Health Informatics
docx
keyboard_arrow_up
School
Maseno University *
*We aren’t endorsed by this school
Course
CC 422
Subject
Information Systems
Date
Nov 24, 2024
Type
docx
Pages
8
Uploaded by UltraKomodoDragon152
1
Health Informatics
Name
Institution
Course
Professor
Date
2
Health Informatics
Health IT Security Breach
Data breach refers to the impermissible disclosure of safeguarded patient-related
information or data that is accessed following a theft, loss, forbidden access, disposal, hacking,
or other unknown breaches. Health informatics suffer undue consequences due to these
inevitable hospital attacks. In July 2022, the Methodist Mc Kinney Hospital experienced a data
breach that resulted in access and disposal of up to 360 gigabytes of patient healthcare data.
McKeon (2022) notes that the data breach attack caused the release of invoices, contract
documents, scanned patient documents, patient cards, and other financial documents. Patient
details such as name, addresses, social security numbers, dates of birth, patient history data,
diagnoses, intervention programs, medical records data, and health insurance documents and
details were allegedly accessed. Through this data breach, patients experienced harassment from
the actors through emails, phone calls, and warnings, prompting their collaboration with the
perpetrators to prevent their data dissemination. HIPAA Journal (2022) documents that the
accessed data were patients' protected health information that unauthorized persons infiltrate.
Development and advancement in technology leading to the invention of the internet of things,
medical and smart devices, information systems, and cloud systems have transformed traditional
healthcare approaches and the industry. Thus, digital healthcare has contributed to the more
effortless and seamless treatment and improved human health. However, these developments
have also attracted internal and external attacks that lead to data breaches, a concern on the need
to improve data confidentiality and protection of healthcare data rapidly.
A Fishbone Diagram
3
Problem Statement
Following the advancement in technology, there has been a significant increase in data
breaches where privacy is the most targeted aspect of healthcare patient data breaches. Electronic
healthcare data are putting patients at greater risk because their personally identifiable
information for many people is kept in a single server, making it a single target for attackers.
These data breaches are caused by theft of credentials, loss of essential data or equipment
carrying the data, and unauthorized disclosure or exposure of sensitive information leading to
possible hacking. Successful data breaches lead to a financial burden to the affected hospitals,
which will have to divert financial resources away from the patient, thus delaying and possibly
disrupting workflow and hospital productivity (Lee & Choi, 2021). A data breach can occur
through accidentally emailing the wrong recipients’ secure healthcare data; this data breach can
be termed as occurring due to carelessness or negligence. These are unintended violations of data
protection policies within healthcare. Phishing and ransomware attacks can be primary causes of
breaches when one of the employees becomes a target and victim of an attacker’s scheme to
compromise electronically safeguarded patient data. Also, technical vulnerabilities occur when
the system has coding bugs and improper configurations that can be exploited. Yeo & Banfield
Weak Credentials
Application Vulnerabilities
Social Engineering
Malware Attack
Insufficient information
Bugs
Weak policies
Misconfigurations
Keyloggers
Network vulnerabilities
Malicious intentions
Negligence
Data Breach
Weak Credentials
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
4
(2022) clarifies that carelessness or negligence, ransomware attacks, and technical vulnerabilities
are unintentional causes of a data breach, while theft, malicious insider, and hacking are caused
and implemented by people with malicious intentions.
Causes
Weak or Stolen Credentials
Using a weak or stolen password policy gives the attacker a simple route to access
patient-protected data. Attackers can efficiently utilize these vulnerabilities to guess and correctly
access systems containing gigabytes of patient records such as names, insurance numbers, date
of birth, and social security numbers. Writing down usernames and passwords and using similar
passwords for different accounts increases their susceptibility.
Inadequate password policies and insufficient information cause weak credentials.
Healthcare organizations that fail to train their workforce on effective ways to fight against
cybersecurity are vulnerable to data breaches. Effective knowledge transfer implementation and
change of behavior toward fighting cybersecurity should be encouraged regularly.
Application Vulnerabilities
Applications that are used in hospitals, including software, can have technical
vulnerabilities that individuals and organizations with malicious intentions can exploit. These
applications, mostly outsourced from third parties, are continuously improved; thus, individuals
or organized attackers can utilize these vulnerabilities to steal protected patient data before the
providers fix an alert of an identified vulnerability. Other equipment that is outdated and newly
developed has unchecked vulnerabilities.
