Running head: INFORMATION SECURITY
Information Security
Name
Institutional Affiliation
Information Security
Information is very important for the hospital to run its
daily operations. There are many hospital functions that
require information. They range from appointments being
booked by patients to the roster for the nurses’ and doctors’ work
shifts. The information used in hospitals varies greatly in
priority. For example, people need to book doctor appointments
before coming to the hospital. This process gives doctors ample
time to prepare for the meeting. The information about the
patient and the arrival time is vital information for the hospital.
Other bits of information that are important for hospital
operations are the medical histories of the patients.
This information is very sensitive, and prior to the incident, the
administration of St. John’s Hospital had prided itself on having
the most stable information security system that served as the
standard for other hospitals in the area. The administration has
found ways of ensuring that it preserves the privacy of patients
by having information about patients land in the hands of the
relevant people only. However, an incident recently occurred
where printouts containing patient information were being
discarded haphazardly. The printouts from the restricted area
were not shredded, and they were, therefore, being seen by the
cleaning staff during late hours. The information on the
printouts could vary greatly, and the hospital has to step up and
face this problem before it blows up in its face.
The response from the hospital’s administration has to be
fast, and it also has to cover all the bases of the problem so as
to find a suitable solution that prevents the problem from ever
recurring in the future.
The first step is to investigate who was behind the mishap. The
printouts must have been made for the use of the hospital staff.
One person must have requested the printing and another been
responsible for the handling of the files after use. The reason
for the incident might be due to human error or because there is
a fault in the hospital’s process of dealing with the printouts.
Finding out who is responsible for the poor storage or disposal
of the printouts will help find out what the problem is and find
a good way of handling the printouts.
The next step is to find out how much information was
exposed to the public. In this step, one has to find out exactly which
unauthorized people saw printouts. Were the printouts receipts?
Were they prescriptions by the doctors or diagnoses of the
patient’s disease or condition? This information tends to
be very sensitive and can lead to lawsuits by the patients who
feel offended that their personal information was treated
without appropriate caution by the hospital staff. In addition to
this, the administration has to find out exactly how many people
came into contact with these printouts and how much sensitive
patient information they found out.
After finding this out, it would be in the best interests of the
hospital administration and the patients if the third party signed
a Non-Disclosure Agreement (NDA) where the third party is
liable to penalties if he or she discloses that information to any
other person. This step is more of a damage control move. The
NDA also protects the patient from the third party (e.g. the
cleaning staff who happened to find the printouts). The
protection aspect comes when the staff cannot blackmail the
patients for money or other material goods in exchange for their
silence about the patients’ medical condition or disease.
Finally, the most important part of the response to the
situation is to find a solution to the problem. Since the
investigation was done into what exactly the problem was, a
solution to how to avoid the situation altogether can be arrived
at. The administration can better train the team responsible for
handling the printouts on how to dispose of them carefully or
how to store them effectively. Another solution is removing the
need to use printouts in the hospital processes. Instead, the
administration can digitize all of its processes in order to
eliminate the use of printouts. For example, instead of the
doctor having to print out the prescription for the patient, the
doctor can write up an e-note and send it to the pharmacy’s
computer. In this situation, the pharmacist will have already
received the prescription and prepared it for the patient much
faster than if the patient were to carry a printout to the
pharmacy. This saves the company time. It also protects the
company from the risk of having private and sensitive
information landing in the wrong hands.
The hospital deals with sensitive patient information
daily. Therefore, before adding anyone to the hospital’s payroll,
they have to undergo some training to ensure that they can
handle the information that is entrusted to them by the
administration and the patients. A law enacted in
1996 was aimed at protecting the sensitive information that
patients entrust to the hospital staff. The Health Insurance
Portability and Accountability Act (HIPAA) required that medical
practitioners make the patients aware of its existence so that
they would know what their rights were when seeking medical
care.
The law lists information that it classifies as personal: the
name of the patient, the medical record number of the patient,
and the social security number of the patient. A person
can be located easily if someone has these pieces of
information. Therefore, it is very important that they are
protected. During the training, the hospital staff is told of the
few instances where they can disclose this information to a third
party. Examples of these instances are health
oversights, legal proceedings, and helping law
enforcement officers during an investigation. There are
consequences to the breaching of this trust by the medical
practitioners. They are made aware of them and how they can
avoid getting to that point. During training, the employees are
shown how to handle patient information and also how to
dispose of this information. With proper training, St. John’s
Hospital can create a team of very qualified individuals who can
be prepared to handle any patient information with the highest
level of discretion.
