Friday, May 24, 2019

Evaluation of health care systems Essay

Abstract

As a health care organization, it is important that St. Johns Hospital takes the security and privacy of its patients' information very seriously. Patient data at St. Johns Hospital is electronic and managed by the information systems department. In the organization, the security and privacy of any information is the responsibility of the Information Systems (IS) Manager. As the IS Manager, based on the following information on security and privacy, a Management Plan has been developed to be used as the process for the maintenance of patient information privacy and security.

Scenario

The administration at St. Johns Hospital takes pride in their sound policies and procedures for the protection of confidential client information. In fact, they serve as a model for other institutions in the area. However, printouts discarded in the restricted-access IS department are not shredded. On numerous occasions, personnel working late observed the cleaning staff reading discarded printouts. What actions, if any, should these personnel take toward the actions of the cleaning staff? What actions, if any, should be taken by IS administration?

Management plan

Conduct a security assessment of the hospital system

In the development of any improvement system, the first step is to conduct an assessment of the existing system. This will be used as the baseline measurement. To conduct this assessment, an external IS professional will be invited to carry out two exercises. The first would be a security assessment of the system, during which the IS professional would perform ethical hacks against the system to assess how secure the information is from fraudulent computer users (hackers). The second assessment exercise to be conducted by the IS professional is an information privacy assessment. Social engineering would be used in carrying out this assessment. The IS professional would visit the hospital as an ordinary person and interact with staff of the hospital. During these interactions, the professional would use social engineering skills to find out how much patient information could be extracted from the hospital staff. After the assessment exercises, the IS professional would present a report to the IS Manager of the hospital with recommendations on how the security holes could be closed and how the weak privacy of patient information could be strengthened.

Improve security and privacy of patient information

The findings and recommendations from the assessment report would be used to improve the security of the system and also to strengthen the privacy of any information taken from the hospital's patients. Schneier (2000) stated, "Security is a process, not a product" (Computer Security: Will We Ever Learn?, 2). This means that the security of the information contained in any system is largely dependent on how security conscious the staff who work with the system are, and not on the number of sophisticated security devices installed to protect the system. Information privacy, like information security, is also largely dependent on the level of awareness of the people who input, store, process, and utilize the information. This is because any release of patient information would originate from one of the people stated above.

Training

To improve the security and privacy of patient information at Saint Johns Hospital, the staff need to be educated on the importance of maintaining the security and privacy of information. Training sessions will be organized for all employees at least once a year to refresh their knowledge of privacy and security in compliance with Health Insurance Portability and Accountability Act (HIPAA) rules. The HIPAA Privacy and Security Rules set a national standard for the security and privacy of electronic protected health information and the confidentiality provisions of the Patient Safety Rule. The US Department of Health and Human Services (2010) stated, "the Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization." The training guide will be as follows:

A. Take employees through the privacy and security rules of HIPAA. Here, employees will be instructed on the security and privacy expectations of the HIPAA law. Employees will be expected to adhere to these rules in order to keep to the code of ethics of St. Johns Hospital.

B. Train staff on the importance of privacy to the core business of the hospital. Employees of the hospital will be retrained on the fact that the reputation of the organization depends not only on the kind and level of service provided but also on maintaining patient privacy.

C. Educate employees on what privacy and security are. Employees need to know what the words privacy and security mean, and how they affect the patients' information as well as the health care organization.

D. Explain in detail the importance of privacy and security with respect to patient health care information. Employees will be educated on how important it is to maintain the privacy of patients. They will be informed of the importance of not discussing patient information with any unauthorized party, nor on any social network.

E. Educate on the consequences of a security breach. Employees will be informed and educated on what consequences can result from a security breach if it goes public. Consequences may include compromising the integrity of the health care organization, legal suits against the hospital, as well as the job security of employees who are involved in the breach.

Staff training on code of conduct

After the staff training on the importance of information security and privacy, a code of conduct will be prepared and delivered to the staff.

The code of conduct

The code of conduct applies to all employees of Saint Johns Hospital. The code outlines guidelines for staff conduct and provides guidance on how to exercise judgment in ethical issues. The International Monetary Fund (1998) stated, "every employee is expected to observe the highest standards of ethical conduct, consistent with the values of integrity, impartiality and discretion" (9). The code of conduct for Saint Johns Hospital is as follows:

Under no circumstance should a patient's personal or medical information be released to a third party without the prior consent of the patient in question.

The release of a patient's information to a third party without the patient's prior consent is subject to punishment determined by the disciplinary committee. The gravity of the punishment is determined by the amount of damage created by the breach of the code of conduct.

