Security and Privacy Management



Ensuring confidentiality of patient information has remained one of the critical duties within medical practice. In line with this principle, healthcare providers are supposed to keep the personal health information of patients private unless permission to share it or make it public is granted by the patient.

This paper explores the case scenario of the administration of St. John Hospital, which takes pride in its sound policies and procedures for protecting the confidential information of its clients. The confidentiality of the information, and the discussion of how that confidentiality is structured, is meant to act as a model for other institutions. The institutions that will find the discussion here of great help include those whose printouts are discarded in the restricted-access information systems department without being shredded. The case of St. John's Hospital revolves around cleaning staff reading discarded printouts, which is a breach of the confidentiality rules. The actions that need to be taken against the cleaning staff are discussed. Further, recommendations on the actions to be taken by the system administration are also discussed.

Further, this paper incorporates a management plan for, and the development of, patient privacy and security. A detailed plan that touches on privacy and security is in line with the scenario that St. John Hospital faces. The plan entails physical, technical, and administrative safeguards to ensure the protection of the privacy, security, and integrity of patients' recorded information (Juels, 2006). This is integral for St. John even while it allows appropriate access to health providers for the purpose of care and management. Critical in this paper is the discussion of auditing and monitoring of system users. In addition, the training provided to staff on handling these issues is also discussed. A significant part of the plan is an analysis of HIPAA and patient privacy compliance requirements in the planning process. The report also includes an analysis of the need for an information technology management plan for natural disasters. How the implementation plan for the organization will be realized is also evaluated.

Confidentiality has remained an integral duty within medical practice. According to this principle, health care providers are required to keep the personal health information of patients private unless the patient gives permission for the release of the information (Appari & Johnson, 2010).

In most cases, patients share personal information with their health care providers. If the information shared by these patients is not protected by keeping it confidential, then the trust in the relationship between physician and patient would come to an end. Patients would then not share information easily, and this can impact their care negatively. The significance of confidentiality cannot be underestimated. The creation of a trusting environment through respect for the privacy of patients ultimately nourishes the relationship between patients and physicians. This makes patients seek care and be as honest as possible when visiting a healthcare provider.

This paper seeks to explore this topic by studying the case scenario of St. John's Hospital. According to the administration at St. John Hospital, they take pride in their sound policies and procedures for protecting the confidentiality of clients' information. In most cases, this has served as a case study and a model for other institutions in the area. Nonetheless, the printouts that are discarded from the restricted-access information systems department are never shredded. In most cases, the cleaning staff have been observed reading the discarded printouts. This raises the question of what actions the personnel need to take towards the cleaning staff. Equally important are the actions that need to be taken by the information systems administration.

This paper presents a management plan and develops a process through which patient privacy and security can be maintained. Further, it creates a detailed management plan for patient data privacy and security in case such a security breach comes up.

Management Plan and Maintenance of Patient Privacy and Security

The duty and responsibility that come with confidentiality stop any health care provider from disclosing information that concerns the case of a patient to others without getting the permission of the patient. Further, these individuals and healthcare systems are encouraged to be cautious and to guarantee access to authorized persons only (Al Ameen, Liu & Kwak, 2012).

Providing appropriate care entails discussing information among the health care team only. Therefore, all members of the health care team have authorized access to confidential information regarding the patients they care for, and they assume a duty to protect such information from persons who should not access it (McGuire et al., 2008). A great challenge among medical records are the electronic records, which raise issues with regard to confidentiality. According to the requirements of the Health Information Portability and Accountability Act of 1997 (HIPAA), institutions must have policies in place to ensure the protection of patients' privacy, including electronic information and the procedures for computer access and security (Appari & Johnson, 2010).


There is a need for them to have physical, technical, and administrative safeguards in place to ensure the protection of the privacy, security, and integrity of patients' recorded information (Juels, 2006). This should be in place at St. John even while it allows appropriate access to health providers for the purpose of care and management. Some of the physical safeguards that St. John Hospital can consider putting in place include isolating devices and allowing direct physical access to authorized individuals only. Further, the management of St. John should consider keeping backups of data, as some of the copies of their materials are disposed of. The hospital should also have emergency contingency protocols and a proper disposal mechanism to curb the issue of papers that could hold very crucial information getting into the hands of the cleaners.

