Capstone Project
Yaima Ortiz
IDS-4934
March 1st, 2020
Abstract
Topic:
Privacy: What medical information should be confidential? Who, if anybody, should have access to medical records?
Thesis Statement
In healthcare centers and in general, privacy is a right of every US citizen, and healthcare organizations should protect it in all its forms.
Rationale
1. The purpose of this paper is to identify why security measures are necessary to protect one's privacy in the medical industry.
2. There are numerous laws, policies, healthcare organizational rules and regulations, and statistics that will be helpful for conducting this research.
3. The privacy of a person, whether me or you, is more important than anything else. I want to talk about this topic because I think most of us do not know what is happening to us.
4. I have selected textual analysis of books and available internet sources. The reason for this limited research methodology is that I cannot perform a field study because of a shortage of time.
Rough Draft Ideas
Identity theft in the healthcare industry has become a common practice and leads to information leakage that may destroy someone's life. We can eliminate this human rights violation by enforcing effective and practical laws. Healthcare organizations should understand their responsibilities and tighten security to protect patients' information.
Table of Contents
Introduction 3
Overview of Privacy Protections with Respect to Medical Records 4
Data Breaches in the Healthcare Industry 5
Healthcare is the Biggest Target for Cyber Attack 7
Penalties and Punishments for Hacking Personal Information 9
Penalties 9
Devastating Consequences of Healthcare Data Breaches 10
Conclusion 10
Recommendations 11
Bibliography 12
Introduction
In the course of their operations, healthcare organizations need to gather information about their patients, and most of it is personal information. It is the moral and legal responsibility of healthcare organizations to protect their patients' information and not share it with people outside the organization without the patient's consent. Protecting patients' information is a crucial element of respect and is essential to patients' autonomy and trust in the organization. The US healthcare industry currently faces patient mistrust, and when patients lack confidence in an organization, they do not share their information with healthcare professionals, which leads to ineffective treatment. In a 2018 study, Levy, Scherer, Zikmund-Fisher, Larkin, Barnes, & Fagerlin concluded that approximately 81.1% of people withheld medically relevant information from their healthcare providers. Patients who fail to disclose medically relevant information to their clinicians undermine their own health and cause themselves harm (Levy, 2018).
There are numerous components of patient privacy in healthcare: personal space, religious and cultural affiliations, physical privacy, decisional privacy, associational privacy (which covers the patient's personal relationships), and informational privacy (which provides for the protection of the patient's personal data). Healthcare organizations and physicians should protect patients' information and keep strict privacy measures in all of these forms:
1. Minimize interference by external parties with patients' personal information
2. Inform patients about every event involving their information and every use of it, whenever a physician needs it
3. Patients' information must be protected in all of the above-mentioned areas, whether informational or associational (AMA, 2019)
Medical records contain patients' personal information and sometimes sensitive information, such as physical records, which, if disclosed to the public by any means, causes embarrassment and discomfort in front of others. Such disclosures could affect the patient's personal and professional life. Although records at healthcare organizations are promised to be protected, we still need effective and long-term legal measures that bring satisfaction to patients. The protection of medical records through privacy policies is still in its infancy. Over time, medical records have come to be stored on computers instead of as written documents. Although this transition was made to keep records more efficiently, information unfortunately still leaks out of healthcare organizations, and this needs to be settled.
Overview of Privacy Protections with Respect to Medical Records
The word privacy did not have a fixed definition; it changed along with legal changes. Civil law, common law, and criminal law define privacy differently. For example, common and constitutional law define privacy as "the right to be let alone" and to be free from any external interference, such as by government institutions. With respect to medical records, constitutional and common law treat patients' privacy in different contexts, while statutory laws see and deal with patients' privacy in different ways. In 1888, the right to privacy was first introduced by Thomas Cooley. The roots of this right can be found in the Warren and Brandeis law review article that is known as the creation of the tort right to privacy.
During the 1970s, the Supreme Court issued a decision on privacy issues in medical records, and after the case was reviewed, two implications were introduced into the privacy policy of healthcare organizations:
1. Avoid disclosure or sharing of patients' information with anyone for personal gain
2. Make independent decisions
During that period, the question of abortion privacy rights was also raised; it holds that government involvement in abortion decisions disturbs women's independent decision-making authority and also violates their privacy (Cleaver, 1985).
Data Breaches in the Healthcare Industry
Current sources make it clear that in today's world data breaches are a regular occurrence. Every day, news channels reveal a hospital or healthcare organization whose personal records have been breached. According to a report from the Ponemon Institute and the Verizon Data Breach Investigations Report, the healthcare industry faces more data breaches than any other industry across the world, and mainly in the United States. The healthcare sector faces more breaches because of numerous kinds of incident, including malware that steals data for professional or personal gain, purposeful harm to a patient, or lost devices belonging to healthcare professionals. Data breaches in the healthcare sector by cybercriminals are a controversial topic these days. According to the health and services report, more than 15 million health records have been breached and shared for different purposes. The black market behind healthcare organizations has been operating for a long time, and many patients are not aware that their personal information has been sold to third parties. 2019 proved to be the worst year for healthcare breaches and lack of security measures. Sean Curran, senior director at West Monroe Partners, states that based on the previous year's attacks and data breaches, healthcare professionals need to reset their infrastructure and adjust their security measures to limit the activities of hackers. According to this report, healthcare organizations need to understand, recover, minimize, and back up lost patient healthcare data (CIS, 2020).
Twenty-five million patients' health records have been lost or shared, according to ongoing investigations. The investigations are still in process, which makes it clear that patients are still being impacted, but the accurate number of impacted patients remains unclear. 12 million people from Quest Diagnostics have been affected, and the lost data includes social and medical information. The information was leaked through lab reports and tests performed outside of the hospital organization. According to the AMCA data breach report, about 7.7 million patients from LabCorp were impacted by the data breach, and almost 422,000 patients from BioReference were impacted as well. These patients' medical and personal information was lost by people within the organization, such as employees. 1.5 million patients from Inmediata Health Group were impacted by a misconfigured database. The investigation determined that patient demographic details, medical claim data, and other personal data were possibly breached. Moreover, when Inmediata sent the notifications to patients about the security incident, some patients reported that they were receiving multiple letters, some addressed to other patients (Davis, 2019).
Between 2009 and 2018, healthcare data breaches involving 500 or more health records were recorded, and the records breached during these years total almost 189,945,874 healthcare records. Almost 59% of the US population has been affected by healthcare record theft, and the irony is that half of the impacted population neither understands this nor is informed by healthcare organizations about the leakage of their personal and medical history (HIPAA, 2019).
Figure: Healthcare Breached Records during 2009-18
Healthcare is the Biggest Target for Cyber Attack
The healthcare industry is at risk because organizations are becoming technologically advanced, yet the professionals in these organizations do not have the training to manage online risks. For the past few years, cybercrimes have been happening every second day, and healthcare data is revealed and hacked through these activities. There are many reasons to hack patients' medical information, because it is worth thousands of dollars to hackers. Employees within a healthcare organization get trapped by hackers and, for their personal gain, share patients' information with outside dealers. Organizations need to keep a sharp eye on such employees and introduce strict policies that restrict such behavior within and outside the organization. IT professionals are considering introducing effective security measures to prevent data breaches in healthcare organizations, but they understand that this is a high-cost process.
Another big reason healthcare is a prime target for attackers is the low security of medical devices. Healthcare providers in the United States are becoming thoroughly technologically innovative and depend on advanced machinery. But the drawback of these devices is that they are neither security-optimized nor designed to protect patients' data. These devices are manufactured to work one way, without protection being treated as a need. This is the reason hackers can easily access the information held in devices such as X-ray machines, insulin pumps, and many others.
Remote access to healthcare data is another point to ponder. A patient's healthcare data can be accessed from any desktop or from multiple devices in different places. This availability is also risky for healthcare organizations. Remote connections should be made secure enough that they can identify the actual user and prevent loss of data. Risk-based authentication is one way to improve the security of remote authentication in the healthcare sector (risk, 2018).
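As an added illustration of the risk-based authentication the paragraph names (example code written for this page, not from the paper or from the Swivel Secure source it cites), the following scores a remote login from signals such as an unrecognised device, an unusual country, off-hours access and a connection from outside the clinic network, and escalates to a second factor or refuses the login as the score rises. The network range, signal weights, thresholds, and the nurse profile and login attempts are all constructed assumptions.

```python
"""Risk-based authentication decision for remote access to patient records.

Added example, not from the paper or from the Swivel Secure source it cites.
The signals, weights, thresholds and network ranges are constructed
assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed clinic address space; anything else counts as a remote connection.
ON_PREMISES_NETS = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass
class UserProfile:
    user_id: str
    known_devices: Set[str]
    usual_countries: Set[str]
    usual_hours: range = range(7, 20)   # local hours this user normally works
    recent_failures: int = 0            # failed logins in the recent window


@dataclass
class LoginAttempt:
    user_id: str
    device_id: str
    source_ip: str
    country: str
    local_hour: int


# Weight of each risk signal; names are kept so every decision can be explained.
WEIGHTS: Dict[str, int] = {
    "remote_network": 20,
    "unknown_device": 30,
    "unusual_country": 35,
    "off_hours": 15,
    "recent_failures": 25,
}
STEP_UP_THRESHOLD = 30   # at or above: require a second factor
DENY_THRESHOLD = 80      # at or above: refuse the login and alert


def risk_signals(profile: UserProfile, attempt: LoginAttempt) -> List[str]:
    """Return the names of the signals that fire for this attempt."""
    signals = []
    ip = ipaddress.ip_address(attempt.source_ip)
    if not any(ip in net for net in ON_PREMISES_NETS):
        signals.append("remote_network")
    if attempt.device_id not in profile.known_devices:
        signals.append("unknown_device")
    if attempt.country not in profile.usual_countries:
        signals.append("unusual_country")
    if attempt.local_hour not in profile.usual_hours:
        signals.append("off_hours")
    if profile.recent_failures >= 3:
        signals.append("recent_failures")
    return signals


def risk_score(signals: List[str]) -> int:
    """Sum the weights of the signals that fired."""
    return sum(WEIGHTS[s] for s in signals)


def decide(profile: UserProfile, attempt: LoginAttempt) -> str:
    """'allow', 'step_up' (password plus second factor) or 'deny'."""
    score = risk_score(risk_signals(profile, attempt))
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


# Constructed sample profile and login attempts.
NURSE = UserProfile("nurse_ana", known_devices={"ward-laptop-7"}, usual_countries={"US"})

ATTEMPTS = {
    "ward_desk": LoginAttempt("nurse_ana", "ward-laptop-7", "10.20.5.14", "US", 9),
    "home_laptop": LoginAttempt("nurse_ana", "ward-laptop-7", "203.0.113.9", "US", 21),
    "new_phone_abroad": LoginAttempt("nurse_ana", "phone-unknown", "198.51.100.4", "BR", 3),
}


def run_demo() -> Dict[str, str]:
    """Decision for each constructed attempt, keyed by its label."""
    return {name: decide(NURSE, a) for name, a in ATTEMPTS.items()}


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:18s} -> {outcome}")
```

In the constructed sample the ward desktop is allowed outright, the known laptop used from home after hours is asked for a second factor, and an unknown phone from an unusual country at 3 a.m. is refused. In practice the weights and thresholds are tuned from the organization's own login history, and every decision, including the signals that fired, is logged so the user can be identified after the fact.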
Penalties and Punishments for Hacking Personal Information
The term hacking was first introduced in the 1950s at the Massachusetts Institute of Technology. The word hacking originally meant taking pleasure in the activity itself. But over time, the concept has taken on a negative meaning because of its long association with negative or criminal activities. Hackers pull information out of someone's computer and use this information for personal gain, such as earning money by selling the information to a third party. In 2011, Aaron Swartz, the founder of Reddit, hacked JSTOR and was penalized with a $1 million fine and 35 years of imprisonment, and all his property was forfeited; in the end, he committed suicide.
Another important act that protects the privacy and personal information of people in the United States is the Computer Fraud and Abuse Act. This act has undergone some amendments, including the "exceeds authorized access" provision, which covers access to someone's computer without authorization. A person who accesses someone's information without authorization, such as in the healthcare sector, will be punished based on the sensitivity of the information hacked.
Penalties
In the US, a hacker who accesses and uses someone's personal information will be imprisoned for ten years for a first offense, but if he again attempts to commit hacking, he will be kept in prison for more than 20 years. Punishments for the offender also vary based on the problem or damage the victim bears (Lee, 2014).
Because of the unusual number of data breach attempts during 2019, regulators are becoming focused and are attempting to enforce strict measures against organizations that are not taking any protective decisions. Data breaches in different countries bring many conflicts in various institutions. For example, during 2017, the US paid a minimum of $575 million for protection against a data breach. During 2018, the country fined a substantial amount as a result of weak protection of the health industry (Swinhoe, 2020).
Apart from hacking attempts, those who sell healthcare information to others are also considered fraudulent, because they commit fraud against the organization they work for. Thus, penalties for fraud could be criminal penalties, civil penalties, or in some cases both. Punishment for fraud or involvement in fraudulent activities includes imprisonment, a fine, probation, or both imprisonment and a fine. These conditions vary based on the sensitivity of the case. Theft laws from 2004 set the punishment for these cases at a minimum of three years, which might be extended to five years (http://criminal.findlaw.com, 2016).
Devastating Consequences of Healthcare Data Breaches
According to studies from 2000, US citizens have faced personal data breaches, and as a result of a data breach, patients have to pay up to $2500 in out-of-pocket costs for their medical information. Studies have found that the healthcare sector ranks first when it comes to the consequences of data breaches. Healthcare organizations notify only one-third of data breach victims, and only 15% are alerted by government agencies. Because of the ineffective management of healthcare organizations, patients face financial loss, and if the information is revealed by hackers, it also causes domestic rejection for victims, mostly women (Security, 2017).
Conclusion
Privacy is paramount, and personalizing it is vital, whether for me or for you. Not just the healthcare sector but every other sector, including insurance companies and banks, is impacted by these malicious attacks. After reviewing the data on healthcare breaches and their impact on the lives of victims, I would say that healthcare officials should stay vigilant and careful about the protection of patients' healthcare information. Personal information and medical history are two important things to be protected under strong security.
Recommendations
Healthcare protection laws should be improved with the aim of protecting electronically stored patient information. Training should be arranged for healthcare officials and employees so they gain insight into technical risks and are able to manage them if they occur. Employees should be hired in healthcare organizations on the basis of loyalty, and strict punishments need to be imposed to regulate their activities. Strong security should be maintained to monitor the activities of healthcare workers. Enhanced and advanced network security and application security are required to avoid data breaches and further complications for the organization as well as for the patient. Encryption methods should be implemented because they are a good way to protect patients' personal and medical information from any unauthorized access. Punishments stated in constitutional and universal laws are short-term and not enough to deter a criminal. Healthcare hacking laws need to be improved with extended imprisonment and fines that will be paid to the patient according to the loss borne. Government involvement in the healthcare sector needs to be eliminated or kept at a small level, to protect against data breaches by undefined means. These recommendations would help deal with privacy problems in the United States as well as across the world.
Bibliography
AMA. (2019). Privacy in Health Care. AMA, https://www.ama-assn.org/delivering-care/ethics/privacy-health-care.
CIS. (2020). Data Breaches: In the Healthcare Sector. CIS, https://www.cisecurity.org/blog/data-breaches-in-the-healthcare-sector/.
Cleaver, C. M. (1985). Privacy Rights In Medical Records. 13 Fordham, https://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?article=1252&context=ulj.
Davis, J. (2019). Health IT Security, https://healthitsecurity.com/news/the-10-biggest-healthcare-data-breaches-of-2019-so-far.
HIPAA. (2019). Healthcare Data Breach Statistics. HIPAA Journal, https://www.hipaajournal.com/healthcare-data-breach-statistics/.
http://criminal.findlaw.com. (2016, October 7). Retrieved from http://criminal.findlaw.com/criminal-charges/fraud.html.
Lee, S. O. (2014). The Need for Specific Penalties for Hacking in Criminal Law. The Scientific World Journal, 6.
Levy, A. G., et al. (2018). Prevalence of and factors associated with patient nondisclosure of medically relevant information to clinicians. JAMA Network Open, 1(7):e185293. doi:10.1001/jamanetworkopen.2018.5293.
risk, T. h. (2018). The healthcare industry is at risk. Swivel Secure, https://swivelsecure.com/solutions/healthcare/healthcare-is-the-biggest-target-for-cyberattacks/.
Security, H. N. (2017). The devastating impact of healthcare data breaches. HELPNETSECURITY, https://www.helpnetsecurity.com/2017/02/23/healthcare-data-breaches/.
Swinhoe, D. (2020). The biggest data breach fines, penalties, and settlements so far. CSO, https://www.csoonline.com/article/3410278/the-biggest-data-breach-fines-penalties-and-settlements-so-far.html.