Technology Applications in Healthcare - Essay Example

Part A. Create Planning, Organizing, Directing, Controlling (PODC) HIPAA Training Model By Doing The Following:

Describe how you would teach the hospital employees the rules and regulations regarding HIPAA.

Planning

Strategic planning is an essential requirement that every organization must enforce if the desired goals and objectives will become achieved (Taj and Payton, 2010). Without careful planning, an organization is bound to end up with undesirable results. Before executing a training program for the hospital staff, there is a need for a high-level strategic planning meeting by the executive. HIPAA requires extensive training due to the numerous questions and confusion that might arise (Downing et al, 2013). The executive must ensure they determine the length of the training program and which topics will become appropriate for training. Through careful planning, the program should be one that will not only educate but also motivate.

Organizing

For one to come up with a valid training program, it is essential to organize it using a systematic, step-by-step process (Kinicki et al., 2014, Tan and Payton, 2010). It is essential for one to identify what are the organizational goals. This will allow an individual to organize the program in such a manner that it aligns itself with these objectives. Recognizing the different personnel at the hospital is essential. It is because, not all employees will become trained in the same way. For some staff, they may have various functions but have minimal involvement with protected health information and patients. Such employees will not require training in HIPAA. Therefore, the program must be one that is relevant to the employee staff functions.

Deliver

The training program will become delivered through using a role-based training model. It relates to the function of an employee within the hospital. The approach takes into account a variety of aspects unique to the employees role in the company. The training will become carried out through group and general presentations. Similarly, the trainees will receive documentation on HIPAA via emails which they will have to go through.

Control

It is crucial for the trainers to ensure they determine how successful the training program will become through checking the actual performance of the employees against the recommended HIPAA standards (Kinicki et al., 2014). To ensure that the attendees avail themselves during the training session, a daily attendance sheet will have to be signed. The establishment of support groups among attendees will ensure that they remain up-to-date with information learned from the program. The creation of spot-checks during the training session will help one determine how the program is running through receiving feedback from employee via questionnaires. A delayed questionnaire will allow one to determine how much the trainees still remember about their HIPAA training.

Identify three appropriate types of PHI that can be shared among staff.

Phone Records

Patient Name

Medical File Number

Identify where in the facility the information sharing should take place.

Physician offices

Laboratory

Hospital wards

Identify three individuals who can use and disclose this information.

Patient

Individuals Family

Physicians

Describe two penalties associated with breaching patient information.

Civil penalties occur to an individual for the first-time infringement of HIPAA and fine ranges from $100 to $25,000 in a calendar year. Criminal penalties arise when one releases PHI knowingly. It will see one getting a $50,000 fine including a one ear jail sentence. In case an individual receives the information via pretenses, it amounts to a five-year jail sentence and a $100,000.In case one releases the data with the aim of causing harm or sells the information, it attracts a $250,000 fine and a ten ear jail sentence.

Identify two appropriate ways to secure data from one working shift to another using HIPAA guideline.

Availability of physical safeguards to prevent the access of PHI during working shifts which will prevent any unauthorized people from accessing these entities. Having in place unique security mechanism will ensure data from one working shift to another remains secure.

Complete an internal audit plan of all security measures meant to protect health information by doing the following:

Identify which department will oversee the audit.

The appropriate unit to carry out the audit is the human resources for it knows which of its staff have access to the PHI and the level of access granted to each. The human resource department will outline the storage of information and its transmission via the organizations network and helps in the development of various access controls lists and defines the type of access to become allowed to its different employees.

Explain three security practices the audit will review

PHI sign-out sheets

It will make it easy to identify who accessed specific information at what particular time in case of a data breach. Users who do not sign out on the PHI sheets increase the risk of PHI getting into the hands of unauthorized users.

Record location

Paper records still contain health information about the patients. It is essential to ensure that all these documents get stored in a safe place which cannot quickly become accessed by unauthorized personnel.

Secured storage

The storage devices must have protection to avoid any data copying, deletion or access, and in case they lack data authentication programs, they pose a security threat and increase the chances for unauthorized access.

Describe three potential changes that can be made within the organization to address the results of the audit (e.g., additional employee education).

Additional employee training

The best means to ensure some employees do not ignore simple tasks about PHI is to offer the employees further education on such matter to avoid any data breaches.

