Breaching the Security of an Internet Patient Portal
Synopsis
A health care information system is a fundamental component of any health care organization, because it holds all the data and records used in patient care; the Kaiser Permanente Internet Patient Portal case illustrates this clearly. Kaiser Permanente was an integrated health care system serving over eight million people in nine states and the District of Columbia. In the late 1990s it introduced an Internet Patient Portal, also referred to as KP Online, to support a range of processes online: scheduling appointments, prescriptions and refills, clinical advice, acquiring health care services, and participation in patient forums. Despite these efficiencies, the system suffered a considerable setback in August 2000, when the security of the KP Online refill application was breached: programmers had deployed a flawed script that mixed up over 800 individual e-mail messages. A number of patients using the system detected the irregularity and notified the organization, which in turn took considerable steps to rectify the system and to safeguard patients' privacy.
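The case does not say how the KP Online script was flawed, so the following is an added, hypothetical illustration (not Kaiser Permanente's code) of the kind of pre-send cross-check a batch mailer can run so that a refill notice generated for one patient record is never released to another patient's address or with another patient's details; the patient records, message fields and sample batch are constructed data.

```python
import re
from dataclasses import dataclass

# Constructed sample patient records (hypothetical, not real data).
PATIENTS = {
    "P-1001": {"email": "a.example@example.org"},
    "P-1002": {"email": "b.sample@example.org"},
    "P-1003": {"email": "c.placeholder@example.org"},
}

@dataclass
class OutgoingMail:
    to: str          # recipient address as assembled by the mailer
    patient_id: str  # record the message was generated for
    body: str

PATIENT_ID_RE = re.compile(r"\bP-\d{4}\b")  # constructed record-id format

def check_batch(batch):
    """Return (index, reason) pairs for every message that fails a cross-check.

    Checks (hypothetical safeguards, not the portal's actual code):
      1. the recipient address must match the address on the patient record;
      2. the body may reference only the recipient's own patient id;
      3. no two messages may share an identical body (a sign of reused state).
    """
    problems, seen_bodies = [], {}
    for i, msg in enumerate(batch):
        record = PATIENTS.get(msg.patient_id)
        if record is None:
            problems.append((i, "unknown patient id"))
            continue
        if msg.to.lower() != record["email"].lower():
            problems.append((i, "recipient does not match patient record"))
        foreign = set(PATIENT_ID_RE.findall(msg.body)) - {msg.patient_id}
        if foreign:
            problems.append((i, f"body references other patients: {sorted(foreign)}"))
        if msg.body in seen_bodies:
            problems.append((i, f"duplicate body of message {seen_bodies[msg.body]}"))
        else:
            seen_bodies[msg.body] = i
    return problems

def release_batch(batch):
    """Release only a batch in which every message passes; never send a partial batch."""
    problems = check_batch(batch)
    return (len(problems) == 0, problems)

# Constructed batch: message 0 is correct; 1 carries another patient's record id;
# 2 is addressed to the wrong patient and reuses message 1's body.
SAMPLE_BATCH = [
    OutgoingMail("a.example@example.org", "P-1001", "Your refill for record P-1001 is ready."),
    OutgoingMail("b.sample@example.org", "P-1002", "Your refill for record P-1003 is ready."),
    OutgoingMail("a.example@example.org", "P-1003", "Your refill for record P-1003 is ready."),
]
```

Holding the whole batch when any message fails is deliberate: a mix-up in one message is evidence that the generator's state is corrupt, so the remaining messages cannot be trusted either.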
Discussion
The e-mail security breach of the Kaiser Permanente Internet Patient Portal was extremely grave: the privacy and confidentiality of patients was put in peril, and the trust between patients and caregivers was likely to be jeopardized (Wager, Lee & Glaser, 2009). This was clearly evinced in the case, since nineteen members using the system obtained crucial medical information about other patients (Wager, Lee & Glaser, 2009). It was therefore appropriate for the administration to move quickly to contain the situation and prevent further violation of patient privacy and confidentiality (Wager, Lee & Glaser, 2009). Information systems are also beneficial in the management of health care information; the benefits include collection of data to demonstrate the clinical effectiveness of patient care, analysis of data for statistical comparison, and use of data for outcome measurement (Lundy & Janes, 2009), which further underlines the urgency of attending to the situation.
Addressing the breach is quite technical, and various measures must be considered in order to restore the system and patients' confidence. Apart from offering apologies to the affected patients, the key step is to establish a well planned response that follows a set of guidelines, consistent with the principal guidelines that Kanellis, Kiountouzis, Kolokotronics and Martako (2006) give for analysing the effect and severity of a breach. The guidelines given by Kanellis et al. (2006) include filtering at the countermeasure level so as to prevent the attacker's source address from getting through, and consequently isolating and disconnecting the infected system. Similarly, shutting down any and all affected systems would be necessary to prevent patients' private information from being accessed (Kanellis et al., 2006). In addition, a replica of the database is created so that staff can go through the information without destroying the evidence, and all network logs from the firewalls are captured and copied for examination (Kanellis et al., 2006). Lastly, the information collected helps in examining the method of breach, the type of information revealed, whether a vulnerability still exists on a different system, and whether the intruder left any rootkit (Kanellis et al., 2006). Conventionally, the information obtained will be exceedingly crucial when notifying federal law enforcement.
If the issue is not addressed and the relevant measures for resolving the underlying group and organizational issues are not put in place, the system (KP Online) would be susceptible to frequent breaches, owing to the lack of a proficient and secure system that can handle all the data (Wager, Lee & Glaser, 2009). Further, inconsistencies and lack of harmony within the organization would lead to a complex organizational structure, which likewise would not allow the development of an efficient system that promotes patient privacy (Lundy & Janes, 2009).
However, there are crucial steps the administration can take to protect the health information system and patients' privacy, by adhering to and emphasizing the relevant policies and codes of ethics (Lundy & Janes, 2009). The administration should also be at the forefront of ensuring a safe health care information system. According to Lundy and Janes (2009), the American Health Information Management Association (AHIMA) has formulated a code of ethics that assists in identifying core values, establishes ethical principles and promotes high standards of health information management (HIM) professional practice, which in turn amounts to safeguarding the health information system.
Besides, Mizani and Baykal (2007) argue that, despite existing policies, privacy in electronic health care is not fully protected. They further affirm that privacy policies should be represented and enforced electronically and managed through purpose-built software tools that can detect hidden errors in them. Structured Patient Privacy Policy (S3P) is a software tool designed to enhance electronic privacy policy; it is a computer program structured using the eXtensible Access Control Markup Language (XACML) and written in Java (Mizani & Baykal, 2007). S3P offers a platform for the definition, testing and comparison of different privacy policies so as to detect or disclose inefficiencies (Mizani & Baykal, 2007). Further, the tool provides tractability and dynamism, enabling policy makers to detect faults in existing policies, amend them and formulate other proficient policies (Mizani & Baykal, 2007).
Further, championing organizational credentialing is also remarkably indispensable, as it sets up a regulatory mechanism that protects the public's health, privacy in the health information system, and integrity (Lundy & Janes, 2009). Organizational credentialing also provides the best basis for the legal and ethical requirements that health care professionals, including nurses, use to maintain the confidentiality of patient information, hence offering quality security for the system and proper management of care plans and networks (Lundy & Janes, 2009). Voluntary organizations that offer accreditation include the Joint Commission on Accreditation of Health Care Organizations (JCAHO) for integrated delivery networks and health plans, the National Committee on Quality Assurance (NCQA), the National Association of Insurance Commissioners (NAIC), the American Accreditation HealthCare Commission (URAC), and the Community Health Accreditation Program (CHAP) (Lundy & Janes, 2009).
References
Kanellis, P., Kiountouzis, E., Kolokotronics, N. & Martako, D. (Eds.). (2006). Digital Crime and Forensic Science in Cyberspace. Hershey, PA: Idea Group Publishing.
Lundy, S. K. & Janes, S. (2009). Community Health Nursing: Caring for the Public's Health (2nd Ed.). Sudbury, MA: Jones and Bartlett Publishers, LLC.
Mizani, M. & Baykal, N. (2007). A software platform to analyze the ethical issues of electronic patient privacy policy: the S3P example. Journal of Medical Ethics, 33, 695-698. doi:10.1136/jme.2006.018473.
Wager, A. K., Lee, W. F. & Glaser, P. J. (2009). Health Care Information Systems: A Practical Approach for Health Care Management (2nd Ed.). San Francisco, CA: John Wiley & Sons, Inc.