Information Governance

Information Governance
Name
Institution

Information Governance
Health information security remains to be a significant concern with great leaps in technological advancement happening every day. In 2015, hacking was the top method of compromising health record systems, and it led to the exposure of over 100 million records (HIPAA Journal 2017). The trend changed in 2016 whereby the most significant data breaches were traceable to theft, loss, improper disposal and unauthorized email access or disclosure (Snell, 2016). Some of the cases that year were paper medical records found on the street in Florida and in a dumpster in Ohio, inappropriate exchange of information from Apple Health in Washington and laptop thefts in Illinois and Kansas. The number of leaked records decreased in the two years, but the institutions from which the data was obtained increased prominently.
All the risk factors are traceable to improper handling of information by employees due to negligence (Ponemon, 2016). The problem has an impact in both health and business sectors, but it is more evident in the latter. While the study by Ponemon identifies other risk factors such as the use of insecure mobile apps, public cloud services, and unsafe medical devices, perhaps the risk can be classified into two: internal and external. Internal threats to security may be due to staff activity or inherent system failure. External vulnerabilities, on the other hand, are beyond the organization’s control and include identity thieves and cyber attackers.

Among the attacks launched are malware and ransomware which lead to Denial of service problems.
Members of staff affect health data safety by being negligent, ignorant, or malicious. The unaware personnel either have inadequate training on software handling or none at all. They may readily disclose vital information in the course of their conversations. They may input private data on public forums within the network leading to exposure of personal details – their own or patients’. Such people require identification and immediate education to make them competent in the usage of the installed systems.
Some employees may be well aware of procedures and policies but choose to disregard them in their practice. They do not pay close attention while sharing information with their colleagues to ensure that it does not reach the third party. For example, in a facility where every member of staff has a unique password or PIN, a worker may share his or her login details with a co-worker. Such an action is a lack of exercising diligence and should a breach occur; the individual would have no defense since they disclosed information knowingly and under no coercion. The malicious insiders are the worst as they intentionally reveal information to third parties who then infiltrate systems.
The effects of such breaches include medical and personal identity theft, fraud and unauthorized disclosure of patients’ health records (Ponemon, 2016). The main target is usually the billing and insurance records which criminals identify as an accurate indication of people’s financial status. They can then filter from the list, whom to target in credit card or another type of theft. All of these elements are confidential, and when they leak, the IT vendors and medical institutions may face legal action.
Establishment of budgets dedicated to health information protection is necessary. They cover insurance for revenue losses, brand damages, legal defense costs and penalties, and communication costs to vendors and the affected persons. They also facilitate upgrades to keep up with developments as the industry necessitates to ensure compliance. The other requirements are applying HIPAA and HITECH standards which are taken to be a minimum for guaranteeing security. HIPAA recommends that organizations should put extra effort to safeguard their data beyond just seeking compliance (HIPAA Journal, 2017).
Information governance (IG) is an upcoming self-sustaining concept from corporate management. It involves managing content and records, safeguarding the privacy of data, creating proper disposal channels for redundant information and for preserving vital data for extended periods, complying with regulations, and adequate preparation for possible litigation (Smallwood, 2014).
It enables managers to make effective decisions as it avoids information overload. It also protects the organization from litigation since the process of disposing of data is legally defensible. The courts also analyze the governance measures in place where there is a case to determine if sanctions and fines should be imposed. The priority is, however, not to absolve a corporation from responsibility, but to provide maximum safety to clients’ details.
Smallwood (2014) refers to IG as an ongoing program that is adaptive to technological changes and internal adjustments such as the addition of new staff. It is subject to regular reviews whose frequency should be more than once a year. Annual revisions mean that it takes 12 months for unauthorized activity – say by rogue employees – to be detected (HIPAA Journal, 2017). The efficiency with which IG deals with e-mail matters justifies the need for its adoption. E-mail is the significant means of communication in large organizations making it a primary target for cybercriminals. The policies formulated by administrators determine IG’s effectiveness, and consequently, financial gains will improve. The importance of a good IG program can therefore not be overestimated.

References
HIPAA Journal. (2017). Largest Healthcare Data Breaches of 2016. Retrieved from https://www.hipaajournal.com/largest-healthcare-data-breaches-of-2016-8631/
Ponemon Institute LLC. (2016). Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data. Ponemon Institute.
Smallwood R. (2014). Information Governance: Concepts, Strategies and Best Practices. Wiley CIO Publishers.
Snell E. Top 5 Data Breaches in 2016 Not From Hacking. Retrieved from https://healthitsecurity.com/news/top-5-healthcare-data-breaches-in-2016-not-from-hacking