Crucial information getting into the hands of cleaners in the hospital through hard copy would also mean that the soft-copy data is at risk, or that the staff care less. To this end, there is a need for technical safeguards to be put in place, and this would include firewalls and secure transmission modes for communication (Meingast, Roosta & Sastry, 2006). The safeguards here would entail virtual private networks (VPN) or the secure sockets layer (SSL) and various encryption techniques.


St. John Hospital should consider having in place various administrative safeguards, and these would include documentation of the security policies and providing the staff with proper training in regard to the policies. Key as part of the administrative training is the maintenance of audit trails for all the system logs, which happens through user identification and activity. Ideally, there is also an aspect of enforcing policies for the storage and retention of electronic data and the backing up of systems (Appari & Johnson, 2010). There is also the matter of adhering to the specific methods for incident reporting and the resolution of security matters. There is also a concern of documenting accountability and having sanctions and disciplinary actions in case of violation of the policies and procedures. This would help warn individuals who discard the confidential information of patients at St. John.

The records within the electronic system at St. John, mainly referred to as electronic medical reports, must have components within their system that take into consideration the security policies and procedures, and these include authorization, availability, confidentiality, authentication, nonrepudiation and integrity of data. Some of the methods that could be used to control access or authorization entail single sign-on databases or lists that assign rights and privileges to users to access defined resources (Juels, 2006). As part of this security system, there is a need to have automatic logoff after a given period of inactivity, and this would be significant in preventing access by invalid users and in controlling physical access.

Authentication refers to the process through which the identification of the user to a given computer is verified, and it can often be realized using login passwords, digital certificates, smart cards and biometrics (Meingast, Roosta & Sastry, 2006). Authentication only establishes the identification of a person and plays no part in granting or denying access rights or authorization to a person.

Having the EMRs in place on a continuous basis allows the system administrators to defend against certain threats and to provide fault tolerance for the systems. This includes data archives, the power and networking systems, and duplication of hardware. To deter people from getting access to data and information deemed confidential between the patients and the hospital, there is a need to provide physical safety for the servers as well as to incorporate preventive virus and intrusion detection (McGuire et al., 2008).

To maintain the level of confidentiality desired between the patients and the hospital, unauthorized third parties have to be prevented from accessing and viewing medical data. This can be realized by preventing physical access to the data through different technologies, including the use of switched networks (Juels, 2006). Further, the data can be encrypted so that even when it is physically obtained it cannot be read.

Maintenance of data integrity when transferring information is important, especially when verifying the information and ensuring that it was not modified in any way (Li, Lou & Ren, 2010). Some of the methods that would be applied to maintain data integrity include detection tools such as Tripwire, and message digests or hashing to detect any alteration of data (Appari & Johnson, 2010).

Further, non-repudiation covers messages sent and received by individuals who claim, in one way or another, to have sent or received them. It provides proof in the form of a record of the transaction. Digital signatures and audit logs of user activity are both methods of nonrepudiation.


St. John Hospital needs to strengthen its policies. The strengthening should include designing the policies in a manner that allows ease of implementation, to protect the medical or personal information that is provided by the client. The physician or doctor has the duty to maintain confidentiality, and this covers all information obtained either directly or indirectly from the patient. The policies should be tightened so that the hospital staff involved in keeping confidentiality are defined, and they include receptionists, nurses, the practice staff, and managers. Further, their contracts need to include a contract of secrecy, which should apply to all the persons defined and should remain applicable even after the death of a patient.

At times, while undertaking their duties, doctors and hospitals get requests to release information concerning some of their patients. These requests are at times from employers, courts, police, insurers or even solicitors. Nonetheless, the decision to disclose the information should be made with due consideration and in consultation with legal experts. Moreover, the law requires that doctors and hospitals maintain the confidentiality of patients.

Restriction on Defined Information

Additionally, in order to maintain trust and confidence in the doctor-patient relationship, doctors are obligated not to release any form of genetic or inherited information to any person, including even the family members of a patient, without asking for permission from the patient (Meingast, Roosta & Sastry, 2006). In instances where patients are suffering from genetic diseases, doctors need to persuade and encourage the patients to share the information themselves with the members of the family.