Data Encryption

Through data encryption, one cannot read the data unless it becomes decoded using an encryption key. All external data storage devices should become decrypted to avoid unauthorized access to the information (Li et al., 2010).

Storage of paper records in safe

The facility should build strong room through which all the past paper records become stored. The reason for storing such documents is for reference purposes in case a mistake becomes made when entering the patient information into the EHR.

Create a risk assessment plan to identify the potential for any future security breaches.

Threat Sources

A threat is an adverse occurrence that brings about negative impacts on an organizations day to day operations. An organization is susceptible to multiple threat sources and types which might include adversarial, environmental, structural and accidental (Sallam, 2015).

Threat Events (Adversarial)

Fraud and Theft

The attackers can employ the use of various techniques such as social engineering, social media, and advanced persisted threat (Hasan et al., 2010).

Insider Threat

Some of the events that might arise from this source include destruction of the hardware a facility, system crashing, deletion and entering of incorrect information, prevention of passwords regarded as being administrative and insertion of malicious codes that will affect the data

Malicious code

These consist of computer programs which aim at accessing, deleting or copying the data. They include viruses, logic bombs, worms and Trojan horses.

Threat Events (Non-Adversarial)

Errors and Omissions

They can lead to the emergence of database errors, data integrity, complications and an entire degradation of the system.

Loss of infrastructure and physical support

The emergence of natural and human-caused disasters might affect the information systems. They include fires, power failures, and damage to communication, floods, civil unrests, and transportation disruption which will lead to system downtime.

Vulnerabilities

Threat sources exploit any weaknesses in the system security procedures, internal controls, and system. Through the vulnerabilities, the entire system becomes exposed to a variety of challenges that can bring about massive losses not only to the organization but the patients correspondingly (Lu and Li, 2016). Examples of vulnerabilities include the following;

Terminated employees account still active in the system accessed by current employees.

In case the organization is using Microsoft Window based operating system, it has severe vulnerabilities such as internet explorer, IIS, and MS-SQL which can become exploited by the adversarial threat sources such as hackers, phishers, and spammers.

Poor hospital protocols

Likelihood, Impact, and Risk

The risk is the perspective for an undesirable consequence resultant from an occurrence as resolute by it likelihood and allied magnitudes. The combination of the threat and vulnerability brings about the quantity of risk that is bound to occur and can be high, medium or low. The likelihood is the probability that a prospective weakness may become exercised depending on the threat environment. The most common likelihood ratings include; high, medium and low. The impact outlines the magnitude of a threat affecting the information system. The effect modifies different or all the organizational functions such as loss of data integrity, availability, and confidentiality. Potential impact ratings include; high, medium and low.

Application Inventory

Clinical Decision Support system

The primary role of the CDS is to analyze data and help physicians in coming up with decisions making it a clinical system. It is a critical system and plays a huge role towards diagnosis and treatment of the patient. It is an indication that its data classification is confidential for it has PHI used in coming up with an appropriate diagnosis plan.

EHRS

Its primary role is to serve as a digital version of the patients paper record. The availability of PHI information adheres to HIPAA. However, about 2.5 GB of data is unencrypted with data transmission occurring electronically between physicians and patient

Hardware Inventory

Database servers

The primary purpose is for storing clinical applications including PHI and other critical information related to the hospital day-to-day operations. The HDD storage capacity is 1TB.

Backup servers

The primary purpose is to back-up all clinical applications, PHI and day to day operational information. The servers are 3 in number with each having HDD capacity size of 1TB.

Desktop and laptops

Help in entering data and are 50 in number with each having a 750 HDD capacity with 6GB/s HDD speed.

Risk Assessment Report

Cracking and guessing of users passwords Adversarial, Internal users Passwords have a seven-alphanumeric combination and a symbol medium medium Medium Adopt a two-factor authentication password

Running of unnecessary services by servers Unnecessary applications None Low low Low Reconfiguring server software to eliminate the unnecessary applications from running

Entering of SQL commands into the PHI database to extract or modify the data Adversarial, external and internal users Minimal input validation checks High High High Validation of all input parameters before being used.

Identify how often this assessment plan should be completed.

The risk assessment plan should become after every six months from the last date of update.

Identify who will complete this assessment plan.

The most suitable branch to supervise the auditing process is the human resource. It is mainly due to the department's involvement and ability to know which of its employee has access to what information...