Transcript
Capstone Video: Breach of Information Security
[ Music ]
[ Background Sounds ]
[ Ringing Phone ]
>> Administrator Roberta Hutchinson.
>> Miss Hutchinson, this is Daniel Johnson at the “Times Register.”
>> Good day, Mr. Johnson. What can I do for you?
>> Well, I’m the editor for the paper’s city section. And we have a rather unusual situation over here.
>> Really? Doesn’t sound good. What’s going on?
>> Last night we received an e-mail from one of your employees about the hospital’s surgical complication rate.
>> Really? That’s a surprise.
>> Thought it might be, but that’s not all. Attached to the letter was, I don’t know, probably 20 or 30 patient files. Which I assume are confidential.
>> You assume correctly. They are confidential.
>> Now, we’re not running a story or anything like that.
>> That’s good because that was my next question.
>> No. This smelled a little fishy to me. And I wanted to check with you first before we did anything with this.
>> Why thank you, Mr. Johnson. I tell you, this is a little out of my jurisdiction. Can I get your number? I’d kind of like to have Barbara Gonzalez give you a call. She’s our Health Information Management Director. And I’m sure she’d be interested in finding out who sent you this e-mail. And whether or not they even had authorization to have access to patient records. Furthermore, I am certain that they didn’t have authorization to make them public.
>> Of course. Anything I can do to help. My direct line at the paper is 555-1032.
>> Got it. Thank you very much, Mr. Johnson. We’ll be in touch.
>> You’re very welcome. Talk to you soon.
>> Okay, great. Bye-bye.
[ Background Sounds ]
[ Ringing Phone ]
>> Barbara Gonzalez.
>> Hey, Barb, this is Roberta. How you doing?
>> Hey, good. You?
>> Good, good, good. You’re not just health information management, you’re privacy and security too; right?
>> Yeah. I wear a lot of hats around here. What’s up?
>> I just got a call from an editor over at the “Times Register.” They’ve received something from one of our employees or supposedly one of our employees, an e-mail with dozens of patient files.
>> Patient files? Do we know who sent this e-mail?
>> Actually, I didn’t ask. But I did get the name of the editor and his direct line. And I said that he would, you could give him a call.
>> Sure will do.
>> [Inaudible] forward it to you.
>> Okay.
>> Ready? His name is Daniel Johnson. 555-1032.
>> Okay, I’ll give him a call right now and find out what happened.
>> Okay, thank you. And let me know, okay, because I am curious.
>> Will do. Thanks a lot.
>> Okay, great.
>> Bye-bye.
>> Thanks, bye.
>> Sure. Okay, great. Hold on a minute. Okay, sure. What time do you have in mind? Four-ish. Okay, great. Thanks, bye. Woman with all the hats, how you doing?
>> Good. You wanted me to follow up with you on that e-mail that was sent to the newspaper. It was sent last night by a John Haines.
>> John Haines. I don’t think he works here anymore. His last day was last Friday. How could he have sent an e-mail from the hospital?
>> His password was never terminated. Apparently he still had access to his account and to patient files.
[ Background Sounds ]
>> You’re right. There was never a request for a deletion of his password. Says here Judy from HR processed his exit. This may have been her first time handling an employee exit.
>> Well, I have a new supervisor over in HIM. And part of her job is to make sure that the passwords for terminated employees are deleted. She should have caught Judy’s mistake with her audit. I’m going to have to set up new training for my HIM supervisors to make sure these terminations are handled properly. This could have been a nightmare all around. For the patients and for us legally.
>> Absolutely. I’ll be discussing this breach of protocol with our human resources too. And FYI, I got a call from Daniel Johnson over at the “Times Register.” He said they deleted the records. Also, I’ve turned this matter over to our legal staff for further investigation.
>> Good. Excellent.
>> Thanks.
>> Thank you.
QUESTIONS:
1. Identify ways that this situation could have been prevented.
2. What types of information will the HIM director look for in the audit log?
3. What mitigation would you recommend?
Transcript
Capstone Video: Failure to Launch
[ Music ]
>> Alright. Yeah, so I have you down for 10 a.m. on Friday. Great. Okay, great I’ll see you then. Thank you. Bye-bye. Thank you for waiting. Victor.
>> Victor Diaz.
>> Diaz. Thank you. I’m still trying to learn everyone’s name.
>> No problem.
>> Okay, so Victor, how can I help you?
>> I’m having a problem with the new encoder software we just installed. I know it’s supposed to be the latest and greatest and everything, but I’m not comfortable using it. And I don’t want to speak for other people, but I know I’m not the only one who feels that way.
>> Wow, that’s disturbing. Is it not working properly?
>> Well, that’s the thing. You see, I’m not sure. It might be working just fine. It’s not so much a problem with the encoder itself. It’s that we only had a half hour of training before we were supposed to be up to speed on it.
>> Half an hour?
>> Yeah. And so we end up going back to the code books half the time anyway.
>> You know, when your coding supervisor.
>> Vanessa?
>> Vanessa, Vanessa Wiley, took me through the coding department to meet everybody and see how the area worked, I thought I noticed a lot of people using the code books and then going to the encoder. But for some reason, it just flew by me.
>> Well, we didn’t even know there was going to be a new program until two days before it was installed. And we had a half hour of training Wednesday afternoon, and then we were supposed to be using it Thursday morning like nothing had ever changed.
>> Okay. Alright, so it’s not that it’s not working properly, it’s just that you haven’t had a chance to familiarize yourself with it. Is that what I’m hearing?
>> Yes.
>> Well, okay, that sounds like a reasonable request to me, Victor. I’ll call Vanessa and see what we can do about it. Thanks for bringing it to my attention. Is there another problem?
>> Well, can you not tell her I told you? I just don’t want her thinking I was doing an end run around her, even though I guess that’s what I’m doing.
>> Sure. But in the future, make sure you discuss issues like this with Vanessa first before coming to me.
>> I will. Thanks, Miss Gonzalez.
>> I’m glad to be of help, Victor. See you later.
>> Okay.
>> When Victor Diaz left my office, I spoke to the coding supervisor. But I actually took it a little further. I called a coding staff meeting that day to talk about how we should go about managing these kinds of changes because they can be confusing and disruptive. I made sure to address the following items. Why we needed the encoder. How it will benefit the hospital. How it will benefit the coders. And how it’s going to improve the quality of the data we generate. We scheduled some additional training for the coders the very next day, and we told them so. They were so relieved it even got a round of applause. I also spoke to the CIO, and I told him what I was doing and why. Since we were going to extend the training, I knew this would have an effect on our payroll with the hours charged to time for training, and I definitely didn’t want him caught off guard. After the second round of training, the coders seemed a lot more comfortable with the system. And we can see that they’re actually taking good advantage of the functionality of the encoder. Oh, and the last thing I did was tell the coders that I would make absolutely sure that they’d be included in the loop in other implementations that’ll impact them. We are planning a new EHR, and that’s exactly the kind of implementation that we’re going to want to get them involved in early in the process.
QUESTIONS:
1. How can system changes, including encoder software changes, be handled by management to ensure a smooth transition?
2. What problems could have occurred in this case? What departments could have been affected?
3. What should the HIM director do to address this situation?