Patient Portal
Kaiser Permanente is an integrated health delivery system that serves more than eight million members in nine states and the District of Columbia. In the late 1990s, Kaiser Permanente introduced an Internet patient portal, Kaiser Permanente Online (also known as KP Online). Members can use KP Online to request appointments, request prescription refills, obtain health care service information, seek clinical advice, and participate in patient forums.
Information Systems Challenge
In August 2000, there was a serious breach in the security of the KP Online pharmacy refill application. Programmers wrote a flawed script that concatenated more than eight hundred individual e-mail messages containing individually identifiable patient information, instead of sending each message separately as intended. As a result, nineteen members received e-mail messages containing private information about multiple other members. Kaiser became aware of the problem when two members notified the organization that they had received the concatenated e-mail messages. Kaiser leadership considered this incident a significant breach of confidentiality and security, and the organization immediately took steps to investigate and to apologize to those affected.
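The failure mode described above, a batch script that carries earlier recipients' content into later messages, is easy to reproduce and equally easy to guard against. The Python below is an added example written for this page, not Kaiser's script or any code from the case study; it is a hypothetical reconstruction, and the `Refill` records, member IDs and addresses are constructed sample data. It shows the classic "accumulator never reset" bug beside a corrected builder, plus a pre-send check that refuses to dispatch any message that mentions another member's identifier.

```python
from dataclasses import dataclass


@dataclass
class Refill:
    member_id: str
    email: str
    drug: str


@dataclass
class Message:
    to: str
    body: str


# Constructed sample input (hypothetical members, not real data).
REFILLS = [
    Refill("M-001", "a@example.org", "metformin"),
    Refill("M-002", "b@example.org", "sertraline"),
    Refill("M-003", "c@example.org", "lisinopril"),
]


def render(r: Refill) -> str:
    """Text intended for exactly one member."""
    return f"Member {r.member_id}: your refill of {r.drug} is ready.\n"


def build_messages_flawed(refills):
    """Assumed shape of the bug (a reconstruction, not the real script):
    the body buffer is declared once and never reset, so every message
    after the first also carries the text meant for each earlier recipient,
    and the last recipient receives the whole batch."""
    out = []
    body = ""
    for r in refills:
        body += render(r)            # appends to the running buffer
        out.append(Message(r.email, body))
    return out


def build_messages_fixed(refills):
    """Corrected builder: a fresh body is rendered for each recipient."""
    return [Message(r.email, render(r)) for r in refills]


def cross_contaminated(messages, refills):
    """Pre-send guard, independent of how the messages were built: a message
    may reference only its own recipient's member ID. Returns a list of
    (to, foreign_member_id) pairs, one per leak, so [] means safe to send."""
    owner_of = {r.email: r.member_id for r in refills}
    all_ids = {r.member_id for r in refills}
    leaks = []
    for m in messages:
        for mid in sorted(all_ids - {owner_of[m.to]}):
            if mid in m.body:
                leaks.append((m.to, mid))
    return leaks


def send_batch(refills, builder):
    """Build, verify, and only then hand the batch to the mailer (here the
    batch is returned instead of sent). Refuses the whole batch on any leak."""
    msgs = builder(refills)
    leaks = cross_contaminated(msgs, refills)
    if leaks:
        raise RuntimeError(
            f"refusing to send: {len(leaks)} cross-member leak(s): {leaks}")
    return msgs


if __name__ == "__main__":
    print("flawed:", cross_contaminated(build_messages_flawed(REFILLS), REFILLS))
    print("fixed: ", cross_contaminated(build_messages_fixed(REFILLS), REFILLS))
```

The guard is deliberately separate from the builder, so it catches the defect regardless of which group's code produced the batch; in a real deployment it would key on whatever unique patient token the template embeds, and a cheap second check is a cap on body length relative to the single-recipient template.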
On the same day the first member notified Kaiser about receiving the problem e-mail, a crisis team was formed. The crisis team began a root cause analysis and a mitigation assessment process. Three days later Kaiser began notifying its members and issued a press release.
The investigation of the cause of the breach uncovered issues at the technical, individual, group, and organizational levels. At the technical level, Kaiser was using new web-based tools, applications, and processes. The pharmacy module had been evaluated in a test environment that was not equivalent to the production environment. At the individual level, two programmers, one from the e-mail group and one from the development group, working together for the first time in a new environment and working under intense pressure to quickly fix a serious problem, failed to adequately test code they produced as a patch for the pharmacy application. Three groups within Kaiser had responsibilities for KP Online: operations, e-mail, and development. Traditionally these groups worked independently and had distinct missions and organizational cultures. The breach revealed the differences in the way groups approached priorities. For example, the development group often let meeting deadlines dictate priorities. At the organizational level, Kaiser IT had a very complex organizational structure, leading to what Collmann and Cooper (2007, p. 239) call “compartmentalized sensemaking.” Each IT group “developed highly localized definitions of a situation, which created the possibility for failure when integrated into a common infrastructure.”
Discussion Prompt: Answer the following questions in 2-4 sentences.
1. How serious was this e-mail security breach? Why did the Kaiser Permanente leadership react so quickly to mitigate the possible damage done by the breach?
2. Assume that you were appointed as the administrative member of the crisis team created the day the breach was uncovered. After the initial apologies, what recommendations would you make for investigating the root cause(s) of the breach? Outline your suggested investigative steps.
3. How likely do you think future security breaches would be if Kaiser Permanente did not take steps to resolve the underlying group and organizational issues? Why?
4. What role should the administrative leadership of Kaiser Permanente take in ensuring that KP Online is secure? Apart from security and HIPAA training for all personnel, what steps can be taken at the organizational level to improve the security of KP Online?
1. The e-mail security breach was a serious violation of the privacy principles behind HIPAA (1996). KP's handling of the messages disregarded the following five components of that privacy framework:
· Boundaries: information is disclosed for health purposes only
· Security: information must be safeguarded by KP
· Consumer control: patients are to be informed of disclosures of their information
· Accountability: KP could be charged under criminal and civil law for PHI disclosure
· Public responsibility: individual interests must not override national priorities in public health, medical research, or law enforcement.
Kaiser Permanente's leadership reacted quickly because the company could face criminal charges and civil lawsuits. Although the HIPAA Security Rule was still under review in 2000, KP wanted to provide "evidence of Kaiser's good faith and basic competence" by notifying affected members and the relevant regulatory agencies. In fact, "the public press praised Kaiser's forthright response," and members did not litigate.
2. I would recommend to the crisis team the eight steps found on the HIPAAdvisory.com website. Adherence to Weil's eight steps will "improve the health care organization's information security program".

For boundary definition, I would recommend asking KP personnel, via interviews and questionnaires, to list all patient-specific health information, all external and internal healthcare information systems, and all users of that information and those systems. In addition, the team should inspect the organization itself to develop its own system list.

For threat identification, the team should identify and list the possible threats to KP's healthcare information systems, including floods, fires, power outages, and human factors. In this instance, the investigation would primarily cover the repercussions of the operations technician's patch for the pharmacy application server and the two KP programmers' flawed e-mail script.

For vulnerability identification, the team should list the company's flaws or weak areas. According to Perrow, KP's complex and tightly coupled system is "bound to fail eventually". Because of its "early stage of an organizational [IT] life cycle" and changing environment, Vogus and Welbourne (2003) state, KP was more likely to encounter "unexpected and unfamiliar sequences, and incomprehensible interactions". Therefore, the crisis team should categorize KP IT's recent national reorganization and the launch of KP Online as weaknesses.

For security control analysis, the team should analyze KP's security and preventive controls: access controls, authentication procedures, and controls that detect actual or potential breaches. Since an inadequately tested patch reached production, the team should expect to find few, if any, of these controls in place.

For risk likelihood determination, the team should examine KP's complex and tightly coupled system and its non-integrating IT departments.
After a thorough assessment of KP's organization, the team should rate three things as high, intermediate, or low: the likelihood that a threat penetrates the system; the impact if a threat exploits one of the company's weak areas; and the adequacy of the existing security controls. From these ratings, the team determines KP's overall risk of a repeat incident as high, intermediate, or low. By following the eight steps, the crisis team will arrive at risk-management policies and procedures to implement, and at sanctions for noncompliant employees or individuals. In turn, these measures will deter future breaches and security violations.
3. If KP did not undergo organizational restructuring, future HIPAA violations would be very likely. The company's inherent production of errors and breaches stemmed from the "compartmentalized sense making characteristic of the various components of KP-IT" and from its use of "high-hazard technological systems". The departments were distinct entities with different guidelines, procedures, and missions, and each IT department had its own problem-solving techniques. Untrained and unable to function as a team, the compartmentalized departments operated as separate businesses rather than as conjoined subunits of one IT department; essentially, KP's one hand did not know what the other was doing. KP's technological structure mirrored a tightly coupled, complex system. A tightly coupled system has interrelated component parts "in such a manner that there are few possible substitutions, time-dependent processes, and minimal slack and buffers". Consequently, KP's complex system would continue to experience unanticipated events from its intricately interacting components, and its future would hold incomprehensible occurrences tied to disastrous events.
4. To ensure that KP Online is secure, KP's administrative leadership should design a security program that protects "not only patient-specific information but also the organization's IT assets - such as the networks, hardware, software, and applications - from potential threats" arising from human behavior and from natural or environmental causes. The program should adhere to the administrative, physical, and technical safeguards of the HIPAA Security Rule. At the same time, it should balance keeping unauthorized users out of the healthcare information system with granting authorized users access to the healthcare data and information they need. To verify proper implementation of security measures, Wager, Lee, and Glaser (2009) recommend that KP administration seek input from system end users and consult legal counsel and technical experts. To improve KP Online's security, employees should avoid nonsecure websites, not share passwords, not install unauthorized software, not use KP's computers for personal use or profit, and protect hardware from theft.