Answer & Explanation: The paper will be 4-5 pages.
Each paper must be typewritten in 12-point font and double-spaced with
standard margins. Follow APA format.
For this assignment you are encouraged to generate a Security
Plan to be implemented in a Health Care Facility of your choosing.
Work with your EHR vendor(s) to let them know that
protecting patient health information and meeting your HIPAA privacy and
security responsibilities regarding electronic health information in your EHR
is one of your major goals. Involve your practice staff and any other partners that
you have to help streamline this process.
1. INFORMATION SECURITY MANAGEMENT PLAN (10%):
This Information Security Management Plan
(ISMP) describes the ACE’s safeguards to protect confidential data and
information.
2. SECURITY POLICY (20%):
The Information Security core policy
concepts are maintained in the Privacy, Confidentiality and Security of Patient
Proprietary Information Policy and the Computer Use and Electronic Information
Security Policy. These policies are
reviewed every 2 years.
3. ACCESS CONTROL: (20%):
Access to confidential information must
follow the “need to know” guideline. Only those employees who have a business
need to know the information shall have permission to utilize the data. Each
employee is assigned a user name and password. Each employee is trained on
developing a secure password. Passwords must be changed according to Password
Security Policy.
4. MEDIA PROTECTION: (20%):
The ACE has established policies and
procedures which clearly define where data can be stored and how the data stored
on media is to be protected. The ACE
highly discourages storage of data on any medium except for storage on network
drives within the secured data center.
However, in the case where data cannot be stored in the data center it
must be stored on an encrypted medium.
5. PHYSICAL AND ENVIRONMENTAL PROTECTION: (20%):
The ACE has multiple data centers.
Evaluation will be based on how clearly you respond to the
above, in particular:
a) The precision with which you analyze the articles;
b) The complexity, possibility, and organization of your
paper; and,
c) Your conclusions, including a description of the impact
of these articles and Chapters on any Health Care Setting.
416.pdf
guide_to_privacy_and_security_of_electronic_health_information.pdf
9781133787778_ppt_ch07.pptx
Unformatted Attachment Preview
Information Security and Privacy in Healthcare:
Current State of Research [1]
Ajit Appari (Ajit.Appari@Tuck.Dartmouth.edu)
And
M. Eric Johnson (M.Eric.Johnson@Tuck.Dartmouth.edu)
Center for Digital Strategies
Tuck School of Business
Dartmouth College, Hanover NH
Abstract
Information security and privacy in the healthcare sector is an issue of growing importance. The
adoption of digital patient records, increased regulation, provider consolidation, and the increasing
need for information between patients, providers, and payers, all point towards the need for better
information security. We critically survey the research literature on information security and
privacy in healthcare, published in both information systems, non-information systems disciplines
including health informatics, public health, law, medicine, and popular trade publications and
reports. In this paper, we provide a holistic view of the recent research and suggest new areas of
interest to the information systems community.
Keywords: Information Security, Privacy, Healthcare, Research Literature.
August 2008
[1] This research was supported through the Institute for Security Technology Studies at Dartmouth College, under awards 60NANB6D6130 from
the U.S. Department of Commerce and U.S. Department of Homeland Security under Grant Award Number 2006-CS-001-000001. The
statements, findings, conclusions, and recommendations are those of the authors and do not necessarily reflect the views of the National Institute
of Standards and Technology (NIST), the U.S. Department of Commerce, or U.S. Department of Homeland Security.
1 Introduction
Recent government initiatives envision adoption of a universal electronic health record (EHR) by all health
maintenance organizations (HMO) by year 2014 (Goldschmidt 2005). Healthcare information systems are largely
viewed as the single most important factor in improving US healthcare quality and reducing related costs. According
to a recent RAND study, the US could potentially save $81B annually by moving to an EHR system (Hillestad et al.
2005). Yet information technology (IT) spending in the healthcare sector trails that of many other industries, typically at
3-5% of revenue, far behind industries like financial services where closer to 10% is the norm (Bartels 2006).
