Breaching The Security of An Internet Patient Portal
May 18, 2013
Kaiser Permanente is a health system which serves over eight million members in nine states and the District of Columbia. In the 1990s the KP Northern California region created an Internet Patient Portal known as “Kaiser Permanente Online” (KP Online) (Wager, 2009). KP Online lets members request appointments and prescription refills, obtain health information, and receive medical advice from staff.
In August 2000, a breach occurred when an Operations technician applied patches to servers in support of a new KP Online pharmacy refill application. Subsequently, the outgoing e-mail function of KP Online failed and created a dead-letter file of outbound messages: replies to patient inquiries that contained individually identifiable patient information (Collmann & Cooper, 2007).
In trying to clear the e-mail file, a flawed computer script was created that concatenated over 800 individual e-mail messages, which contained personally identifiable information. At least nineteen of the e-mails reached their intended destination (Collmann & Cooper, 2007). Two members who received the e-mail messages reported the incident to KP. Kaiser considered the breach a significant incident due to the number of messages sent. As a result, the company created a crisis team to find the cause of the breach. The Kaiser crisis team notified its members and issued a press release three days after the breach.

Major Issues
In this case study, protected sensitive patient information was compromised during the e-mail security breach. The Kaiser Permanente leadership reacted quickly to mitigate the damage of the breach because the company was non-compliant with good information security practice and with regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which established standards for the confidentiality and security of health care information.
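The script failure at the root of this incident, shown as an added illustration that is not part of the case study and is not Kaiser's actual script (the case provides no code): a flush routine that merges the queued replies into one body sent to every recipient, beside a per-message requeue that binds each reply to its single original recipient, and a pre-send check that flags any cross-recipient leakage. The addresses, message texts and the spool format (one RFC 822 message per entry) are constructed assumptions.

```python
# Added illustration, not code from the case study or from Kaiser Permanente:
# a mail-queue flush that merges stuck replies (the reported failure mode)
# beside a per-message requeue that keeps each reply bound to its own
# recipient. Addresses, message texts and the spool format are constructed.
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed dead-letter spool: each entry is one stuck reply in RFC 822 form,
# addressed to a single patient and containing only that patient's information.
DEAD_LETTERS = [
    "To: alice@example.test\nSubject: Re: refill request\n\n"
    "Alice, your refill for Rx 1001 is ready for pickup.\n",
    "To: bob@example.test\nSubject: Re: appointment\n\n"
    "Bob, your appointment is confirmed for Tuesday at 9:00.\n",
    "To: carol@example.test\nSubject: Re: lab results\n\n"
    "Carol, your lab results came back within normal range.\n",
]


def flawed_flush(raw_messages):
    """The failure mode: every body in the spool is concatenated into one text,
    and that merged text is then addressed to each queued recipient."""
    parsed = [message_from_string(raw) for raw in raw_messages]
    merged = "\n".join(msg.get_payload() for msg in parsed)
    return [(msg["To"], merged) for msg in parsed]


def safe_requeue(raw_messages):
    """Rebuild and resend each stuck reply on its own. An entry is refused
    unless it names exactly one recipient across To/Cc/Bcc and is a single
    plain body, so no entry can fan out to anyone else."""
    outbound = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
        recipients = [addr for _, addr in getaddresses(headers) if addr]
        if len(recipients) != 1:
            raise ValueError(f"refusing entry with {len(recipients)} recipients")
        if msg.is_multipart():
            raise ValueError("refusing multipart entry; spool should hold plain replies")
        out = EmailMessage()
        out["To"] = recipients[0]
        out["Subject"] = msg["Subject"] or "(no subject)"
        out.set_content(msg.get_payload())
        outbound.append((recipients[0], out.get_content()))
    return outbound


def cross_recipient_leaks(outbound, raw_messages):
    """Pre-send check: report every (recipient, owner) pair where an outbound
    body contains text that belongs to a different recipient's original reply."""
    originals = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        originals[msg["To"]] = msg.get_payload().strip()
    leaks = []
    for recipient, body in outbound:
        for owner, text in originals.items():
            if owner != recipient and text in body:
                leaks.append((recipient, owner))
    return leaks


if __name__ == "__main__":
    bad = flawed_flush(DEAD_LETTERS)
    print("flawed flush leaks:", cross_recipient_leaks(bad, DEAD_LETTERS))
    good = safe_requeue(DEAD_LETTERS)
    print("per-message requeue leaks:", cross_recipient_leaks(good, DEAD_LETTERS))
```

Running the module shows the merged flush leaking every other patient's reply to each recipient, while the per-message requeue produces no cross-recipient matches; the same check can be run as a gate before a repaired queue is released rather than discovering the problem from member reports, as happened here.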
Advances in technology, including computerized medical data, create the potential for breaches of patients’ privacy and of the confidentiality of their health information. The ANA supports the following principles with respect to patient privacy and confidentiality:
• Patients’ right to privacy of health information.
• The use or release of health information is prohibited without patient consent, and safeguards must be used for the disclosure and storage of personal health information.
• It is the responsibility of users to follow the guidelines set forth in their workplace to protect the patient and the information.
This statement gives support to patients’ privacy, which may turn into laws that the ANA would represent and push in Congress. It also supports the laws and regulations set forth by the HIPAA regulations of 1996, in that it protects and adopts the national standards for electronic health care. It promotes using safeguards for all disclosures and transactions in health information.
Crisis Team Member
As a crisis team member, it is important to find the cause of the breach. Two key suggestions should be implemented in the Kaiser IT group:
• More interaction with one another during the planning, implementation, and evaluation process.
• Before implementing a program or a change, the IT groups should test the migration site and its functions in a test lab.
As noted in the case study, the three groups (the development group, the operations group, and the e-mail group) worked independently from each other to meet their individual department goals. The following diagram notes the IT department that manages each respective component:
[Diagram: IT department responsible for each KP Online component]
Source: Collmann, J., & Cooper, T. (2007). Breaching the security of the Kaiser Permanente Internet patient portal: The organizational foundations of information security. Journal of the American Medical Informatics Association, 14(2), 239-243.
As a crisis team member I...