Bugs and misconfigurations in new equipment cause application vulnerabilities. Bugs
refer to errors, flaws, or faults identified in software design, development, and operation and can
5
lead to unexpected or incorrect outcomes. Attackers can exploit the presence of these bugs to
launch data breaches. Misconfiguration leads to exploitable gaps within the networking systems
and possible avenues to launch attacks.
Social Engineering
Social engineering involves using authorized employees to provide information against
the system without their awareness. Though some employees have malicious intentions with
their organizations, they may collaborate with attackers to misuse their sensitive data and expose
patient data through the dark web for financial gains. Therefore, employees are susceptible to the
misuse of sensitive data through malicious intents implemented in collusion with external
individuals and organizations or without their support. Employees can also lose sensitive
information through losing a laptop, attachment of a sensitive document to an unauthorized
person, or including the wrong person in the Cc of an email.
Social engineering occurs when employees are not adequately trained to identify and
handle and manage threats emerging from malicious individuals to target data breaches.
Therefore, employees serve as links and bridges, allowing cyberattacks on their systems. Another
cause of the success of social engineering is the malicious intentions of the employees within the
healthcare organization.
Malware Attacks
Malware attacks are made through malicious software programs sent to systems with
vulnerabilities. The malware can track what users enter into a computer or a laptop to get
passwords and usernames, which can be exploited to gain access.
6
Malware attacks target unsuspecting employees through emails or the use of
organizations’ network systems to launch ransomware, phishing, or keyloggers. Also, malware is
sent and installed through vulnerabilities in the plans, such as bugs and misconfigurations.
Recommendations
The organization’s networking system should utilize recent technologies that have been
tried and tested for bugs, and their equipment should be properly configured to avoid
vulnerabilities. Software and hardware used within the hospital should also be safeguarded by
regular training of employees to avoid sharing protected data with unauthorized individuals. The
organizations should utilize firewalls, antivirus applications, encryption, and decryption tools and
follow other imperative access control and entity authentication processes (Kruse et al., 2017)
The causes of the data breach, designed and implemented by individuals and
organizations with malicious intentions, should be prevented through proper training and better
organizational culture to avoid untimely disruption of productivity. Training will lead to few
errors reported in sending sensitive data to unauthorized individuals through emails, no
employees falling prey to social engineering, early detection of data breaches, and ransomware
prevention.
System and operational changes to be implemented include limiting the number of
employees accessing sensitive data and updating software regularly to keep all application
security bugs fixed on time. Patches should also be installed when available and use the latest
cost-effective and easy-to-meat deploy third-party security analyzers that check whether all
applications are patched and updated. Healthcare organizations should also have a data breach
response process that assesses the seriousness and provides detailed information on the quantity
of data compromised and how the vulnerability can be fixed. Lastly, radical changes are needed
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
7
to mitigate failure and improve data security through actions that include developing better
policies and installing new security systems and authentication processes (Choi et al., 2019).
8
References
Choi, S. J., Johnson, M. E., & Lehmann, C. U. (2019). Data breach remediation efforts and their
implications for hospital quality.
Health services research
,
54
(5), 971-980.
HIPAA Journal. (2022).
PHI exposed in cyberattacks on Methodist McKinney hospital and
Columbia River mental health services
. HIPAA
Journal.
https://www.hipaajournal.com/phi-exposed-methodist-mckinny-hospital-
columbia-river-mental-health-services/
Kruse, C. S., Smith, B., Vanderlinden, H., & Nealand, A. (2017). Security techniques for the
electronic health records.
Journal of medical systems
,
41
(8), 1-9.
Lee, J., & Choi, S. J. (2021). Hospital Productivity After Data Breaches: Difference-in-
Differences Analysis.
Journal of medical Internet research
,
23
(7), e26157.
McKeon, J. (2022).
Karakurt Ransomware Group Targets Methodist McKinney Hospital in
Cyberattack
. Healthitsecurity.com.
https://healthitsecurity.com/news/karakurt-
ransomware-group-targets-methodist-mckinney-hospital-in-cyberattack
Yeo, L. H., & Banfield, J. (2022). Human Factors in Electronic Health Records Cybersecurity
Breach: An Exploratory Analysis.
Perspectives in Health Information
Management
,
19
(Spring).