Nonetheless, it is the ethical duty of doctors to let the family members know that they are subject to the genetic risk carried by the patient, even if the patient may not be willing to disclose the information or share it even with close family members. This means that before doctors or physicians go on, establish a relationship, and even initiate healthcare, they should consider obtaining the consent of the patient, or should discuss with the patient and get permission, before telling the family members of the genetic information (Appari & Johnson, 2010). However, it is imperative to take note that the general rule of maintaining confidentiality means observing the set rules and considering the critical role that doctors play. It is equally important to ensure that doctors indeed take it as both their legal duty and their ethical duty to do so.

Identification of workstation usage is also critical in the process of ensuring data security. This includes having a set of privacy filters at each workstation. In addition, the process involves distinguishing the different capabilities of the workstations in place.

Audit and Monitoring of System Users

St. John can also involve itself in auditing and monitoring the users of the systems. This will include identifying any weaknesses in the system (McGuire et al., 2008). The process also involves detecting security breaches or any attempted breach. Authorized users also need to undergo a regular audit to establish any bad intention that might arise. Employees who breach the guidelines or do not follow them should be punished as defined within the compliance guidelines.

Having the above in place accords with the HIPAA privacy rule, which requires that the personal health information of persons be protected. The rule also requires the development and implementation of a privacy policy, and this is one of the recommendations put forward in this study. Additionally, the rule requires training of employees to ensure that they are in a position to comprehend and comply with the privacy policies and procedures required within this field. Another critical point is designating a person to ensure that the privacy policies are in place and are followed to the letter. The designated person, in this case, would be a privacy officer who would be put in charge. There is also the matter of ensuring that the records of patients are secure and accessible only at the appropriate time or in the appropriate instances.

This paper has discussed in detail the matter of keeping and maintaining the security and privacy of patients through confidentiality. This confidentiality mainly covers medical conditions and any other private personal information that the patient has not consented to release (Halperin et al., 2008). Even though the law mandates that doctors have the ethical and legal duty to keep information regarding their patients, or obtained from their patients, confidential, there are certain circumstances where it becomes necessary to disclose information (Appari & Johnson, 2010). On occasion, situations arise where information may get into the hands of the wrong persons, as was the case with St. John Hospital, and under these circumstances the patients have to be guarded by all means. The significance of confidentiality cannot be underestimated (McGuire et al., 2008). The creation of a trusting environment through respect for the privacy of patients ultimately nourishes the relationship between patients and physicians. This makes patients seek care and be as honest as possible when visiting a healthcare provider.


Al Ameen, M., Liu, J., & Kwak, K. (2012). Security and privacy issue in wireless sensor network for healthcare applications. Journal of medical systems, 36(1), 93-101.

Appari, A., & Johnson, M. E. (2010). Information security and privacy in healthcare: current state of research. International Journal of Internet and Enterprise Management, 6(4), 279-314. Accessed 27th November, 2015.

Halperin, D., Kohno, T., Heydt-Benjamin, T. S., Fu, K., & Maisel, W. H. (2008). Security and privacy for implantable medical devices. Pervasive Computing, IEEE, 7(1), 30-39. Retrieved 28th November, 2015.

Juels, A. (2006). RFID security and privacy: A research survey. Selected Areas in Communications, IEEE Journal on, 24(2), 381-394.

Li, M., Lou, W., & Ren, K. (2010). Data security and privacy in wireless body area networks. Wireless Communications, IEEE, 17(1), 51-58. Retrieved 28th November, 2015.

McGuire, A. L., Fisher, R., Cusenza, P., Hudson, K., Rothstein, M. A., McGraw, D., … & Henley, D. E. (2008). Confidentiality, privacy, and security of genetic and genomic test information in electronic health records: points to consider. Genetics in Medicine, 10(7), 495-499. Retrieved 28th November, 2015.

Meingast, M., Roosta, T., & Sastry, S. (2006, August). Security and privacy issue with health care information technology. In Engineering in Medicine and Biology Society, 2006. EMBS'06. 28th Annual International Conference of the IEEE (pp. 5453-5458). IEEE. Retrieved 26th November, 2015.