Security breaches threaten patient privacy when confidential health information is made available to others without the individual’s consent or authorization.
Two recent incidents at Howard University Hospital in Washington showed how inadequate data security affects a large number of people. On May 14, 2013, federal prosecutors charged one of the hospital’s medical technicians with violating HIPAA. Prosecutors said that over a 17-month period, an employee used their position at the hospital to gain access to patients’ names, addresses, and Medicare numbers in order to sell their information. The employee subsequently pleaded guilty and was sentenced to 6 months in a halfway house and fined $2,100.
A few weeks earlier, the same hospital informed more than 34,000 patients that their medical data had been compromised. A contractor working with the hospital had downloaded the patient’s files onto a personal laptop, which was stolen from their car. The data was password protected, but unencrypted, which means anyone who guessed the password could have accessed the patient files without a randomly generated key. According to a hospital press release, those files included names, addresses, and Social Security numbers and in a few cases, “diagnosis related information.”
Discuss the differences between the two cases above and whether the contractor should have been charged and if not, why not? What precautions could the hospital have taken to prevent or mitigate the potential damages of both cases?
Discuss one principle of human-computer interface design that is particularly important in critical applications.