Security Management Plan John's Hospital

Privacy of client information is an assurance that every patient wants and this assurance is what the hospital can build patient confidence on. The lack of it therefore may have consequences such as loss of confidence in the hospital, loss of clientele and the emergence of a poor reputation. This paper looks at the St. John's Hospital which has experienced the leakage of confidential information a problem that needs to be addressed. It highlights the steps the hospital must take in its management plan. In the first step, hospital must identify how widespread the problem is and where exactly there are weaknesses in the system. Secondly, the hospital's staff must receive adequate training in methods to deal with confidential information especially its destruction. A culture must be developed to deal with this information discreetly. In this same breadth breach must be understood by all staff as far as HIPAA is concerned. The hospital must also include methods of protecting information held from natural disasters. An information technology plan that makes room for offsite backups would work well here. The plan must also receive support right from the top of the organization's chain of command so as to be adopted throughout the organization. As with any other change, there are challenges highlighted in the paper that the hospital can anticipate. Resistance to change, inadequate resources to carry out the plan, lack of proper communication systems are just some of these challenges. However with support from the board, these challenges can be overcome.

Introduction

It is in the interest of every organization to ensure the security of its information. There can be grave consequences when information is handled carelessly. An organization can lose the trust of its customers, and in the case of hospitals, patients will seek help where they feel that their information is not kept private. Therefore, in order to ensure that there are minimal risks of litigation, the business reputation is protected and profitability remains unaffected, security of information must be made a priority. A management plan ensures this by bringing together all the necessary processes, policies, technology and structures needed. It also ensures that where these are in place, there is an ongoing check to ensure that they are working. Organizations face the problem of information leakage, be it customer information or organizational secrets, every day. Rhodes (2009) proposes that there should be a breach notification process, and this will form part of the information security plan in the management plan.

Statement of the Problem

At St. John's Hospital, the issue of the leakage of confidential patient information needs to be attended to. Important information on patients in print form is left in accessible areas, where the cleaners have been able to read through it. This paper will look to address this issue by providing ways through which the hospital can protect this kind of information on a continuous basis.

Analysis of Response to the Situation

Those in charge of the information systems at St. John's Hospital can start this process by doing a thorough check on the current information security in place. This will involve establishing whether there is adequate security in existence and whether there are any loopholes, which need to be addressed. Thus, threats to security will be identified. Sources of information breach should be identified and addressed, and in this case, would involve tasking those who print reports on patients to shred these documents when they are no longer in use. At the same time, a team needs to be set up to come up with the actions to be taken against those accessing information without the necessary rights or authorization. These actions should be communicated through a communication plan that highlights actions, both internally and externally, following a breach, so that employees can see the seriousness of breaching information security. It can also help them comply with policy and organizational guidelines as well as communicate to patients, state agencies, media and HHS' Office of Civil Rights of the breach (Roney, 2012).

Evaluation of Staff Training

The staff members at St. John's Hospital require intensive training on the importance of information security and prevention of breach. In order to guard confidential information, the hospital needs to regularly review procedures followed, through audits, and then highlight any breaches in their staff training, together with new procedures that need to be put in place. Correct disposal of materials through actions, such as burning, shredding and galvanizing, need to be emphasized. These actions should be prescribed and followed strictly so that all confidential information is protected.

Secondly,...

These protocols entail the process of auditing documents to separate those ready for destruction, how to destroy these materials, auditing of the correct destruction of these and even how the hospital engages certified vendors for this destruction, which after successful action, issue a certificate of destruction. To minimize the risks that result in breach of data, a business must ensure that information is taken seriously throughout the organization (Carnell and Bushee, 2013). This should be the case for St. John's Hospital. They must pass on this culture of treating information seriously to staff. This will help them take up processes like shredding, protecting information by locking up vital documents and making sure that information that is confidential is only accessed by those authorized to do so. These steps will help the hospital in the long-term, assuring their patients of information security. Training their staff on all these procedures will reduce cases of breach and bring in a culture of taking care of information.
The Consideration of HIPAA and Patient Privacy Compliance Requirement

As a federal statute, HIPAA attempts to govern the security of personal health information of individuals through rules and regulations. Carnell and Bushee (2013), state that HHS considered the risk of harm standard to be too subjective and would not meet its objective as it could be misconstrued for something unintended. This was after listening to public opinion on the same. Thus, a different definition of breach was advanced, which is that any impermissible disclosure or use of personal health information is assumed to breach, requiring notification. Exceptions apply to this, including where there is little possibility of the personal health information being compromised as demonstrated by the covered entity or business associate. This exception, however, requires the covered entity or business associate to conduct a risk assessment on specific factors that will determine whether the Personal Health Information has been compromised or not. A little leeway is extended by the HIPAA on new requirements compliance deadlines in terms of updating and reissuing of new privacy practice to clients, training of employees on new requirements, revising definitions of breach and on evaluations of business associations.

In order to ensure that there is compliance with the HIPAA Privacy and Security Rules and Breach Notification Standards, HHS is required by the HITECH Act to do regular audits on covered entities and business associates (Carnell and Bushee, 2013). They continue to highlight one such audit sanctioned by the Office for Civil Rights, which was piloted in November 2011 to December 2012 and within the period, 115 covered entities were audited by the appointed firm KPMG LLP. This serves as an example for other entities to follow, ensuring that they are in compliance with the standards. Other policies that they should be in compliance with are those on email, mobile devices, privacy policies development, privacy practice notices, frequent risk assessments, breach protocol adoption and implementation.

The Need for an Information Technology Management Plan for Natural Disasters and Security Breaches

According to Scallan (2013), there are many things that cause the loss of data and system downtime and these include: internet threats, failure of equipment as well as natural disasters. These vulnerabilities should be addressed once identified through the regular risk analyses. This way, problems can be identified before they become impossible to manage. Having an information technology plan will allow the hospital to address possible gaps in the protection of information constantly as the plan will ensure necessary systems are in place. These systems should be tested in order to make sure that they are adequately protecting relevant information, and that recovery of the said information relating to patients, including billing, schedules and records, is possible. Such measures ensure that continuity of business is taken care of and that the hospital is in compliance with HIPAA. Cloud systems can also be used by the medical practitioners as well as the hospital as a secure backup. Information technology management plans also allow for offsite servers to be used to back up information, ruling out information loss from physical or natural disasters. Given the great importance of information technology, having a management plan with reference to natural disasters and security breaches will guarantee the safety of the information that the hospital uses.

How to Implement the Security Management Plan

Once all the steps highlighted above have been done, the management committee of the hospital should have the plan submitted to them so that they can discuss…