The management of any organization has reason to fear an information security breach, especially where sensitive patient information is at risk. The healthcare provider needs to create a data breach response plan that can avert such a breach in the future and restore normal operation in the institution (Smedinghoff, 2008). The plan will be guided by the stipulations of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The plan will consist of the following:
Encryption of information
The organization will need to encrypt all of its data. Under the HITECH Act, data that an organization has encrypted is treated as secured. The information can be encrypted before it is written to tape through the use of tape backup software. In addition, the organization can use data loss prevention software that notifies management when someone attempts to transfer unencrypted data over the network. This will help management determine whether a data violation attempt is an outside or an inside job. Data encryption should be backed by encryption of the other devices on the network to ensure that the data is fully secured (Smedinghoff, 2008). Other devices that should be encrypted, to prevent visitors or unauthorized people from accessing the data, include laptops, thumb drives and corporate smartphones. In encrypting these devices, management should note that disk encryption is not effective on its own. Disk encryption works for mobile devices and removable storage media, but it does not prevent access to data while that data is being moved over a network.
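The paragraph above describes two controls that work together: data loss prevention that alerts when unencrypted data leaves over the network, and source attribution so management can tell an inside attempt from an outside one. The following is an added example, not code from the essay or from any DLP product, showing the core of such a check in Python: transfer events are inspected for PHI-like indicators, transfers over an encrypted protocol are accepted, and unencrypted ones are turned into alerts that classify the origin by source address. The event schema, the internal address ranges, the protocol list and the identifier patterns (an SSN shape and a hypothetical MRN prefix) are all assumptions for illustration, and the sample events are constructed.

```python
import hashlib
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class TransferEvent:
    """One transfer as a DLP sensor might record it (schema is an assumption)."""
    src_ip: str
    dst_ip: str
    protocol: str   # transport as observed, e.g. "https", "http", "smtp", "ftp"
    payload: str    # plaintext sample the sensor could read from the transfer


# Assumed internal address ranges for this example.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Protocols that encrypt data in transit; anything else is treated as unencrypted.
# Disk encryption on the sending host makes no difference here: once a process
# reads the file and sends it, the bytes on the wire are plaintext.
ENCRYPTED_PROTOCOLS = {"https", "sftp", "smtps", "ssh"}

# Hypothetical PHI indicators: SSN-shaped numbers and a medical record number prefix.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[- ]?\d{6,8}\b"),
}


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def phi_indicators(payload: str) -> list:
    """Names of the PHI patterns found in the payload sample."""
    return [name for name, pat in PHI_PATTERNS.items() if pat.search(payload)]


def redact(payload: str) -> str:
    """Mask the matched identifiers so the alert record does not itself carry PHI."""
    out = payload
    for pat in PHI_PATTERNS.values():
        out = pat.sub("[REDACTED]", out)
    return out


def classify(event: TransferEvent):
    """Return an alert dict for an unencrypted transfer carrying PHI, else None."""
    indicators = phi_indicators(event.payload)
    if not indicators or event.protocol in ENCRYPTED_PROTOCOLS:
        return None
    return {
        "origin": "inside" if is_internal(event.src_ip) else "outside",
        "src_ip": event.src_ip,
        "dst_ip": event.dst_ip,
        "protocol": event.protocol,
        "indicators": indicators,
        "evidence": redact(event.payload),
        # The hash lets an investigator match the alert to the captured transfer
        # later without storing the sensitive content in the alert itself.
        "payload_sha256": hashlib.sha256(event.payload.encode()).hexdigest(),
    }


def find_violations(events):
    """All alerts produced by a batch of transfer events, in input order."""
    return [a for a in (classify(e) for e in events) if a is not None]


# Constructed sample events (all addresses, names and numbers are made up).
SAMPLE_EVENTS = [
    TransferEvent("10.1.4.22", "203.0.113.5", "http",
                  "patient J. Doe MRN-0012345 SSN 123-45-6789 discharge summary"),
    TransferEvent("10.1.4.22", "203.0.113.5", "https",
                  "patient J. Doe MRN-0012345 SSN 123-45-6789 discharge summary"),
    TransferEvent("198.51.100.9", "10.2.0.7", "ftp",
                  "export batch MRN-0099881 MRN-0099882"),
    TransferEvent("10.1.4.30", "10.1.4.31", "smtp",
                  "lunch order for the ward, no identifiers here"),
]

if __name__ == "__main__":
    for alert in find_violations(SAMPLE_EVENTS):
        print(alert)
```

Run as written, the script flags the first event (an internal host sending PHI over plain HTTP) as an inside attempt and the third (an external address pushing medical record numbers over FTP) as an outside one; the same PHI over HTTPS and the message with no identifiers produce no alert. The redaction and hash in the alert are a design choice worth keeping in a real deployment: an alert log that copies the offending payload verbatim becomes a second store of unencrypted PHI.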
The organization should also enforce the notification procedure stipulated by Senate Bill 1386 and the Security Breach Information Act. The notification procedures require that an organization report to individual clients when it believes that a security breach has occurred. Under the notification laws, whenever personal information is believed to have been accessed by unauthorized parties, the affected person needs to be informed. Data breach notification laws have changed in the recent past to increase the incentive for organizations to safeguard client information. HIPAA regulations did not stipulate that patients be notified by the organizations concerned in case of a data breach; the issue was left to state data protection laws (Hiles, 2002). The HITECH Act requires that individuals affected by a data security breach be notified individually through the mail, or by telephone if it is an emergency. Whenever a breach of personal health information has taken place, the notification to the patient should state when the breach occurred, what type of data was involved and the steps the organization has taken to rectify the situation. In addition to individual notification, for a data breach that affects more than 500 patients in a single state, the state's local media channels must also be informed (Hiles, 2002).
Risk assessment of a data breach
The organization should also conduct a risk assessment of the data security breach. The organization can use the Risk Management Framework created by the National Institute of Standards and Technology (NIST) to initiate a risk assessment of all the computers that store protected health information (PHI). Management can then install an effective data access control system, with login and authentication processes, to increase data security. When creating the data access security plan, the organization will observe the stipulations of NIST and the Health Information Trust Alliance (Smedinghoff, 2008). Such standards will ensure that the organization is motivated to maintain data security. The HITECH Act and NIST will provide the most appropriate guidelines to ensure that the organization rectifies the present situation and prevents such a data security breach in future.