I would not say I got as much from the lecture itself as I anticipated, but I enjoyed the class activity as I got to collaborate with other students. We were in a group of five, where we discussed different ideas on what we could do to make sure the situation does not happen again.
What was the situation?
A University Hospital employee was caught in the act; acting as the hospital department head, we terminated the offender's employment immediately and sent a letter of apology to the patients.
Class Activity on Data Management and Privacy
We sincerely apologise about this incident and have decided to restrict employee access by ranking according to duty level. We will also be adopting a daily security risk analysis process, and each medical file will be password protected.
Quite short, I know! We were timed when reading it out loud in class, and it came to about 18 seconds if I remember correctly. We went on to discuss our idea, and the lecturer advised that password protection might not necessarily be the right step, because the files would have been password protected initially, and nurses and doctors will need access to medical records when treating patients. We also discussed the two other points, which the lecturer said were the best ideas to implement, because restricting employee access by level is of huge importance. For example, administrative staff like receptionists do not need to have access to patients' medical files. They could also find a way to restrict nurses' access to some top-confidential information that only the major medical practitioners like surgeons or consultants need to access, because they might not give in to financial bribes to leak their patients' medical information.
During the group activity, we discussed whether the security risk analysis should be carried out on a daily, weekly or monthly basis. I personally said daily because, if we waited for weekly or monthly, a lot of damage might have been done before anyone was aware. If the hospital has a dedicated cybersecurity team, there is no reason why a daily security audit should not be carried out. Some said it might be too much of a task to carry out on a daily basis, which I can reason with as well. We concluded that the security professionals would be in the best position to give that advice, and decided to stick to a daily basis as part of the data protection guidelines of the hospital.
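To make the two ideas above concrete (access restricted by role, plus a daily review of who accessed what), here is an added example in Python. It is not code from the class, the lecturer or the hospital; the role names, the record sections, the thresholds and the one-day access log are all constructed assumptions. It enforces least privilege with two checks on every read (does the role get this section at all, and is the user actually assigned to this patient), writes every attempt to an audit log, and then runs a daily audit over that log that flags a receptionist repeatedly probing clinical notes and a consultant who, although permitted to read each record, has read far more patients in a day than treatment would explain.

```python
from collections import defaultdict
from datetime import datetime

# Record sections, least to most sensitive (assumption for this example).
SECTIONS = ("demographics", "appointments", "clinical_notes", "sensitive")

# Least-privilege mapping: which sections each role may read (assumed roles).
ROLE_PERMISSIONS = {
    "receptionist": {"demographics", "appointments"},
    "nurse": {"demographics", "appointments", "clinical_notes"},
    "consultant": set(SECTIONS),
    "surgeon": set(SECTIONS),
}


class AccessDenied(PermissionError):
    pass


def check_access(role, section, patient_id, assigned_patients):
    """Role must be allowed the section AND the user must be assigned to the patient."""
    if section not in ROLE_PERMISSIONS.get(role, set()):
        return False, "role not permitted to read this section"
    if patient_id not in assigned_patients:
        return False, "user not assigned to this patient"
    return True, "ok"


def read_record(log, user, role, patient_id, section, assigned_patients, when):
    """Read one section of a record; every attempt, allowed or not, is logged."""
    allowed, reason = check_access(role, section, patient_id, assigned_patients)
    log.append({"when": when, "user": user, "role": role, "patient": patient_id,
                "section": section, "allowed": allowed, "reason": reason})
    if not allowed:
        raise AccessDenied(f"{user} ({role}) -> {patient_id}/{section}: {reason}")
    return f"<{section} of {patient_id}>"


def daily_audit(log, day, denied_threshold=3, patient_threshold=10):
    """Review one day's log. Thresholds are illustrative assumptions."""
    denied = defaultdict(int)       # user -> number of denied attempts
    patients = defaultdict(set)     # user -> distinct patients read successfully
    for entry in log:
        if entry["when"].date() != day:
            continue
        if entry["allowed"]:
            patients[entry["user"]].add(entry["patient"])
        else:
            denied[entry["user"]] += 1
    findings = []
    for user, n in sorted(denied.items()):
        if n >= denied_threshold:
            findings.append(f"{user}: {n} denied accesses (possible privilege probing)")
    for user, seen in sorted(patients.items()):
        if len(seen) >= patient_threshold:
            findings.append(f"{user}: read {len(seen)} distinct patients' records (possible bulk export)")
    return findings


def build_sample_day(log=None):
    """Constructed activity for one day on a 15-patient ward (sample data, not real)."""
    log = [] if log is None else log
    when = datetime(2023, 5, 2, 9, 0)
    ward = {f"P{i:03d}" for i in range(1, 16)}
    # A nurse reads notes for two assigned patients: normal treatment activity.
    read_record(log, "nurse1", "nurse", "P001", "clinical_notes", ward, when)
    read_record(log, "nurse1", "nurse", "P002", "clinical_notes", ward, when)
    # A receptionist keeps trying to open clinical notes: denied and logged each time.
    for pid in ("P001", "P002", "P003"):
        try:
            read_record(log, "recep1", "receptionist", pid, "clinical_notes", ward, when)
        except AccessDenied:
            pass
    # A consultant with legitimate access reads every patient on the ward in one go.
    for pid in sorted(ward):
        read_record(log, "cons1", "consultant", pid, "sensitive", ward, when)
    return log, when.date()


if __name__ == "__main__":
    sample_log, sample_day = build_sample_day()
    for finding in daily_audit(sample_log, sample_day):
        print(finding)
```

The point the lecturer made shows up in the consultant case: a role check alone cannot catch an insider whose role legitimately covers the data, so the access restriction has to be paired with the periodic review of the log, which is why the group kept the daily analysis in the plan.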
I have further read up on data management and the General Data Protection Regulation (GDPR): it is important for organisations to take data protection very seriously and have a data protection team so they can adhere to the GDPR. Hospitals should appoint a Data Protection Officer, and if they do not, they still have to comply with the other requirements of the GDPR.
Increasing security when it comes to employee access is crucial, and any organisation must have a strict way of safeguarding personal data, checked often to avoid situations where employees steal customers' records. A true-life story of such an event can be found here.