plan reflect HITECH requirements (Eramo, 2011). There are three main elements that should be included in the management plan:
1. Discovery: Weekly reports should be run to identify laptops and devices that have not been accessed in five to seven days; this could mean the device is lost or stolen, which could cause a breach. Passwords should be changed regularly for each employee, there should be a contract set up with a shredding company, and locked receptacles should be available throughout the hospital so that confidential documents may be disposed of safely and securely. If these steps are not followed, a breach could result.
2. Reporting: All employees should be aware that they need to report any incident they witness that does not follow the organization's policies and procedures. A no-retaliation policy will need to be set up so that these employees feel comfortable coming forward with any information they may have regarding a possible breach.
3. Notification: Identify who has been compromised, whether patients, media, or state or federal agencies, and the timelines within which they should be notified of a breach. Keep a list of contact information for all of these entities to communicate the breach and what steps will be and should be taken if this happens.
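The Discovery element above calls for a weekly report of laptops and devices that have not been accessed in five to seven days. The Python script below is an added illustration of how such a report can be produced; it is not part of the original paper and not a St. John's Hospital system. The inventory records, device names, owner names, and run date are constructed sample data, and the two-tier handling (five idle days to follow up with the owner, seven to treat the device as possibly lost or stolen) is an assumed reading of the "five to seven days" window. In practice the inventory would be pulled from the hospital's asset or endpoint management system rather than embedded in the script.

```python
from datetime import datetime

# Constructed sample inventory (not hospital data): device id, assigned user,
# and last check-in time in ISO 8601. None means the device has never reported in.
INVENTORY = [
    {"device": "LT-IS-0101",  "owner": "a.hernandez", "last_seen": "2012-01-27T16:05:00"},
    {"device": "LT-IS-0102",  "owner": "b.okafor",    "last_seen": "2012-01-22T08:30:00"},
    {"device": "LT-HIM-0210", "owner": "c.nguyen",    "last_seen": "2012-01-18T12:45:00"},
    {"device": "TAB-ER-0031", "owner": "d.patel",     "last_seen": None},
]

# Constructed run date for the weekly report.
REPORT_DATE = datetime(2012, 1, 28, 9, 0)

# Assumed two-tier thresholds derived from the plan's "five to seven days" window.
FOLLOW_UP_DAYS = 5   # idle this long: contact the owner
LOST_DAYS = 7        # idle this long: treat as possibly lost/stolen, open a breach assessment


def idle_days(last_seen, as_of):
    """Whole days since the device last checked in, or None if it never has."""
    if last_seen is None:
        return None
    return (as_of - datetime.fromisoformat(last_seen)).days


def classify(days):
    """Map idle days to the action the weekly report should trigger (None = no action)."""
    if days is None:
        return "never checked in: verify enrollment and locate device"
    if days >= LOST_DAYS:
        return "possible loss or theft: open breach assessment"
    if days >= FOLLOW_UP_DAYS:
        return "follow up with owner"
    return None


def stale_devices(inventory, as_of):
    """Return flagged devices with idle days and action, never-seen first, then longest idle."""
    flagged = []
    for rec in inventory:
        days = idle_days(rec["last_seen"], as_of)
        action = classify(days)
        if action is not None:
            flagged.append({**rec, "idle_days": days, "action": action})
    # Devices that never checked in sort first; the rest sort by descending idle days.
    flagged.sort(key=lambda r: (r["idle_days"] is not None, -(r["idle_days"] or 0)))
    return flagged


def weekly_report(inventory, as_of):
    """Render the flagged list as plain-text lines for the security response team."""
    lines = [f"Stale device report as of {as_of.date().isoformat()}"]
    for r in stale_devices(inventory, as_of):
        idle = "never" if r["idle_days"] is None else f"{r['idle_days']}d"
        lines.append(f"{r['device']:<12} {r['owner']:<12} idle={idle:<6} {r['action']}")
    return lines


if __name__ == "__main__":
    print("\n".join(weekly_report(INVENTORY, REPORT_DATE)))
```

Run as written, the report flags the tablet that has never checked in, the HIM laptop idle for nine days (escalated as possibly lost or stolen), and the IS laptop idle for six days (owner follow-up); the laptop seen the previous afternoon is not listed. The never-checked-in case is kept separate because a missing check-in can mean a device that was never enrolled rather than one that was lost, and the two call for different follow-up.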
Management should stay involved in the day-to-day procedures required to prevent a breach; they should do a weekly audit of any patient logs that are regularly kept, and create a detailed training program outlining all of the policies and procedures with which all employees are required to comply. Any vendors that enter the building, including the cleaning staff, should have to sign in and out and should be able to thoroughly explain the duties they performed while in the facility. This will help prevent unauthorized personnel from accessing PHI or other confidential information.
Training on the security management plan is to be conducted upon hiring of new employees along with any other training needed; it will also need to be conducted annually to cover any changes that may have occurred.
If a breach occurs, a reminder memo should be sent out company-wide to refresh employees on the policies and procedures that should be followed. The annual trainings are to be required computer modules that employees must complete on their own time by a set date each year; once the employee completes the module, a notification will be sent to his or her manager that it has been completed. If changes occur, a memo should be delivered to all employees outlining the change and providing them with an outlet to ask any questions they may have regarding the changes. Any employee who is known to have compromised PHI or any company confidential information will be reprimanded and, depending on the severity of the breach, can be fired and even prosecuted.
Patients have to be notified of the steps they can take if a breach occurs and whom they can contact if they have questions. The hospital has a responsibility to notify patients of a breach as soon as possible so they can take the proper precautions to protect themselves after the breach. Information on the HIPAA regulations is available on the hospital's website and on the HIPAA website and can be accessed by anyone; this is a good resource for patients as well.
Any organization has to have a management security plan in place to protect private information, especially a hospital such as St. John's Hospital. Keeping many patient records on file makes this and any hospital an easy target for a security breach. When the management of such an organization decides to use a third-party company for its janitorial service, it must first conduct a background check on that company to verify it is reliable and trustworthy. Since there is such delicate information at stake, management should also be sure the company is insured and bonded, and should perform background checks on its employees to ensure the safety of the information they may come in contact with. Once a management plan is implemented, it is important for the organization to update it and notify employees of any changes that are made to the plan at any time. Having this type of plan in place will make patients feel more comfortable with being treated at this organization and will help build a better reputation for St. John's Hospital. Patient security and confidentiality are of the utmost importance to St. John's Hospital, and the hospital is committed to following all policies and procedures that are regulated by federal and state laws.
References
Eramo, L. (2011, January 31). Keys to effective breach management. For The Record. Retrieved from http://www.fortherecordmag.com/archives/013111p14.shtml
Privacy Rights Clearinghouse. (2012, November). Fact sheet 17b: How to deal with a security breach. Retrieved from https://www.privacyrights.org/fs/fs17b-SecurityBreach.htm
Rhoades, H. (2009). Developing breach notification policies and procedures: An overview of mitigation and response planning. AHIMA. Retrieved from http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_044673.hcsp?dDocName=bok1_044673