
HEALTHCARE DATA BREACHES 1

Healthcare Data Breaches

Student’s Name

Institution

Course

Professor’s Name

Date

Healthcare Data Breaches

The reliance on technological tools to manage data and run healthcare facilities brings a new wave of challenges. Information technology tools and systems have weaknesses, including breakdowns and possible attacks from malicious individuals. As such, IT professionals must be prepared at all times to manage IT failures whenever they occur. This paper uses the WGU hospital scenario to evaluate the privacy and security concerns involved in the use of technology in a healthcare setting, especially after an attack on the systems. The findings of this privacy and security evaluation should help the organization develop systems and structures for addressing similar breaches, both before and after they occur, in the future.

Plan to Determine the Scope of Breach

Determining the number of patients whose information was breached should be among the primary steps in mitigating the damage. Current data analytics systems assign users data access profiles. With such profiles, each user is assigned the amount of data they can access (Hewitt, Dolezel, & McLeod, 2017). In the case of the hospital, each doctor's profile is assigned a specific number of patients. The plan for determining the number of affected patients is therefore to triangulate the affected doctor's profile and, where possible, seal all of that profile's access.

Steps in a Focused Risk Analysis of the Breach

The organization should follow three steps in a comprehensive, focused risk analysis to mitigate the outcomes of the breach. The first step in the risk analysis is to conduct triage. Every breach should be analyzed by asking the "W" questions (Hewitt, Dolezel, & McLeod, 2017). The organization must attempt to answer the who, what, why, and where questions to establish the scope of the attack. The IT security team and the incident team must collaborate in conducting the triage. In the triage, the team assesses the areas affected most by the breach based on the outcomes of the triangulation data analytics. The second step should focus on managing the damage. That is, the analysts should seal all possible access points of the data breach, which should happen by shutting down the system if the facility is still in control of it. The third step in the focused risk analysis should be information sharing. Every data breach comes with panic. The involved teams, therefore, must offer efficient and candid information to all the affected stakeholders.

An Administrative Safeguard to Prevent Future Breaches

The administration can implement multiple actions to prevent similar occurrences in the future. Administrative safeguard activities emphasize information system selection, development, implementation, and maintenance to protect data (Antony-Arockiasamy, 2021). Primarily, the administration must implement policies on basic risk analysis and risk management standards. That is, the organization must assess its systems periodically to determine their weaknesses and strengths. The organization should also have a standard protocol for addressing possible breaches should they occur. Other administrative safeguard measures worth considering include strategic information system activity reviews and the implementation of a sanction policy. When combined, such safeguard measures should assist in combating similar incidents in the future.

A Technical Safeguard
The organization should also implement a sophisticated technical safeguard policy to protect it from future breaches. The technical safeguard should control access to the health information systems (Dolezel & McLeod, 2019). Some of the inputs to consider in developing such a safeguard include user authentication and passwords to access the systems, implementation of an automatic log-off after a specified time interval, and implementation of systems that track or audit employees with access to the systems. The organization can also implement different security levels to control full access to the systems.
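The scope-determination plan above (triangulating the affected doctor's profile) and the audit-tracking safeguard described in this section can be combined into one check. The following is an added example, not part of the paper or any hospital system: it assumes a constructed access-profile table and constructed audit-log lines, and it separates the upper bound (every patient the compromised profile could reach) from the patients the audit trail shows were actually accessed during the incident window, then lists the containment actions for that profile.

```python
from datetime import datetime

# Constructed sample data (not from the paper): each doctor's access profile
# lists the patient IDs that profile is entitled to read.
ACCESS_PROFILES = {
    "dr_adams": {"P001", "P002", "P003", "P004"},
    "dr_baker": {"P005", "P006"},
}

# Constructed audit-log lines: "timestamp user action patient_id".
AUDIT_LOG = """\
2023-03-01T08:02:00 dr_adams VIEW P001
2023-03-01T08:10:00 dr_baker VIEW P005
2023-03-01T09:15:00 dr_adams VIEW P003
2023-03-01T09:20:00 dr_adams EXPORT P003
2023-03-01T09:40:00 dr_adams VIEW P004
2023-03-01T11:00:00 dr_adams VIEW P002
"""


def parse_audit_log(text):
    """Parse audit lines into (timestamp, user, action, patient) tuples."""
    records = []
    for line in text.splitlines():
        ts, user, action, patient = line.split()
        records.append((datetime.fromisoformat(ts), user, action, patient))
    return records


def breach_scope(profile, profiles, records, window_start, window_end):
    """Return (upper_bound, observed) for a compromised profile.

    upper_bound: every patient the profile is entitled to access (worst case).
    observed: patients actually accessed under the profile inside the
    incident window (evidence-based count for notification).
    """
    start, end = datetime.fromisoformat(window_start), datetime.fromisoformat(window_end)
    upper_bound = set(profiles.get(profile, set()))
    observed = {p for ts, u, _, p in records if u == profile and start <= ts <= end}
    return upper_bound, observed


def revocation_actions(profile):
    """Containment step from the paper: seal all access for the affected profile."""
    return [f"DISABLE_ACCOUNT {profile}", f"TERMINATE_SESSIONS {profile}",
            f"REVOKE_PROFILE {profile}"]


if __name__ == "__main__":
    recs = parse_audit_log(AUDIT_LOG)
    bound, seen = breach_scope("dr_adams", ACCESS_PROFILES, recs,
                               "2023-03-01T09:00:00", "2023-03-01T10:00:00")
    print(f"at most {len(bound)} patients exposed; {len(seen)} accessed in window: {sorted(seen)}")
    print("\n".join(revocation_actions("dr_adams")))
```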

A Physical Safeguard

A healthcare organization can also protect its data from future breaches by implementing a physical safeguard policy. A physical safeguard covers the physical procedures, policies, and measures that protect the electronic information systems from unauthorized access (Dolezel & McLeod, 2019). For example, the physical safeguard can consist of shredding unneeded documents that may contain sensitive information, minimizing the amount of data on mobile devices, and switching off mobile devices beyond certain physical boundaries. Other physical safeguard measures should include locking offices and file cabinets and controlling access to some areas of the facility with swipe card systems or photo identification protocols.

Safekeeping Practices by the Physician

The physician in the scenario should adopt two primary safekeeping practices to limit the chances of similar occurrences in the future. Primarily, the physician should always ensure that mobile devices are kept in secure places (Wikina, 2014). Hence, the devices should be accessed or carried only in places where their security is guaranteed. Carrying or accessing the device beyond certain physical boundaries should be prohibited from the physician's point of view. The physician should also ensure that the device is technically protected. The device should have passwords or biometric access controls activated to limit the chances of unauthorized access. In addition, the device should be connected to the central system so that it notifies the security team of any possible breaches. Hence, physical safeguarding and technical safeguarding are the ideal options for the physician to avoid such an incident.

Applicable Fines and Penalties

HIPAA has a clearly defined policy on fines and penalties in case of a violation. Primarily, willful violations of the rules should attract a minimum fine of $50,000. For the responsible individual, the maximum penalty should be $250,000 (Towbin, 2019). Additionally, restitution may be needed for the affected patients should the impacts be larger. Finally, depending on the impacts of the breach on the organization, the individuals responsible for the violations can be charged legally and may serve jail terms if found guilty of criminal violations.

A Software Option

Cisco ACI is data security software that the organization can consider, given its forward-looking features. ACI employs multiple data protection protocols to ensure the safety of its systems. Some of the notable aspects of the software include adaptive authentication, containerization, and the use of blockchain analytics. ACI gives healthcare facilities an opportunity to protect their data from breaches or to limit the scope of damage from data breaches if they occur.

Notification Letter

Hello esteemed patients! The hospital is sorry to inform you that its health information system database has been breached. The attack occurred five minutes ago and has since been contained. You are requested to stay calm as the IT security team assesses the scope of the damage. You will receive an update within 10 minutes detailing the progress in managing the breach. The organization thanks you for your cooperation and continued support.

Conclusion

Every healthcare facility's security team should be prepared for data breaches. Even more importantly, the organization must implement protocols to safeguard its data in the future. Multiple options, including the use of physical, technical, and administrative safeguards, should be considered for data protection. Ultimately, every stakeholder in a healthcare facility must be educated on data protection to avoid some breaches.


References

Antony-Arockiasamy, A. (2021). Impact of information breaches on health care records (Order No. 28318026). Available from Publicly Available Content Database. (2489272141). Retrieved from https://www.proquest.com/dissertations-theses/impact-information-breaches-on-health-care/docview/2489272141/se-2?accountid=130654

Dolezel, D., & McLeod, A. (2019). Cyber-analytics: Identifying discriminants of data breaches. Perspectives in Health Information Management, 1-17. Retrieved from https://www.proquest.com/scholarly-journals/cyber-analytics-identifying-discriminants-data/docview/2288653270/se-2?accountid=130654

Hewitt, B., Dolezel, D., & McLeod, A. (2017). Mobile device security: Perspectives of future healthcare workers. Perspectives in Health Information Management, 1-14. Retrieved from https://www.proquest.com/scholarly-journals/mobile-device-security-perspectives-future/docview/1874376801/se-2?accountid=130654

Towbin, R. S. (2019). A protection motivation theory approach to healthcare cybersecurity: A multiple case study (Order No. 13809084). Available from Publicly Available Content Database. (2207492982). Retrieved from https://www.proquest.com/dissertations-theses/protection-motivation-theory-approach-healthcare/docview/2207492982/se-2?accountid=130654

Wikina, S. B. (2014). What caused the breach? An examination of the use of information technology and health data breaches. Perspectives in Health Information Management, 1-5. Retrieved from https://www.proquest.com/scholarly-journals/what-caused-breach-examination-use-information/docview/1690624031/se-2?accountid=130654