The HIPAA privacy and security rules provide federal protection for individually identifiable health information. Consider a physician practice that is transitioning from being paper based to electronic medical records. The receptionist area contains both hanging folders and the desktop computer on which the practice management system runs. During the transition, a patient’s health information (valued asset) will exist in two states: on paper in a hanging folder and in an electronic record on a computer.
Identify and evaluate the risks for each state in terms of:
Threats
Vulnerabilities
Probability of a breach (low, medium, or high).
In your answer, include a discussion of authentication, integrity, and accountability.
Securing a patient's information is of utmost importance in healthcare. There are various risks involved in both physical data (paper data) and the EHR (Electronic Health Record).
Medical records that are kept in hanging files are susceptible to theft, misplacement and physical damage. Papers kept in files are more vulnerable to loss of data due to improper storage or damage from mechanical factors such as a fire caused by a short circuit, or a flood. The probability of a breach is lower than with an electronic health record storage system. A possible cause would be robbery or misuse by a hospital employee or any other employee of the institution. Authentication and accountability of these data are also greater than with EHR, as they are written directly by hand and initialled by the medical practitioner. However, integration of these data is less than with EHR.
Electronic health records are highly vulnerable to hacking without proper cyber security.
It can mislead a patient's treatment in an emergency, as per the information entered in the EHR, and put the life of the patient at risk. A possible cause for the loss of such data is damage to or theft of laptops and hard drives, or malware. Another cause of breach in EHR is not discontinuing the login facilities of employees who have left the institution. Even though EHR is highly vulnerable, tightening cyber security could improve authentication, integrity and accountability. For instance, OTPs (one-time passwords) could be generated in order to secure the use of a patient's record as well as the accountability for making entries in the EHR.
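The point above about logins left active after an employee leaves can be checked routinely. The following is an added example, not part of the original answer: it compares a staff roster with the EHR account list and access log to flag enabled accounts of departed staff, shared logins with no accountable owner, and record access after a departure date. All usernames, record ids and data structures are constructed for illustration.

```python
from datetime import date, datetime

# Constructed sample data (hypothetical names, not from any real system).
HR_ROSTER = {  # username -> last working day, None if still employed
    "asmith": None,
    "bjones": date(2024, 3, 15),
    "cnguyen": date(2024, 5, 1),
}
EHR_ACCOUNTS = {  # username -> is the login enabled?
    "asmith": True,
    "bjones": True,     # left the practice, login never disabled
    "cnguyen": False,   # disabled on departure
    "frontdesk": True,  # shared login, maps to no individual
}
ACCESS_LOG = [  # (ISO timestamp, username, patient record id)
    ("2024-03-10T09:12:00", "bjones", "P-1001"),
    ("2024-04-02T22:47:00", "bjones", "P-1001"),
    ("2024-04-30T14:05:00", "cnguyen", "P-1002"),
    ("2024-05-03T08:30:00", "asmith", "P-1002"),
]

def audit_accounts(roster, accounts, today):
    """Return (stale, unowned): enabled logins of departed staff, and
    enabled logins that cannot be tied to one accountable person."""
    stale, unowned = [], []
    for user, enabled in sorted(accounts.items()):
        if not enabled:
            continue
        if user not in roster:
            unowned.append(user)
        elif roster[user] is not None and roster[user] < today:
            stale.append(user)
    return stale, unowned

def post_departure_access(roster, log):
    """Return log entries dated after the user's last working day."""
    hits = []
    for ts, user, record in log:
        left = roster.get(user)
        if left is not None and datetime.fromisoformat(ts).date() > left:
            hits.append((ts, user, record))
    return hits

if __name__ == "__main__":
    stale, unowned = audit_accounts(HR_ROSTER, EHR_ACCOUNTS, date(2024, 6, 1))
    print("Disable these logins:", stale)
    print("No accountable owner:", unowned)
    for entry in post_departure_access(HR_ROSTER, ACCESS_LOG):
        print("Access after departure:", entry)
```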