Anecdotal evidence from recent years suggests that a lack of adequate security measures has resulted in numerous data
breaches, leaving patients exposed to economic threats, mental anguish, and possible social stigma (Health Privacy
Project 2007). A recent survey in the United States suggests that 75% of patients are concerned about health Web
sites sharing information without their permission (Raman 2007). Possibly this is because medical data disclosure is
the second highest reported breach (Hasan and Yurcik 2006).
Researchers, mainly in information systems, have adapted several reference disciplines such as psychology and
sociology to analyze the role of individuals and employees in information security risk management (Dhillon and
Backhouse 2001; Straub and Collins 1990; Straub and Welke 1998; Vaast 2007; Baker et al. 2007) and economics
to characterize investment decisions and information governance (Cavusoglu et al. 2004; 2005; Gordon and Loeb
2002; Khansa and Liginlal 2007; Kumar et al. 2007; Zhao and Johnson 2008). Despite this growing stream of research
on information security, very limited research has focused on studying information security risks in the healthcare
sector, which is heavily regulated and calls upon business models quite different from other industries.
Since Anderson's seminal work on security in healthcare information systems (Anderson 1996), scholars have
examined the information security problem in different ways. In this paper, we review the current state of
information security and privacy research in healthcare, covering various research methodologies such as design
research, qualitative research and quantitative research. Our review illuminates the multifaceted research streams,
each focusing on special dimensions of information security and privacy. For example, on one hand, a large body of
research focuses on developing technological solutions for ensuring privacy of patients when their information is
stored, processed, and shared. On the other hand, several researchers have examined the impact of Health
information technology adoption on care quality. Additionally, the enactment of the Health Insurance Portability and
Accountability Act (HIPAA) and the emergence of web-based healthcare applications have turned researchers' attention
towards patient as well as provider perspectives on HIPAA. Surprisingly, very limited attention has been given to the
financial risks, especially those arising from medical identity theft and healthcare fraud.
The rest of the paper is structured as follows. First we present a general view of information privacy and security in
healthcare, briefly discussing HIPAA and the evolving threat landscape. Next we identify several research domains
that we use to classify the literature. Building on this classification, we summarize the literature focusing on key
application areas of information security in healthcare. Finally, we conclude by identifying future research
directions.
2 Background of Health Information Privacy and Security
Privacy is an underlying governing principle of the patient-physician relationship for effective delivery of
healthcare. Patients are required to share information with their physicians to facilitate correct diagnosis and
determination of treatment, especially to avoid adverse drug interactions. However, patients may refuse to divulge
important information in cases of health problems such as psychiatric behavior and HIV, as their disclosure may lead
to social stigma and discrimination (Applebaum 2002). Over time, a patient's medical record accumulates
significant personal information including identification, history of medical diagnosis, digital renderings of medical
images, treatment received, medication history, dietary habits, sexual preference, genetic information, psychological
profiles, employment history, income, and physicians' subjective assessments of personality and mental state among
others (Mercuri 2004).
Figure 1 shows a typical information flow in the healthcare system. Patient health records could serve a range of
purposes apart from diagnosis and treatment provision. For example, information could be used to improve
efficiency within the healthcare system, drive public policy development and administration at state and federal level,
and in the conduct of research to advance medical science (Hodge 2003). A patient's medical records are also shared
with payer organizations such as insurance, Medicare or Medicaid to justify payment of services rendered by
physicians. Healthcare providers may use records to manage their operations, to assess service quality, and to
identify quality improvement opportunities. Furthermore, providers may share health information through a regional
health information organization to facilitate care services. Medical information of patients is also used for the common
good through federal and state government interventions regarding public health management, hospital
accreditation, medical research, and for managing social and welfare systems.
Figure 1: A Graphical View of Information Flow in the Health Care System
[Figure not reproduced. Panels: Patient; Primary Provider; Secondary Provider; Payers; Extended Enterprise; Business Associates (Subcontractors); Regional Health Information Organizations; Social Uses of Health Data; Credential & Evaluative Decisions; National Health Information Network.]
2.1 Health Information Privacy Regulations
In the last four decades, the US healthcare industry has undergone revolutionary changes, driven by advances in
information technology and legislation such as the 1973 Health Maintenance Organizations Act. As personal health
information is digitized, transmitted and mined for effective care provision, new forms of threat to patients' privacy
are becoming evident. In view of these emerging threats and the overarching goal of providing cost effective
healthcare services to all citizens, several important federal regulations have been enacted including the Privacy and
Security Rules under HIPAA (1996) and State Alliance for eHealth (2007).