In addition to this training, it is important that the staff is
trained on how to use everyday technologies in the handling of
patient information. A solution to the problem of printouts
being mishandled was doing away with them altogether. If they
were to be replaced, then the hospital administration of St.
John’s Hospital would have to invest in technological
alternatives such as devices and software. There is a chance that
there are employees who are not fully conversant with these new
alternatives. There are also some employees who might not be
well versed in the recent versions of these technologies.
Therefore, training the staff on how to use the newest versions
of the technologies will eliminate human error that arises from
not knowing how to use the technologies well. The hospital will
have to set aside some funds to hire a training expert to show
the employees how to use these new electronic inputs in the
hospital’s operations. In the end, the people being trained will
be ready to use the new inputs effectively while protecting
employee privacy (Rhodes-Ousley, 2013).
In preparedness for an incident where sensitive information
might be leaked, the administration has to establish a protocol
that employees can use when they want to report an incident of
leaked information. The protocol should ensure that there are
effective channels of communication throughout the hospital.
Good communication enables proper problem management and
effective solution application. For example, if an employee
notices that there is a problem with how information is stored
and that there is a leak somewhere, he or she can report the
problem with the assurance that the report will be listened to,
a result of good communication channels.
A management plan is important for the various functions
of the hospital, or of any organization in general. The plan
highlights where the organization wants to be after a given
period and how it will employ the services it already has to get
there. Good implementation of the plan is vital to its success. A
good plan remains only a plan if the implementation process is
poorly carried out. The plan includes the strategies that
should be used by the company to get to where it aspires to
be (Bennet P. Lient, 1999).
Good communication is key to the full and effective
implementation of the management plan. The plan is formulated
by management with the aim that the staff will work towards
achieving the goals and the objectives of the hospital. The
hospital wants to be the best provider of healthcare services in
the region. It wants to maintain high standards of health care
provision and be a forerunner in maintaining the privacy of
sensitive patient information. Therefore, at the commencement
of the year, the administration should communicate what it
plans for the year to the staff. Good communication will let the
employees know what is expected of them. Therefore, they can
work with the goals of the company in mind. One way of
ensuring that communication is effective between the
administration and the staff is by getting feedback from the
staff. For instance, when the staff does not understand how the
use of a technological device will simplify their work, the
management can help them understand how the
devices are for their good and the good of the hospital.
Evaluation of the staff is an important step in
implementing the management plan. Since they were already
informed of what they were expected to do throughout the
whole year, they should work with their best effort to achieve
this. The evaluation should be periodic so as to keep the
employees on their toes. One technique for accomplishing this is
by using the Key Performance Index where one’s work is
compared to what is expected of him or her. A key area of evaluation
should be the knowledge of measures to protect patient records
and how well the employees can react in a situation where the
privacy of the patients is compromised.
Establishing a rewards or recognition system will also inspire
the staff to put in their best effort when they report to work each
day. When a person is recognized for his or her commendable
work, he or she is encouraged to work harder or to maintain the
good standards of work for which he or she was recognized. It
is a morale boost for the person, and he or she is very likely to
accomplish more than he or she would have before being
rewarded or recognized. When all of the employees are working
hard, it is likely that the company can achieve its goals.
In conclusion, information gives the hospital the ability
to handle the clientele’s issues effectively. With the use of
information that is in the hospital’s database, the staff can work
effectively to give the patients the best hospital experience
ever. As mentioned earlier, the use of printouts might not be the
best for the protection of privacy of the patients. Having the
hospital switch to digital means of storage and handling of
information would be in the best interests of the staff, the
administration, and the patients. Using electronic means to store
and handle patient information creates the need to have a team
of qualified people who are knowledgeable about how to use the
current technological software and devices. The management
plan should be implemented effectively through evaluation and
good communication of the objectives of the hospital. In the
long run, the hospital will get to its desired state and will be
the standard of quality health care in the region once more.
References
Bennet P. Lient, K. P. (1999). Project Management: Planning and
Management. New York, NY: Harcourt.
Rhodes-Ousley, M. (2013). Information Security: The Complete
Reference. New York, NY: McGraw-Hill Education.
Appendix
The Code of Conduct
1. The employees of St. John’s Hospital should handle the
information of patients with the utmost discretion.
2. Patient information should not be discussed outside the
hospital unless in a consultation among professional medical
personnel.
3. Any instance of leaked information should be reported.
4. Persons who are found guilty of leaking patient information
will be prosecuted in a court of law.