Question

CASE 14: BREACHING THE SECURITY OF AN INTERNET PATIENT PORTAL Major theme: IT security Background Information Kaiser Permanente is an integrated health delivery system that serves over eight million members in nine states and the District of Columbia. 1 In the late 1990s, Kaiser Permanente introduced an Internet patient portal, Kaiser Permanente Online (also known as KP Online). Members can use KP Online to request appointments, request prescription refills, obtain health care service information, seek clinical advice, and participate in patient forums. Information Systems Challenge In August 2000, there was a serious breach in the security of the KP Online pharmacy refill application. Programmers wrote a flawed script that actually concatenated over eight hundred individual e-mail messages containing individually identifiable patient information, instead of separating them as intended. As a result, nineteen members received e-mail messages with private information about multiple other members. Kaiser became aware of the problem when two members notified the organization that they had received the concatenated e-mail messages. Kaiser leadership considered this incident a significant breachof confidentiality and security. The organization immediately took steps to investigate and to offer apologies to those affected. On the same day the first member notified Kaiser about receiving the problem e-mail, a crisis team was formed. The crisis team began a root cause analysis and a mitigation assessment process. Three days later Kaiser began notifying its members and issued a press release. The investigation of the cause of the breach uncovered issues at the technical, individual, group, and organizational levels. At the technical level, Kaiser was using new web-based tools, applications, and processes. The pharmacy module had been evaluated in a test environment that was not equivalent to the production environment. At the individual level, two programmers, one from the e-mail group and one from the development group, working together for the first time in a new environment and working under intense pressure to quickly fix a serious problem, failed to adequately test code they produced as a patch for the pharmacy application. Three groups within Kaiser had responsibilities for KP Online: operations, e-mail, and development. Traditionally these groups worked independently and had distinct missions and organizational cultures. The breach revealed the differences in the way groups approached priorities. For example, the development group often let meeting deadlines dictate priorities. At the organizational level, Kaiser IT had a very complex organizational structure, leading to what Collmann and Cooper (2007, p. 239) call “compartmentalized sensemaking.” Each IT group “developed highly localized definitions of a situation, which created the possibility for failure when integrated in a common infrastructure.” Discussion Questions 1. How serious was this e-mail security breach? Why did the Kaiser Permanente leadership react so quickly to mitigate the possible damage done by the breach? 2. Assume that you were appointed as the administrative member of the crisis team created the day the breach was uncovered. After the initial apologies, what recommendations would you make for investigating the root cause(s) of the breach? Outline your suggested investigative steps. 3. How likely do you think future security breaches would be if Kaiser Permanente did not take steps to resolve underlying group and organizational issues? Why? 4. What role should the administrative leadership of Kaiser Permanente take in ensuring that KP Online is secure? Apart from security and HIPAA training for all personnel, what steps can be taken at the organizational level to improve the security of KP Online?

Answer 1

Answer:-

1. Any presentation of private wellbeing data is dependably a genuine concern. AS this break occurred in 2000 preceding title II of the medical coverage convey ability and responsibility act. As a result of the planning of the occurrence Kaiser changeless initiative respond so rapidly on the grounds that despite the fact that just two individuals answered to them, more messages had gone out and a lot of recognizable patient data was unveiled. Other individuals who had rescued the email may go straightforwardly to news station with the break and humiliate the organization. They needed to seem to have caught the issue themselves and rapidly , before the general population discovered from another source.
2. . The first step is to determine the full impact of the breach to decide what path to take. In this case study, over 800 individual messages with private health information were concentrated and sent to multiple people, at least 19 of which were found to have been rescued. alternate advances is to investigate the mechanical, individual and authoritative and the gathering level with the end goal to recognize where there would have been an issue in the framework and what might have caused the issue. While doing the examination, it is likewise fitting to consider the strategy of Kaiser Permanente for approving access of the approaches.
3. If Kaiser Permanente did not take steps to resolve underlying group and organizational issues, then the future security breaches will result into Kaiser Permanente being penalized. This is on the grounds that suggestion is a piece of the measures as given by the medical coverage convey ability and responsibility act and the joint commission on the Accreditation of the wellbeing association. On the off chance that they neglect to follow the measures as given by the administrative organizations, at that point undoubtedly they will be punished for any future rupture because of resistance.
4. The importance of security must be evident at the administrative leadership level. if this level does not make it priority , the either level of the organization will not either. the administration should------

1. participate in normal hazard examination that incorporate readiation as required.

2. Contract a devoted boss data security officer.

3. Scramble private social insurance information.

4.guarantee against infection programming is continiously refreshed.

5.Train all employees that have access to confidential information on how to handel it at the level of their day to day workforce.

6. Enact and enforce policies regarding security of information and if there are mistakes or error , make sure they are communicated so everyone can learn from them.

Please do rate answer.....