Plan in Case of a Security Breach, Essay Example

In the event of a breach in security within this organization, the following measures will be taken:

All print-outs regarding any and all confidential client information, regardless of what department they are in, will be properly stored and/or disposed of, by use of a shredder, in compliance with the Policies and Procedures as set out by this organization, with all intents and purposes to prevent the occurrence of a breach of confidentiality.

A signed Confidentiality Acknowledgement is a requirement of employment for all employees within this organization. Employees are reminded that, “Intentionally viewing confidential information that is not necessary to perform an individual’s role is considered a breach of confidentiality even if that information is not disclosed to another party”(VIHA, 2009, 2.2). As such, employees found to be in breach of this agreement, through an investigation into the breach by IS Administration, will be subject to disciplinary action that may result in termination of employment, and/or resulting legal action as deemed necessary.

Employees witnessing or having knowledge of a breach or potential breach of confidentiality have the following responsibility to the organization as per their Confidentiality Acknowledgement and Code of Conduct Policy agreements:

1. Individuals observing others violating client privacy in or outside of St. John’s Hospital, are obligated to report the incident to their supervisor.
2. Supervisors and/or appropriate personnel will investigate all alleged violations of the Confidentiality Policy.
3. Individuals found in violation of this policy are subject to disciplinary action, up to and including immediate termination.

(Polk, 2003, p. 4)

All training and implementation of this organization’s Security and Privacy Policy will occur as follows:

1. Information and education regarding the Confidentiality Policy shall be given to new employees upon General Orientation and annually for all other employees.
2. An employee who needs clarification of the Confidentiality Policy should speak with his or her supervisor.
3. Supervisors must review this policy with individuals who are in their department on a short-term basis (one or two days) observing or shadowing various jobs/positions at St. John’s Hospital.
4. St. John’s Hospital will engage in ongoing training for its employees, consultants, Board of Supervisors, as well as its providers, regarding the importance of protecting privacy.

(Polk, 2003, p. 2)

All employees shall adhere to this organization’s “Code of Conduct” as per their signed agreement. The Code of Conduct, as it pertains to Confidential Information is as follows:

The term “confidential information” refers to proprietary information about the Hospital’s strategies and operations as well as patient information and third- party information. Improper use or disclosure of confidential information could violate legal and ethical obligations. We may use confidential information only as required to perform our job duties and shall not share this information with others unless they have a legitimate need to know the information. We must protect the organization’s confidential information, even if we leave the organization. We shall not use confidential business information obtained from competitors, including customer lists, price lists, contracts or other information in violation of a covenant not to compete, prior employment agreements, or in any other manner likely to provide an unfair advantage to the Hospital. Salary, benefits and other personal information relating to employees shall be treated as confidential (Tomball, 2010, ¶ 36).

Description of Facility Patient Data Privacy and Security Plan

St. John’s Hospital takes pride in their sound policies and procedures for the protection of confidential client information, serving as a model for other institutions in the area. As such, this Facility’s Patient Data Privacy and Security Plan involves a number of steps and policies to protect both the patient, and the hospital. If security breaches, due to insufficient policy and procedures occur, the hospital may be fined a significant numerical amount, as demonstrated by several cases brought to media attention in the article, “California Fines Five Hospitals for Failure to Protect Patient Data “ (Wilson, 2010). Agreements, Education, and definitions that clearly identify are all essential elements of this Data Privacy and Security Plan.

Identifying the different aspects of this policy is the first step to understanding Privacy and Security issues as they pertain to this organization. The right to privacy and to determine with whom information will be shared, in any manner, is, ”essential to the trust and integrity of the client-provider relationship” (VIHA, 2009, 2.1, p.1, 2). The responsibility for confidentiality follows the right to privacy as the natural course. ”All reasonable measures must be taken to ensure that personal information is collected, used and disclosed only in circumstances necessary and authorized. All use, sharing or disclosure of information must be in accordance with the appropriate legislative authority” (VIHA, 2009, 2.2, p. 2). As such, all client information is collected and used appropriately within this organization. Security and Privacy measures are in place to ensure that only authorized staff is able to view or use confidential information, and all employees are required to sign a Code of Conduct and a Confidentiality Agreement with this organization prior to beginning employment. All information is stored securely with all copies or printouts securely shredded each day in all areas, restricted or not. Any breach of confidentiality is dealt with according to policy, as signed in agreement by the employee, and may result in disciplinary action, including termination of employment and-or legal action as deemed necessary by this organization.

“Audit trails, masking, passwords, encryption technology, data storage, and other policies at the technical level will be used to further protect client privacy” (Polk, 2003, p. 2). Audits will be randomly and intermittently performed, with no notice, and in all areas, to ensure compliance with policy. Management of information systems, including but not limited to; the distribution and changing of passwords, computer security settings, assigned security levels of access, cataloguing and securing of all electronic media, long-term record management, and recovery systems will be securely managed under the strictest governmental expectations and recommendations of the State to ensure that Confidential Data remains private and secure for the client.

References

Chief Executive Officer, Vancouver Island Health Authority. (2009). Retrieved September 19, 2010, from http://www.viha.ca/NR/rdonlyres/A0E34A34-ABAC-4FBE-9F2E-55387851A292/0/policy_personal_information.pdf

Polk County Policies and Procedures. 601.P. (2003). Confidentiality, Security and Access to Protected Health Information. Retrieved September 19, 2010, from http://www.co.polk.wi.us/upload/Confidentiality.pdf

Tomball Regional Medical Center. (2010). Retrieved September 19, 2010, from http://www.tomballhospital.org/code_of_conduct.html

Wilson, T. (2010). California fines five hospitals for failure to protect patient data. Dark

Reading. Retrieved September 19, 2010, from http://www.darkreading.com/insiderthreat/security/government/showArticle.jhtml?articleID=225600466