Business and Data Management
Module 3
Case Study One Instructions
Scenario:
You have been hired as a security analyst for Garbo Rheumatology Research Center. This lab is producing cutting-edge treatments for rheumatology and similar autoimmune diseases. Despite being cutting edge, this research is not top secret. Funding is provided by government grants and sponsored by a major research university in the area.
While there is not an intense amount of security required, the data being researched does include medical and laboratory data taken from human and animal subjects. This information comes from a small, attached, on-site clinic and several small animal labs on university premises. Currently, access to the facilities employs appropriate physical controls to ensure that only authorized individuals are permitted within the given facilities, via a combination of security badges and PIN codes.
Laboratory
The labs are dedicated to research materials. Lab technicians utilize three shared desktops located in the rear of the labs to register their data. They use separate logins and are required to log out after they complete their work. Many of these technicians are Ph.D. candidates or post-doctorate students who also utilize these computers to correspond with their advisors. Some of these advisors are the researchers who work on projects within the labs, while others are professors on the university's main campus.
The actual data itself is stored in a server room, which also functions as the office of the systems administrator. Access to this room is available only to the systems administrator and the Primary Investigator (PI) of the project. The medical doctors/researchers who work on site each have a private office where they review and analyze the research data. Each office is accessible only to the occupant and building maintenance. These researchers deal with patient medical records, student coursework, and research data produced by the lab.
Data held in the database -
Paperwork spread around the office -
Medical Clinic
The medical clinic is permanently staffed with receptionists, office staff, and nurses. The medical doctors/researchers rotate shifts seeing patients and do not have permanent office space in this area. Instead, they share desks and computers, while the nurses and office staff have permanent space and computers assigned to them individually. There is a shared workspace at the front desk which is utilized for patient booking, patient sign-in, and processing patient payments. Patients pay for appointments with credit and debit cards.
Data found in the Clinic –
Assignment:
Part of evaluating the security of an organization is understanding the environment in which the business operates. It is important not just to identify the data being handled, but also to understand what laws and regulations protect the data. This information might force us to handle and protect the data in ways that we would not otherwise have planned to, in order to comply with the regulations.
Let's discuss the laws and regulations that the organization should consider in terms of welfare and data privacy best practices:
The table below gives us an idea of the laws and regulations that an act can cover related to patient data privacy:
Laws and Regulations | Purpose or Objective |
Privacy Rule | According to various acts like HIPAA, the patient details should not be used at any cost without permission. This is the most important regulation that every hospital has to follow. |
Security Regulations | The Electronic Medical Records (EMR) have to be protected correctly and there should not be any shared desktops. This should address the technical aspects of protecting electronic health information (mainly administrative security, physical security and technical security). |
Transaction and Code Set Rules | This rule mainly talks about the predefined transaction standards for communications and transactions in the health-care industry (Standards 5010 and ICD-10 are examples of this). |
Unique Identifiers | By following the unique identifier laws and regulations, we can achieve standardization, efficiency and consistency. |
Enforcement Law | If some organizations are not following the above rules, then they have to pay the penalties for not following the rules. |
Breach Notification Rule | Organizations have up to 60 days to notify patients according to the data usage; once that is crossed, it will be treated as a data breach. |
Final Omnibus Rule | It further tightens and clarifies provisions of the privacy and security laws. |
Permitted Uses and Disclosures | The patient information should not be shared with any individual, organization, other hospitals, etc., as per this rule. |
Authorization Law | Only the authorized individual has to deal with the data; other than that person, no one is allowed into the data laboratory for any data. |
Best practices for healthcare compliance requirements:
Note: Currently, getting patient data is easy through both physical and virtual means. So it is very important to know all possible ways of misusing data and to implement the system such that patient data is protected and properly used.