Based upon the examples of security breaches provided in the case study, it is important to identify possible solutions for each primary concern. The responses to each example are as follows:
1. Nurses who log in to the system and then walk away from the terminal without logging out give any passer-by the opportunity to read the information on the screen, or, if nobody is in the vicinity, to open other records under the nurse's account. This compromises both the confidentiality of the information on display and the integrity of the record, since anything changed from that terminal will be attributed to the nurse who left it open. Therefore, nurses must log out of every system before leaving the terminal area, so that an unauthorized party cannot obtain or alter this information without any effort. Because people forget, the hospital should also back this rule up with a technical control: an automatic screen lock or session timeout after a short period of inactivity, so that an unattended terminal stops granting access on its own.
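The idle-timeout control described above, as an added illustration that is not part of the case study or the original essay: a small in-memory session registry that treats a session as dead once it has been idle for too long, or has outlived its absolute lifetime, so that a terminal left unattended stops granting access even when the user forgot to log out. The class and function names, the timeout values and the sample user names are assumptions chosen for the example.

```python
"""Idle-timeout session enforcement for a shared clinical workstation.

Added example (not from the case study). Every authorized access both
checks and refreshes the session's last-activity time; a session that has
been idle longer than IDLE_TIMEOUT_S, or that is older than MAX_LIFETIME_S,
is revoked on the next use. Names and values are assumptions for
illustration only.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_S = 5 * 60        # assumed policy: lock after 5 minutes idle
MAX_LIFETIME_S = 12 * 60 * 60  # assumed policy: re-authenticate every 12 hours


@dataclass
class Session:
    user: str
    created: float
    last_activity: float
    # Unguessable token so a session cannot be forged by guessing an id.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionRegistry:
    """Tracks live sessions; the clock is injectable so tests can fake time."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Create a session for an authenticated user and return its token."""
        now = self._clock()
        session = Session(user=user, created=now, last_activity=now)
        self._sessions[session.token] = session
        return session.token

    def logout(self, token: str) -> None:
        """Explicit logout: the control the nurses in the case study skipped."""
        self._sessions.pop(token, None)

    def authorize(self, token: str) -> Optional[str]:
        """Return the user for a live session, or None (and revoke) if expired.

        Both the idle and the absolute limit are checked before any work is
        done on the caller's behalf; a valid call refreshes the idle timer.
        """
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        idle_too_long = now - session.last_activity > IDLE_TIMEOUT_S
        too_old = now - session.created > MAX_LIFETIME_S
        if idle_too_long or too_old:
            del self._sessions[token]   # revoke rather than silently refuse
            return None
        session.last_activity = now
        return session.user


if __name__ == "__main__":
    # Walk-away scenario with a fake clock (constructed for the demo).
    fake_now = [0.0]
    registry = SessionRegistry(clock=lambda: fake_now[0])
    token = registry.login("nurse01")
    print("in use:", registry.authorize(token))
    fake_now[0] += IDLE_TIMEOUT_S + 1          # terminal left unattended
    print("after walking away:", registry.authorize(token))
```

Run as a script it prints `nurse01` and then `None`: the unattended session is revoked the first time anyone tries to use it after the idle limit. In a real deployment the same check belongs in the application's request layer (or the operating system's screen lock), not in the client.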

2. Dr. Jones demonstrates a lack of respect for the hospital-owned computer system and for the privacy of his patients by leaving his password in plain view for all other staff members to see. These careless actions permit anybody who happens to see the password to access the computer system under his name and to use his privileges as they see fit, and every action they take will be logged as his. Therefore, Dr. Jones should never leave his password in plain view; if it must be recorded at all, it should be kept in a private location (for example a password manager) that others in the hospital cannot access. This protects Dr. Jones' own files, the records of his patients, and the reliability of the hospital's audit trail as a whole.

3. When fax machines and printers are in unlocked, high-traffic rooms, there is a much greater risk of unauthorized persons removing documents that others have printed or received by fax. Although many printers and fax machines are shared by a number of people, they should not be left unprotected or unmonitored. Practical measures include placing the devices in supervised areas, collecting faxes and printouts promptly, and, where the equipment supports it, holding print jobs until the owner releases them at the device. The goal is an approach that still allows effective, practical use of shared office equipment while ensuring that the confidentiality and integrity of the documents passing through it are not compromised.

4. Although an employee may have the option to use a single password for all database systems and other logins, this is not the most effective approach: if that one password were compromised, the individual or group who obtained it would gain access to everything the password authorizes. One password therefore concentrates risk, particularly if another person intercepts it. Remote access raises the stakes further, because a password entered over a network outside the work environment may be captured and then used for an unauthorized purpose, such as reading data the attacker has no business seeing. This calls for an evaluation of single-password use and, in practice, for distinct passwords for different systems (with a password manager to make that workable) and for additional safeguards on remote logins, such as a second authentication factor.

5. In some cases, passwords are not required to be changed according to an established schedule, so the same passwords may be used for lengthy periods. This becomes a serious problem when a password is easy to guess or resembles a name: once an outsider obtains it, it remains valid indefinitely. Password reminders and enforced expiry, commonly every 60 to 90 days depending on the nature of the system and the sensitivity of the data it stores, limit how long a compromised password stays useful. One caveat a practitioner would add: current guidance such as NIST SP 800-63B advises against forcing routine changes on their own, because they push users toward predictable variations of the old password, and instead favors strong, non-guessable passwords that are changed promptly whenever compromise is suspected. Whichever schedule is chosen, the essential point stands: the hospital needs an enforced password policy so that weak or exposed passwords do not remain in use indefinitely.

6. If an employee pretends to have forgotten his or her password in order to obtain access to the system using somebody else's password, this is a direct violation of privacy and should be grounds for disciplinary action or dismissal. Such behavior should not be tolerated in any workplace, and least of all in a hospital where confidential patient data and records are stored. It is a form of manipulation of one employee by another in order to obtain data, and a clear breach of ethics. At the same time, those who give out their passwords to others should be disciplined in the same manner, because they have provided access to sensitive information under another person's name, which could ultimately compromise data and leaves no reliable record of who actually performed an action.

7. Copying sensitive patient files onto diskette and handing them out is a clear violation of patient privacy and of ethical principles. It represents a serious breach of organizational policy and should be grounds for dismissal. Employees should have access to sensitive patient information only under specific conditions, and those conditions do not include transferring patient files to removable media. Furthermore, those who observed these activities and failed to report them should also be disciplined, because they recognized a clear violation of hospital policy yet did nothing to stop it. This is a serious violation of hospital regulations and patient privacy rights. Employees should be permitted to access patient records only when they are authorized to do so and under controlled conditions, so that the data cannot be compromised.

References

  • Buchbinder, S. B. Building a better MIS-Trap. pp. 384-385.