Hermit’s Pediatrics is a small practice serving the health care needs of children in a small, rural community. The practice has always used paper health records. However, the practice founder, Dr. Melody Hermit, learns that under the American Recovery and Reinvestment Act (ARRA) of 2009, the Centers for Medicare and Medicaid Services (CMS) is offering significant incentives to eligible healthcare professionals who effectively adopt electronic health records (EHR). She sees an opportunity to move into the electronic age.
It takes some time for Dr. Hermit and her staff to get accustomed to using the EHR instead of the paper record, but they quickly see some real advantages. Information in the EHR is always easy to find and is well-organized. Things are going smoothly until one morning when Dr. Hermit and her staff discover that all of their patient records are gone from the EHR. Inadvertently, the system upgrade that was rolled out the night before has overwritten the storage partition containing the records. Luckily, the records had been backed up just before the wipe-out, and are eventually reloaded within a few hours.
Several months later, Dr. Hermit receives an irate phone call from a patient’s mother whose child has been diagnosed with sickle cell disease. The mother’s anger is triggered when a neighbor expresses her sympathy, although the mother has not discussed the diagnosis with anyone. Dr. Hermit questions her staff and learns that the receptionist discussed the child’s diagnosis with the mother’s neighbor after checking his medical records. Dr. Hermit is astounded that the receptionist could even view the patient information, particularly given that the EHR is supposed to be HIPAA compliant according to Planet, the software developer. She is equally surprised when she walks into the reception area only to witness that another patient’s record is in full-sight of those waiting for their appointment. To top Dr. Hermit’s frustration, the Planet software server suffers a malicious software attack. As a consequence, the EHRs of many patients have been compromised, and many others might have been made vulnerable.
Dr. Hermit is now rethinking her decision to adopt an EHR to qualify for the incentive payment after all. The clinic may be better off using paper records until she retires.
Case Study Questions
1. Hermit’s Pediatrics has experienced risks to information confidentiality, data integrity, service availability, and the business itself. Identify the consequences, the vulnerabilities exploited, and the ways these risks could have been mitigated.
2. What are some of the risks that are not addressed by HIPAA, but an EHR software subscriber may need to consider?
How to solve
Health Information System Case Study
Introduction:
In this case study, Hermit’s Pediatrics, a small pediatric practice, decides to adopt electronic health records (EHR) under the American Recovery and Reinvestment Act (ARRA) of 2009. However, they encounter several challenges and risks related to information confidentiality, data integrity, service availability, and the overall business. This has raised concerns for Dr. Melody Hermit, the practice founder. In this response, we will address the consequences, vulnerabilities exploited, and potential mitigation strategies for these risks. Additionally, we will explore the risks that are not covered by HIPAA but should still be considered by EHR software subscribers.
1. Consequences, vulnerabilities exploited, and risk mitigation:
a) Consequences:
– Loss of patient records due to an inadvertent system upgrade, resulting in potential delay and disruption of patient care.
– Unauthorized disclosure of sensitive patient information, leading to breaches in confidentiality and loss of patient trust.
– Malicious software attack compromising EHRs and potentially making patients vulnerable to identity theft or medical fraud.
b) Vulnerabilities exploited:
– Lack of proper backup protocols: The practice experienced data loss due to a system upgrade, highlighting the importance of regular and secure backups.
– Insufficient access controls and training: The receptionist was able to view patient information and discuss it with unauthorized individuals, indicating gaps in access control and staff training.
– Poor physical security: Patient records being visible to others in the reception area suggests a lack of proper physical safeguards.
c) Risk mitigation strategies:
– Implement robust backup procedures: Regularly back up EHR data to secure off-site locations to ensure data recovery in case of system failures or disasters.
– Strengthen access controls: Implement role-based access controls (RBAC), where staff members are granted access only to the necessary patient information based on their job roles. Provide comprehensive training on privacy and confidentiality.
– Enhance physical security: Ensure patient records are not visible or accessible to unauthorized individuals by implementing privacy screens, secure filing systems, and restricted access to areas where records are stored.
2. Risks not addressed by HIPAA but should be considered by EHR software subscribers:
– Cybersecurity threats: EHR software subscribers should acknowledge the risk of cyberattacks, such as malware, ransomware, or hacking attempts. Implementing robust security measures, including firewalls, intrusion detection systems, and regular security audits, can help mitigate these risks.
– Data breaches by insiders: While HIPAA primarily focuses on external threats, the risk of insiders intentionally or unintentionally leaking confidential patient information should be considered. Implement measures such as user access controls, audit logs, and ongoing staff training to minimize this risk.
– Vendor management and system vulnerabilities: EHR software subscribers should assess the security practices of their software vendors. Ensure that the software is regularly updated, and any identified vulnerabilities are promptly patched to minimize the risk of exploits.
In conclusion, Hermit’s Pediatrics experienced risks related to information confidentiality, data integrity, service availability, and the overall business when transitioning to EHR. The consequences included data loss, unauthorized disclosure, and compromised system security. These risks could have been mitigated through robust backup procedures, improved access controls and training, and enhanced physical security measures. Additionally, EHR software subscribers should consider risks not covered by HIPAA, such as cybersecurity threats, insider breaches, and vulnerabilities in the software itself.