Southern New Hampshire University, CYBER SECU 630: Security breaches threaten patient privacy when confidential health information is made available to others without the individual's consent or authorization


Southern New Hampshire University CYBER SECU 630

Security breaches threaten patient privacy when confidential health information is made available to others without the individual's consent or authorization.

Two recent incidents at Howard University Hospital in Washington showed how inadequate data security affects a large number of people. On May 14, 2013, federal prosecutors charged one of the hospital's medical technicians with violating HIPAA. Prosecutors said that over a 17-month period, the employee used their position at the hospital to gain access to patients' names, addresses, and Medicare numbers in order to sell that information. The employee subsequently pleaded guilty and was sentenced to 6 months in a halfway house and fined $2,100.

A few weeks earlier, the same hospital informed more than 34,000 patients that their medical data had been compromised. A contractor working with the hospital had downloaded the patients' files onto a personal laptop, which was stolen from their car. The data was password protected but unencrypted, which means anyone who guessed the password could have read the patient files; no randomly generated encryption key stood between the thief and the data. According to a hospital press release, those files included names, addresses, and Social Security numbers and, in a few cases, "diagnosis related information."

Discuss the differences between the two cases above and whether the contractor should have been charged (and if not, why not). What precautions could the hospital have taken to prevent or mitigate the potential damage in both cases?
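The laptop case turns on the difference between "password protected" and "encrypted". The following Python is an added illustration, not part of the assignment or of any Howard University Hospital system: it stores a constructed sample record two ways and shows what a thief who reads the raw bytes gets in each case. The "password protected" variant models an application-level password check sitting in front of plaintext on disk; the encrypted variant uses a random 256-bit key with an HMAC-SHA256 counter-mode keystream plus an encrypt-then-MAC tag, chosen only so the example runs with the standard library (a production system would use an authenticated cipher such as AES-GCM and full-disk encryption). Record contents, key handling and function names are all assumptions made for the example.

```python
"""Added example: 'password protected' storage versus encrypted storage.

The record below is constructed and does not describe a real person.
"""
import hashlib
import hmac
import secrets
import struct

# Constructed sample record (not real patient data).
SAMPLE_RECORD = b"name=Jane Doe;address=1 Main St;ssn=123-45-6789;diagnosis=redacted"


def protect_with_password(record: bytes, password: str) -> bytes:
    """Model of 'password protected' storage: the password only gates the
    reader application. The record itself is written to disk in the clear."""
    return hashlib.sha256(password.encode()).digest() + record


def open_with_password(blob: bytes, password: str) -> bytes:
    """The reader checks the password, but nothing stops reading blob[32:] directly."""
    expected = hashlib.sha256(password.encode()).digest()
    if not hmac.compare_digest(blob[:32], expected):
        raise PermissionError("wrong password")
    return blob[32:]


def generate_key() -> bytes:
    """Random 256-bit data-encryption key; there is nothing for a thief to guess."""
    return secrets.token_bytes(32)


def _subkeys(key: bytes):
    # Separate keys for confidentiality and integrity, derived from the master key.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode over a PRF: block i = HMAC(enc_key, nonce || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(key: bytes, record: bytes) -> bytes:
    """Return nonce || ciphertext || tag. Without `key`, the bytes carry no information."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ks = _keystream(enc_key, nonce, len(record))
    ciphertext = bytes(a ^ b for a, b in zip(record, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_record(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first (wrong key or tampering raises), then decrypt."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or record tampered with")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


def leaks_plaintext(on_disk: bytes, needle: bytes) -> bool:
    """What a laptop thief does: search the raw bytes for a field such as an SSN."""
    return needle in on_disk


if __name__ == "__main__":
    ssn = b"123-45-6789"
    print("password protected leaks SSN:", leaks_plaintext(protect_with_password(SAMPLE_RECORD, "hunter2"), ssn))
    key = generate_key()
    print("encrypted leaks SSN:", leaks_plaintext(encrypt_record(key, SAMPLE_RECORD), ssn))
```

The point the assignment draws out is visible in `leaks_plaintext`: the password check lives in the reader program, so a stolen disk is read around it, whereas the encrypted blob is useless without a key that was never on the laptop's keyboard.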


ANSWER:

Part A:

In this case study, the differences between the two cases, in terms of the violations involved, are as follows:

  • In the first case, the violation was committed by an individual who is an employee of the hospital, therefore an insider, while in the second case the violation was committed by an outsider who was just a contractor and therefore not employed by the hospital.
  • In the first scenario, the employee accessed the data with the intention of selling it for individual gain, or trading the information for money, without any authorization, while in the second scenario the contractor only downloaded the files to their personal laptop, without any intention of selling them.
  • In the first case the employee violated the Security Rule of Confidentiality, which is a security rule in HIPAA, hence there must be consequences since the employee broke the law. In the second case, the contractor did not violate any law because they did have access to the system, but downloaded files without authorization, which might have happened accidentally.
  • In the first case the employee incurred a fine and a six-month sentence as a repercussion for the behavior, while in the second case there are no penalties involved since the contractor's intentions with the downloaded files cannot be fully established.

To discuss whether the contractor should have been charged or not: in my opinion, I would say the contractor should not be charged.

This is because the contractor had access to the system in the first place, and downloaded the files to their personal computer, which is wrong, yes, but maybe the download happened accidentally. They should not be charged because their intention with the downloaded data still cannot be clearly established as malicious or not, because perhaps they downloaded the files just to test them or to perform a penetration test.


Part B:

The precautions that Howard University Hospital could have taken to prevent the damages caused by the two cases are as follows:

  • They could have used encryption for their data to ensure the privacy of the information. In this way, the information can only be read by individuals holding the corresponding decryption keys, as in the case of the contractor, where the information lost on the stolen laptop was not encrypted.
  • The hospital should have reinforced controls, security policies and procedures that would have served to keep and manage the privacy and confidentiality of patients' information.
  • Howard University Hospital could have employed a security expert, specifically a Security Officer, and put them in charge of information security, operating together with the IT health experts.
  • The hospital should have conducted random audits periodically to establish the value of the security policies and procedures. This would have helped in revealing the cause of inappropriate access in time, in relation to both cases in the case study above.
  • The hospital could have used a cloud service together with encryption for the storage of their information, and deployed intrusion detection software to ensure the integrity of their data.
  • The Health Insurance Portability and Accountability Act (HIPAA) is a Security Rule that was formed by Health and Human Services (HHS) to enforce the privacy and security of health information.
  • Patient information stored in a system is categorized as an Electronic Health Record (EHR), which is a structured electronic storage of patient and population health information in a digital manner.

Reference:

  • Fouzia F. Ozair. (2015). Ethical issues in electronic health records: A general overview. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4394583/
  • HHS.gov. (2013). Summary of the HIPAA Security Rule. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
  • Wikipedia. (2021). Electronic health record. https://en.wikipedia.org/wiki/Electronic_health_record
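The answer's Part B recommends periodic audits that would reveal inappropriate access in time. The following Python is an added example, not part of the answer above or of any hospital's tooling, of what such an audit can actually compute from an EHR access log: it parses constructed log lines, compares each user's number of distinct patient records viewed against their peers (the technician case, where one user touched far more records than a normal role needs), and separately lists every bulk export (the contractor case, where data left the system for a laptop). The log format, user names, thresholds and function names are all assumptions made for the example.

```python
"""Added example: two audit checks over a constructed EHR access log."""
import re
from collections import defaultdict
from statistics import median

# Assumed log format: "<timestamp> user=<id> action=<VIEW|EXPORT> patient=<id>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)

# Constructed log lines for one day; users and patient ids are made up.
SAMPLE_LOG = [
    "2013-01-07T08:02:11Z user=nurse01 action=VIEW patient=P1001",
    "2013-01-07T08:05:40Z user=nurse01 action=VIEW patient=P1002",
    "2013-01-07T08:07:02Z user=nurse01 action=VIEW patient=P1003",
    "2013-01-07T08:10:15Z user=nurse02 action=VIEW patient=P1004",
    "2013-01-07T08:11:50Z user=nurse02 action=VIEW patient=P1005",
    "2013-01-07T09:00:00Z user=doc01 action=VIEW patient=P1001",
    "2013-01-07T09:03:00Z user=doc01 action=VIEW patient=P1006",
    "2013-01-07T09:06:00Z user=doc01 action=VIEW patient=P1007",
    "2013-01-07T09:09:00Z user=doc01 action=VIEW patient=P1008",
    "this line is deliberately malformed and must be skipped",
    "2013-01-07T13:00:00Z user=contractor07 action=EXPORT patient=P1001",
    "2013-01-07T13:00:01Z user=contractor07 action=EXPORT patient=P1002",
]
# One user viewing fifteen unrelated records in quick succession (constructed).
SAMPLE_LOG += [
    f"2013-01-07T12:{i:02d}:00Z user=tech042 action=VIEW patient=P{2000 + i}"
    for i in range(15)
]


def parse_log(lines):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def distinct_patients_per_user(records, action="VIEW"):
    """Map user -> set of distinct patient ids touched with the given action."""
    seen = defaultdict(set)
    for r in records:
        if r["action"] == action:
            seen[r["user"]].add(r["patient"])
    return seen


def flag_excessive_access(records, multiplier=3.0, floor=5):
    """Users whose distinct-patient view count exceeds max(floor, multiplier * peer median).

    The peer median keeps the rule relative to normal workload; the floor stops
    a tiny sample from flagging everyone. Both numbers are assumed tuning values.
    """
    counts = {u: len(p) for u, p in distinct_patients_per_user(records).items()}
    if not counts:
        return []
    threshold = max(floor, multiplier * median(counts.values()))
    return sorted(u for u, c in counts.items() if c > threshold)


def bulk_exports(records):
    """Every user who exported records, with how many distinct patients left the system."""
    return {u: len(p) for u, p in distinct_patients_per_user(records, action="EXPORT").items()}


def run_audit(lines):
    """One audit pass: returns both findings so they can be reviewed together."""
    records = list(parse_log(lines))
    return {
        "excessive_access": flag_excessive_access(records),
        "exports": bulk_exports(records),
    }


if __name__ == "__main__":
    print(run_audit(SAMPLE_LOG))
```

On the constructed log the peer median is 3.5 distinct patients, so the threshold is 10.5 and only `tech042` is flagged, while `contractor07` appears in the export list with two records. A real audit would run this daily over the full log and route both findings to the Security Officer the answer recommends appointing.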