HIPAA was enacted to reform health insurance practices as a step towards moving to a nationwide electronic health
records system and standardizing information transactions. The goal was to reduce costs by simplifying the
administrative processes to provide continuity of care services. The technology component involved in managing
health information and the necessity of disclosure to third parties have led to stipulations of privacy compliance and
provision of security safeguards under HIPAA (Mercuri 2004). The Privacy Rule of HIPAA addresses the use and
disclosure of a patient's protected health information by healthcare plans, medical providers, and clearinghouses,
also referred to as "covered entities". By virtue of their contact with patients, covered entities are the primary agents of
capturing a patient's health information for a variety of purposes including treatment, payment, managing healthcare
operations, medical research, and subcontracting (Choi et al. 2006). The Security Rule of HIPAA requires covered
entities to ensure implementation of administrative safeguards in the form of policies and personnel, physical
safeguards to information infrastructure, and technical safeguards to monitor and control intra and inter
organizational information access (ibid.).
Apart from HIPAA, by 2007, nearly 60 Health IT related laws have been enacted in 34 states, plus the District of
Columbia (RTI 2007). Moreover, the US Congress has been considering various new legislation including "Health
Information Privacy and Security Act" (US Congress 2007a), "National Health Information Technology and Privacy
Advancement Act of 2007" (US Congress 2007b), and "Technologies for Restoring Users' Security and Trust in
Health Information Act of 2008" (US Congress 2008). This new legislation is intended to improve the privacy
protection offered under previous regulations by creating incentives to de-identify health information for purposes
necessary, establishing health information technology and privacy systems, bringing equity to healthcare provision,
and increasing private enterprise participation in patient privacy.
2.2 Threats to Information Privacy
Threats to patient privacy and information security could be categorized into two broad areas: (1) Organizational
threats that arise from inappropriate access of patient data by either internal agents abusing their privileges or
external agents exploiting vulnerability of information systems, and (2) Systemic threats that arise from an agent in
the information flow chain exploiting the disclosed data beyond its intended use (NRC 1997).
Organizational Threats: These may assume different forms, such as an employee who accesses data without any
legitimate need or an outside attacker (hacker) who infiltrates an organization's information infrastructure to steal data
or render it inoperable. At the outset, these organizational threats could be characterized by four components:
motives, resources, accessibility, and technical capability (NRC 1997). Depending on these components, different
threats may pose different levels of risk to the organization, requiring different mitigation and prevention strategies.
Motives could be either economic or noneconomic in nature. For some, such as insurers, employers, and journalists,
patient records may have economic value, while others may have noneconomic motives, such as a person involved in
a romantic relationship. These attackers may have resources ranging from modest financial backing and computing
skills to a well-funded infrastructure to threaten a patient as well as the operations of a healthcare organization. The
attackers may require different types of access to carry out their exploits, such as access to the site, system
authorization, and data authorization (see Table 1 for hypothetical examples of levels of access). In addition, threats
could depend on the technical capability of attackers, who may be novice or sophisticated programmers. Moreover, with
the growing underground cyber economy (Knapp and Boulton 2006), an individual with the intent to acquire data
and possessing adequate financial resources may be able to buy the services of sophisticated hackers to breach
healthcare data.
Recent studies suggest that the broad spectrum of organizational threats could be categorized into five levels, in
increasing order of sophistication (NRC 1997; Rindfleisch 1997):
1. Accidental disclosure: healthcare personnel unintentionally disclose patient information to others, e.g.
an email message sent to the wrong address or an information leak through peer-to-peer file sharing.
2. Insider curiosity: an insider with data access privilege pries upon a patient's records out of curiosity or for
their own purpose, e.g. a nurse accessing information about a fellow employee to determine possibility of
sexually transmitted disease in colleague; or medical personnel accessing potentially embarrassing health
information about a celebrity and transmitting to media.
3. Data breach by insider: insiders who access patient information and transmit to outsiders for profit or
taking revenge on patient.
