The Department of Health and Human Services (HHS) settled a case with Blue Cross Blue Shield of Tennessee (BCBST) for $1.5 million for violating the Health Insurance Portability and Accountability Act (HIPAA) and its security rules. The BCBST incident raised security issues of confidentiality, integrity, availability, and privacy. There are also security requirements in HIPAA that could have prevented the incident if they had been enforced. BCBST took corrective actions, some of which were effective and some of which may not have been adequate. There are HIPAA security requirements and safeguards that organizations need to implement to mitigate security risk in terms of administrative, technical, and physical safeguards.
On 5 October 2009, computer equipment was stolen from a network data closet at BCBST. The items stolen were 57 unencrypted hard drives which contained over 300,000 video recordings and over one million audio recordings. According to Whitman & Mattord (2010), confidentiality, integrity, and availability make up the C.I.A. triangle, which is the basis of the Committee on National Security model for information security, an industry standard. Confidentiality is often used as a synonym for encryption, but it also means that only people with the correct permissions can access the information. One of the major security issues is that the hard drives were not encrypted. The hard drives should have been encrypted to prevent anyone who obtained them from reading the information on the computer. Software can be purchased that will encrypt files on a hard drive, such as Folder Lock, SensiGuard, Secure IT, and others. There is also open-source encryption software, free to use, that could have been used. If the hard drives were not needed, the data should hav...
...earn from other companies that have been involved in breaches how to protect information. Training employees on HIPAA and on policies and procedures would help mitigate the risk of unauthorized access to information. Meeting the requirements set by HIPAA will protect the company, the employees, and the private information of the people whose data is held within the company's computer network.
Works Cited
Easttom, C. (2006). Network defense and countermeasures (p. 10). Upper Saddle River, NJ: Pearson Education, Inc.
Grama, A. (2011). Legal issues in information security (p. 170). Burlington, MA: Jones & Bartlett Learning.
Whitman, M., & Mattord, H. (2010). Management of information security (3rd ed., p. 6). Boston, MA: Cengage Learning.
Whitman, M., & Mattord, H. (2011). Readings & cases in information security: Law & ethics (2011 custom ed., p. 264). Boston, MA: Cengage Learning.
According to the report provided by the consultant, the employees at this facility were not taking precautions to safeguard patients' health information. Therefore, the employees at this facility were in violation of the Health Insurance Portability and Accountability Act (HIPAA). It is important for employees to understand the technology being used and the precautions they must take to safeguard patient information.
Introduction
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is a law designed “to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.”1 HIPAA mandates that covered entities must employ technological means to ensure the privacy of sensitive information. This white paper intends to study the requirements put forth by HIPAA by examining what is technically necessary for them to be implemented, the technological feasibility of this, and what commercial, off-the-shelf systems are currently available to implement these requirements.
HIPAA Overview
On July 21, 1996, Bill Clinton signed HIPAA into law.
The Health Insurance Portability and Accountability Act, most commonly known by its initials HIPAA, was enacted by Congress and then signed by President Bill Clinton on August 21, 1996. This act was put into place to regulate the privacy of patient health information and, as an effort to lower the cost of health care, to shape the many pieces of our complicated healthcare system. This act also protects individuals from losing their health insurance if they lose their employment or choose to switch employers. Before HIPAA there was no standard or consistency in the enforcement of patient privacy, and the rules and regulations varied by state and organization. HIPAA affects virtually everybody within the healthcare field, including but not limited to patients, providers, payers, and intermediaries. Although there are many parts of the HIPAA act, for the purposes of this paper we are going to focus on the two main sections and the four objectives of HIPAA, which are to improve the portability (the capability of transferring coverage from one employer to another) of health insurance, to combat fraud, abuse, and waste in health insurance, to promote the expanded use of medical savings accounts, and to simplify the administration of health insurance.
Some of the things that HIPAA does for a patient are that it gives patients more control over their health information. It sets boundaries on the use and release of health records. It establishes appropriate guidelines that health care providers and others must follow to protect the privacy of patients’ health information. It holds violators accountable, with penalties that can be imposed in court if they violate patients’ privacy rights under HIPAA. Overall, HIPAA makes it so that health information can’t b...
...ed on how to respond to information security breaches. Regardless of an organization's size, there is always the risk of information breaches.
A major concern with EHR systems is patient confidentiality. Even though these systems are used with the best intentions, a patient’s personal and medical information might be exposed to unauthorized personnel. An estimated 150 different healthcare professionals have access to a patient’s records during a hospitalization (Kreuser, 2007). The Health Insurance Portability and Accountability Act (HIPAA) sets a national standard for the protection of individuals’ health information (“Summary of the,” 2014). With little governance, organizations can violate HIPAA regulations. The Hospice of North Idaho (HONI), a not-for-profit, end-of-life-care facility, breached HIPAA standards when it did not evaluate the potential risks of transmitting electronic protected health information (ePHI) while using portable devices. These actions resulted in a $50,000 fine, coupled with a two-year probation period (Lynn, 2013). According to The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security, the health information of nearly 18 million people was breached electronically between 2010 and 2012 (Kam, 2012). Such events cause the general public to question the privacy of EHRs, and because of these concerns, wary patients are less likely to disclose necessary health information. The Department of Health and Human Services estimated that, because of a lack of trust in the ability of EHR systems to keep health information private, approximately 600,000 Americans did not seek earlier cancer treatment and 2,000,000 Americans did not undergo treatment for mental illness (Kam, 2012). As patients’ medical records become computerized, the susceptibility to information being accessed by the wro...
The intensity and depth of an organization's security policy depend heavily on the nature of its business. A large company and a small company would require different approaches to their security policies. Also, the type of information that the company dea...
Attacks upon information security infrastructures have continued to evolve steadily over time, making the management of information security more complex and challenging than ever before (Deloitte East Africa, 2011).
According to the information security governance literature, success is often limited by an inability to value the organisation's information and data. This opens the discussion on the need for security and the resources to be assigned to it.
In many cases, these contracts require security clearance and involve the release of national secrets to the selected company. Since many corporations have close relationships between trade secrets and national secrets, the responsibility exists to protect that information. Each organization is responsible for managing and protecting its IS security and is obligated to ensure a sound IS security plan. This plan requires companies to conduct a risk and vulnerability assessment to fully understand where security threats may reside. Maintaining information confidentiality is extremely important, as failure to properly enforce the organization’s security plan may result in security breaches. Companies must strive to ensure they are deploying proper logical and physical security controls to combat cyber security attacks. Regardless of how close to or how far removed from national secrets an organization is, every company has a responsibility to be a good keeper of all information it is trusted with. Failing to keep trade secrets, intellectual property and national secrets safe could have a detrimental effect on the safety of the