It is the responsibility of each staff member to police other staff and ensure that the code of conduct is being adhered to by all staff.

Computers containing patient information should have their monitors facing away from patients.

The password policy of the hospital should be strictly adhered to. Passwords should not be written down and placed under keyboards or in any other obvious and openly accessible area.

All paper documents should be thoroughly shredded and the shredded paper thoroughly mixed up before being placed into the dust bin.

All computers that are to be donated, auctioned or sold should first be sent to the IS department so that the hard disk drive is either removed completely and replaced with a new one, or completely wiped of the information that was contained on the drive.

Breach occurs

There are many situations under which the code of conduct covering the security and privacy of patients' information can be breached. One such situation is the one in which cleaning staff have access to patients' cards from the restricted area of the Information Systems department, because the cards to be discarded from this department are simply thrown into the dust bin instead of being shredded. In such a situation, the first action will be to conduct an assessment to see how much information the cleaners got their hands on. The cleaners involved in this action will be called in and educated on the implications of their actions. They will be made aware of the legal implications of reading patients' medical and/or personal information without the prior consent of the patient (U.S. Department of Health and Human Services, 2010). The duties and responsibilities of the cleaning crew will be clearly spelled out, and they will be made aware of the fact that they do not have the right to look through such information even if it is not shredded. They will then be advised of the punishment if such an action is observed again. The Information Systems department will immediately procure a shredder and begin shredding all documents or cards that they wish to discard. In addition, the IS department should investigate other areas where sensitive information could become accessible to unauthorized personnel.

Conduct an incident assessment / evaluate the risks associated with the breach

After the occurrence of a breach, the first thing to be done is a detailed assessment of the incident and how it happened. Following this, a risk analysis needs to be performed in order to know the level of damage that was caused or is to be expected. The assessment will evaluate the extent to which the information was spread. If it is just within the cleaning crew, then it will be handled internally, but if any information has gone out, the affected patients will be contacted and the appropriate action taken. This assessment needs to be performed as soon as possible so that the hospital will be in a position to respond to any allegations that may come from the patient(s) affected by the breach. With this done, it would be possible to know if the risk can be mitigated or eliminated completely.

Prepare incident report

One of the responsibilities of the IS Manager is to keep the hospital's management board constantly updated on all activities related to the information systems. Every code of conduct breach needs to be reported in an incident report prepared for the hospital management board. The incident report should contain the following information:

Code of conduct that was breached.
Person(s) responsible for the breach.
Date and time of the breach.
How the breach was discovered.
Risk assessment of the breach.

Prevent future breaches / talk about how incident occurred

With the incident report properly prepared, it would be clear to the IS Manager how it was possible for the code to have been breached. This knowledge can now be used to document, in detail, how the code was breached and how such an action can be prevented in the future. The appropriate actions would then need to be carried out to ensure that there is no repetition of the act in the future.

Implementing the management plan

To implement this change in the organization, the Plan-Do-Check-Act (PDCA) cycle will be used as a model for change as well as continuous improvement. ASQ (2011) stated, "The plan-do-check-act cycle is a four-step model for carrying out change." The implementation of the management plan will be undertaken by the human resource department in conjunction with the information systems department. The security training will be conducted by the security engineer of the information systems department, and the human resource department will handle the privacy training. The complete process will be supervised by the information systems manager.

Conclusion

To ensure the continuous security and privacy of patient information, medical institutions need to realize that there has to be continuous staff training and continuous assessment and improvement of the information systems; therefore, the PDCA cycle will be continued and encouraged among staff. A system that is not constantly reviewed and improved will be a static system that is vulnerable to identified system vulnerabilities. Staff need to be continuously trained and updated on privacy issues concerning the health care industry. Information security and privacy need to be approached as dynamic processes which need to be continuously monitored and improved to ensure that they are always at the best levels.

References

ASQ. (2011). Project planning and implementing tools. Retrieved March 31, 2011 from http://asq.org/learn-about-quality/project-planning-tools/overview/pdca-cycle.html

International Monetary Fund. (1998). IMF Code of Conduct for Staff. Retrieved March 29, 2011 from http://imf.org/external/hrd/code.htm

Schneier, B. (2000). Computer Security: Will We Ever Learn? Crypto-Gram Newsletter. Retrieved March 28, 2011 from http://www.schneier.com/crypto-gram-0005.html

U.S. Department of Health and Human Services. (2010). Health Information Privacy. Retrieved April 1, 2011 from