4. Data breach by outsider with physical intrusion: an outsider who enters the physical facility either by
coercion or forced entry and gains access to system.
5. Unauthorized intrusion of network system: an outsider, including former vengeful employees, patients, or
hackers who intrude into organization's network system from outside and gain access to patient
information or render the system inoperable.
Table 1: Likely Combinations of Access Privileges in Healthcare Data Breach [source: NRC 1997]
Level of Access | Example
None | Outside Attacker
Site only | Maintenance worker
Site and System | Employee in the billing department who has access to information systems but not to clinical information
Data and System | Vendor or consultant with remote access privileges
Site, System, and Data | Care provider such as doctor or nurse
Systemic Threats: Etzioni (1999), in discussing the 'Limits to Privacy', makes a strong case that a major threat to
patient privacy occurs not from outside of the information flow chain in healthcare industry but from insiders who
are legally privileged to access patient information. For example, insurance firms may deny life insurance to patients
based on their medical conditions, or an employer having access to employees' medical records may deny
promotion, or worse, terminate employment. Patients and/or payer organizations may incur financial losses as a
result of malpractices including upcoding of diagnoses, and rendering of medically unnecessary services.
In summary, healthcare information systems could be subjected to security threats from one or more sources
including imposter agents, unauthorized use of resources, unauthorized disclosure of information, unauthorized
alteration of resources, and unauthorized denial of service (Win et al. 2006). Denial-of-service attacks via Internet
worms or viruses, equipment malfunctions arising from file deletion or corrupted data, and the lack of contingency
plans pertaining to offsite backup, data restoration procedures, and similar activities may also trigger HIPAA
violations (Mercuri 2004).
3 State of Information Security Research in Healthcare
In this section, we present a comprehensive review of information security literature in the healthcare sector (refer to
appendix 1 for categorization of articles reviewed in this paper). For this survey of information security literature,
we conducted a multidisciplinary search in a diverse set of publications from a range of fields including information
systems, health informatics, public health, medicine, and law. Furthermore, we searched for articles in popular trade
publications and reports as well. Figure 2 shows the link between many important healthcare research problems and
information security. For example, a significant body of research examines the impact of IT investments on quality
improvement, in particular the reduction of medical errors. This body of research has a noteworthy overlap with
information security research since medical errors arising from erroneous data entry or unwarranted data
manipulation/ obfuscation may lead to future potential risks. Another stream of research focuses on introduction of
personal health record (PHR) technology which offers patients direct control over their health records. Scholars
focusing on privacy and information security aspects of PHR are examining important privacy concerns such as
information disclosure in the online PHR systems. We will use Figure 2 throughout our review to highlight the link
between security research and other large streams of research.
It is noteworthy that past research has used a diverse range of research methodologies, including design research,
qualitative research and quantitative research. Design research focuses on developing artifacts such as models,
algorithms, prototypes, and frameworks to solve specific information system problems (Hevner et al. 2004). In
healthcare information security research, we find articles focusing on technological solutions for maintaining
patients' privacy in the wired and wireless network of a provider organization, (authorized) disclosure of patient data
for secondary usage such as academic research, and data sharing in a network of providers among others (e.g., Dong
and Dulay 2006; Malin 2007; Malin and Airoldi 2007). Qualitative research involves examining a social
phenomenon using a range of qualitative instruments/data such as interviews, documents, participants' observation
data, researcher's observation and impression (Myers 1997). In healthcare research, most of the qualitative research
centers around the impact of HIPAA regulation on healthcare practices (e.g. Ferreira, et al. 2006; Hu, et al. 2006; Terry
and Francis 2007). Lastly, healthcare information systems research has adopted several quantitative methods
including survey based research, econometric analysis, and statistical modeling among others in the areas of
patients' privacy concern, public policy, fraud control, risk management, and impact of health information
technology on medical errors (Bansal, et al. 2007; Koppel, et al. 2005; Miller and Tucker 2008; Rosenberg 2001a,b).
Figure 2: Research Domains in the Healthcare Information Security
[Figure not reproduced. Panels: Public Policy; Patient; Information Security (Confidentiality/privacy, Integrity, Availability, Accountability); Inter-Organizational Productivity and Quality. The attachment preview is truncated at this point.]