Scenario and project instruction.
You have recently been hired as the chief information security officer (CISO) for Big Sky Health System, the largest healthcare system in a predominantly rural state. When you were hired, the chief executive told you candidly that you were chosen in order to bridge the gap between the modern IT infrastructure used by Big Sky and the dated practices of your regional partners. For example, of the 16 critical access hospitals in your network, 20% still primarily chart on paper.
Your state does not participate in a health information data exchange, making it difficult to electronically transfer medical information even for those 80% of providers who do use electronic medical records. Big Sky is the only trauma hospital within a 250-mile radius. It is vital for Big Sky to provide medical records back to the referring provider for continuity of care and to ensure referrals continue to come to Big Sky Health System.
After taking the last three months to investigate and assess your new organization’s information security posture, you have come to learn the following about Big Sky:
Outside individuals have access to Big Sky’s electronic medical records (EMRs). This has resulted in 25 HIPAA breaches through inappropriate access over the last six months.
Many records are faxed, and some are faxed to the wrong fax number.
Some records are never sent to the referring provider at all, frustrating referring providers, who threaten to take their business elsewhere.
Big Sky currently utilizes the following health information technologies:
Cerner: https://www.cerner.com/solutions/health-systems This is a cloud-hosted EMR that contains all clinical and demographic data.
Commonwell: https://www.cerner.com/commonwell-health-alliance This is an electronic health information exchange technology. Commonwell is purchased nationally by organizations attempting to connect EMRs across different organizations. Big Sky has purchased this solution, but few providers in the state have adopted it.
Fairwarning: https://www.fairwarning.com/patient-privacy-intelligence/ This is a cloud-hosted system that monitors user access to Cerner and flags for potential inappropriate access.
You are expected to brief the Big Sky executive leadership team, including the CEO and chief compliance officer, on the results of your investigation, including your plan for addressing the primary information availability and security issues facing your organization.
You must craft a presentation for the Big Sky executive leadership team that communicates your recommended solutions for assuring the availability of information for public health use without compromising the confidentiality, security, and integrity of Big Sky’s EMRs.
1. First, walk your nontechnical audience through the underlying principles and guidelines governing healthcare information security best practices.
o Identify the governing organizations that apply to your organization. Be sure to address all who regulate data, information availability, and flow in the healthcare field.
o Then, explain the relevant data standards of those governing organizations by illustrating how they apply to the specific issues Big Sky faces.
o Finally, address any additional healthcare compliance regulations and policies relating to patient confidentiality.
2. Present the results of your investigation. Specifically, outline and explain the unsafe technology conditions that pose a threat to patient information. Go beyond recounting the information in the scenario: illustrate the implications and the associated risks of each issue for your audience.
3. Finally, propose reasonable big-picture solutions for addressing each of the identified issues. Be sure to specifically reference the standards, regulations, and policies discussed at the top of your presentation in your proposal. In other words, you should demonstrate that your solutions reflect and incorporate current views and trends in health information security.